HowTo: Avanan Allow-Listing in Microsoft M365

21st June 2025 | HowTo, MSP, Platform, Technology HowTo: Avanan Allow-Listing in Microsoft M365

This HowTo article explains how to configure Avanan’s Allow Listing rules to allow Attack Phishing tests to reach end users in Microsoft M365 environments.

Warning: CyberHoot supports fake email Attack-Phishing for customers.  Please keep in mind this approach uses negative reinforcement to reduce click rates in employees.  To be successful, always pair with Positive Reinforcement, educational, and realistic HootPhish phishing simulations for the best Affect and Effect on end users.

1. Access the Microsoft Security Dashboard for the client (can be done via CIPP), and follow the steps at this link https://cyberhoot.com/howto/howto-whitelist-by-x-header-in-exchange-2013-2016-or-microsoft-365/ but use the IP’s and domains below.  Please Note: You do NOT need the “url” section mentioned at the link

IP Address’s to Allow:
23.20.251.170/32
52.7.191.238/32
52.6.6.155/32
18.213.175.22/32
18.210.65.168/32
54.159.125.85/32
54.225.129.23/32
3.234.113.11/32
54.175.87.114/32

Domain Names to Allow:
docunotice.com
messagecenters.net
securedinbox.net
notificationhub.net
secure-access.info
login-updates.com
updateportals.com
accountverifies.com
auth-check.page

For a detailed view of the Avanan screens, see the images on the next page.

 

2. Connection Filter Allow

Next you will want to add these IP’s instead (always leave Avanan IPs)

23.20.251.170/32
52.7.191.238/32
52.6.6.155/32
18.213.175.22/32
18.210.65.168/32
54.159.125.85/32
54.225.129.23/32
3.234.113.11/32
54.175.87.114/32

Mail Flow Rule for Avanan

  1. Log into ADMIN.MICROSOFT.COM -> eXCHANGE PORTAL
  2. Create a New Exchange Mail flow Rule ABOVE Avanan Protect named “Avanan Cyberhoot (IPs)”
  3. Sender ip addresses belong to one of these ranges: ‘54.240.125.36/32’ or ‘54.240.125.37/32’

YOU HAVE TO CHANGE THE VALUE TO MATCH THE AVANAN PORTAL IP – e.g. tenantname becomes <shortname>  for <Tenant Full Name> — set message header ‘X-CLOUD-SEC-AV-INFO’ with the value ‘tenantname,google_mail,inline’ 

 

3. Enable and Stop Processing more Rules as shown below.

4. Click on Rule

5. Edit Settings

6. Change Priority to 0

7. Save. The rule should now be at the top

8. Click on rule

9. “enable or disable rule” slider to enabled.  it will now show enabled

Powershell Script for Safe Senders

  1. Open powershell on your computer
  2. paste in the text contained at this link: PowerShell-Script-to-add-CyberHoot-Phishing-Domains-to-all-Users-Safe-Senders-Lists-5.txt
  3. Click enter
  4. Authenticate to the client’s m365 GA account
  5. It will slowly run through a list of all their users
  6. Once completed you should see PS C:WINDOWSsystem32> Write-Output “Finished!”

Sign out of the m365 account in your browser (you can go to admin.microsoft.com and sign out)

Latest Blogs

Stay sharp with the latest security insights

Discover and share the latest cybersecurity trends, tips and best practices – alongside new threats to watch out for.

The Ransomware an AI Model Built Without Trying

The Ransomware an AI Model Built Without Trying

Researchers went looking for a fake photo upscaler and found something stranger: a ransomware kit an AI model...

Read more
CyberHoot Goes Fully Passwordless: Native Passkey Support Arrives for Administrators

CyberHoot Goes Fully Passwordless: Native Passkey Support Arrives for Administrators

For four years, CyberHoot has argued the same thing on its blog: passwords are major weak link. They get reused,...

Read more
Don’t Score an Own Goal: Outsmart World Cup 2026 Scams

Don’t Score an Own Goal: Outsmart World Cup 2026 Scams

The 2026 FIFA World Cup kicked off on June 11th across the United States, Canada, and Mexico. Six million fans...

Read more