HowTo: Avanan Allow-Listing in Google Workspace

This HowTo article explains how to configure Avanan’s Allow Listing to allow Attack Phishing tests to reach end users.

Warning: CyberHoot supports fake email Attack-Phishing for customers.  Please keep in mind this approach uses negative reinforcement to reduce click rates in employees.  To be successful, always pair with Positive Reinforcement, educational, and realistic HootPhish phishing simulations for the best Affect and Effect on end users.

Allow List Cyberhoot.com Domain

In this activity, you will add the domain CyberHoot.com to a newly created or existing Allow-List in GSuite’s Admin Console. Domain Name: cyberhoot.com

Log in to https://admin.google.com and select Apps.Apps -> GMail -> spam/phishing/malwareSpamEdit existing rule or add new oneAdd training rule or edit existing training rule to have cyberhoot.comMake sure the rule is selected

Allowlist CyberHoot by Their IP

1. Log in to https://admin.google.com and select Apps.

2. Select G Suite.

3. Select Gmail.

4. Select Advanced settings.note

5. In the Organizations section, highlight your Domain. Do not select an organizational unit (OU).

NOTE: G SUITE DOES NOT PERMIT ALLOW-LISTING BY IP ADDRESS FOR INDIVIDUAL IPS, ONLY THE ENTIRE DOMAIN.

6. In the Email whitelist section, enter our IP addresses

3.212.253.236/3234.235.208.123/3244.209.10.205/3252.200.160.242/3254.164.218.52/3254.240.125.36/3254.240.125.37/32

7. Click Save.

Add Cyberhoot IP as Inbound Gateway

Please Note: We have found that this process exempts CyberHoot simulated phishing emails from the Gmail banner warnings. However, this is not documented by Google as an allow-list recommendation.

Video here: https://youtu.be/7IhKiz4gTXQ

Log in to your Google Admin Console.Navigate to Apps > G Suite > Gmail > Advanced settings.Under General Settings, select your top-level organization (typically your primary domain) on the left.Scroll down to the Inbound Gateway setting located under the Spam section. Hover over the setting and click the Edit button. This will open the Inbound gateway screen.Configure the Inbound gateway using the settings below:Gateway IPs3.212.253.236/3234.235.208.123/3244.209.10.205/3252.200.160.242/3254.164.218.52/3254.240.125.36/3254.240.125.37/32IMPORTANT: Leave the Reject all mail not from gateway IPs option unchecked. If this is checked, all email will stop flowing to your client.Check Require TLS for connections from the email gateways listed above.Message Tagging
you should already see “X-CLOUD-SEC-AV-SCL: true” — leave this as is if there is nothing there, you can enter something random instead – jlakdfuadoflualdsfjSelect the Disable Gmail spam evaluation on mail from this gateway; only use header value option.Click the SAVE button.

If Avanan, create or modify Avanan Rule

Gmail -> Settings -> Compliance Scroll Down to Content ComplianceRulesIf Avanan is in place, you will see the 4 avanan rules – the one you need to edit is the last one, ending in “_inline)ei”

4. REMEMBER THAT THE BYPASS RULE IS “IS WITHIN THE RANGE” and the INLINE RULE IS “IS NOT WITHIN THE RANGE”

5. Rule Name: Security Awareness Bypass 

InboundIf ANY of the following match the messagemetadata match: source up is within the rangeLeave 149 if its thereAdd54.240.125.36/3254.240.125.37/323.212.253.236/3234.235.208.123/3244.209.10.205/3252.200.160.242/3254.164.218.52/32if matchmodify messageadd custom headersYOU HAVE TO CHANGE THE VALUE TO MATCH THE AVANAN PORTAL IP – e.g. tenantname becomes <shortname>  for <Tenant Full Name> — set message header ‘X-CLOUD-SEC-AV-INFO’ (set message header ‘X-CLOUD-SEC-AV-INFO’ — ONLY PASTE IN CLOUD-SEC-AV-INFO) with the value ‘tenantname,google_mail,inline’(don’t forget to change the tenant name)ONLY PASTE IN CLOUD-SEC-AV-INFO) or you’ll get the two x’s

6. Edit of existing Avanan Compliance Rule “xyz_inline_el”

MAKE SURE THIS IS SET TO ALL, NOT ANY, OR ALL EMAIL WILL BREAK

ONLY change metadata match, source ip to include the IP’s for Cyberhoot under “not within range”

54.240.125.36/3254.240.125.37/323.212.253.236/3234.235.208.123/3244.209.10.205/3252.200.160.242/3254.164.218.52/32

Leave a Reply