pcman2002b
(pcman2002b)
1
Part of our security policies dictates that we perform regular simulated phishing attacks. We use a free tool called GoPhish to perform these tests, and prior to moving to Office 365 it worked flawlessly, as I could bypass our email forwarder’s strict SPF checks with SMTP right to our on-premise Exchange server.
However, now that we’ve migrated to Office 365 it won’t be that easy. I’ve got an internal SMTP relay that handles all the SMTP traffic from internal sources and it works beautifully. However, when I attempt to send test emails from GoPhish they never show up at their destination. Obviously I’m spoofing the email address but I always use fake domains, for instance lnkdin.com instead of linkedin.com.
From the Exchange dashboard I set up that phony domain as allowed to send via the SPAM filter but that didn’t make a difference.
I can’t be the only one tasked with performing tests like this and running Office 365 or some other equally strict service provider. I mean it’s good that they’re catching this stuff that’s obviously fake, but there’s got to be a way I can whitelist it so I can check up on my users. Eventually Microsoft’s filters will let something through; I’d rather cut my users’ teeth on fake attacks.
Wanted to see how others were getting around these limitations.
5 Spice ups
We have our phishing simulator whitelisted (by IP address)
4 Spice ups
pcman2002b
(pcman2002b)
3
Whitelisted at the SPAM filter or somewhere else within Exchange?
1 Spice up
Since KnowBe4 is nice enough to allow anyone to read their walkthrough, I’ll point you that direction → https://knowbe4.zendesk.com/hc/en-us/articles/203645138
3 Spice ups
pcman2002b
(pcman2002b)
5
Ah, very nice. I was able to use their documentation and tweak it to my environment. I have now whitelisted the IP address they’d see my SMTP messages coming from as well as instructed it to bypass SPAM and Clutter via that same IP. All appears to be in order but the messages still aren’t going anywhere. I can confirm that they’re leaving my SMTP relay as I see them appear and vanish from my queue.
So I checked my SMTP relay logs, ’cause why wouldn’t I have done that in the beginning, and it’s saying I don’t have permission to send as that sender. I wonder how the heck I get around that one???
stu-knowbe4
(Stu (KnowBe4))
6
Here is a link that works better:
Warm regards, Stu
3 Spice ups
pcman2002b
(pcman2002b)
7
Thanks Stu, I appreciate the content in those articles being made available to everyone. I’ve implemented the suggestions contained within but am stuck now with Microsoft’s servers telling my SMTP relay that I don’t have permission to send as the phony addresses I’m using for my attacks.