Bypassing Microsoft Defender for Phishing Tests with Advanced Delivery

Recently, I faced an issue when trying to implement an external phishing test provider for our organization. Despite having properly configured both connectors and transport rules that should have allowed these simulated phishing emails to reach our users' inboxes, the messages were consistently being quarantined by Microsoft Defender for Office 365.

The most frustrating part? I could see in the message trace logs that my transport rules were being applied, but the emails still ended up in quarantine rather than the inbox. Something was clearly overriding my rules.

Investigation

Upon examining one of the quarantined messages, I noticed it was being flagged as "Phish / High" with detection technologies showing "URL malicious reputation, Advanced filter" as the reason. The delivery action was set to "Blocked" and the location showed "Quarantine."

I performed a thorough assessment of our transport and connector rules to verify they were enabled and active. Everything looked correct - the rules were properly configured to allow messages from the specific sender IP addresses used by our phishing test provider. Yet Microsoft Defender was still intercepting and quarantining these messages before they could reach their intended recipients.

The Root Cause

After investigation, I discovered an important security mechanism in Microsoft 365: messages identified as high confidence phishing are always quarantined, regardless of any transport rules or safe sender configurations.

This is actually by design. Microsoft's "secure by default" behaviour in Exchange Online Protection ignores quarantine-bypass mail flow rules (including rules that set the SCL to -1) for any message flagged as "High Confidence Phish." Even if your transport rule is configured correctly to allow the sender IP or domain, the high confidence phishing verdict takes precedence over the rule. The message details in Explorer in the Defender portal showed exactly this verdict on the quarantined messages.


The Solution: Advanced Delivery Policy

Fortunately, Microsoft has created a specific solution for this exact scenario. The Advanced Delivery policy is designed to allow legitimate phishing simulations to bypass the normal security controls.

Here's how I configured it:

  1. I navigated to the Microsoft Defender portal at https://security.microsoft.com
  2. Went to Email & Collaboration > Policies & Rules > Threat Policies > Advanced Delivery
  3. Selected the Phishing Simulation tab
  4. Clicked "Add" to configure a new simulation

In the configuration screen, I added:

  • Sending Domain: The domain used by our phishing test provider. At least one domain is required, and it must be the domain in the MAIL FROM (5321.MailFrom) address or the DKIM-signing domain of the simulation messages, not just the display From address.
  • Sending IP: The IP addresses our phishing test provider sends from. At least one IP is required; both the domain and the IP must match for the exception to apply.
  • Simulation URLs: The landing page URLs used in our simulations, using wildcards. This part is optional, but without it Safe Links can still block the landing page even though the message itself is delivered.

Once this was configured, our phishing test emails began flowing properly to user inboxes instead of being quarantined. The connector and transport rule values we used are listed below.

Transport/Connectors Setup

Let's start with the connector. This is an inbound connector from a Partner Organization to Office 365, with the following settings:

Identify the partner organization by verifying that messages are coming from these IP address ranges: 12.44.88.125,34.11.88.252

Reject messages if they aren't encrypted using Transport Layer Security (TLS)

Then we have the transport rules, which are set up as below. In Exchange Online a single mail flow rule can set only one message header (the "Set a message header" action is single-valued), so the two header actions have to be split into two rules:

Sender ip addresses belong to one of these ranges: '12.44.88.125' or '34.11.88.252'

Set audit severity level to 'Low'
and set the spam confidence level (SCL) to '-1'
and set message header 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' with the value '1'
and set message header 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' with the value '1'
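The same setup, driven from Exchange Online PowerShell instead of the portal, as an added example that is not part of the original post. It covers both the Advanced Delivery configuration from the step list above and the connector and transport rules in this section. The IP addresses are the ones from this post; the sending domain and the landing-page URL pattern are assumed placeholder values, so replace them with the values your phishing test provider publishes.

```powershell
# Added example, not the post's own configuration. Requires the ExchangeOnlineManagement
# module and an account with Exchange Administrator / Security Administrator rights.
Connect-ExchangeOnline

$simIps    = @('12.44.88.125', '34.11.88.252')   # provider sending IPs (values from the post)
$simDomain = 'phishsim.example.com'               # provider MAIL FROM / DKIM domain (assumed value)
$simUrls   = @('*.phishsim.example.com/*')       # landing-page URLs, wildcards allowed (assumed value)

# 1. Inbound partner connector: identify the provider by source IP and reject non-TLS sessions.
New-InboundConnector -Name 'Phishing simulation provider' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $simIps `
    -RequireTls $true `
    -Enabled $true

# 2. Transport rules. -SetHeaderName is single-valued, so each skip header needs its own rule.
#    Note that SCL -1 alone does NOT rescue a high confidence phish verdict; step 3 does that.
New-TransportRule -Name 'PhishSim - SCL -1 and skip Safe Attachments' `
    -SenderIpRanges $simIps `
    -SetSCL -1 `
    -SetAuditSeverity Low `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' `
    -SetHeaderValue '1'

New-TransportRule -Name 'PhishSim - skip Safe Links' `
    -SenderIpRanges $simIps `
    -SetAuditSeverity Low `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' `
    -SetHeaderValue '1'

# 3. Advanced Delivery phishing simulation entry. This is the control that actually
#    overrides the high confidence phish quarantine. The policy name is fixed by Microsoft;
#    the rule carries the domain(s) and sending IP(s), and both must match the message.
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
New-PhishSimOverrideRule -Name PhishSimOverrideRule `
    -Policy PhishSimOverridePolicy `
    -Domains $simDomain `
    -SenderIpRanges $simIps

# Optional: allow the simulation landing-page URLs so Safe Links does not block the click.
New-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery `
    -Entries $simUrls -NoExpiration

# 4. Read back what is in place before running the next simulation.
Get-PhishSimOverrideRule | Format-List Name, Domains, SenderIpRanges
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery | Format-Table Value, ExpirationDate
Get-TransportRule -Identity 'PhishSim*' | Format-Table Name, State, SenderIpRanges, SetSCL, SetHeaderName
```

If your provider rotates sending IPs, change `$simIps` once and rerun steps 2 and 3 with the `Set-` equivalents (`Set-TransportRule`, `Set-PhishSimOverrideRule`); the Advanced Delivery rule is the one that matters for delivery, so check `Get-PhishSimOverrideRule` first when simulations start landing in quarantine again.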

Why does this override Transport Rules?

Transport rules alone aren't sufficient because Microsoft's "secure by default" protections always quarantine high confidence phishing messages, regardless of mail flow rules, allowed sender lists, or Outlook safe senders. The Advanced Delivery policy is the supported way to create exceptions for legitimate phishing simulations (and for SecOps mailboxes), and it includes these critical bypass mechanisms:

  • Bypasses filters in Defender for Office 365
  • Bypasses Safe Links blocking (URLs are still wrapped, but not blocked)
  • Bypasses Safe Attachments scanning
  • Prevents system alerts from being triggered for these simulations

Conclusion

Phishing simulations are a critical part of security awareness training, but they only work if the emails actually reach your users. Understanding Microsoft's security architecture and using the right solution - Advanced Delivery policy - ensures your simulations will be delivered as intended while maintaining the overall security posture.
