HowTo: Avanan Allow-Listing in Microsoft O365

This HowTo article explains how to configure Avanan’s Allow Listing rules to allow Attack Phishing tests to reach end users in Microsoft O365 environments.

Warning: CyberHoot supports fake email Attack-Phishing for customers.  Please keep in mind this approach uses negative reinforcement to reduce click rates in employees.  To be successful, always pair with Positive Reinforcement, educational, and realistic HootPhish phishing simulations for the best Affect and Effect on end users.

1. Access the Microsoft Security Dashboard for the client (can be done via CIPP), and follow the steps at this link https://cyberhoot.com/howto/howto-whitelist-by-x-header-in-exchange-2013-2016-or-microsoft-365/ but use the IP’s and domains below.  Please Note: You do NOT need the “url” section mentioned at the link

IP Address’s to Allow:
3.212.253.236/32
34.235.208.123/32
44.209.10.205/32
52.200.160.242/32
54.164.218.52/32
54.240.125.36/32
54.240.125.37/32

Domain Names to Allow:
cyberhoot.com
ch-security-alert.com
ch-password-reset.com
ch-login-created.com
ch-contact-us.com
ch-account-2fa.com

For a detailed view of the Avanan screens, see the images on the next page.

2. Connection Filter Allow

Next you will want to add these IP’s instead (always leave Avanan IPs)

3.212.253.236/32
34.235.208.123/32
44.209.10.205/32
52.200.160.242/32
54.164.218.52/32
54.240.125.36/32
54.240.125.37/32

Mail Flow Rule for Avanan

1. Log into ADMIN.MICROSOFT.COM -> eXCHANGE PORTAL
2. Create a New Exchange Mail flow Rule ABOVE Avanan Protect named “Avanan Cyberhoot (IPs)”
3. Sender ip addresses belong to one of these ranges: ‘54.240.125.36/32’ or ‘54.240.125.37/32’

YOU HAVE TO CHANGE THE VALUE TO MATCH THE AVANAN PORTAL IP – e.g. tenantname becomes <shortname>  for <Tenant Full Name> — set message header ‘X-CLOUD-SEC-AV-INFO’ with the value ‘tenantname,google_mail,inline’ 

3. Enable and Stop Processing more Rules as shown below.

4. Click on Rule

5. Edit Settings

6. Change Priority to 0

7. Save. The rule should now be at the top

8. Click on rule

9. “enable or disable rule” slider to enabled.  it will now show enabled

Powershell Script for Safe Senders

1. Open powershell on your computer
2. paste in the text contained at this link: cyberhoot.com/wp-content/uploads/2023/08/PowerShell-Script-to-add-CyberHoot-Phishing-Domains-to-all-Users-Safe-Senders-Lists-4.txt
3. Click enter
4. Authenticate to the client’s m365 GA account
5. It will slowly run through a list of all their users
6. Once completed you should see PS C:WINDOWSsystem32> Write-Output “Finished!”

Sign out of the m365 account in your browser (you can go to admin.microsoft.com and sign out)