Overview

This guide walks you through configuring Office 365 email whitelisting for e-learning & phishing campaigns. The process involves both automated PowerShell configuration and manual DNS record updates.


(For security reasons, we as a platform do not want rights to modify Exchange Online transport rules, anti-spam policies, or email filtering configurations on customers' Office 365 tenants. We prefer PowerShell scripts, which let customers keep full control over their own email security settings while achieving the same delivery results for phishing simulations.)


You can download both the Test and Deployment scripts here.


What the Script Does

Step 1: IP Allow List (Connection Filter)

Updates the default hosted connection filter policy to allow emails from Lupasafe IP addresses:

  • IP Addresses: 141.95.84.46 and 45.82.191.25
  • Purpose: Ensures initial connection-level filtering doesn't block Lupasafe servers
  • Method: Adds IPs to the existing allow list without removing other entries


Step 2: Transport Rule (Domain + IP Security)

Creates or updates a transport rule named Lupasafe-Phishing-Simulation-Bypass with the following configuration:


Sending Domains:

  • crestfallenconsulting.com
  • luminarywebtech.com
  • lupasafe.academy
  • lupasafe.com


Security Settings:

  • SCL (Spam Confidence Level): -1 (bypasses spam filtering)
  • Priority: 0 (executes first)
  • Condition: Email must match BOTH approved domain AND approved IP address
  • Stop Rule Processing: Yes (prevents other rules from interfering)


Anti-Spoofing Protection:
Because the rule requires both a domain match AND an IP match, a message that only spoofs a Lupasafe domain from another server does not get the bypass. Only emails originating from Lupasafe servers using Lupasafe domains are allowed through.



Step 3: Advanced Delivery Policy (Phishing Simulation Override)

Configures Microsoft Defender to recognize Lupasafe as a legitimate phishing simulation provider:

  • Policy Name: LupasafePhishSim
  • Registers: Lupasafe domains and IPs as authorized simulation senders
  • Purpose: Prevents Microsoft Defender from treating simulation emails as "High Confidence Phish"
  • Important: This step may fail due to insufficient PowerShell permissions



Manual Configuration (If Step 3 Fails)

If the script cannot execute Step 3 automatically, configure manually:

  1. Navigate to security.microsoft.com
  2. Go to: Email & Collaboration > Policies & Rules > Threat Policies
  3. Click Advanced Delivery
  4. Select Phishing Simulation tab
  5. Add the following:


Sending Domains:

  • crestfallenconsulting.com
  • luminarywebtech.com
  • lupasafe.academy
  • lupasafe.com


Sending IPs:

  • 141.95.84.46
  • 45.82.191.25


  6. Save the configuration


Why All Three Steps Are Necessary

  • Step 1: Allows server connection
  • Step 2: Bypasses spam filtering with anti-spoofing protection
  • Step 3: Prevents advanced threat protection from quarantining simulation emails as phishing


Missing any step may result in simulation emails being blocked, quarantined, or flagged as suspicious.


Troubleshooting

Issue: Step 3 fails with permissions error
Cause: PowerShell session lacks Security Administrator role
Solution: Complete Step 3 manually via Microsoft Defender Portal (see above)

Issue: Emails still quarantined after running script
Check: Verify all three steps completed successfully, especially Advanced Delivery Policy
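
The verification in the last item can be scripted. The following read-only PowerShell audit is an added example, not the Lupasafe Test or Deployment script; it assumes Connect-ExchangeOnline and Connect-IPPSSession sessions are already open and that the rule's domain condition is stored in SenderDomainIs.

```powershell
# Added example: read-only audit, changes nothing in the tenant.
# Assumes Connect-ExchangeOnline and Connect-IPPSSession were already run.
$ExpectedIps     = '141.95.84.46', '45.82.191.25'
$ExpectedDomains = 'crestfallenconsulting.com', 'luminarywebtech.com',
                   'lupasafe.academy', 'lupasafe.com'
$RuleName        = 'Lupasafe-Phishing-Simulation-Bypass'
$findings        = [System.Collections.Generic.List[string]]::new()

function Get-Missing {
    # Expected values that are absent from Actual (case-insensitive, /32 ignored).
    param([string[]]$Expected, [object[]]$Actual)
    $have = @($Actual | ForEach-Object { "$_".Trim() -replace '/32$', '' })
    @($Expected | Where-Object { $have -notcontains $_ })
}

function Add-MissingFinding {
    # Records one finding per expected value that is not configured.
    param([string]$Label, [string[]]$Expected, [object[]]$Actual)
    foreach ($m in (Get-Missing $Expected $Actual)) { $findings.Add("${Label}: missing $m") }
}

# Step 1: connection filter IP allow list.
$cf = Get-HostedConnectionFilterPolicy -Identity Default
Add-MissingFinding 'Step 1 IP allow list' $ExpectedIps $cf.IPAllowList

# Step 2: transport rule. An SCL -1 rule that has lost its IP condition would
# bypass spam filtering for any sender that spoofs one of the domains.
$rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings.Add("Step 2: transport rule '$RuleName' not found")
} else {
    Add-MissingFinding 'Step 2 rule IP condition' $ExpectedIps $rule.SenderIpRanges
    # Assumption: the domain condition is stored in SenderDomainIs.
    Add-MissingFinding 'Step 2 rule domain condition' $ExpectedDomains $rule.SenderDomainIs
    if ($rule.SetSCL -ne -1)           { $findings.Add("Step 2: SetSCL is '$($rule.SetSCL)', expected -1") }
    if ($rule.Priority -ne 0)          { $findings.Add("Step 2: Priority is $($rule.Priority), expected 0") }
    if (-not $rule.StopRuleProcessing) { $findings.Add('Step 2: Stop Rule Processing is off') }
}

# Step 3: Advanced Delivery phishing simulation override (Security & Compliance session).
$sim = @(Get-ExoPhishSimOverrideRule -ErrorAction SilentlyContinue)
if ($sim.Count -eq 0) {
    $findings.Add('Step 3: no phishing simulation override rule found')
} else {
    Add-MissingFinding 'Step 3 Advanced Delivery domains' $ExpectedDomains $sim.Domains
    Add-MissingFinding 'Step 3 Advanced Delivery IPs'     $ExpectedIps     $sim.SenderIpRanges
}

if ($findings.Count) { $findings } else { 'All three steps verified.' }
```

A "Step 2 rule IP condition" finding deserves attention first, since the transport rule would then grant the SCL -1 bypass on a domain match alone.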