Whitelisting phishing simulations in Microsoft 365 Defender

This work instruction describes how to configure the correct whitelisting for each phishing simulation in Microsoft 365 Defender (Exchange Online / Defender for Office 365). The sending IP details are the same for every simulation. The mail domain and the landing domain (the link in the email) differ per simulation and must be updated each time.

1. Data for this simulation

Fill in the table below before performing the steps. The fixed values do not need to be changed.

Field | Value for this simulation
Sending IP (fixed) | 81.24.12.198
IP range (fixed) | 136.175.108.0/24
Mail domain (variable) | ________________________  (e.g. deservicedesk.com)
Landing domain / link in email (variable) | ________________________  (e.g. webmailportal.net)
Full simulation URL (for reference) | ________________________________________

Note on the simulation URL: you do not need to enter the full URL including query string (such as ?rid=…). The path up to the question mark is sufficient. Microsoft recommends the wildcard form *.domain.tld/*, so that all subdomains and paths are allowed.

2. Whitelist the IP addresses (Connection Filter Policy)

Go directly to: https://security.microsoft.com/antispam
Or via the menu: Email & collaboration → Policies & rules → Threat policies → Anti-spam.

  1. On the Anti-spam policies page, open the Connection filter policy (Default).
  2. Click Edit connection filter policy.
  3. Under Always allow messages from the following IP addresses or address range, add the following values:
    • 81.24.12.198
    • 136.175.108.0/24
  4. Click Save.

Note: these two IP values are fixed and only need to be set up once for the first simulation. Verify per simulation that they are still present.

3. Whitelist the URLs (Safe Links)

Go to: https://security.microsoft.com/safelinksv2
Or via the menu: Email & collaboration → Policies & rules → Threat policies → Safe Links.

  1. Open the Safe Links policy that applies to the target audience.
  2. Go to URL & click protection settings and, under Do not rewrite the following URLs in email, click Manage URLs.
  3. Add the landing domain of this simulation in wildcard form:
    *.<landing domain>/*  (e.g. *.webmailportal.net/*)
  4. Optionally also add the mail domain in the same form:
    *.<mail domain>/*  (e.g. *.deservicedesk.com/*)
  5. Click Save and save the policy.

4. Configure Advanced Delivery (Phishing Simulation)

Go directly to: https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation
Or via the menu: Email & collaboration → Policies & rules → Threat policies → Advanced delivery → Phishing simulation tab.

  1. Click Edit (or Add if no configuration exists yet).
  2. Fill in the following fields:
    Field in Defender | Value to enter
    Sending domain | the mail domain of this simulation (e.g. deservicedesk.com)
    Sending IP | 81.24.12.198 (optionally also 136.175.108.0/24)
    Simulation URLs to allow | *.<landing domain>/* (e.g. *.webmailportal.net/*)
  3. Click Save and then Close.

5. Checklist per simulation

  • Mail domain added in Advanced Delivery → Sending domain
  • Sending IP 81.24.12.198 present in Advanced Delivery
  • Connection filter policy contains 81.24.12.198 and 136.175.108.0/24
  • Landing domain added in Safe Links under “Do not rewrite URLs” (*.domain/*)
  • Landing domain added in Advanced Delivery → Simulation URLs to allow (*.domain/*)
  • Test email received from the simulation environment and the link works without warnings

6. Things to watch out for

  • Use the wildcard form: enter URLs as *.domain.tld/*. This also covers subdomains and query strings (e.g. ?rid=…).
  • Do not enter https://: in the Microsoft fields you only enter the domain/path, not the https:// scheme.
  • Propagation time: changes can take up to about an hour before they are active. Plan the simulation accordingly.
  • Clean up afterwards: after the simulation, remove the mail domain and the landing domain from Advanced Delivery and Safe Links so the exceptions do not stay in place unnecessarily. The fixed IP details can remain for future simulations.
  • Mail flow via an external gateway? Then also check the configuration of Enhanced Filtering for Connectors in Exchange Online; otherwise Defender will not see the original sending IP.
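
The checklist in section 5 and the clean-up point in section 6 can be checked with a read-only script; the following is an added example, not part of the original instruction or vendor code. It assumes an already connected Exchange Online PowerShell session in which these cmdlets are available (in some tenants the phishing simulation override cmdlets live in Security & Compliance PowerShell), and the default domains are the example values from this page.

```powershell
# Added example: read-only audit of the per-simulation checklist.
# Assumption: a session opened with Connect-ExchangeOnline, with permission
# to read threat policies. Nothing here changes any setting.
param(
    # Variable values from section 1; the defaults are this page's examples.
    [string]$MailDomain    = 'deservicedesk.com',
    [string]$LandingDomain = 'webmailportal.net'
)

# Fixed values from section 1.
$sendingIp = '81.24.12.198'
$ipRange   = '136.175.108.0/24'
$wildcard  = "*.$LandingDomain/*"   # wildcard form, entered without https://

function New-Check($Area, $Expected, [bool]$Present, $Lifetime) {
    [pscustomobject]@{
        Area = $Area; Expected = $Expected; Present = $Present; Lifetime = $Lifetime
    }
}

# Read the current configuration of each place the instruction touches.
$connFilter = Get-HostedConnectionFilterPolicy -Identity Default
$simRule    = Get-ExoPhishSimOverrideRule
$simUrls    = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery).Value
$safeLinks  = @(Get-SafeLinksPolicy |
                Where-Object { $_.DoNotRewriteUrls -contains $wildcard })

$report = @(
    New-Check 'Connection filter IP allow list' $sendingIp `
        ($connFilter.IPAllowList -contains $sendingIp) 'fixed'
    New-Check 'Connection filter IP allow list' $ipRange `
        ($connFilter.IPAllowList -contains $ipRange) 'fixed'
    New-Check 'Advanced Delivery: Sending IP' $sendingIp `
        ($simRule.SenderIpRanges -contains $sendingIp) 'fixed'
    New-Check 'Advanced Delivery: Sending domain' $MailDomain `
        ($simRule.Domains -contains $MailDomain) 'per simulation'
    New-Check 'Advanced Delivery: Simulation URLs' $wildcard `
        ($simUrls -contains $wildcard) 'per simulation'
    New-Check "Safe Links: do not rewrite ($($safeLinks.Name -join ', '))" $wildcard `
        ($safeLinks.Count -gt 0) 'per simulation'
)

# Before a simulation every row should show Present = True.
# After clean-up the 'per simulation' rows should show Present = False.
$report | Format-Table -AutoSize
```

Run it once before the test email is sent and again after the clean-up; a 'per simulation' row that still shows True afterwards is an exception that was left in place.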