HowTo: Allow-List by X-Header in Exchange 2013, 2016, or Microsoft 365

12th February 2025 | HowTo, MSP, Platform, Technology

Allow-listing X-headers is necessary for CyberHoot's simulated phishing emails to bypass your mail filter. We recommend whitelisting by IP address or hostname, but depending on your system setup, allow-listing by headers may be the most fitting way to ensure phishing test emails are delivered to your users’ inboxes. Follow the instructions below to allow-list our headers:

Bypassing Clutter and Spam Filtering by Email Header (Exchange 2013, 2016, and M365)

  1. Log into your mail server admin portal and select Exchange under Admin center.
  2. Click Mail flow
  3. Click Rules
  4. Click Add a rule
  5. In the new rule window, click on Create a new rule
  6. Give the rule a name, such as “CyberHoot – Bypass Clutter & Spam Filtering by Email Header”.
  7. From the Apply this rule if… drop-down menu, select The message headers… then includes any of these words.
  8. Under those boxes, you will see *Enter text… and *Enter words
    • Click *Enter text… and type in the header name: Become_More_Aware and click on save.
  9. Click *Enter words … and type in CyberHoot and click the Add button and Save button.
  10. Next, under Do the following…, ensure that the field on the left is set to Modify the message properties and the field on the right is set to set the spam confidence level (SCL).
  11. Add a second action under Do the following… by clicking the + sign (add action) button.
  12. From the drop-down menu, select Modify the message properties on the left side and set a message header on the right side.
  13. Click the first *Enter text… and type X-MS-Exchange-Organization-BypassClutter and hit save, then click the second *Enter text… and type true and hit save.
  14. Review all settings to make sure they are correct. It should look like this:
  15. Click on Next.
  16. As a best practice, we recommend leaving the other options at their default settings.
  17. Click on Finish.

Bypassing the Junk Folder (M365 mail servers ONLY)

This rule will allow only simulated phishing emails from CyberHoot to bypass the Junk folder to ensure that your users are receiving simulated phishing emails in their inboxes.

  1. Open the Admin center for M365 Exchange.
  2. Click Mail flow
  3. Click Rules
  4. Click Add a rule
  5. In the new rule window, click on Create a new rule
  6. Give the rule a name, such as “CyberHoot – Skip Junk Filtering”.
  7. From the Apply this rule if… drop-down menu, select The message headers… then includes any of these words.
  8. Under those boxes, you will see *Enter text… and *Enter words
    • Click *Enter text… and type in the header name: Become_More_Aware and click on save.
  9. Click *Enter words … and type in CyberHoot and click the Add button and Save button.
  10. Next, under Do the following…, ensure that the field on the left is set to Modify the message properties and the field on the right is set to set the spam confidence level (SCL).
  11. Add a second action under Do the following… by clicking the + sign (add action) button.
  12. From the drop-down menu, select Modify the message properties on the left side and set a message header on the right side.
  13. Click the first *Enter text… and type X-Forefront-Antispam-Report (this value is case sensitive) and hit save, then click the second *Enter text… and enter “SFV:SKI;CAT:NONE;” (this value is case sensitive) and hit save.
  14. Click Next
  15. On the Set rule settings page, click Next, leaving the other values at their default settings.
  16. Set the priority to directly follow the rule you created in the previous section above.
  17. Review all settings to make sure they are correct. It should look like this:
  18. Make sure all options are filled out correctly.
  19. Click Save.

Once you have completed this setup, please allow time for the new rules to generate. Then, set up a test phishing campaign for yourself or a small group to test out your new whitelisting rule.
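
The two mail flow rules above can also be created from Exchange Online PowerShell. This is an added example, not CyberHoot's own script; it assumes a session opened with Connect-ExchangeOnline and that the SCL action is set to -1 (Bypass spam filtering), a value the steps above do not state. The rule names use a plain hyphen, and the second rule applies to M365 only.

```powershell
# Added example, not CyberHoot's own script.
# Prerequisite: Connect-ExchangeOnline (ExchangeOnlineManagement module).

# Condition shared by both rules: header name and value from the steps above.
$condition = @{
    HeaderContainsMessageHeader = 'Become_More_Aware'
    HeaderContainsWords         = 'CyberHoot'
}

$rules = @(
    @{
        Name           = 'CyberHoot - Bypass Clutter & Spam Filtering by Email Header'
        SetSCL         = -1   # assumption: "Bypass spam filtering"; the page names no SCL value
        SetHeaderName  = 'X-MS-Exchange-Organization-BypassClutter'
        SetHeaderValue = 'true'
    },
    @{
        Name           = 'CyberHoot - Skip Junk Filtering'   # M365 only
        SetSCL         = -1   # same assumption as above
        SetHeaderName  = 'X-Forefront-Antispam-Report'       # case sensitive
        SetHeaderValue = 'SFV:SKI;CAT:NONE;'                 # case sensitive
    }
)

$previous = $null
foreach ($rule in $rules) {
    # Do not create a duplicate if a rule with this name already exists.
    $existing = Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        $params = $condition + $rule
        # Place the second rule directly after the first, as the steps require.
        if ($previous) { $params.Priority = $previous.Priority + 1 }
        New-TransportRule @params | Out-Null
        $existing = Get-TransportRule -Identity $rule.Name
    }
    $previous = $existing
}

# Read both rules back to review the settings before running a test campaign.
$rules | ForEach-Object { Get-TransportRule -Identity $_.Name } |
    Format-List Name, State, Priority, HeaderContainsMessageHeader,
                HeaderContainsWords, SetSCL, SetHeaderName, SetHeaderValue
```

A rule that already exists is left unchanged, so compare the read-back output with the values in the steps above.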

Setting Advanced Delivery on Microsoft Defender to Allow Phishing Simulation

This will configure the IP addresses and sender domains that are used by CyberHoot as part of your phishing simulation email. These email messages are delivered unfiltered.

  1. Log into Microsoft Defender.
  2. On the left side, click on Email & Collaboration, then click on Policies & Rules.
  3. Click on Threat policies.
  4. Click on Advanced delivery.
  5. Under Advanced delivery, click on Phishing Simulations.
  6. Click on Add (or, if you have already configured phishing simulations, click on Edit).
  7. Add the Domains and IP addresses listed in this document.
  8. The final screen should look something like this, but it may contain updated domain names and IP addresses.
  9. Click on Save.

Once you have completed this setup, please allow time for the new rules to generate. Then, set up a test phishing campaign for yourself or a small group to test out your new whitelisting rule.

If you are looking for more assistance, head to our HowTo Library, or contact support@cyberhoot.com.
