It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Using Microsoft 365 Defender with Barracuda PhishLine

  • Last updated on

Note:
This article applies to organizations that do NOT use Barracuda Essentials or other non-Microsoft email protection product.
If you point your MX records directly at Microsoft Office 365 or turn on Microsoft's Secure By Default feature, be sure to follow the instructions in this article.

Background

Microsoft 365 Defender now includes Microsoft ZAP (Zero-hour purge), which scans emails for phishing content to protect email systems from potential phishing attacks. This includes legitimate, simulated phishing attacks used for training from Barracuda PhishLine and other providers. In addition, Microsoft 365 Defender no longer honors overrides for the Outlook Safe Senders list or IP Allow List (connection filtering). This article describes how to use Microsoft's Advanced Delivery Policy so you can successfully use Barracuda PhishLine along with Microsoft 365 Defender.

 Using Microsoft 365 Defender, or Secure By Default, can result in:

  • On the front end – Intended campaign email recipients do not receive phishing campaign messages. Instead, campaign emails are sent to the recipients' Junk folders or to a system mailbox for administrators.    
  • On the back end – Microsoft interrogates external links in campaign emails, resulting in clicks in the campaign. These are clicks made by a machine, not by human interaction, but are attributed to the email recipient. This skews your campaign results. 

Following the instructions in the next section to achieve the following results, enabling Barracuda PhishLine to operate without interference from Microsoft 365 Defender. Links in this section lead to Microsoft documentation. 

*Note that you cannot  bypass malware filtering or ZAP for malware.

Configuring the Advanced Delivery Policy in Microsoft 365 Defender

These instructions are based on Microsoft's instructions, with information specific to Barracuda PhishLine added. 

To configure the Advanced Delivery Policy in Microsoft 365 Defender:

  1. Log into the Microsoft 365 Defender Advanced Delivery page (https://security.microsoft.com/advanceddelivery).
  2. On the Advanced delivery page, select the Phishing simulation tab, and then do one of the following:
    • First configuration (if there are no configured phishing simulations): Click Add.
    • Subsequent configurations (if there are configured phishing simulations present): Click Edit.
  3. On the Edit third-party phishing simulation window that opens, configure the following settings:
    Required to ensure addressees receive incoming campaign email:
    • Sending Domains (Required): The 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) is the email address used in the SMTP transmission of the message.
      Expand this setting and enter at least one email address domain (e.g., example.com). Click inside the text box, enter a domain name, then press Enter or select the value displayed below the box. You can repeat this step as many times as necessary, to add up to 10 entries.
      To determine the domain(s) to enter, look for the MAIL FROM address, P1 sender, or envelope sender you use in the SMTP transmission of a campaign message. This email address is typically recorded in the Return-Path header field in the message header. When setting up your Barracuda PhishLine email campaign, you selected this domain for the Email Account for Sending setting in the Content section of the campaign, as described in Creating and Generating an Email Campaign.
    • Sending IP (Required): Expand this setting and enter the IP addresses listed below. Click inside the text box, enter a domain name, then press Enter or select the value displayed below the box. You can repeat this step as many times as necessary, to add up to 10 entries. 
      • 64.132.201.93
      • 74.203.211.13
      • 207.67.44.189
      • 64.132.201.82
      • 74.203.211.2
      • 207.67.44.178

    Note: There must be a match between at least one Sending domain and one Sending IP, but no association between values is maintained. 


    Required to ensure URLs present in simulation messages are not blocked:

    • Simulation URLs to allow (Optional): Expand this setting and enter specific domains that are part of your phishing simulation campaign and should not be blocked or detonated. Click inside the text box, enter a domain name, then press Enter or select the value displayed below the box. You can repeat this step as many times as necessary, to add up to 10 entries. 
      Sample entry: neverclick.net/*
      Tips for entries:
      • Do not enter http:// or https:// at the beginning of the domain. 
      • Do end each domain with /*.  
      • If you are using a custom subdomain, specify it as part of the domain.  Sample entry: subdomain.neverclick.net/*
      • To remove an existing value, locate the value, then click Remove MSremove.png .
  4. To complete the process:

    • First configuration: Click Add, then click Close.
      Subsequent configuration: Click Save, then click Close.

For additional information, refer to the following Barracuda Campus articles:

For more information on Microsoft 365 Defender, refer to the following Microsoft articles:

 

Last updated on