Technical Recommendations

How to Whitelist Phishing Simulation Emails in Microsoft 365

Written by Mitch Myers | May 1, 2025 7:13:16 PM

Introduction

To ensure phishing simulation emails are delivered successfully to your users—and not mistakenly flagged or filtered by security systems—it's critical to properly configure Microsoft 365 and any third-party email services. Follow the steps below to allowlist IP addresses, bypass spam filters, and configure advanced delivery settings for smooth simulation testing.

Whitelisting Steps

1. Allowlist the Sending IP Address in Microsoft 365

  1. Sign in to the Microsoft 365 Defender portal.
  2. Navigate to Email & Collaboration → Policies & rules → Threat policies.
  3. Under Policies, click Anti-spam.
  4. Click on Connection filter policy in the Name column.
  5. Select Edit connection filter policy.
  6. In the field labeled Always allow messages from the following IP addresses or address range, enter the phishing simulation’s IP address.
  7. Check the box for Turn on safe list.
  8. Click Save.

2. Bypass Clutter and Spam Filtering

  1. Sign in to the Exchange Admin Center.
  2. Go to Mail flow → Rules.
  3. Select Add a rule (+) → Create a new rule.
  4. Name the rule (e.g., “Bypass spam filtering by IP address”).
  5. Under Apply this rule if, select:
    • The sender → IP address is any of these ranges or exactly matches.
    • Enter the IP address, click Add, then Save.
  6. Under Do the following, choose:
    • Modify the message properties → Set the spam confidence level (SCL).
    • Set SCL to Bypass spam filtering, then click Save.
  7. Click Next to proceed through the remaining steps and Finish the rule creation.

3. Configure the Advanced Delivery Policy

Even after allowlisting, Microsoft 365 may still block phishing simulation emails flagged as “high confidence phishing.” To avoid this:

  1. Sign in to the Microsoft 365 Defender portal.
  2. Go to Email & Collaboration → Policies & rules → Advanced Delivery.
  3. Click the Phishing Simulation tab.
    • If simulations are already configured, click Edit.
    • If not, click Add.
  4. In the Add Third Party Phishing Simulations menu:
    • Under Domain, enter the sending domain(s) and press Enter.
    • Under Sending IP, enter the simulation IP and press Enter.
    • Under Simulation URLs to allow, enter your landing page domains in the format: exampledomain.com/* and press Enter.
  5. Click Save or Add, depending on the configuration status.
  6. Click Close.
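
The three portal procedures above can also be applied and read back from Exchange Online PowerShell. This is an added example, not part of the original article; the admin account, IP address and sending domain are constructed placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: the values below are placeholders (assumptions); use your vendor's details.
$Admin      = 'admin@contoso.example'   # hypothetical admin UPN
$SimIp      = '192.0.2.10'              # constructed sample IP (TEST-NET-1 range)
$SimDomain  = 'phish-sim.example'       # constructed sample sending domain
$LandingUrl = 'exampledomain.com/*'     # landing page pattern, format from step 3
$RuleName   = 'Bypass spam filtering by IP address'

Connect-ExchangeOnline -UserPrincipalName $Admin

# Step 1: add the IP to the default connection filter policy and turn on the safe list.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $SimIp} -EnableSafeList $true

# Step 2: mail flow rule that sets SCL to -1 (bypass spam filtering) for that IP only.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName -SenderIpRanges $SimIp -SetSCL -1
}

# Step 3 (simulation URLs): advanced delivery URL entries go in the Tenant Allow/Block List.
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery `
    -Entries $LandingUrl -NoExpiration

# Step 3 (domain and sending IP): these cmdlets live in Security & Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName $Admin
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
}
if (-not (Get-ExoPhishSimOverrideRule -ErrorAction SilentlyContinue)) {
    New-ExoPhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -Domains $SimDomain -SenderIpRanges $SimIp
} else {
    Write-Warning 'A phishing simulation override rule already exists; review it before changing it.'
}

# Read back what is now configured so each bypass can be checked against the vendor's list.
Get-HostedConnectionFilterPolicy -Identity Default | Format-List IPAllowList, EnableSafeList
Get-TransportRule -Identity $RuleName | Format-List Name, SenderIpRanges, SetSCL, State
Get-ExoPhishSimOverrideRule | Format-List Name, Domains, SenderIpRanges
```

The read-back at the end is worth keeping in a change record: it shows exactly which IPs and domains now bypass filtering, so an entry broader than the vendor's published range is easy to spot.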

 

 

Additional Notes for Third-Party Email Gateways

If your organization uses services like Proofpoint, Mimecast, or Barracuda, be sure to follow their specific allowlisting documentation. Even with Microsoft 365 configured correctly, third-party filters may block or sandbox your simulation emails.


Final Checklist

  • IP address allowlisted in Microsoft 365
  • Spam filters bypassed via mail flow rule
  • Advanced delivery policy configured
  • Simulation domains and landing URLs added
  • Third-party filters updated (if applicable)

 

Need assistance with implementation? Contact our team—we're happy to help ensure your phishing simulations are seamless and successful.