Skip to content

When your MX record points to M365

Overview

This guide ensures that Cyberhook phishing simulation and training emails are successfully delivered to users' inboxes in Microsoft 365, bypassing filtering mechanisms such as Microsoft Defender for Office 365 (formerly ATP), and are not marked as threats.

Applies to environments where the MX record points directly to M365.

1. Configure Advanced Delivery

Steps:

  1. Go to the Microsoft Defender portal
  2. Navigate to: Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery
  3. Select the Phishing simulation tab
  4. Click Add
  5. Add the DKIM domain (e.g., ct-sendrig.site)
  6. Add the sending IP (e.g., 51.178.182.159)
  7. Click Save

Advanced Delivery Configuration

This ensures emails are correctly categorized as phishing simulations and not treated as threats.

Create a mail flow rule:

  1. Go to the Exchange Admin Center
  2. Navigate to: Mail Flow > Rules > Add a rule
  3. Name the rule: SUCURILABS - Bypass Defender Links
  4. Click More options
  5. Condition:
  6. Apply this rule if: The sender > IP address is… 51.178.182.159
  7. Action: Do the following: Modify the message properties > set a message header
    • Header name: X-MS-Exchange-Organization-SkipSafeLinksProcessing
    • Value: 1

  8. Click Next > Finish

    Mail Flow Rule Configuration

Validation

  • Use Threat Explorer and filter by System override source > Phishing simulation to verify email delivery through the simulation policy.
  • Confirm emails land in the inbox and are not marked as junk or phishing.