This HowTo article explains how to configure Avanan’s Allow Listing rules to allow Attack Phishing tests to reach end users in Microsoft O365 environments.
Warning: CyberHoot supports fake email Attack-Phishing for customers. Please keep in mind this approach uses negative reinforcement to reduce click rates in employees. To be successful, always pair with Positive Reinforcement, educational, and realistic HootPhish phishing simulations for the best Affect and Effect on end users.
1. Access the Microsoft Security Dashboard for the client (can be done via CIPP), and follow the steps at this link https://cyberhoot.com/howto/howto-whitelist-by-x-header-in-exchange-2013-2016-or-microsoft-365/ but use the IP’s and domains below. Please Note: You do NOT need the “url” section mentioned at the link
IP Address’s to Allow:
3.212.253.236/32
34.235.208.123/32
44.209.10.205/32
52.200.160.242/32
54.164.218.52/32
54.240.125.36/32
54.240.125.37/32
Domain Names to Allow:
cyberhoot.com
ch-security-alert.com
ch-password-reset.com
ch-login-created.com
ch-contact-us.com
ch-account-2fa.com
For a detailed view of the Avanan screens, see the images on the next page.
2. Connection Filter Allow
Next you will want to add these IP’s instead (always leave Avanan IPs)
3.212.253.236/32
34.235.208.123/32
44.209.10.205/32
52.200.160.242/32
54.164.218.52/32
54.240.125.36/32
54.240.125.37/32
149.72.222.44/32
Mail Flow Rule for Avanan
Log into ADMIN.MICROSOFT.COM -> eXCHANGE PORTALCreate a New Exchange Mail flow Rule ABOVE Avanan Protect named “Avanan Cyberhoot (IPs)”Sender ip addresses belong to one of these ranges: ‘54.240.125.36/32’ or ‘54.240.125.37/32’
YOU HAVE TO CHANGE THE VALUE TO MATCH THE AVANAN PORTAL IP – e.g. tenantname becomes <shortname> for <Tenant Full Name> — set message header ‘X-CLOUD-SEC-AV-INFO’ with the value ‘tenantname,google_mail,inline’
3. Enable and Stop Processing more Rules as shown below.
4. Click on Rule
5. Edit Settings
6. Change Priority to 0
7. Save. The rule should now be at the top
8. Click on rule
9. “enable or disable rule” slider to enabled. it will now show enabled
Powershell Script for Safe Senders
Open powershell on your computerpaste in the text contained at this link: cyberhoot.com/wp-content/uploads/2023/08/PowerShell-Script-to-add-CyberHoot-Phishing-Domains-to-all-Users-Safe-Senders-Lists-4.txtClick enterAuthenticate to the client’s m365 GA accountIt will slowly run through a list of all their usersOnce completed you should see PS C:WINDOWSsystem32> Write-Output “Finished!”
Sign out of the m365 account in your browser (you can go to admin.microsoft.com and sign out)
