Throughout the years working in Cybersecurity I’ve dealt directly or indirectly with Security Awareness Training programs multiple times. One of the common problems I’ve to solve is the fact that test phishing emails are blocked or sent to Junk due to Defender for O365 email security policies. The process below is a reliable way of fixing this issue every single time, whether you are dealing with KnowBe4, LivingSecurity or a different SAT platform.

1. Note down the IP addresses to be allowed. This can be obtained in different ways:
   • Provided by the SAT platform vendors.
   • Individual IP from the Header info of a specific Junked or Quarantined email.
2. Sign in to the Microsoft Defender console.
3. Click the Policies & rules item on the left sidebar menu under Email & collaboration.
4. Go to Threat policies > Advanced delivery under Rules.
5. Click the Phishing simulation tab and click Edit.
6. Add the IP address to Sending IP section.
7. Add the Domain address (also known as the MAIL FROM address) used in the phishing campaign into the Domains section.
8. Add the phishing domains (found in the Phishing tool: Phishing Simulator > Settings > Domains) by using *.domain.com/* wildcard syntax to Simulation URLs to allow section.
9. Click Save to complete the process.

If the above does not work, and if the emails still end up in the Quarantine, follow the steps below:

1. Find the test emails in the Quarantine and note down “Policy type”.
2. If you see Anti-spam policy, navigate to the Anti-spam inbound policy (Default) policy, select it, scroll down and click Edit allowed and blocked senders and domains.
3. Click Allowed domains and add the phishing domain.
4. Save.
5. Navigate to https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem
6. Click View spoofing activity
7. Searching for the Phishing domain and select it, review the details and make sure this is what you want to allow.
8. Select Allow to spoof and click Apply.
9. Confirm the phishing emails are being delivered to user inboxes.