HowTo: PowerShell Script for Safe Links Configuration in M365

PowerShell Script for Safe Links Configuration in Microsoft 365

Overview

This PowerShell script configures Microsoft 365 to ensure CyberHoot phishing simulation emails are delivered correctly while keeping all real security protections fully enabled.

It addresses two required configurations:

1. Advanced Delivery
   Allows CyberHoot phishing simulation emails to bypass spam and phishing filters.
2. Safe Links
   Prevents Microsoft Defender from rewriting or pre-clicking simulation URLs, eliminating false positive click reports.

Prerequisites

System Requirements

• PowerShell
  • Windows PowerShell 5.1 or later

Permissions

• Exchange Online Administrator role

PowerShell Module

• ExchangeOnlineManagement
  The script automatically installs this module if it is missing.

Quick Start

Step 1: Download and Save the Script

1. Open the script file
   CyberHoot-M365.txt
   https://cyberhoot.com/wp-content/uploads/2026/02/CyberHoot-M365.txt
2. Copy the entire contents
   • Ctrl + A, then Ctrl + C
3. Open a text editor
   • Notepad
4. Paste the script into the editor.
5. Save the file as CyberHoot-M365.ps1
   File → Save As
   File name: “CyberHoot-M365.ps1”
   Save as type: All Files

Step 2: Run the Script

Windows

1. Open PowerShell as Administrator
2. Navigate to the folder where the script was saved:

3. cd C:\Users\YourUsername\Downloads

1. Run the script:

5. .\CyberHoot-M365.ps1 -Mode Apply -Verbose

Step 3: Authenticate

When prompted:

1. Enter your Microsoft 365 admin email
   Example: admin@company.onmicrosoft.com
2. Sign in via the browser window
3. Complete MFA if required

Estimated time: two to five minutes

Step 4: Verify Configuration

Verify Advanced Delivery

1. Go to https://security.microsoft.com
2. Navigate to
   Email and collaboration → Policies and rules → Threat policies → Advanced delivery
3. Select the Phishing simulation tab
4. Confirm the following:
   • Five CyberHoot domains present
   • Four CyberHoot IP addresses present

Verify Safe Links

1. In Microsoft Defender, navigate to
   Email and collaboration → Policies and rules → Threat policies → Safe Links
2. Open CyberHoot Safe Links Exclusions
3. Confirm Do not rewrite the following URLs in email shows five CyberHoot domains

Script Modes

Apply Mode (Default)

Applies CyberHoot configuration to the tenant:

.\CyberHoot-M365.ps1 -Mode Apply -Verbose

Validate Mode

Performs a read-only check and reports missing configuration:

.\CyberHoot-M365.ps1 -Mode Validate -Verbose

Sample output:

Validation report:

Advanced Delivery:

Rule exists: False

Missing domains: 5

Missing IP ranges: 4

Safe Links:

Policy exists: False

Missing DoNotRewriteUrls: 5

Rollback Mode

Removes all CyberHoot related configuration:

.\CyberHoot-M365.ps1 -Mode Rollback -Verbose

Important Notes

• Multi vendor safe, merges without overwriting existing phishing simulation vendors
• Idempotent, safe to run multiple times
• Tenant wide configuration, no per-user setup required
• Full propagation may take up to twenty four hours, typically immediate

Frequently Asked Questions

Will this affect existing security policies?
No. Only CyberHoot entries are added. All protections remain active.

Can the script be run multiple times?
Yes. Duplicate entries are not created.

Is this per user?
No. The configuration applies tenant wide.

Required Microsoft licenses?
Microsoft Defender for Office 365 Plan 1 or Plan 2, included with:

• Microsoft 365 E5
• Microsoft 365 E3 with Defender for Office 365
• Microsoft 365 Business Premium

How do I remove everything later?
Run Rollback mode:

.\CyberHoot-M365.ps1 -Mode Rollback

Additional Documentation

📘 Complete Setup Guide
https://cyberhoot.com/wp-content/uploads/2026/02/CyberHoot-M365-Setup-Instructions.txt

Last Updated: February 2, 2025
Script Version: 2.0