# PSaaS Allowlisting

Configure email and website allowlisting to ensure phishing simulations and content reach users.

# Email Allowlisting

Ensure phishing emails reach inboxes by configuring your allowlisting settings.

# Allowlisting - Introduction

#### Allowlisting GrintOps in your Email Platform

[**Allowlisting - Quick Reference - IPs, Headers & URLs**](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-quick-reference-ips-urls)

Multiple allowlisting methods are listed below. Choose the method that best suits your organisation - preferred methods have been tagged.

***Microsoft/Office 365***

- [Allowlisting - Use M365 Defender to allow a Phishing Simulation](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-use-m365-defender-to-allow-a-phishing-simulation)
- [M365 Direct Email Injection (API Integration To Bypass Allowlisting)](https://help.grintops.com/books/psaas-allowlisting/page/m365-direct-email-injection-api-integration-to-bypass-allowlisting)
- Supplemental Allowlisting Guides (Optional):
    - [Allowlisting - Bypass Safe Link/Attachment Processing of M365 Advanced Threat Protection (ATP)](https://help.grintops.com/books/psaas-allowlisting/page/email-allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp)
    - [Allowlisting - Automatically Download Images For Emails Sent To Microsoft 365](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365)
    - Integrating With Microsoft's Built-In "Report Phishing" Button On Outlook
- M365 With Third-Party Email Gateway/Mail Relay/Hybrid On-Prem Exchange:
    - [Microsoft 365 - Enhanced Filtering For Connectors (Skiplisting)](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-enhanced-filtering-for-connectors-skiplisting)

# Allowlisting - Quick Reference - IPs & URLs

When applying allowlists to your email servers and/or email filtering solutions, please refer to the quick reference information below.

<span style="text-decoration: underline;">Be careful not to over-allowlist and only configure what's necessary to allow GrintOps emails through.</span>

## **Mail Server IPv4 Addresses:**

```
135.84.80.0/24
136.143.161.0/24
136.143.184.0/24
136.143.188.0/24
165.173.129.0/24
165.173.174.0/23
165.173.180.0/24
165.173.182.0/24
```

***Note: If you need to provide your email filter with a subnet mask for the above IP Addresses, please use /32 for each IP.***

## **Sending Domains:**

```
office365-webnotif.com
office365-webnotif.site
miro-apps.online
hukum0nline.com
slack-apps.online
github-apps.online
```

## **Phishing Website Domains:**

```
office365-webnotif.com/*
*.office365-webnotif.com/*
office365-webnotif.site/*
*.office365-webnotif.site/*
miro-apps.online/*
*.miro-apps.online/*
hukum0nline.com/*
*.hukum0nline.com/*
slack-apps.online/*
*.slack-apps.online/*
github-apps.online/*
*.github-apps.online/*
```

Should you have any difficulties with allowlisting, please don't hesitate to [contact us](https://grintops.com/contact-us/).

# Allowlisting - Use M365 Defender to allow a Phishing Simulation

To ensure GrintOps can effectively simulate phishing campaigns, you will need to allowlist our emails. **We highly recommend this method for allowlisting as it's been explicitly created by Microsoft for the purpose of conducting phishing simulations.**

**Note:** If you find that website links are being re-written and lead to a "suspicious website" page after allowlisting, your organisation may need to add additional attachment and URL exemptions. To enable these exemptions please see our support article: **[Allowlisting - Bypass Safe Link/Attachment Processing of M365 Advanced Threat Protection (ATP)](https://help.grintops.com/books/psaas-allowlisting/page/email-allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp)**

## Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy

**Note:** Prefer to use PowerShell? [**Use our prepared script**](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-use-m365-defender-to-allow-a-phishing-simulation)

1\. Log in to Microsoft 365 Defender at the following link to go straight to the Phishing Simulation allowlisting form: **[https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation](https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation)**

[![mceclip10.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/mceclip10.png)](https://help.grintops.com/uploads/images/gallery/2025-07/mceclip10.png)

*Note: This form can also be accessed by going to [https://security.microsoft.com/](https://security.microsoft.com/) and clicking through Email & Collaboration > Policies & Rules > Threat Policies > Advanced Delivery > Phishing Simulation*

2\. Click ![Edit icon.](https://docs.microsoft.com/en-us/microsoft-365/media/m365-cc-sc-edit-icon.png?view=o365-worldwide) **Edit**, or, if there are no configured phishing simulations, click **Add**.

3\. On the **Edit third-party phishing simulation** flyout that opens, configure the following settings:

### **Sending Domain:** 

The following are examples of phishing domains that may be used:

```
office365-webnotif.com
office365-webnotif.site
miro-apps.online
hukum0nline.com
slack-apps.online
github-apps.online
```

### **Sending IP:** 

The following are examples of sending IP addresses that may be used in phishing simulation campaigns or email transmissions:

```
135.84.80.0/24
136.143.161.0/24
136.143.184.0/24
136.143.188.0/24
165.173.129.0/24
165.173.174.0/23
165.173.180.0/24
165.173.182.0/24
```

### **Simulation URLs to allow:** 

The following are examples of simulation URLs that should be allowed to ensure phishing simulation emails and landing pages function properly:

```
office365-webnotif.com/*
*.office365-webnotif.com/*
office365-webnotif.site/*
*.office365-webnotif.site/*
miro-apps.online/*
*.miro-apps.online/*
hukum0nline.com/*
*.hukum0nline.com/*
slack-apps.online/*
*.slack-apps.online/*
github-apps.online/*
*.github-apps.online/*
```

*Note: All the above domains and IP addresses are under the sole control of GrintOps. As such we can ensure that no unintended emails will originate from these IPs and domains after allowlisting occurs.*

4\. When you're finished, click Add/Save and then click Close.

***Note: Allowlisting may take up to an hour to take effect.***

**All done!** Allowlisting can be tricky... should you have any difficulties, please don't hesitate to [contact us](https://grintops.com/contact-us/).

**Troubleshooting:** If emails continue to go to spam/quarantine folders, you may have Microsoft Advanced Threat Protection (ATP) enabled, which may require additional allowlisting. Please see our guide here to **[Bypass Safe Link/Attachment Processing of M365 ATP](https://help.grintops.com/books/psaas-allowlisting/page/email-allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp)**.

## PowerShell Allowlisting Script

Want to automate the deployment of GrintOps allowlisting? Use our prepared PowerShell script below.

### Step 1. Ensure Exchange Online V3 For PowerShell Is Installed

```powershell
Install-Module -Name ExchangeOnlineManagement -Force
```

### Step 2. Connect Exchange Online For PowerShell To Your Microsoft 365 Tenant

**Note:** Please replace the value YOUR-ADMIN-EMAIL with the M365 administrator email that you wish to sign in with.

```powershell
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline `
-UserPrincipalName YOUR-ADMIN-EMAIL `
-ShowProgress:$false `
-LoadCmdletHelp # optional: if you want Get-Help for EXO cmdlets
```

### Step 3. Create The Phishing Simulation Allowlist Policies And Configurations

**Note:** If you've white-labelled GrintOps, make sure to replace the grintops.com and learn.grintops.com domains with your white-labelled domains.

```powershell
# 1. Create the override policy
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy

# 2. Confirm it's there
Get-PhishSimOverridePolicy

# 3. Create the override rule pointing to the allowlisted domains & IPs
New-ExoPhishSimOverrideRule `
    -Name PhishSimOverrideRule `
    -Policy PhishSimOverridePolicy `
    -Domains 'office365-webnotif.com', 'office365-webnotif.site', 'miro-apps.online', 'hukum0nline.com', 'slack-apps.online', 'github-apps.online' `
    -SenderIpRanges '135.84.80.0/24', '136.143.161.0/24', '136.143.184.0/24', '136.143.188.0/24', '165.173.129.0/24', '165.173.174.0/23', '165.173.180.0/24', '165.173.182.0/24'

# 4. Allowlist the phishing website URLs in Defender's tenant allow/block list
#    (same entries as the "Simulation URLs to allow" list above)
New-TenantAllowBlockListItems `
    -Allow `
    -ListType Url `
    -ListSubType AdvancedDelivery `
    -Entries 'office365-webnotif.com/*', '*.office365-webnotif.com/*', 'office365-webnotif.site/*', '*.office365-webnotif.site/*', 'miro-apps.online/*', '*.miro-apps.online/*', 'hukum0nline.com/*', '*.hukum0nline.com/*', 'slack-apps.online/*', '*.slack-apps.online/*', 'github-apps.online/*', '*.github-apps.online/*' `
    -NoExpiration

# 5. Verify your rule
Get-ExoPhishSimOverrideRule
```
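
To check the "don't over-allowlist" advice after running the script above, the following added example (not GrintOps' own code) compares a tenant's advanced delivery settings with the values listed on this page and reports anything missing or extra. The helper name `Compare-AllowlistDrift` and the sample tenant values are constructed for illustration; the `Domains`, `SenderIpRanges` and `Value` property names in the commented live calls are assumptions about the cmdlet output.

```powershell
# Added example: compare advanced delivery settings with the values on this page.
# Expected values, copied from the lists on this page.
$pageValues = @{
    Domains        = @('office365-webnotif.com', 'office365-webnotif.site', 'miro-apps.online',
                       'hukum0nline.com', 'slack-apps.online', 'github-apps.online')
    SenderIpRanges = @('135.84.80.0/24', '136.143.161.0/24', '136.143.184.0/24', '136.143.188.0/24',
                       '165.173.129.0/24', '165.173.174.0/23', '165.173.180.0/24', '165.173.182.0/24')
}
# The page lists two URL patterns per domain: "domain/*" and "*.domain/*".
$pageValues.Urls = @(foreach ($d in $pageValues.Domains) { "$d/*"; "*.$d/*" })

function Compare-AllowlistDrift {
    # Hypothetical helper: returns entries missing from, or extra to, the expected set.
    param(
        [Parameter(Mandatory)][string]$Setting,
        [string[]]$Expected = @(),
        [string[]]$Actual = @()
    )
    # Normalise case and whitespace so 'Miro-Apps.online ' equals 'miro-apps.online'.
    $want = @($Expected | ForEach-Object { $_.Trim().ToLowerInvariant() } |
              Where-Object { $_ } | Sort-Object -Unique)
    $have = @($Actual | ForEach-Object { $_.Trim().ToLowerInvariant() } |
              Where-Object { $_ } | Sort-Object -Unique)
    [pscustomobject]@{
        Setting = $Setting
        Missing = @($want | Where-Object { $_ -notin $have })   # allowlisting incomplete
        Extra   = @($have | Where-Object { $_ -notin $want })   # over-allowlisting to review
    }
}

# Constructed sample of a tenant's current state (not real cmdlet output).
$tenantValues = @{
    # One domain was never added.
    Domains        = @('office365-webnotif.com', 'office365-webnotif.site', 'miro-apps.online',
                       'hukum0nline.com', 'slack-apps.online')
    # One range that is not on this page (documentation range 203.0.113.0/24).
    SenderIpRanges = $pageValues.SenderIpRanges + '203.0.113.0/24'
    # The "*.domain/*" wildcard entries were never added.
    Urls           = @($pageValues.Urls | Where-Object { -not $_.StartsWith('*.') })
}

# Against a live tenant, build $tenantValues from the cmdlets instead
# (property names are assumptions):
#   $rule = Get-ExoPhishSimOverrideRule
#   $urls = Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
#   $tenantValues = @{ Domains = $rule.Domains; SenderIpRanges = $rule.SenderIpRanges; Urls = $urls.Value }

$report = foreach ($setting in 'Domains', 'SenderIpRanges', 'Urls') {
    Compare-AllowlistDrift -Setting $setting -Expected $pageValues[$setting] -Actual $tenantValues[$setting]
}

$report | ForEach-Object {
    '{0,-15} missing: {1}' -f $_.Setting, ($_.Missing -join ', ')
    '{0,-15} extra:   {1}' -f '', ($_.Extra -join ', ')
}
```

Any entry reported as extra should be traced to a documented reason or removed, since advanced delivery entries bypass filtering for everything that matches them.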

# Allowlisting - Automatically Download Images For Emails Sent To Microsoft 365

<section class="article-info" id="bkmrk-would-you-like-to-ha">Would you like to have images automatically download for simulated phishing and notification emails sent by GrintOps?

In this support article we'll walk through the allowlisting process to add GrintOps-managed domains to the Outlook Safelist Collection, ensuring images are automatically downloaded. This has the added benefit of ensuring the email view metric in simulated phishing campaigns is accurate. However, the email view metric isn't essential to the success of campaigns, and as a result, this guidance is purely optional and can be added at your own discretion.

**Note:** The guidance in this article builds upon Microsoft guidance on **[configuring the safelist collection on a Microsoft 365 mailbox](https://learn.microsoft.com/en-us/defender-office-365/configure-junk-email-settings-on-exo-mailboxes#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox)**. Please refer to this article to learn more about mailbox safelist collections.

**Table Of Contents:**

- [**Prerequisites**](https://help.grintops.com/books/allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365#bkmrk-prerequisites)
- [**Step 1: Connect to Exchange Online PowerShell**](https://help.grintops.com/books/allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365#bkmrk-step-1%3A-connect-to-e)
- [**Step 2: Define the Domains to Add**](https://help.grintops.com/books/allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365#bkmrk-step-2%3A-define-the-d)
- [**Step 3: Add Domains to All Mailboxes**](https://help.grintops.com/books/allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365#bkmrk-step-3%3A-add-domains-)
- [**Step 4: Verify the Changes**](https://help.grintops.com/books/allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365#bkmrk-step-4%3A-verify-the-c)
- [**Additional Notes**](https://help.grintops.com/books/allowlisting/page/allowlisting-automatically-download-images-for-emails-sent-to-microsoft-365#bkmrk-additional-notes)

## **Prerequisites**

- **Exchange Online PowerShell Module**: Ensure you have the Exchange Online PowerShell module installed. If not, install it using the following command:

    ```powershell
    Install-Module -Name ExchangeOnlineManagement
    ```
- **Administrative Privileges**: You must have the necessary permissions to modify mailbox configurations across your organization.

## **Step 1: Connect to Exchange Online PowerShell**

Open PowerShell with administrative privileges and connect to Exchange Online:

```powershell
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName your_admin_account@yourdomain.com
```

**Note:** Replace `your_admin_account@yourdomain.com` with your admin username.

## **Step 2: Define the Domains to Add**

Create an array containing the [**GrintOps domains**](https://help.grintops.com/books/allowlisting/page/allowlisting-quick-reference-ips-headers-urls) you wish to add to the Safe Senders list:

```powershell
$domains = @(
    'office365-webnotif.com',
    'office365-webnotif.site',
    'miro-apps.online',
    'hukum0nline.com',
    'slack-apps.online',
    'github-apps.online'
)
```

**Note:** If you've set up white-labelling, we recommend adding your white-labelled domain to the list.

## **Step 3: Add Domains to All Mailboxes**

Run the following commands to add the specified domains to the Safe Senders list for all user mailboxes:

```powershell
# Fetch all mailboxes once
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

# Add each domain one at a time for every mailbox
foreach ($domain in $domains) {
  foreach ($mbx in $mailboxes) {
      Set-MailboxJunkEmailConfiguration `
          -Identity $mbx.Identity `
          -TrustedSendersAndDomains @{ Add = $domain }
  }
  Write-Host "Added '$domain' to TrustedSendersAndDomains for all mailboxes."
  # Pause for 1 second before moving to the next domain
  Start-Sleep -Seconds 1
}
```

**Explanation:**

- `Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited`: Retrieves all user mailboxes in your organization.
- `foreach { ... }`: The outer loop iterates over each domain and the inner loop over each mailbox retrieved.
- `Set-MailboxJunkEmailConfiguration`: Updates the junk email settings for the specified mailbox.
- `-TrustedSendersAndDomains @{Add=$domain}`: Adds the specified domain to the existing Safe Senders list without overwriting it.

## **Step 4: Verify the Changes**

To confirm that the domains have been added, you can check the Safe Senders list of a specific mailbox:

```powershell
Get-MailboxJunkEmailConfiguration -Identity user@domain.com | Select-Object -ExpandProperty TrustedSendersAndDomains
```

**Note:** Replace `user@domain.com` with the email address of a user in your organization.

## **Additional Notes**

- **Processing Time**: Depending on the number of mailboxes, this operation may take some time.
- **Error Handling**: If you encounter any errors, ensure that you have the necessary permissions and that all domain names are correctly specified.
- **Maintenance**: If you need to remove domains in the future, you can modify the `Set-MailboxJunkEmailConfiguration` command accordingly:

    ```powershell
    # Run inside the Step 3 mailbox loop, where $mbx is the current mailbox
    Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity -TrustedSendersAndDomains @{Remove=$domains}
    ```

</section>

# Microsoft 365 Direct Email Injection - Setup Guide

GrintOps can integrate directly with Microsoft 365 through the Graph API. Using this API we can inject simulated phishing and notification emails directly into employee inboxes, bypassing the need for traditional email allowlisting!

**Important Note:** This guide should only be followed if you **haven't** set up **[platform white-labeling](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling)**. If you have, please follow this **[setup guide](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-direct-email-injection-for-white-labelled-tenants-setup-guide).**

To leverage direct email injection functionality, please follow the below steps:

1. Log in to your account and navigate to **Platform Settings > Email Delivery Settings**
2. Click the 'New Integration' button for the 'Microsoft 365 Direct Email Injection' Service Provider.  
    [![WhatsApp Image 2025-07-17 at 23.29.54_841330d6.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-29-54-841330d6.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-29-54-841330d6.jpg)
3. Provide a unique name for the Microsoft 365 integration and then click the 'Sign in with Microsoft' button.  
    [![WhatsApp Image 2025-07-17 at 23.33.11_f8924996.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-33-11-f8924996.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-33-11-f8924996.jpg)
4. If your browser doesn't have an active Microsoft/Azure AD session, you'll be prompted to log in via the Microsoft login portal. Once signed in, you'll be prompted to authorise the GrintOps Email Connector to access several APIs within your Microsoft/Azure AD account. Click **'Accept'** to authorise the access. *Note: Access to all scopes is required to successfully set up the integration. Click **[here](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-direct-email-injection-setup-guide)** to understand in further detail what information we're accessing. Consenting on behalf of your organization is optional.*
    
    [![WhatsApp Image 2025-07-17 at 23.28.47_5830d239.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-28-47-5830d239.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-28-47-5830d239.jpg)
5. Once authorized, you'll be immediately redirected to the GrintOps Mail Servers page and notified on the status of the integration and that you now need to provide Admin Consent. From here you can choose one of two options. You can either:  
    \- Automatically provide Admin Consent by authorizing a permissions upgrade in a similar dialog box to that shown in Step 4 (completing the setup).  
    \- Proceed with Steps 6-10 to do this manually.  
    ***What is Admin Consent?*** With Microsoft there are two types of permissions: Delegated and Application. Delegated permissions are used when an application needs to act on behalf of a user. On the other hand, Application permissions are used when an application needs to access resources without a signed-in user. These permissions allow the application to act autonomously, accessing the specified resources at a broader level, with higher privileges than delegated permissions. By providing Admin Consent, the GrintOps Email Connector is upgraded from Delegated to Application permissions, which is necessary to perform Direct Email Injection.  
    ![](https://help.caniphish.com/hc/article_attachments/10097913425679)
6. If proceeding with the manual approach, go to the Azure home page: [https://portal.azure.com/](https://portal.azure.com/)
7. Click on or search for Enterprise Applications:  
    ![](https://help.caniphish.com/attachments/token/xNJP3wCNnFjYR7Z9wzEIt8MHs/?name=image.png)
8. Click on the "GrintOps Email Connector" Application.
9. Click on the Permissions tab on the left.
10. Click the "Grant admin consent for GrintOps" button to upgrade the Mail.ReadWrite and User.Read.All permissions from Delegated to Application.  
    [![WhatsApp Image 2025-07-17 at 23.32.58_c58f5309.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-32-58-c58f5309.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-32-58-c58f5309.jpg)

**All done!** You can now select this as an email provider when scheduling phishing campaigns, bypassing the need to set up email allowlisting. To do this, either make this new mail server your default or click the 'Show Advanced Options' link on the initial setup page when creating a new campaign:

![](https://help.caniphish.com/hc/article_attachments/8549002296591)

## Appendix: Additional Information on Microsoft API Scopes

We'll be accessing APIs that allow us to read and write information to employee inboxes. Additionally, we'll read information from employee Microsoft profiles so we can determine which email address is associated with which Microsoft profile and then find the corresponding Inbox folder. The table below outlines the scopes we're accessing in detail:

| Scope | Purpose |
| --- | --- |
| **user.read.all** | Provides GrintOps with access to read the profiles of all users within the Azure AD tenant for the Microsoft 365 account. |
| **mail.readwrite** | Provides GrintOps with access to read and write to employee mailboxes. This is necessary so we can find the location of the Inbox folder and then inject the necessary simulated phishing email. |
| **offline\_access** | Allows GrintOps to maintain access to the mentioned scopes above. This is necessary so GrintOps can periodically refresh its access token to prevent expiry every 90 minutes. |

## Frequently Asked Questions

**What happens if a user doesn't exist within the Microsoft 365 Tenant?**

If the user is sent a simulated phishing email, an error will appear next to their email address within the affected campaign, making a note of the issue. If the user is sent a notification, then a fallback to use GrintOps email servers will occur to ensure the notification is still sent.

# Microsoft 365 - Enhanced Filtering For Connectors (Skiplisting)

Are you using Microsoft 365 in conjunction with a third-party secure email gateway, email relay, or on-prem/hybrid exchange system? If so, this can pose a problem with our **[traditional Microsoft 365 allowlisting guidance](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-use-m365-defender-to-allow-a-phishing-simulation)**.

When third-party email infrastructure is used in a relay-based configuration with Microsoft 365, Microsoft 365 loses all visibility on the source IP address that emails actually originate from (because the source IP address of all emails gets overwritten by the IP address of the third-party email relay).

To counteract this, you need to activate Enhanced Filtering For Connectors (Skiplisting) within Microsoft 365. A depiction of this problem and how skiplisting solves the problem is provided below for your benefit:

**Traditional Microsoft 365 Email Routing Setup (No Third-Party Infrastructure):**

[![WhatsApp Image 2025-07-17 at 23.41.14_ad9af71d.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-41-14-ad9af71d.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-41-14-ad9af71d.jpg)

**Third-Party Email Infrastructure With Microsoft 365:**

[![WhatsApp Image 2025-07-17 at 23.45.19_1339defb.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-45-19-1339defb.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-45-19-1339defb.jpg)

**Third-Party Email Infrastructure With Microsoft 365 With Skiplisting Implemented:**

[ ![WhatsApp Image 2025-07-17 at 23.43.15_1ef8f5a2.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/Wbfwhatsapp-image-2025-07-17-at-23-43-15-1ef8f5a2.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/Wbfwhatsapp-image-2025-07-17-at-23-43-15-1ef8f5a2.jpg)

Skiplisting allows you to filter email based on the actual source of messages that arrive over a Microsoft 365 email connector. Skiplisting skips the source IP addresses of the connector and looks back in the routing path to determine the actual source of the incoming messages. Supplementary information on skiplisting can be found below:

- **[https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors)**
- **[https://security.microsoft.com/skiplisting](https://security.microsoft.com/skiplisting)**

## How To Implement Skiplisting Within Microsoft 365

**Note:** If you've set up Direct Email Injection, Skiplisting isn't required.

**Prerequisite:** Your email relay must be configured as an **[Inbound Connector within Microsoft 365](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow)**.

To implement skiplisting within your Microsoft 365 tenant, please follow the below guidance.

1. In the **[Microsoft 365 Admin Center](https://admin.cloud.microsoft/)**, go to Security &gt; Email &amp; Collaboration &gt; Policies &amp; Rules &gt; Threat Policies &gt; Enhanced Filtering. Or just go here: **[https://security.microsoft.com/skiplisting](https://security.microsoft.com/skiplisting)**
2. On the Enhanced Filtering for Connectors page, select the inbound connector that you want to configure by simply clicking on it.  
    ![](https://help.caniphish.com/hc/article_attachments/12204076075023)
3. In the flyout pane that appears you have two options. Please select the option that is most applicable to your email routing setup: 
    - **Automatically detect and skip the last IP address (Recommended):** This approach is simple, easy, and also applicable to the overwhelming majority of email routing setups. Essentially Microsoft will just detect and skip the last IP address in the email routing chain, allowing it to successfully detect the true source IP address of emails.
    - **Skip these IP addresses that are associated with the connector:** Should only be used in complex email routing setups where there are multiple email gateways which are relaying emails multiple times (e.g. Source Email Server &gt; Email Relay &gt; Email Relay &gt; Microsoft 365). In cases such as these, you can manually specify the IP address of these email relays and Microsoft will skip them.
4. **Important:** Once one of the above options is selected, you can specify who this configuration should apply to. To ensure there are no email deliverability issues with your greater organization, please test this configuration with a subset of users before applying it to your entire organization. Once testing has concluded, then update this configuration and apply it to everyone.
5. Click **Save**!

![](https://help.caniphish.com/hc/article_attachments/12204076075535)
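
What the two options in step 3 change, as an added example that is neither GrintOps' nor Microsoft's code: a simplified model that walks the `Received` chain of a constructed message and checks the resulting source IP against the sending ranges on this page. The hostnames, the relay IPs, the sender address `136.143.188.12` and all function names are constructed for illustration.

```powershell
# Added example: simplified model of Enhanced Filtering (not Microsoft's implementation).
# GrintOps sending ranges, copied from the quick reference on this page.
$sendingRanges = @('135.84.80.0/24', '136.143.161.0/24', '136.143.184.0/24', '136.143.188.0/24',
                   '165.173.129.0/24', '165.173.174.0/23', '165.173.180.0/24', '165.173.182.0/24')

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted quad -> integer, most significant octet first.
    $n = [long]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $octet }
    $n
}

function Test-IPv4InCidr ([string]$Ip, [string]$Cidr) {
    $net, $len = $Cidr -split '/'
    $size = [long][math]::Pow(2, 32 - [int]$len)          # addresses in the block
    $ipN  = ConvertTo-IPv4Number $Ip
    $netN = ConvertTo-IPv4Number $net
    ($ipN - $ipN % $size) -eq ($netN - $netN % $size)     # same block start => inside the range
}

function Get-ReceivedChain ([string[]]$ReceivedHeaders) {
    # First bracketed IPv4 literal in each header, order preserved (newest hop first).
    foreach ($h in $ReceivedHeaders) {
        if ($h -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $Matches[1] }
    }
}

function Resolve-FilteredSourceIP {
    param(
        [string[]]$Chain,            # hop IPs, newest first; $Chain[0] is the connecting IP
        [switch]$SkipLastIP,         # models "Automatically detect and skip the last IP address"
        [string[]]$SkipIPs = @()     # models "Skip these IP addresses that are associated with the connector"
    )
    if ($SkipIPs.Count -gt 0) {
        # Walk back through the chain until an IP that is not a listed relay is found.
        return $Chain | Where-Object { $_ -notin $SkipIPs } | Select-Object -First 1
    }
    if ($SkipLastIP -and $Chain.Count -gt 1) { return $Chain[1] }
    $Chain[0]
}

# Constructed Received headers, newest first: Microsoft 365 <- relay 2 <- relay 1 <- sender.
$received = @(
    'from relay2.example.net (relay2.example.net [198.51.100.25]) by mx.m365.example with ESMTPS; Thu, 17 Jul 2025 10:00:03 +0000',
    'from relay1.example.net (relay1.example.net [198.51.100.10]) by relay2.example.net with ESMTPS; Thu, 17 Jul 2025 10:00:02 +0000',
    'from mail.sender.example (mail.sender.example [136.143.188.12]) by relay1.example.net with ESMTPS; Thu, 17 Jul 2025 10:00:01 +0000'
)
$chain = @(Get-ReceivedChain $received)

$cases = [ordered]@{
    'No enhanced filtering' = Resolve-FilteredSourceIP -Chain $chain
    'Skip last IP'          = Resolve-FilteredSourceIP -Chain $chain -SkipLastIP
    'Skip listed relay IPs' = Resolve-FilteredSourceIP -Chain $chain -SkipIPs '198.51.100.25', '198.51.100.10'
}

foreach ($name in $cases.Keys) {
    $ip  = $cases[$name]
    $hit = @($sendingRanges | Where-Object { Test-IPv4InCidr $ip $_ })
    '{0,-22} source={1,-15} in allowlisted range: {2}' -f $name, $ip, ($hit.Count -gt 0)
}
```

With two relays in the path, only the explicit skip list reaches the original sender, which is the multi-relay case the second option in step 3 exists for.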

**Important:** Once Skiplisting is implemented, you still need to implement **[Allowlisting within Microsoft 365](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-use-m365-defender-to-allow-a-phishing-simulation)**. Additionally, if you're using a third-party secure email gateway, you also need to implement allowlisting within the third-party gateway! Please see our **[Allowlisting Introduction](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-introduction)** for a detailed list of allowlisting guidance for dozens of different third-party secure email gateway vendors.

If you run into any issues, please feel free to contact the GrintOps team for support!

# Email Allowlisting - Bypass Safe Link/Attachment Processing of M365 Advanced Threat Protection (ATP)

In order for GrintOps emails to function correctly, there are two sections that require additional rules to bypass Microsoft's Advanced Threat Protection system.

- [Step 1. Bypass ATP Attachments Scanning](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-1.-bypass-atp-a-1)
- [Step 2. Bypass ATP Safe Link Scanning](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-bypass-atp-s)
    - [Defender for Office 365 Plan 1 - ATP Link Bypass Rule](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-plan-1---mai)
    - [Defender for Office 365 Plan 2 - ATP Link Rewriting Bypass Rule](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-plan-2---thr)

*Note: As a precaution, we recommend waiting 1 hour after enabling these bypass policies to begin testing.*

## Step 1. Bypass ATP Attachments Scanning

To bypass **ATP Attachment Processing,** set up the following mail flow rule:

1. Log into the Microsoft 365 (formerly Office 365) portal and select "**Admin centers**" &gt; "**Exchange**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690664861327)
2. Select "**Mail flow**" to expand the settings menu then select "**Rules**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690679496847)
3. Click "**Add a rule**".  
    ![ATP - Attachment Bypass Rule - IP addresses - New Rule.png](https://help.caniphish.com/hc/article_attachments/10060859811471)
4. Click "**Create a new rule**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690657754127)
5. Give the rule a name, e.g., "**Bypass ATP Attachment Processing - IP Address**".  
    [![mceclip0 (1).png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/mceclip0-1.png)](https://help.grintops.com/uploads/images/gallery/2025-07/mceclip0-1.png)
6. Under "Apply this rule if" select "**The Sender...**" **&gt;** "**IP address is in any of these ranges or exactly matches**"  
    [![mceclip1.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/vYxmceclip1.png)](https://help.grintops.com/uploads/images/gallery/2025-07/vYxmceclip1.png)
7. Then enter each of the GrintOps IP addresses, clicking the "**Add**" button for each. (A complete list of our IP addresses can be found **[here](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-quick-reference-ips-urls)**.) Then hit "**Save**".  
    [![mceclip2.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/mceclip2.png)](https://help.grintops.com/uploads/images/gallery/2025-07/mceclip2.png)
8. Under "\*Do the following" select "**Modify the message properties...**" &gt; "**set a message header**".  
    [![WhatsApp Image 2025-07-17 at 22.50.58_cceff991.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-22-50-58-cceff991.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-22-50-58-cceff991.jpg)
9. Edit the properties of this by selecting the "**Enter text**" buttons:  
    ![](https://help.caniphish.com/hc/article_attachments/7690854830351)  
      
    Use the following entries:  
    Set the message header to "**X-MS-Exchange-Organization-SkipSafeAttachmentProcessing**" and set the value to "**1**". **![](https://help.caniphish.com/hc/article_attachments/7690860824207)**
10. Click "**Next**".
11. Leave all settings in "**Set rule settings**" as their default values and click "**Next**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690870091663)
12. Review your settings and click "**Finish**".  
    [![WhatsApp Image 2025-07-17 at 22.37.35_f530fe42.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-22-37-35-f530fe42.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-22-37-35-f530fe42.jpg)

## Step 2. Bypass ATP Safe Link Scanning

<span style="color: rgb(224, 62, 45);">**<span class="wysiwyg-color-red">Note: The next rule to implement is dependent on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.</span>**</span>

- **If you use Plan 1**, please ONLY implement the [**Mail Flow Rule (ATP Link Bypass)**](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-plan-1---mai).
- **If you use Plan 2**, please ONLY implement the **[Threat Policy (Safe Link Bypass)](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-plan-2---thr)**.

**Do not implement BOTH rules below as they will interfere with each other.**

<span class="wysiwyg-font-size-medium">If you do not know which Defender plan you have, simply follow the guide for **[Plan 2](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-plan-2---thr).** If the **Safe Links** policy (on step 4) is **not available**, you have **[Plan 1](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp-ezN#bkmrk-step-2.-plan-1---mai).**</span>

### Step 2. Plan 1 - Mail Flow Rule (ATP Link Bypass)

To bypass **ATP Link Processing,** set up the following mail flow rule:

1. Log into the Microsoft 365 (formerly Office 365) portal and select "**Admin centers**" &gt; "**Exchange**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690664861327)
2. Select "**Mail flow**" to expand the settings menu then select "**Rules**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690679496847)
3. Click "**Add a rule**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690665956495)
4. Click "**Create a new rule**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690657754127)
5. Give the rule a name, e.g. "**Bypass ATP Link Processing - GrintOps IP Address**".  
    [![mceclip0 (1).png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/Wvrmceclip0-1.png)](https://help.grintops.com/uploads/images/gallery/2025-07/Wvrmceclip0-1.png)
6. Under "Apply this rule if" select "**The Sender**" **&gt;** "**IP address is in any of these ranges or exactly matches**".  
    [![WhatsApp Image 2025-07-17 at 22.46.50_1ae896ca.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-22-46-50-1ae896ca.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-22-46-50-1ae896ca.jpg)
7. Then enter each of the GrintOps IP addresses, clicking the "**Add**" button for each. (A complete list of our IP addresses can be found **[here](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-quick-reference-ips-urls)**.) Then hit "**Save**".  
    [![mceclip2.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/RiCmceclip2.png)](https://help.grintops.com/uploads/images/gallery/2025-07/RiCmceclip2.png)
8. Under "\*Do the following" select "**Modify the message properties...**" &gt; "**set a message header**".  
    [![WhatsApp Image 2025-07-17 at 22.43.47_6d1bfc05.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-22-43-47-6d1bfc05.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-22-43-47-6d1bfc05.jpg)
9. Edit the properties of this by selecting the "**Enter text**" buttons:  
    ![](https://help.caniphish.com/hc/article_attachments/7690716690959)  
      
    Use the following entries:  
    Set the message header to "**X-MS-Exchange-Organization-SkipSafeLinksProcessing**" and set the value to "**1**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690717134095)
10. Click "**Next**".
11. Leave all settings in "**Set rule settings**" as their default values and click "**Next**".  
    ![](https://help.caniphish.com/hc/article_attachments/7690717646351)
12. Review your settings and click "**Finish**".  
    [![WhatsApp Image 2025-07-17 at 22.37.35_bdae2dc8.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-22-37-35-bdae2dc8.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-22-37-35-bdae2dc8.jpg)
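The two mail flow rules above (Step 1 and the Plan 1 link rule) can also be expressed in Exchange Online PowerShell and then audited for scope. This is an added example, not GrintOps' own tooling: the function names, the placeholder IP ranges and the /24 review threshold are assumptions, and the creation calls run with `-WhatIf` so nothing changes until that switch is removed.

```powershell
# Added example, not GrintOps' own tooling. Requires the ExchangeOnlineManagement
# module; run Connect-ExchangeOnline first with an account that manages mail flow.

# PLACEHOLDERS (RFC 5737 documentation ranges). Replace with the sender IPs from
# the vendor's quick-reference page before creating any rule.
$SimulationSenderIps = @('192.0.2.10', '198.51.100.0/28')

function New-SkipProcessingRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)]
        [ValidateSet('X-MS-Exchange-Organization-SkipSafeAttachmentProcessing',
                     'X-MS-Exchange-Organization-SkipSafeLinksProcessing')]
        [string] $HeaderName,
        [Parameter(Mandatory)][string[]] $SenderIpRanges
    )
    # Same condition and action as the portal steps: match the sender IP,
    # then set the named header to 1.
    if ($PSCmdlet.ShouldProcess($Name, "Create mail flow rule that sets $HeaderName")) {
        New-TransportRule -Name $Name -SenderIpRanges $SenderIpRanges `
            -SetHeaderName $HeaderName -SetHeaderValue '1'
    }
}

function Get-SkipProcessingRuleAudit {
    # Lists every rule that sets a Skip-Safe-* header and flags weak scoping.
    param([int] $MinIPv4Prefix = 24)   # assumed review threshold, adjust to your policy
    Get-TransportRule |
        Where-Object { $_.SetHeaderName -like 'X-MS-Exchange-Organization-SkipSafe*Processing' } |
        ForEach-Object {
            $rule   = $_
            $ranges = @($rule.SenderIpRanges | Where-Object { $_ } | ForEach-Object { "$_" })
            # IPv4 CIDR entries wider than the threshold deserve a second look.
            $broad  = @($ranges | Where-Object {
                $_ -match '^\d{1,3}(\.\d{1,3}){3}/(\d{1,2})$' -and
                [int]$Matches[2] -lt $MinIPv4Prefix
            })
            [pscustomobject]@{
                Name                = $rule.Name
                State               = $rule.State
                Header              = $rule.SetHeaderName
                Value               = $rule.SetHeaderValue
                SenderIpRanges      = $ranges -join ', '
                NoSenderIpCondition = ($ranges.Count -eq 0)   # bypass not tied to a sender IP
                BroadRanges         = $broad -join ', '
            }
        }
}

# Dry run: -WhatIf prints what would be created without changing the tenant.
New-SkipProcessingRule -Name 'Bypass ATP Attachment Processing - IP Address' `
    -HeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' `
    -SenderIpRanges $SimulationSenderIps -WhatIf

# Plan 1 only. Plan 2 tenants use the Safe Links threat policy instead.
New-SkipProcessingRule -Name 'Bypass ATP Link Processing - GrintOps IP Address' `
    -HeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' `
    -SenderIpRanges $SimulationSenderIps -WhatIf

# Review every bypass rule in the tenant, including ones created earlier by hand.
Get-SkipProcessingRuleAudit | Format-Table -AutoSize
```

Re-run the audit whenever the vendor's IP list changes, and remove ranges that are no longer listed so the bypass stays limited to current simulation senders.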

### Step 2. Plan 2 - Threat Policy (Safe Link Bypass)

1. Visit your **Microsoft 365 Admin Center** and click "**Security**" to open the **Microsoft 365 Defender** page.
2. Click "**Policies &amp; rules**" **&gt;** "**Threat policies**"  
    ![](https://help.caniphish.com/hc/article_attachments/6676244903055)
3. Click **Safe Links**   
    ![](https://help.caniphish.com/hc/article_attachments/6676245464207)
4. Either select the existing ATP Link Policy and click "**Edit policy**", or click the "**Create**" button to make a new one and give it a descriptive name (e.g. GrintOps Safe Link Bypass). Once done, click Next.  
    [![WhatsApp Image 2025-07-17 at 22.38.19_a097b961.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-22-38-19-a097b961.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-22-38-19-a097b961.jpg)
5. Ensure the policy includes all employees within your organisation. If you have a group that can be used for this, then select the group or simply select the domain that your employees have all their email addresses under (as shown in the example below). Once done, click Next.  
    [![mceclip4.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/mceclip4.png)](https://help.grintops.com/uploads/images/gallery/2025-07/mceclip4.png)
6. Leave all items as default but select the Manage 0 Urls hyperlink under the "Do not rewrite URLs..." field. Then click to add URLs:  
    ![](https://help.caniphish.com/hc/article_attachments/6676285281935)
7. Finally, in the "**Do not rewrite the following URLs**" section, add the domains that GrintOps uses for phishing landing pages. Please see our [Allowlisting - Quick Reference](https://help.grintops.com/books/phishing-simulation-as-a-service-psaas/page/email-allowlisting-quick-reference-ips-urls) article for a full list of our landing page domains. Each landing page domain needs to be added.  
    Note: Each domain must be added using the format **\*.\[rootdomain\]/\***, so if you are adding the domain "office365-webnotif.com", you need to enter **\*.office365-webnotif.com/\***

**The following are examples of phishing website domains:**

```
office365-webnotif.com
office365-webnotif.site
miro-apps.online
hukum0nline.com
slack-apps.online
github-apps.online
koprabymandri.com
```

Click Next and then select **Submit**. And you're all done! These changes may take up to an hour to take effect.
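The "Do not rewrite" entries from step 7 can also be added and then read back with Exchange Online PowerShell. This is an added example, not GrintOps' own tooling: it assumes the Safe Links policy from step 4 already exists under the page's example name, it uses only the example domains quoted above, and `ConvertTo-DoNotRewriteEntry` is a hypothetical helper.

```powershell
# Added example. Requires the ExchangeOnlineManagement module; run
# Connect-ExchangeOnline first. The policy name is the example name from step 4.
$PolicyName = 'GrintOps Safe Link Bypass'

# Example landing-page domains quoted on this page; use the vendor's full list.
$LandingDomains = @(
    'office365-webnotif.com', 'office365-webnotif.site', 'miro-apps.online',
    'hukum0nline.com', 'slack-apps.online', 'github-apps.online', 'koprabymandri.com'
)

function ConvertTo-DoNotRewriteEntry {
    # Hypothetical helper: turns a bare root domain into the *.[rootdomain]/* format.
    param([Parameter(Mandatory)][string[]] $Domain)
    foreach ($d in $Domain) {
        $name = $d.Trim().ToLowerInvariant()
        # Accept only a bare host name with at least two labels: no scheme, path,
        # port or wildcard, so a pasted URL or typo cannot become a broad entry.
        if ($name -notmatch '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$') {
            throw "Not a bare domain name: '$d'"
        }
        "*.$name/*"
    }
}

$entries = @(ConvertTo-DoNotRewriteEntry -Domain $LandingDomains | Sort-Object -Unique)

# Add only what is missing, leaving any existing entries on the policy untouched.
$current = @((Get-SafeLinksPolicy -Identity $PolicyName).DoNotRewriteUrls)
$missing = @($entries | Where-Object { $_ -notin $current })
if ($missing.Count -gt 0) {
    Set-SafeLinksPolicy -Identity $PolicyName -DoNotRewriteUrls @{ Add = $missing }
}

# Read the policy back: anything exempt from rewriting that is not on the
# expected list is reported for review.
$after = @((Get-SafeLinksPolicy -Identity $PolicyName).DoNotRewriteUrls)
[pscustomobject]@{
    Policy       = $PolicyName
    Added        = $missing -join ', '
    StillMissing = @($entries | Where-Object { $_ -notin $after }) -join ', '
    Unexpected   = @($after   | Where-Object { $_ -notin $entries }) -join ', '
}
```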

# Platform White-Labelling

White-labelling GrintOps is designed to be fast and easy. By white-labelling, you'll be able to use your own domain, logos, banners and hide any GrintOps specific content.

This article will guide you through the various steps involved to get GrintOps fully white-labelled:

- [**Getting Started**](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-getting-started "Getting Started")
- **[Initial Setup &amp; Domain Mapping](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-initial-setup-%26-doma)**
- **[Configure DNS Settings](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-configure-dns-settin)**
- **[Configure Platform Appearance](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-configure-platform-a)**
- **[Review &amp; Save](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-review-%26-publish)**
- [**Allowlisting**](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-allowlisting)
- **[Try it out!](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling#bkmrk-try-it-out%21)**

## Getting Started

To get started you need an active GrintOps account with Administrative privileges (if you don't have an active account, **click here** to get started).

1\. Log in to your GrintOps account and navigate to the Platform Settings page

2\. Go to **Appearance Settings &gt; White-Label Configuration** and toggle the switch from 'No' to 'Yes'

![](https://help.caniphish.com/hc/article_attachments/11393017889039)

3\. Click Configure

## Initial Setup &amp; Domain Mapping

4\. Input the Domain Name and Brand Name you want your users to see. Additionally, choose whether to hide any GrintOps branded resources

<span class="wysiwyg-font-size-medium"><label class="mb-0">**Domain Mapping:** Use this setting to map your own domain name to our platform. For example, if you input <u>training.mybusiness.com</u>, your users can use this domain instead of grintops.com to access our platform. When you click 'Next', we'll dynamically generate the DNS records required to set this domain up.</label></span>  
<span class="wysiwyg-font-size-medium"><label class="mb-0">**Brand Name:** Any references to the brand 'GrintOps' will be replaced with your brand name. This will be displayed in reports, notifications and various other locations.</label></span>  
<span class="wysiwyg-font-size-medium"><label>**GrintOps Branded Resources:** Includes links to the Knowledge Base, Video Walkthroughs and the Live Chat Widget.</label></span>

[![WhatsApp Image 2025-07-17 at 23.53.11_ac620d59.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-53-11-ac620d59.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-53-11-ac620d59.jpg)

5\. Click Next

## Configure DNS Settings

6\. GrintOps will dynamically generate the DNS records required to set up white-labelling. These records will need to be placed on your DNS server and **it may take up to 5 minutes before we can verify this**. Click 'Validate Records' to have GrintOps attempt to validate that these records exist. Once all records have a Status of Verified, you can proceed by clicking Next.

<span class="wysiwyg-font-size-medium">**CNAME Records #1-2:** Point the mapped domain to GrintOps web servers. When users type the domain into their browser, they'll connect to GrintOps infrastructure.  
**CNAME Record #3:** GrintOps will generate a publicly signed certificate for the mapped domain. When users connect to your white-labelled domain, GrintOps will present a trusted certificate.</span>

[![WhatsApp Image 2025-07-17 at 23.54.33_a6e2476f.jpg](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/whatsapp-image-2025-07-17-at-23-54-33-a6e2476f.jpg)](https://help.grintops.com/uploads/images/gallery/2025-07/whatsapp-image-2025-07-17-at-23-54-33-a6e2476f.jpg)

## Configure Platform Appearance

7\. Upload your own branded logos, banners and favicon to customise the appearance of GrintOps. Simply choose a file on your desktop, select the relevant dropdown depending on the image type and click the Upload button. Do this for every image type to ensure only your own branded images are shown. Click Next once complete.

![mceclip6.png](https://help.caniphish.com/hc/article_attachments/5289755404943)

![mceclip7.png](https://help.caniphish.com/hc/article_attachments/5289814350607)

## Review &amp; Publish

8\. Check that all the information provided is correct and click Publish.

<span class="wysiwyg-font-size-medium">**Technical Note:** You may experience issues where your browser displays a certificate error when browsing to the newly configured white-label. This issue is due to your browser caching certificates that are trusted by CAs and is typically alleviated within 5-10 minutes. In some cases it can take up to an hour. To try and get around this, you can use a browser that you don't normally use (which will receive an update of trusted certificates upon load).</span>

## Allowlisting

Once white-labelling has been set up, please ensure you update your allowlisting settings. GrintOps will begin using the white-labelled domain for the delivery of notifications, scheduled reports and security awareness training material. These emails will appear to come from:

- &lt;insert-white-labelled-domain&gt; (e.g. training.example.com)
- learn.&lt;insert-white-labelled-domain&gt; (e.g. learn.training.example.com)

Please see our [**allowlisting guidance**](https://help.grintops.com/books/psaas-allowlisting/page/allowlisting-quick-reference-ips-urls) to ensure these domains are added where necessary to the existing allowlisted domain.

## Try it out!

9\. Type the domain mapped during the white-labelling setup into your browser's URL address bar and begin using your white-labelled version of GrintOps!

An example of a white-labeled account login page for a brand called "Cloud Support Help"

An example of a white-labeled GrintOps account for a brand called "Cloud Support Help"

An example of a white-labeled learner dashboard for a brand called "Cloud Support Help"

[![image.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/URDimage.png)](https://help.grintops.com/uploads/images/gallery/2025-07/URDimage.png)

An example of the default educational page after a user falls for a phishing email for a brand called "Cloud Support Help"

## Frequently Asked Questions

**Will my customers see GrintOps pricing and subscription plans once white-labelling is set up?**

No. The only user who will see links to our pricing and checkout pages will be the Platform Super Admin; any lower-privileged roles (i.e. Platform Admin/User/Reporter) will have these links hidden.

**Is there anything that can't be white-labelled?**

Yes. We cannot white-label certain things within our platform - for example, our Knowledgebase cannot be white-labelled. If something cannot be white-labelled, then we hide it from view for any users who are not Platform Super Admins.

**I have multiple customers with multiple GrintOps accounts. Do I need to set up white-labelling each time I onboard a new customer?**

No. We have built-in functionality on the Customer Management Page which allows you to seamlessly duplicate the white-labelled configuration you've set up on one customer tenant to another customer tenant, speeding up onboarding.

# Microsoft 365 Direct Email Injection (For White-Labelled Tenants) - Setup Guide

GrintOps can integrate directly with Microsoft 365 through the Graph API. Using this API we can inject simulated phishing and notification emails directly into employee inboxes using a technique known as Direct Email Injection (DMI for short), bypassing the need for traditional email allowlisting!

**Important Note:** This guide should only be followed if you **have** set up **[platform white-labeling](https://help.grintops.com/books/psaas-allowlisting/page/platform-white-labelling)**. If you haven't, please follow this **[setup guide](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-direct-email-injection-setup-guide).** Additionally, please ensure you're accessing GrintOps through your white-labelled domain (there is server-side logic which determines which DMI integration to present, based on the domain in-use).

**Table of Contents**

- [**Step 1. Create An App Registration In Microsoft**](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-direct-email-injection-for-white-labelled-tenants-setup-guide#bkmrk-step-1.-create-an-ap-1)
- [**Step 2. Configure Direct Email Injection In GrintOps**](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-direct-email-injection-for-white-labelled-tenants-setup-guide#bkmrk-step-2.-configure-di)
- [**Frequently Asked Questions**](https://help.grintops.com/books/psaas-allowlisting/page/microsoft-365-direct-email-injection-for-white-labelled-tenants-setup-guide#bkmrk-frequently-asked-que)

## **Step 1. Create An App Registration In Microsoft**

1.1. Login to the Microsoft Azure account linked to your Microsoft 365 Tenant: [https://portal.azure.com/](https://portal.azure.com/)

1.2. In the search bar at the top of the page, search for "App registrations" and click on the corresponding Service.  
![](https://help.caniphish.com/hc/article_attachments/10740845223311)

1.3. Click "New Registration" to create a new App Registration:

**![](https://help.caniphish.com/hc/article_attachments/10740845224207)**

1.4. Provide the app with a unique and distinguishable name (e.g. GrintOps DMI Connector), leave the other options on their default setting (as shown below) and then click the **Register** button:  
![](https://help.caniphish.com/hc/article_attachments/10740849322767)

1.5. While on the Overview page, copy the Application ID and Tenant ID values to your clipboard or a text editor as you'll need them later:

![](https://help.caniphish.com/hc/article_attachments/10740909999887)

1.6. Click on the "Manage" &gt; "API permissions" tab on the left:

![](https://help.caniphish.com/hc/article_attachments/10741110667535)

1.7. Click the "Add a permission" button:  
![](https://help.caniphish.com/hc/article_attachments/10741063548943)

1.8. Click the "Microsoft Graph" API:  
![](https://help.caniphish.com/hc/article_attachments/10741063549199)

1.9. Click "Application permissions":  
![](https://help.caniphish.com/hc/article_attachments/10741063549839)

1.10. In the search box type in: "Mail.ReadWrite" and then expand the "Mail" permission, selecting the "Mail.ReadWrite" permission.

![](https://help.caniphish.com/hc/article_attachments/10742706513423)

1.11. Now, change the search to look for: "User.Read.All" and then expand the "User" permission, selecting the "User.Read.All" permission.

![](https://help.caniphish.com/hc/article_attachments/10742689952783)

1.12. Click the "Add permissions" at the bottom of the page to add the two permissions we've selected:  
![](https://help.caniphish.com/hc/article_attachments/10742689953295)

1.13. Confirm that both the permissions appear in the API Permissions table:

![](https://help.caniphish.com/hc/article_attachments/10742706514191)

1.14. You'll notice that a warning dialog appears next to each permission, indicating that admin consent hasn't yet been granted. Admin consent is required for these permissions to work. Click the "Grant admin consent..." button directly above the table. Afterwards, you'll notice the Status will indicate access has been granted.  
![](https://help.caniphish.com/hc/article_attachments/10742689954447)

1.15. Now change to the "Manage" &gt; "Certificates &amp; secrets" tab:

![](https://help.caniphish.com/hc/article_attachments/10742706514831)

1.16. Click the "New client secret" button:

![](https://help.caniphish.com/hc/article_attachments/10742706514959)

1.17. In the dialog that appears on the right of your screen, provide the secret with a descriptive name (e.g. "GrintOps DMI Connector Secret") and an expiration date - we recommend the maximum of 730 days (upon expiration you need to provision a new secret). Then click "Add":

![](https://help.caniphish.com/hc/article_attachments/10742689955343)

1.18. Your secret will now appear in the Client secrets table. Copy the Value of your newly created secret to your clipboard or text editor:

![](https://help.caniphish.com/hc/article_attachments/10742689955471)
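Once Step 1 is complete, the app registration can be checked from Microsoft Graph PowerShell to confirm it holds exactly the two application permissions from steps 1.10 and 1.11 and to see when the client secret from step 1.17 expires. This is an added example, not GrintOps' own tooling: `Get-DmiAppAudit`, the placeholder Application ID and the 30-day warning window are assumptions.

```powershell
# Added example. Requires the Microsoft.Graph.Applications module; run
# Connect-MgGraph -Scopes 'Application.Read.All' first.

$AppId    = '00000000-0000-0000-0000-000000000000'   # PLACEHOLDER: Application ID from step 1.5
$Expected = @('Mail.ReadWrite', 'User.Read.All')      # permissions from steps 1.10 and 1.11

function Get-DmiAppAudit {
    # Hypothetical helper: compares granted application permissions with the
    # expected set and lists client secret expiry dates.
    param(
        [Parameter(Mandatory)][string]   $AppId,
        [Parameter(Mandatory)][string[]] $Expected,
        [int] $WarnDays = 30   # assumed warning window before a secret expires
    )

    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for application $AppId" }

    # Application permissions show up as app role assignments on the service
    # principal, and only after admin consent has been granted (step 1.14).
    $granted = @(
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            [pscustomobject]@{ Api = $resource.DisplayName; Permission = $role.Value }
        }
    )

    # Client secrets live on the application object, not the service principal.
    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    $secrets = @(
        foreach ($c in $app.PasswordCredentials) {
            $daysLeft = [math]::Floor(($c.EndDateTime - [datetime]::UtcNow).TotalDays)
            [pscustomobject]@{
                Name         = $c.DisplayName
                Expires      = $c.EndDateTime
                DaysLeft     = $daysLeft
                ExpiringSoon = ($daysLeft -le $WarnDays)
            }
        }
    )

    [pscustomobject]@{
        Application = $sp.DisplayName
        Granted     = $granted
        # Expected but not consented: the integration test in Step 2 would fail.
        Missing     = @($Expected | Where-Object { $_ -notin $granted.Permission })
        # Consented but not in the guide: review and remove if not needed.
        Extra       = @($granted | Where-Object { $_.Permission -notin $Expected })
        Secrets     = $secrets
    }
}

$report = Get-DmiAppAudit -AppId $AppId -Expected $Expected
$report.Granted | Format-Table -AutoSize
$report.Secrets | Format-Table -AutoSize
"Missing: $($report.Missing -join ', ')"
"Extra:   $($report.Extra.Permission -join ', ')"
```

The check covers application permissions only; delegated permission grants, which this guide does not use, are not listed.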

## Step 2. Configure Direct Email Injection In GrintOps

2.1. Log in to your GrintOps account and navigate to the **[Email Delivery Providers](https://caniphish.com/User/MailServices)** page. This can be found in **Platform Settings &gt; Email Delivery Settings**

2.2. Click on the **New Integration** button for the "Microsoft 365 Direct Email Injection" integration:

![](https://help.caniphish.com/hc/article_attachments/10742781985295)

2.3. In the popup that appears, enter the following values and then click **Save**:

- Integration Name: Provide a unique and distinguishable name for this integration (e.g. "M365 DMI Connector")
- Application ID: Paste the value that you copied in Step 1.5.
- Tenant ID: Paste the value that you copied in Step 1.5.
- Client Secret: Paste the value that you copied in Step 1.18.

![](https://help.caniphish.com/hc/article_attachments/10742781985679)

2.4. The newly created Integration should now appear in the Mail Integrations table. Test that the integration is functioning by clicking the "Test DMI Connectivity" button:

![](https://help.caniphish.com/hc/article_attachments/10742781986063)

2.5. In the popup that appears, enter the email address that you would like a test email to be sent to, and then click the Test Connectivity button. This test will confirm that GrintOps has sufficient privileges to insert emails into user account inboxes, and also that the provided email address can be located within the linked Microsoft 365 account.

![](https://help.caniphish.com/hc/article_attachments/10742781986319)

2.6. If you're presented with a success notification, you're all done! As a final and optional step, you can set the new integration to be your default mail server. This means it will be selected by default whenever a new phishing campaign is created.

![](https://help.caniphish.com/hc/article_attachments/10742781986575)

**Important Note: If you use M365 Safe Link/Attachment Processing, you'll need to implement rules to bypass this scanning. Please see our [Bypass Safe Link/Attachment Processing for M365](https://help.grintops.com/books/psaas-allowlisting/page/email-allowlisting-bypass-safe-linkattachment-processing-of-m365-advanced-threat-protection-atp) knowledgebase article.**

## Frequently Asked Questions

**What happens if a user doesn't exist within the Microsoft 365 Tenant?**

If the user is sent a simulated phishing email, an error will appear next to their email address within the affected campaign, making a note of the issue. If the user is sent a notification, then a fallback to use GrintOps email servers will occur to ensure the notification is still sent.

# Website Allowlisting

Allowlist phishing websites used for phishing simulations.

# Phishing Website Allowlisting Introduction

GrintOps invests significant effort into ensuring our phishing websites work without issue. However, depending on the security tools in use, specific issues may arise when attempting to use our phishing websites for simulated phishing purposes.

In the list below, we outline some of the security solutions that may be in-use and whether any allowlisting is needed:

- Google Safe Browsing: **No action required**
- Microsoft Smart Screen: **No action required**
- Microsoft Defender for Endpoint (Web Protection): [**Allowlisting required**](https://help.grintops.com/books/psaas-allowlisting/page/allowlist-phishing-websites-in-microsoft-defender-for-endpoint)
- McAfee/Trellix Web Control: **No action required**
- Palo Alto Networks PAN-OS And Prisma Access: **Allowlisting required**
- Sophos Web Protection: **Allowlisting required**
- Cisco Umbrella: **Allowlisting required**
- Fortinet FortiGate: **Allowlisting required**
- VIPRE Endpoint Security: **Allowlisting recommended**

If you're using a web filtering solution outside those listed above, and you're experiencing issues, please **[contact the GrintOps team](https://grintops.com/contact-us/)**.

# Allowlist Phishing Websites in Microsoft Defender for Endpoint

If your organization uses Microsoft Defender for Endpoint, Microsoft Defender XDR, or other **[Microsoft Web Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide)** products, your employees may experience issues with loading our simulated phishing websites.

Either a red blocked screen or a small pop-up from Windows Defender may appear when attempting to load our simulated phishing websites.

**Windows Defender Blocked Popup**

![](https://help.caniphish.com/hc/article_attachments/9527345306255)

**Microsoft SmartScreen Blocked Screen**

![mdefender-red.png](https://help.caniphish.com/hc/article_attachments/7269043196303)

Access is blocked because of the category Microsoft has marked these domains under. To allowlist GrintOps phishing websites, please follow the guide below.

## Allowlisting GrintOps Phishing Websites

It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.

To define a custom indicator, follow these steps:

1. In the Microsoft Defender portal, go to Settings &gt; Endpoints &gt; Indicators &gt; URL/Domain &gt; Add Item. (Or click here - [https://security.microsoft.com/securitysettings/endpoints/custom\_ti\_indicators?childviewid=url](https://security.microsoft.com/securitysettings/endpoints/custom_ti_indicators?childviewid=url))  
    ![](https://help.caniphish.com/hc/article_attachments/9527298310671)
2. **The following are examples of GrintOps phishing website domains to be added under the "Manage URLs to Not Rewrite" section.** One by one, enter the following GrintOps phishing website domains with an expiration of your choosing, ensuring the "Allow" action is specified for all devices in your organization:

    [![Screenshot 2025-07-17 113630.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/oZAscreenshot-2025-07-17-113630.png)](https://help.grintops.com/uploads/images/gallery/2025-07/oZAscreenshot-2025-07-17-113630.png)

**![](https://help.caniphish.com/hc/article_attachments/9527345309327)  
![](https://help.caniphish.com/hc/article_attachments/9527298315663)**

[![mceclip6.png](https://help.grintops.com/uploads/images/gallery/2025-07/scaled-1680-/mceclip6.png)](https://help.grintops.com/uploads/images/gallery/2025-07/mceclip6.png)

All done! It takes time for Microsoft to propagate these changes, so please wait 1-2 hours for this policy to take effect.