Mastering Configuration in Defender for Office 365 - Part Two

Published Apr 29 2021 10:00 AM 48K Views
Microsoft

This blog is part two of a three-part series detailing the journey we’re on to simplify the configuration of threat protection capabilities in Office 365 to enable best-in class protection for our customers.

 

In the previous blog in this series, we described how we have made it easier for customers to understand configurations gaps in their environment with recently launched features including Preset Security Policies, Configuration Analyzer, and Override Alerts. In this blog, we’ll take a closer look at additional capabilities we are enabling in the product as we continue forward on our journey to block malicious emails from being delivered to end users.

 

Note: This blog has been updated to reflect changes to release dates. 

 

Secure by Default: Tackling the Legacy Override Problem

One of the challenges we are addressing is the legacy override problem. As we covered in the first blog, legacy overrides are tenant level or user level configuration that instruct Office 365 to deliver mail even when the system has determined that the message is suspicious or contains malicious content. As a result of these aging and overly permissive overrides, we get poorly protected pockets with the organization and enable malicious emails to be delivered to end users.

 

To combat this, we here at Microsoft believe it’s critical to keep our customers “secure by default”. We have determined that legacy overrides such as allowed sender and allowed domain lists in anti-spam policies and Safe Senders in Outlook tend to be too broad and cause more harm than good. As a security service, we believe it’s imperative that we act on your behalf to prevent your users from being compromised. That means these legacy overrides are no longer honored for email messages we believe are malicious. We already apply this approach with malware messages and now we are extending it to messages with high confidence phish verdicts. Our data also indicates that the false positive rate (good messages marked as bad) for high confidence phishing messages is extremely low, adding to our conviction about this approach.

 

This feels like a critical step, given how dangerous and voluminous phishing messages have become. To learn more about the current threat landscape, please check out our annual security intelligence report, the Microsoft Digital Defense Report.

 

Ensuring that users cannot interact with malicious emails

As part of our secure by default focus, we’ve also taken additional steps to eliminate the risk of email borne threats. Essentially, when Microsoft is confident that an email contains malicious content, we will not deliver the message to users, regardless of tenant configuration. These messages will be delivered to quarantine, not the junk folder. (In the junk folder, there is always the risk that the user might inadvertently release them to the inbox).

 

Only admins can manage malware or high confidence phish messages that are quarantined, because our data indicates that a user is 30 times more likely to click a malicious link in messages in the junk email folder versus quarantine.

 

Rolling out these secure by default changes

We’ve taken a very deliberate approach to rolling out these changes in phases to ensure customers are not surprised and there are no negative side effects. We began to rollout Secure by Default for high confidence phishing messages by the override type starting in December of last year.

Today, we’re at a point in our Secure by Default journey where the following overrides are not honored for malicious emails (malware or high confidence phish emails):

 

  • Allowed sender lists or allowed domain lists (anti-spam policies)
  • Outlook Safe Senders
  • IP Allow List (connection filtering)

 

In addition, all malicious emails are delivered to quarantine by default.

Learn more about how we are keeping customers secure by visiting our documentation.

 

The Next Phase of Secure by Default rollout – Tackling transport rules

In August, we will extend Secure by Default to cover high confidence phishing messages for the remaining legacy override type, Exchange mail flow rules (also known as transport rules or ETRs).

 

ETRs represent roughly 60% of the high confidence phish message override volume we see, making this phase essential in achieving our Secure by Default goal for customers. For more on ETRs, check out our documentation on mail flow rules.

 

While ETRs represent a large problem space, it is complicated by the fact that customers and vendors have come to rely on it as a way to achieve two specific scenarios where the ‘override’ of malicious messages is quite deliberate and intentional.

 

  1. Phish simulation campaigns: These are messages that Defender for Office 365 routinely detects as being malicious, so customers put ETR rules in place to direct the system to not block delivery of these messages to end users.
  2. Security Operations mailboxes: These are special mailboxes customers setup to support the ability for end users to report malicious emails to SecOps teams.

In both these cases, customers do legitimately want the malicious emails delivered to achieve a very specific business goal.

 

So, in our effort to eliminate the unintentional ETR overrides of malicious emails, we needed to first make sure there was a safe way for customers to achieve the above two goals without having to rely on ETRs as a blunt instrument.

 

Introducing Advanced Delivery for Phishing Simulations and Security Operations Mailboxes

As we covered above, there are special scenarios where security teams may want to explicitly direct that high confidence phish are delivered.

 

  • Third-party phish simulations
  • Security operations mailbox

 

Customers have asked us for a method to explicitly configure message delivery for these scenarios and for the ability to view and filter these messages across our admin experiences. In July, we will launch the new Advanced Delivery capability for these scenarios, providing a method for security admins to explicitly configure for these in-product.

 

Figure 1: Configuring Third-Party Phishing Simulation Campaigns with Advanced Delivery.Figure 1: Configuring Third-Party Phishing Simulation Campaigns with Advanced Delivery.

 

With Advanced Delivery, we will ensure messages configured as part of these scenarios are handled correctly across the product. The protection filters will respect these configurations and not block these messages. And we will also show off these messages with the appropriate annotations in all of the reporting, investigation and security experiences in the product, so security teams and admins are not confused about the true nature of these messages.

 

Since these do not represent a real threat to your organization, we will, for example, not flag the messages as malicious and inadvertently remove them from your inbox, and we’ll skip things like triggering alerts, detonation, and automated investigations. However, admins will have the ability to filter, analyze and understand messages delivered due to these special scenarios.

 

Figure 2: Configuring Security Operations Mailboxes with Advanced Delivery.Figure 2: Configuring Security Operations Mailboxes with Advanced Delivery.

 

It will be important for customers who are utilizing ETRs to configure third-party party phishing simulation campaigns or delivery for security operation mailboxes today to start configuring these with the new Advanced Delivery policy when the feature is launched in July.

After the last phase of Secure by Default is enabled in August, Defender for Office 365 will no longer deliver high confidence phish, regardless of any explicit ETRs.

 

To learn more about the new advanced delivery policy, learn more on Microsoft Docs.

 

Making it easy for customers

This new way of handling phishing simulations from 3rd party vendors and security operations mailboxes is cleaner and offers a great deal of predictability for security teams. We’ve seen numerous occasions where security admins and SecOps members have been stirred into action inadvertently because of lack of clarity in this regard. This new capability above eliminates all that confusion.

 

Most significantly, this feature makes it easier for security and messaging admins to rest assured that their ETR rules cannot impact the protection of their users, and prevents them from having to manually inspect all of their ETR rules (a daunting task) to guarantee that.

 

Stay tuned...

We covered here additional changes we’ve made to help customers understand configuration gaps and the capabilities we’ve launched to eliminate the legacy override problem. In the next blog, we will share details about additional features we are building to further eliminate the configuration gap problem in the case where customers may be unaware of security policy features available to them and have not turned these on.

 

Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

49 Comments
Respected Contributor

@Sundeep_Saini where is part 3?

Microsoft

@Dean Gross We are planning to publish part three in June. Thanks for checking out the blog series!

Occasional Visitor

Love to see it. Secure by Default is the way to go.

New Contributor

Regarding Advanced Delivery and third party phish simulations -  Will there still be a need to bypass safe links/safe attachments via transport rule for these applications or does Advanced Delivery handle that as well?

Microsoft

@mtilson Yes, Advanced Delivery will handle this! When you configure a third-party phish simulation with the Advanced Delivery policy, you will no longer need to manually bypass Safe Links/ Safe Attachments via transport rule. Advanced Delivery will automatically skip detonation and blocking of URLs/attachments for messages that are part of a configured third-party phish simulation campaign.

Occasional Visitor

So what happens to our current ETR's we use in Mail flow rules? I am a little confused what my steps need to be not to cause disruption to what policies and rules we use now. Thanks for any additional insight.

Microsoft

@stevo2360 Existing ETRs can continue to exist or be used but after the last phase of Secure by Default is enabled (target: July) for mail flow rules (ETRs), Defender for Office 365: 

  • Will no longer deliver messages with high confidence phish (or malware) verdicts, regardless of any explicit ETRs. These messages will be quarantined. We will still continue to honor ETRs and deliver messages if they are not high confidence phish or malware verdicts. Note: Secure by default does not apply when the domain's MX record does not point to Office 365 (third-party filter).
  • Will no longer recommend ETRs as a method to configure third-party phishing simulations and/or Security Operation Mailbox message delivery.

We recommend that mail flow rules that were specifically created to define third-party phishing simulation campaigns or to direct messages to Security Operations (SecOps) mailboxes be removed once you configure your third-party phishing simulation and/or SecOps Mailboxes with the new advanced delivery policy when the feature rolls out (target: mid-June). Recommend completing this activity by early July before the last phase of Secure by Default is enabled.

New Contributor

Hi,

 

Very interesting read! Can you help me understand what the best approach would be for the following scenarios?

 

1. We have some system mailboxes for ticketing systems where we need to ensure that mails are not blocked because of "Junk detection" but we still would want to block Spoof/Phishing mails. Right now the only real option seems to be to go with an ETR and set the SCL -1 which is allowing more than we want to. Is there a way to only disable the Junk Filter to avoid False/Positives in a scenario like this where we can not filter by senders?

2. Is there any information what exactly qualifies ad "high confidence phish"? Did not find anything so far.

3. The filtering stack diagram is great!  Is there also any overview which parts are excluded for example when setting SCL -1 in a ETR? Or when working with allowed IPs in the Connection Filter.

Microsoft

@BlaaaBlaaBla 

  1. You can create a custom Anti-Spam policy with less aggressive settings for Spam and bulk and scope it to just those mailboxes.
  2. High Confidence Phish is a phishing message that could take malicious action on your tenant. It's not something that is just annoying or just suspicious -- it's a message that we know is malicious similar to malware. These are commonly phishing emails that are attempting to harm your business through credential theft or business email compromise.
  3. After Secure by Default rollout is completed, SCL-1 ETRs and IP allows will filter out bulk verdict, spam verdict, spoof detection verdict and those phishing verdicts that are suspicious but not deemed malicious.
Visitor

I am really interested about this part :

Rolling out these secure by default changes

We’ve taken a very deliberate approach to rolling out these changes in phases to ensure customers are not surprised and there are no negative side effects. We began to rollout Secure by Default for high confidence phishing messages by the override type starting in December of last year.

Today, we’re at a point in our Secure by Default journey where the following overrides are not honored for malicious emails (malware or high confidence phish emails):

 

  • Allowed sender lists or allowed domain lists (anti-spam policies)
  • Outlook Safe Senders
  • IP Allow List (connection filtering)

 

Does this mean, that if i have in IP allow list or allowed sender a domain, user whatever and Microsoft will judge this message as high confidence spam, this messages will be quarantined? or did I misunderstood this?

Microsoft

@Kubho208 Yes, this is the correct understanding but for high confidence phish not spam. We no longer honor IP allow list or allowed sender/domain in the case of high confidence phish verdicts as part of Secure by Default. The message will be quarantined. 

Senior Member

When can I expect to see the Advanced Filter option in our Tenant? As of today that option is not visible in the location that is stated in online documentation. 

 

 

 

Microsoft

@BrandonDBC I expect customers will see the new advanced delivery feature in their tenants by mid-next week. I have submitted an updated to communications via admin message center post so customers get the updated timeline. Thanks for your patience! Looking forward to getting this feature out to customers soon!

 

UPDATE (9-July): Advanced Delivery GA was delayed until end of July. Thanks for your patience. You can get the latest status via our message center posts:

  • MC256473, (Updated) Microsoft Defender for Office 365: Introducing Advanced Delivery for Phishing Simulations and SecOps Mailboxes
  • MC265759, (Updated) Microsoft Defender for Office 365: Extending Secure by Default for Exchange Transport Rules (ETRs)
Senior Member

@Sundeep_Saini 

 

What if the detection is wrong and i know it is not a high confidence phishing attack.

 

How do i white list the sender?

 

Thanks

Visitor

Is this by default to all excahnge online plans or any specific license is requried? Thanks, 

Microsoft

@Ma-tth In the case of false positives, admins should use the submission portal to report messages whenever they believe a message has the wrong verdict so that the filter can improve organically. You can also continue to utilize the overrides (ETRs, user/tenant allows, IP allows) to whitelist senders but we will no longer honor in the case of messages we believe are malicious (specifically malware or high confidence phish verdicts). These messages will be quarantined.

 

Additional details on admin submissions and quarantined messages here:

Admin submissions - Office 365 | Microsoft Docs

Manage quarantined messages and files as an admin - Office 365 | Microsoft Docs

Microsoft

@ayalalex Yes, confirming that Advanced Delivery will be available for all SKUs (EOP, MDO P1, MDO P2) and Secure by Default applies to all SKUs (EOP, MDO P1, MDO P2) as well.

Occasional Visitor

@Sundeep_Saini thank you for these informative posts and all the links and additional info. I have a question that indirectly relates to these changes.

 

We have a ticketing system set up to send from our 365 mailboxes, so the sender address looks like an internal address from our company. The ticketing system uses SMTP2GO to relay all emails sent from it, to both external customers and our internal users.  SMTP2GO emails seem to be automatically marked as High Confidence Spam ( not phish ) by the spam filter ( I think based on the fact that their origin is New Zealand / outside our country ), so the filter wants to send them to Junk.

 

We have an ETR which bypasses the spam filter based on the specific IP addresses that SMTP2GO uses. As I understand, this particular ETR will not be affected by these changes because it's for spam, not phishing, however, I wanted to ask if we should be doing this differently, or if there's a way to migrate this and other ETRs from the old Exchange Admin Center into the newer 365 Defender systems. Or, how can I contribute to telling the spam filters that SMTP2GO isn't automatically High Confidence Spam? I've already submitted several messages a long time ago, and it continues to mark them as HCS.

Regular Visitor

Most third-party phishing simulation tool, altering reporting feature in outlook, it reports to them, instead report to admin or Microsoft engineer,  it's remove default options dropdown <Junk><Phishing><Not Junk><Option><Help>

My understanding, need primarily the default " Report Message" option and need combine third-party reporting mechanism for  analytics with that toll. Is there a any settings we have to configure at Tennent level. (something like integrate both option from backend)

@Sundeep_Saini 

Microsoft

@IT_Admin_8794 That is correct, we would still continue to honor the ETR in the example you mentioned. However, recommend that you use Admin Submissions to submit this to Microsoft so filters can improve organically. Learn more here Admin submissions - Office 365 | Microsoft Docs. We are also working on an enhancement to the tenant allow block list where you could add a partial allow for this. This should be available later this year.  

Microsoft

@Km_MSN To learn about settings you can configure in regards to your question, please see User reported message settings - Office 365 | Microsoft Docs.

Regular Visitor

Thanks Saini, worth to have a option add mailbox from outside "My organization's mailbox", which can use analytical purpose of Third-party reporting use for training users.

Microsoft

@Sundeep_Saini - will this change (blocking HPISH by default regardless of transport rule) affect outbound / internal mail, or is this strictly going to affect inbound mail from senders outside the organization. 

Microsoft

@Rotshak Secure by Default applies to inbound mail.

Senior Member

@Sundeep_Saini 

I'm a bit worried about this change and the timing. Our tenant still doesn't have the 'Advanced Delivery' option available, and the 'New-SecOpsOverridePolicy' command isn't included in the Security & Compliance Center PowerShell module version 2.0.5 (latest version online)

 

So that leaves us with no option to prepare for this upcoming change during summer break. I'm leaving for PTO now, and hope this won't break our SecOps mailboxes over the course of my holiday, and the service we offer to our customers. Hopefully we'll get enough time to implement. ETA is august?

Microsoft

@Tomsan We appreciate your patience. We are targeting worldwide release of Advanced Delivery by the end of July. Once Advanced Delivery is released (based on actual date), we will ensure customers have 4 weeks to complete migration to the new feature before we start the rollout of Secure by Default for ETRs. Based on the current estimate for Advanced Delivery, this means we will start rollout of Secure by Default end of August and complete in September. We are keeping the following message center posts updated with timeline:

 

  • MC256473, (Updated) Microsoft Defender for Office 365: Introducing Advanced Delivery for Phishing Simulations and SecOps Mailboxes
  • MC265759, (Updated) Microsoft Defender for Office 365: Extending Secure by Default for Exchange Transport Rules (ETRs)
Occasional Visitor

The new Advanced Delivery functionality finally arrived in my tenant today.  However, I'm finding that the configuration options are not sufficient.  We use the Proofpoint Security Awareness Training module (formerly Wombat).  Their official documentation lists 2 IP addresses and 137 domains.  However, your configuration only allows for adding up to 10 domains.  Am I missing something?

 

My testing shows that without listing the domain being used in the simulation email the simulated phish is quarantined.

 

This seems to be a big gap that needs a solution.

New Contributor

I have the same issue as @Trey_Contello. We should either be able to enter all the domains or enter only the IPs.

New Contributor

Looks like improvement coming in September to use the DKIM domain that can help address the domain limitation. 

"Microsoft Defender for Office 365: DomainKeys Identified Mail (DKIM) support for Advanced Delivery

We're adding support for DomainKeys Identified Mail (DKIM) domains to our advanced delivery feature, enabling administrators to use DKIM domains in addition to sending domains to configure their third-party phishing simulations."
Microsoft 365 Roadmap | Microsoft 365

Regular Visitor

Referring to Configure third-party phishing simulations in the advanced delivery policy; like Cofense Phish ME simulation having over 100 sending domains. But here we can add up to 10 entries. Do we have any other option here, including X-ID field scanning

Occasional Visitor

I just read through the DKIM Support for Advanced Delivery article.  It sounds like it will address the issue.  However, I'm curious about the timing.  As stated above "in our effort to eliminate the unintentional ETR overrides of malicious emails, we needed to first make sure there was a safe way for customers to achieve the above two goals without having to rely on ETRs as a blunt instrument."  As of now, it does not seem to me that Microsoft has achieved that requirement.

 

If DKIM Support for Advanced Delivery is not available when ETR's are removed, then my understanding is that Microsoft will be sabotaging the ability of customers to run simulated Phishing campaigns.  It is commendable that there will be a solution in the future.  Will it arrive before my simulated phishing campaigns are crippled?  

 

I appreciate Microsoft's efforts here, but is Microsoft working with the vendors that provide solutions in this space to provide clear documentation and information to their customers?  I'm referring to Knowbe4, Proofpoint, Cofense, etc.  Do those vendors have updated KB's posted on their support sites telling customers how do deal with this change?  It seems a bit obvious that Microsoft should be taking the lead here, but I'm not finding any vendor specific documentation dealing with this change anywhere.

 

I would appreciate Microsoft updating us on this question/issue.  As an MSP, I run a lot of Phishing simulations with a lot of Office 365 customers, and don't want to be crippled because Microsoft's "solution" does not meet the needs of their customers.  Anything to contribute @Sundeep_Saini?

Microsoft

Edit: 9/10/21. To clarify, partner outreach to several major phishing simulation vendors was completed (not all). We will continue to evaluate solution and are open to engaging with phishing simulation vendors on their phishing simulation solution and how to best configure with Defender for Office for their customers.

-----------

Hello @TreyContello -- Yes, Microsoft has worked with vendors across the industry in preparation for the release of Advanced Delivery. We provided pre-release documentation to all several major phishing simulation vendors and we invited them to meet with us and provide feedback. This allowed for design feedback as well as provided the phishing simulation vendors with time to plan for the change as well as update documentation/communication to their respective customers.

As noted in a couple of the above comments, we are adding one additional secure option for phishing simulation vendors - the ability to specify a DKIM domain. This is targeted to roll out in September (Please see M365 Roadmap item: Feature ID 82083).

 

For example, if specifying 10 sending domains doesn’t meet a phishing simulation vendor's needs, they could instead sign all of their messages with a particular phishing simulation vendor DKIM domain. The security admin (end user customer) would then have the option to enter either sending domain or phish sim vendor's DKIM domain via the new advanced delivery policy based on the phishing simulation vendor's guidance. The DKIM domain creates another secure option giving customers the flexibility to utilize sending domains and/or DKIM domains. In order for this option to work, the phishing simulation vendor will need to implement DKIM domain in their phishing simulation offerings to customers.

 

Adding @Jenelle Sujat @Km_MSN for questions along similar thread -- Confirming that advanced delivery requires a message match on at least 1 sending domain and at least sending IP and that each field has a limit of 10 entries. Several design options were vetted before landing on this solution. The DKIM domain option mentioned above is another option for phishing simulation vendors that will release in September.

Occasional Visitor

So, my understanding is that we're going to be in a bit of a bind due to this change.  The vendors have not yet released any updated documentation.  So I can't load the 137 domains that I need to load because of the limitation of 10.  The workaround DKIM solution won't be ready for a couple of months yet, and then will be useful only if it is adopted and enabled by the vendors.

 

That leaves us MSP's and our customers stuck in the middle with no real solution.  Or am I missing something?

 

Is there anything more you can share?  Are the vendors that you partnered with aware of this?  

Microsoft

@TreyContello Recommend reaching out the phishing simulation vendor for updated guidance. We have provided this guidance to the phishing simulation vendors as mentioned above and are open to working with them to build out the guidance.

Senior Member

Hi @Sundeep_Saini,


Thank you for your articles on this feature. 

I have a few follow up questions in regards to this feature working with third party mail filters.

 

-In the documentation it mentions setting up Enhanced Filtering for connectors (also known as skip listing). Will this advanced delivery feature work if skip listing has been implemented correctly?

- The documentation also goes on to say "If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering." My understanding is that ETR/mail flow rules will become legacy overrides and will no longer be honored. Would you be able to clarifying the reason they were mentioned here in the documentation?  

 

- Lastly, when will the existing ETR stop functioning or when would you be able to confirmation a date as the status on the road map currently says 'rolling out'?

 

Thank you in advanced for your response!

Senior Member

@Sundeep_Saini I have similar concerns as @Ian_Finn. We have customers using Proofpoint in front of EXO / Defender and have configured Enhanced Filtering for them. The way I understand it, the new Advanced Delivery / Secure by Default features will potentially  junk / quarantine emails that hit ETRs that were created for Proofpoint. Is the recommendation to disable Enhanced Filtering in these scenarios?

Microsoft

Hi @Ian_Finn 

 

  1. Yes, Advanced Delivery will work regardless of skip listing or where mx record points.
  2. This is the case where a customer is utilizing a third-party filter and does not want to apply Microsoft Defender for Offic 365 filtering. If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), Secure by Default will not apply and the ETRs will continued to be honored.
  3. Please note, ETRs will continue to be available and function as intended, but in the case of high confidence phish verdicts, those messages will be sent to quarantine. ETRs can still be used as previously done for other verdicts like spam, normal confidence phish. 
Microsoft

@MatthewSilcox We still recommend enabling Enhanced Filtering. This connector setting helps us undersatnd that there is another 3rd party filter between us and the the sender. Please see my comments above. Advanced Delivery is still available in the example you mentioned. Also note, Secure by Default will not apply if their MX record does not point to Office 365.  

Senior Member

Hi @Sundeep_Saini,

 

Just to clarify, you said advanced delivery works regardless of skip listing or where mx record points. Does that mean this feature will work with any third-party filter without additional configuration? I would just like to know exactly what options are available to have Advanced Delivery function correctly with third-party filters.

 

My understanding was one of the below options were required but it would be great if you could confirm. 

1. Have your domain MX record point to Office365

2. Set up Enhanced Filtering for connectors (skip listing)

 

Thanks again!

 

Microsoft

@Ian_Finn Yes, confirming advanced delivery is available regardless of any third party filtering or where MX record points. You would just need to configure settings in the new advanced delivery policy for you third-party phishing simulation or delivery for a security operation mailbox. 

 

Mx record only matters for Secure by Default. Secure by Default only applies when Mx record points to Office 365.

Senior Member

Hi @Sundeep_Saini,

 

Thank you for that confirmation. 

 

After testing this in environments with a third party filter, it seems that some emails are still being scanned. Is there any way to identify/confirm if Advanced Delivery is being applied? Previously with mail flow rules you could determine this through the message events.

 

Is there is set date for when ETRs will no longer deliver case of high confidence phish verdicts?

 

Established Member

Hi, @Sundeep_Saini I use a phishing simulation solution that use over 130 domains that they own and are individually DKIM registered, will this new DKIM functionality allow me to whitelist all domains or just the 10?

Established Member

@Sundeep_Saini have you had the chance to look into my query,?

 

Thanks in advance.

Microsoft

Hi @Simon Khera, The DKIM domain enhancement to Advanced Delivery is expected to release at the end of September. (Please see M365 Roadmap item: Feature ID 82083). As mentioned in my above response to a similar question: If specifying 10 sending domains doesn’t meet a phishing simulation vendor's needs, they could instead sign all of their messages with a phishing simulation vendor DKIM domain. The limit on the domain field is still 10 (can be a mix of P1 sending domains and DKIM domains). The security admin (end user customer) would then have the option to enter either sending domain or the one phish sim vendor's DKIM domain via the new advanced delivery policy based on the phishing simulation vendor's guidance. The DKIM domain creates another secure option giving customers the flexibility to utilize sending domains and/or DKIM domains. In order for this option to work, the phishing simulation vendor will need to implement DKIM domain in their phishing simulation offerings to customers. We will continue to evaluate the solution and welcome engaging and collaborating with phishing simulation vendors on their specific phishing simulation campaign needs and how to best configure in Defender for Office 365 with security in mind.

 

Please stay tuned for more info. We will be releasing a message center post for the upcoming release with additional details shortly.

Microsoft

Hi @Ian_Finn please submit a support ticket for the team to investigate and look into the details. Secure by Default for ETRs rollout has begun and will complete by end of September. Please see message center post MC265759 for details.

Established Member

Thanks @Sundeep_Saini however this does not help us as our provider own all of their domains and all emails are DKIM registered to their own domain along with having DMARC and SPF, surely this is the correct way of setting up these Phish emails rather than sending from one domain? 

Occasional Visitor

For all those of you who like us have had our Phishing testing completely destroyed by Microsoft which in turn messed up some of our mandatory compliance testing we do as a Health Care organization I present the solution we used to get around this boneheaded move of Microsoft's.

 

Since there was no way to get Microsoft to allow the mail from our Phishing Provider, KnowBe4, within the limited confines of the new system I decided to just let Microsoft quarantine them all and then use some Powershell to release the ones that I wanted.  This can be run manually or as part of a regular timed script .  You only need to make changes to to the two variables on likes 5 ($HoursBack), which dictates how far back in the quarantine the scripts looks, and line 8 ($MessageIDFilter), which dictates how to match the MessageID field which for us being KnowBe4 looks like "*@psm.knowbe4.com*".

 

Hope this helps others in the mess.

 

$i = 0
$SetSize = 1000

# Set how many hours back you wish the script to look.
$HoursBack = -1

# Set the MessageID filter you wish to use. (Example "*@psm.knowbe4.com*" for KnowBe4)
$MessageIDFilter = "*@psm.knowbe4.com*"

While ($SetSize -gt 0) {
	
	$i++
	$CurrentSet = Get-QuarantineMessage -StartReceivedDate (Get-Date).AddHours($HoursBack) -EndReceivedDate (Get-Date) -Page $i -PageSize 1000
	$FilteredSet = $CurrentSet | Where-Object {$_.MessageID -like $MessageIDFilter}
	Write-Host "Round $($i): CurrentSet = $($CurrentSet.count) and FilteredSet = $($FilteredSet.count) - Releasing Messages"
	$FilterCount = 0
	$FilteredSet | % {
		$FilterCount++
		$FilterPercentage = $FilterCount / $FilteredSet.count * 100
		$FilterPercentage = [math]::Round($FilterPercentage, 2)
		Write-Progress -Activity "Releasing Messages: $($FilterCount) - Round: $($i)" -Status "$($FilterPercentage)% Complete:" -PercentComplete $FilterPercentage
		Release-QuarantineMessage -ReleaseToAll -Identity $_.Identity}
	$SetSize = $CurrentSet.count
}
Occasional Visitor

Hi,

 

Thanks for a very interesting post and even more interesting comments! 

 

Q for @Sundeep_Saini: Is there a way to verify that the DKIM support for Advanced Delivery Policy (feature ID Feature ID 82083) is activated for a specific customer? I noticed the text in the top of the "Edit third party phishing simulations" window now mention DKIM - does that mean it's avaliable to use?

Microsoft

Hi @Rikardz, the DKIM support for Advanced Delivery Policy (Feature ID 82083) was launched 1st week of October and is available to tenants worldwide. Rollout to gov clouds is still in progress and will complete by end of month. Since you see the mention of DKIM - I believe you do indeed have it enabled for your tenant. If you run into any issues, please open up a support case. I believe you are all set! 

%3CLINGO-SUB%20id%3D%22lingo-sub-2326280%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2326280%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3Bwhere%20is%20part%203%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2355509%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2355509%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1096%22%20target%3D%22_blank%22%3E%40Dean%20Gross%3C%2FA%3E%26nbsp%3BWe%20are%20planning%20to%20publish%20part%20three%20in%20June.%20Thanks%20for%20checking%20out%20the%20blog%20series!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2356811%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2356811%22%20slang%3D%22en-US%22%3E%3CP%3ELove%20to%20see%20it.%26nbsp%3B%3CEM%3ESecure%20by%20Default%3C%2FEM%3E%20is%20the%20way%20to%20go.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2361079%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2361079%22%20slang%3D%22en-US%22%3E%3CP%3ERegarding%20Advanced%20Delivery%20and%20third%20party%20phish%20simulations%20-%26nbsp%3B%20Will%20there%20still%20be%20a%20need%20to%20bypass%20safe%20links%2Fsafe%20attachments%20via%20transport%20rule%20for%20these%20applications%20or%20does%20Advanced%20Delivery%20handle%20that%20as%20well%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2361137%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2361137%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F592439%22%20target%3D%22_blank%22%3E%40mtilson%3C%2FA%3E%26nbsp%3BYes%2C%20Advanced%20Delivery%20will%20handle%20this!%20When%20you%20configure%20a%20third-party%20phish%20simulation%20with%20the%20Advanced%20Delivery%20policy%2C%20you%20will%20no%20longer%20need%20to%20manually%20bypass%20Safe%20Links%2F%20Safe%20Attachments%20via%20transport%20rule.%20Advanced%20Delivery%20will%20automatically%20skip%20detonation%20and%20blocking%20of%20URLs%2Fattachments%20for%20messages%20that%20are%20part%20of%20a%20configured%20third-party%20phish%20simulation%20campaign.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2362061%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2362061%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20what%20happens%20to%20our%20current%20ETR's%20we%20use%20in%20Mail%20flow%20rules%3F%20I%20am%20a%20little%20confused%20what%20my%20steps%20need%20to%20be%20not%20to%20cause%20disruption%20to%20what%20policies%20and%20rules%20we%20use%20now.%20Thanks%20for%20any%20additional%20insight.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2362643%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2362643%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1056189%22%20target%3D%22_blank%22%3E%40stevo2360%3C%2FA%3E%26nbsp%3BExisting%20ETRs%20can%20continue%20to%20exist%20or%20be%20used%20but%20after%20the%20last%20phase%20of%20Secure%20by%20Default%20is%20enabled%20(target%3A%20July)%20for%20mail%20flow%20rules%20(ETRs)%2C%20Defender%20for%20Office%20365%3A%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EWill%20no%20longer%20deliver%20messages%20with%20high%20confidence%20phish%20(or%20malware)%20verdicts%2C%20regardless%20of%20any%20explicit%20ETRs.%20These%20messages%20will%20be%20quarantined.%20We%20will%20still%20continue%20to%20honor%20ETRs%20and%20deliver%20messages%20if%20they%20are%20not%20high%20confidence%20phish%20or%20malware%20verdicts.%20Note%3A%20Secure%20by%20default%20does%20not%20apply%20when%20the%20domain's%20MX%20record%20does%20not%20point%20to%20Office%20365%20(third-party%20filter).%3C%2FLI%3E%0A%3CLI%3EWill%20no%20longer%20recommend%20ETRs%20as%20a%20method%20to%20configure%20third-party%20phishing%20simulations%20and%2For%20Security%20Operation%20Mailbox%20message%20delivery.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EWe%20recommend%20that%20mail%20flow%20rules%20that%20were%20specifically%20created%20to%20define%20third-party%20phishing%20simulation%20campaigns%20or%20to%20direct%20messages%20to%20Security%20Operations%20(SecOps)%20mailboxes%20be%20removed%20once%20you%20configure%20your%20third-party%20phishing%20simulation%20and%2For%20SecOps%20Mailboxes%20with%20the%20new%20advanced%20delivery%20policy%20when%20the%20feature%20rolls%20out%20(target%3A%20mid-June).%20Recommend%20completing%20this%20activity%20by%20early%20July%20before%20the%20last%20phase%20of%20Secure%20by%20Default%20is%20enabled.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2391017%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2391017%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EVery%20interesting%20read!%20Can%20you%20help%20me%20understand%20what%20the%20best%20approach%20would%20be%20for%20the%20following%20scenarios%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20We%20have%20some%20system%20mailboxes%20for%20ticketing%20systems%20where%20we%20need%20to%20ensure%20that%20mails%20are%20not%20blocked%20because%20of%20%22Junk%20detection%22%20but%20we%20still%20would%20want%20to%20block%20Spoof%2FPhishing%20mails.%20Right%20now%20the%20only%20real%20option%20seems%20to%20be%20to%20go%20with%20an%20ETR%20and%20set%20the%20SCL%20-1%20which%20is%20allowing%20more%20than%20we%20want%20to.%20Is%20there%20a%20way%20to%20only%20disable%20the%20Junk%20Filter%20to%20avoid%20False%2FPositives%20in%20a%20scenario%20like%20this%20where%20we%20can%20not%20filter%20by%20senders%3F%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20Is%20there%20any%20information%20what%20exactly%20qualifies%20ad%20%22high%20confidence%20phish%22%3F%20Did%20not%20find%20anything%20so%20far.%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20The%20filtering%20stack%20diagram%20is%20great!%26nbsp%3B%20Is%20there%20also%20any%20overview%20which%20parts%20are%20excluded%20for%20example%20when%20setting%20SCL%20-1%20in%20a%20ETR%3F%20Or%20when%20working%20with%20allowed%20IPs%20in%20the%20Connection%20Filter.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2410457%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2410457%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1064677%22%20target%3D%22_blank%22%3E%40BlaaaBlaaBla%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EYou%20can%20create%20a%20custom%20Anti-Spam%20policy%20with%20less%20aggressive%20settings%20for%20Spam%20and%20bulk%20and%20scope%20it%20to%20just%20those%20mailboxes.%3C%2FLI%3E%0A%3CLI%3EHigh%20Confidence%20Phish%20is%20a%20phishing%20message%20that%20could%20take%20malicious%20action%20on%20your%20tenant.%20It's%20not%20something%20that%20is%20just%20annoying%20or%20just%20suspicious%20--%20it's%20a%20message%20that%20we%20know%20is%20malicious%20similar%20to%20malware.%20These%20are%20commonly%20phishing%20emails%20that%20are%20attempting%20to%20harm%20your%20business%20through%20credential%20theft%20or%20business%20email%20compromise.%3C%2FLI%3E%0A%3CLI%3EAfter%20Secure%20by%20Default%20rollout%20is%20completed%2C%20SCL-1%20ETRs%20and%20IP%20allows%20will%20filter%20out%20bulk%20verdict%2C%20spam%20verdict%2C%20spoof%20detection%20verdict%20and%20those%20phishing%20verdicts%20that%20are%20suspicious%20but%20not%20deemed%20malicious.%3C%2FLI%3E%0A%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2461726%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2461726%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20really%20interested%20about%20this%20part%20%3A%3C%2FP%3E%3CP%3ERolling%20out%20these%20secure%20by%20default%20changes%3C%2FP%3E%3CP%3EWe%E2%80%99ve%20taken%20a%20very%20deliberate%20approach%20to%20rolling%20out%20these%20changes%20in%20phases%20to%20ensure%20customers%20are%20not%20surprised%20and%20there%20are%20no%20negative%20side%20effects.%20We%20began%20to%20rollout%20Secure%20by%20Default%20for%20high%20confidence%20phishing%20messages%20by%20the%20override%20type%20starting%20in%20December%20of%20last%20year.%3C%2FP%3E%3CP%3EToday%2C%20we%E2%80%99re%20at%20a%20point%20in%20our%20Secure%20by%20Default%20journey%20where%20the%20following%20overrides%20are%20not%20honored%20for%20malicious%20emails%20(malware%20or%20high%20confidence%20phish%20emails)%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EAllowed%20sender%20lists%20or%20allowed%20domain%20lists%20(anti-spam%20policies)%3C%2FLI%3E%3CLI%3EOutlook%20Safe%20Senders%3C%2FLI%3E%3CLI%3EIP%20Allow%20List%20(connection%20filtering)%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20mean%2C%20that%20if%20i%20have%20in%20IP%20allow%20list%20or%20allowed%20sender%20a%20domain%2C%20user%20whatever%20and%20Microsoft%20will%20judge%20this%20message%20as%20high%20confidence%20spam%2C%20this%20messages%20will%20be%20quarantined%3F%20or%20did%20I%20misunderstood%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2463462%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2463462%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1061665%22%20target%3D%22_blank%22%3E%40Kubho208%3C%2FA%3E%26nbsp%3BYes%2C%20this%20is%20the%20correct%20understanding%20but%20for%20high%20confidence%20phish%20not%20spam.%20We%20no%20longer%20honor%20IP%20allow%20list%20or%20allowed%20sender%2Fdomain%20in%20the%20case%20of%20high%20confidence%20%3CSTRONG%3Ephish%3C%2FSTRONG%3E%20verdicts%20as%20part%20of%20Secure%20by%20Default.%20The%20message%20will%20be%20quarantined.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2493238%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2493238%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20can%20I%20expect%20to%20see%20the%20Advanced%20Filter%20option%20in%20our%20Tenant%3F%20As%20of%20today%20that%20option%20is%20not%20visible%20in%20the%20location%20that%20is%20stated%20in%20online%20documentation.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2500669%22%20slang%3D%22en-US%22%3EBetreff%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2500669%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20if%20the%20detection%20is%20wrong%20and%20i%20know%20it%20is%20not%20a%26nbsp%3Bhigh%20confidence%20phishing%20attack.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20do%20i%20white%20list%20the%20sender%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2502545%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2502545%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1091760%22%20target%3D%22_blank%22%3E%40Ma-tth%3C%2FA%3E%26nbsp%3BIn%20the%20case%20of%20false%20positives%2C%20admins%20should%20use%20the%20submission%20portal%20to%20report%20messages%20whenever%20they%20believe%20a%20message%20has%20the%20wrong%20verdict%20so%20that%20the%20filter%20can%20improve%20organically.%20You%20can%20also%20continue%20to%20utilize%20the%20overrides%20(ETRs%2C%20user%2Ftenant%20allows%2C%20IP%20allows)%20to%20whitelist%20senders%20but%20we%20will%20no%20longer%20honor%20in%20the%20case%20of%20messages%20we%20believe%20are%20malicious%20(specifically%20malware%20or%20high%20confidence%20phish%20verdicts).%20These%20messages%20will%20be%20quarantined.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdditional%20details%20on%20admin%20submissions%20and%20quarantined%20messages%20here%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fadmin-submission%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAdmin%20submissions%20-%20Office%20365%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fmanage-quarantined-messages-and-files%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EManage%20quarantined%20messages%20and%20files%20as%20an%20admin%20-%20Office%20365%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2502572%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2502572%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1092209%22%20target%3D%22_blank%22%3E%40ayalalex%3C%2FA%3E%26nbsp%3BYes%2C%20confirming%20that%20Advanced%20Delivery%20will%20be%20available%20for%20all%20SKUs%20(EOP%2C%20MDO%20P1%2C%20MDO%20P2)%20and%20Secure%20by%20Default%20applies%20to%20all%20SKUs%20(EOP%2C%20MDO%20P1%2C%20MDO%20P2)%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2503017%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2503017%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3Bthank%20you%20for%20these%20informative%20posts%20and%20all%20the%20links%20and%20additional%20info.%20I%20have%20a%20question%20that%20indirectly%20relates%20to%20these%20changes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20ticketing%20system%20set%20up%20to%20send%20from%20our%20365%20mailboxes%2C%20so%20the%20sender%20address%20looks%20like%20an%20internal%20address%20from%20our%20company.%20The%20ticketing%20system%20uses%20SMTP2GO%20to%20relay%20all%20emails%20sent%20from%20it%2C%20to%20both%20external%20customers%20and%20our%20internal%20users.%26nbsp%3B%20SMTP2GO%20emails%20seem%20to%20be%20automatically%20marked%20as%20High%20Confidence%20Spam%20(%20not%20phish%20)%20by%20the%20spam%20filter%20(%20I%20think%20based%20on%20the%20fact%20that%20their%20origin%20is%20New%20Zealand%20%2F%20outside%20our%20country%20)%2C%20so%20the%20filter%20wants%20to%20send%20them%20to%20Junk.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20an%20ETR%20which%20bypasses%20the%20spam%20filter%20based%20on%20the%20specific%20IP%20addresses%20that%20SMTP2GO%20uses.%20As%20I%20understand%2C%20this%20particular%20ETR%20will%20not%20be%20affected%20by%20these%20changes%20because%20it's%20for%20spam%2C%20not%20phishing%2C%20however%2C%20I%20wanted%20to%20ask%20if%20we%20should%20be%20doing%20this%20differently%2C%20or%20if%20there's%20a%20way%20to%20migrate%20this%20and%20other%20ETRs%20from%20the%20old%20Exchange%20Admin%20Center%20into%20the%20newer%20365%20Defender%20systems.%20Or%2C%20how%20can%20I%20contribute%20to%20telling%20the%20spam%20filters%20that%20SMTP2GO%20isn't%20automatically%20High%20Confidence%20Spam%3F%20I've%20already%20submitted%20several%20messages%20a%20long%20time%20ago%2C%20and%20it%20continues%20to%20mark%20them%20as%20HCS.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2505399%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2505399%22%20slang%3D%22en-US%22%3E%3CP%3EMost%26nbsp%3B%3CSPAN%3Ethird-party%20phishing%20simulation%20tool%2C%20altering%20reporting%20feature%20in%20outlook%2C%20it%20reports%20to%20them%2C%20instead%20report%20to%20admin%20or%20Microsoft%20engineer%2C%26nbsp%3B%26nbsp%3Bit's%20remove%20default%20options%20dropdown%20%3CJUNK%3E%3CPHISHING%3E%3CNOT%20junk%3D%22%22%3E%3CHELP%3E%3C%2FHELP%3E%3C%2FNOT%3E%3C%2FPHISHING%3E%3C%2FJUNK%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EMy%20understanding%2C%20need%20primarily%26nbsp%3Bthe%20default%20%22%20Report%20Message%22%20option%20and%20need%20combine%20third-party%26nbsp%3Breporting%20mechanism%26nbsp%3Bfor%26nbsp%3B%26nbsp%3Banalytics%26nbsp%3Bwith%20that%20toll.%20Is%20there%20a%20any%20settings%20we%20have%20to%20configure%20at%20Tennent%26nbsp%3Blevel.%20(something%20like%20integrate%26nbsp%3Bboth%20option%20from%20backend)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2509035%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2509035%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1092264%22%20target%3D%22_blank%22%3E%40IT_Admin_8794%3C%2FA%3E%26nbsp%3BThat%20is%20correct%2C%20we%20would%20still%20continue%20to%20honor%20ETR%20in%20the%20example%20you%20mentioned.%20However%2C%20recommend%20that%20you%20use%20Admin%20Submissions%20to%20submit%20this%20to%20Microsoft%20so%20filters%20can%20improve%20organically.%20Learn%20more%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fadmin-submission%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAdmin%20submissions%20-%20Office%20365%20%7C%20Microsoft%20Docs%3C%2FA%3E.%20We%20are%20also%20working%20on%20an%20enhancement%20to%20the%20tenant%20allow%20block%20list%20where%20you%20could%20add%20a%20partial%20allow%20for%20this.%20This%20should%20be%20available%20later%20this%20year.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2509054%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2509054%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1003813%22%20target%3D%22_blank%22%3E%40Km_MSN%3C%2FA%3E%26nbsp%3BTo%20learn%20about%20settings%20you%20can%20configure%20in%20regards%20to%20your%20question%2C%20please%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fuser-submission%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUser%20reported%20message%20settings%20-%20Office%20365%20%7C%20Microsoft%20Docs%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2509110%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2509110%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20Saini%2C%20worth%20to%20have%20a%20option%20add%20mailbox%20from%20outside%20%22%3CSTRONG%3EMy%20organization's%20mailbox%22%2C%20%3C%2FSTRONG%3Ewhich%20can%20use%20analytical%26nbsp%3Bpurpose%20of%26nbsp%3BThird-party%20reporting%20use%20for%20training%20users.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2529460%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2529460%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3B-%20will%20this%20change%20(blocking%20HPISH%20by%20default%20regardless%20of%20transport%20rule)%20affect%20outbound%20%2F%20internal%20mail%2C%20or%20is%20this%20strictly%20going%20to%20affect%20inbound%20mail%20from%20senders%20outside%20the%20organization.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2530887%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2530887%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F361660%22%20target%3D%22_blank%22%3E%40Rotshak%3C%2FA%3E%26nbsp%3BSecure%20by%20Default%20applies%20to%20inbound%20mail.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2531558%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2531558%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20a%20bit%20worried%20about%20this%20change%20and%20the%20timing.%20Our%20tenant%20still%20doesn't%20have%20the%20'Advanced%20Delivery'%20option%20available%2C%20and%20the%20'%3CSPAN%3ENew-SecOpsOverridePolicy'%20command%20isn't%20included%20in%20the%26nbsp%3BSecurity%20%26amp%3B%20Compliance%20Center%20PowerShell%20module%20version%202.0.5%20(latest%20version%20online)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ESo%20that%20leaves%20us%20with%20no%20option%20to%20prepare%20for%20this%20upcoming%20change%20during%20summer%20break.%20I'm%20leaving%20for%20PTO%20now%2C%20and%20hope%20this%20won't%20break%20our%20SecOps%20mailboxes%20over%20the%20course%20of%20my%20holiday%2C%20and%20the%20service%20we%20offer%20to%20our%20customers.%20Hopefully%20we'll%20get%20enough%20time%20to%20implement.%20ETA%20is%20august%3F%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2533220%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2533220%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1099413%22%20target%3D%22_blank%22%3E%40Tomsan%3C%2FA%3E%26nbsp%3BWe%20appreciate%20your%20patience.%20We%20are%20targeting%20worldwide%20release%20of%20Advanced%20Delivery%20by%20the%20end%20of%20July.%20Once%20Advanced%20Delivery%20is%20released%20(based%20on%20actual%20date)%2C%20we%20will%20ensure%20customers%20have%204%20weeks%20to%20complete%20migration%20to%20the%20new%20feature%20before%20we%20start%20the%20rollout%20of%20Secure%20by%20Default%20for%20ETRs.%20Based%20on%20the%20current%20estimate%20for%20Advanced%20Delivery%2C%20this%20means%20we%20will%20start%20rollout%20of%20Secure%20by%20Default%20end%20of%20August%20and%20complete%20in%20September.%20We%20are%20keeping%20the%20following%20message%20center%20posts%20updated%20with%20timeline%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EMC256473%2C%3C%2FSTRONG%3E%20(Updated)%20Microsoft%20Defender%20for%20Office%20365%3A%20Introducing%20Advanced%20Delivery%20for%20Phishing%20Simulations%20and%20SecOps%20Mailboxes%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMC265759%2C%3C%2FSTRONG%3E%20(Updated)%20Microsoft%20Defender%20for%20Office%20365%3A%20Extending%20Secure%20by%20Default%20for%20Exchange%20Transport%20Rules%20(ETRs)%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2494348%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2494348%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F493434%22%20target%3D%22_blank%22%3E%40BrandonDBC%3C%2FA%3E%26nbsp%3BI%20expect%20customers%20will%20see%20the%20new%20advanced%20delivery%20feature%20in%20their%20tenants%20by%20mid-next%20week.%20I%20have%20submitted%20an%20updated%20to%20communications%20via%20admin%20message%20center%20post%20so%20customers%20get%20the%20updated%20timeline.%20Thanks%20for%20your%20patience!%20Looking%20forward%20to%20getting%20this%20feature%20out%20to%20customers%20soon!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUPDATE%20(9-July)%3A%20Advanced%20Delivery%20GA%20was%20delayed%20until%20end%20of%20July.%20Thanks%20for%20your%20patience.%20You%20can%20get%20the%20latest%20status%20via%20our%20message%20center%20posts%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EMC256473%2C%3C%2FSTRONG%3E%20(Updated)%20Microsoft%20Defender%20for%20Office%20365%3A%20Introducing%20Advanced%20Delivery%20for%20Phishing%20Simulations%20and%20SecOps%20Mailboxes%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMC265759%2C%3C%2FSTRONG%3E%20(Updated)%20Microsoft%20Defender%20for%20Office%20365%3A%20Extending%20Secure%20by%20Default%20for%20Exchange%20Transport%20Rules%20(ETRs)%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2595476%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2595476%22%20slang%3D%22en-US%22%3E%3CP%3EThe%20new%20Advanced%20Delivery%20functionality%20finally%20arrived%20in%20my%20tenant%20today.%26nbsp%3B%20However%2C%20I'm%20finding%20that%20the%20configuration%20options%20are%20not%20sufficient.%26nbsp%3B%20We%20use%20the%20Proofpoint%20Security%20Awareness%20Training%20module%20(formerly%20Wombat).%26nbsp%3B%20Their%20official%20documentation%20lists%202%20IP%20addresses%20and%20137%20domains.%26nbsp%3B%20However%2C%20your%20configuration%20only%20allows%20for%20adding%20up%20to%2010%20domains.%26nbsp%3B%20Am%20I%20missing%20something%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20testing%20shows%20that%20without%20listing%20the%20domain%20being%20used%20in%20the%20simulation%20email%20the%20simulated%20phish%20is%20quarantined.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20seems%20to%20be%20a%20big%20gap%20that%20needs%20a%20solution.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2597889%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2597889%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20the%20same%20issue%20as%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1115964%22%20target%3D%22_blank%22%3E%40Trey_Contello%3C%2FA%3E.%20We%20should%20either%20be%20able%20to%20enter%20all%20the%20domains%20or%20enter%20only%20the%20IPs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2597898%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2597898%22%20slang%3D%22en-US%22%3E%3CP%3ELooks%20like%20improvement%20coming%20in%20September%20to%20use%20the%20DKIM%20domain%20that%20can%20help%20address%20the%20domain%20limitation.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%22%3CSPAN%3EMicrosoft%20Defender%20for%20Office%20365%3A%20DomainKeys%20Identified%20Mail%20(DKIM)%20support%20for%20Advanced%20Delivery%3C%2FSPAN%3E%3C%2FP%3E%3CP%20class%3D%22c-paragraph-3%22%3EWe're%20adding%20support%20for%20DomainKeys%20Identified%20Mail%20(DKIM)%20domains%20to%20our%20advanced%20delivery%20feature%2C%20enabling%20administrators%20to%20use%20DKIM%20domains%20in%20addition%20to%20sending%20domains%20to%20configure%20their%20third-party%20phishing%20simulations.%22%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Froadmap%3Ffilters%3D%26amp%3Bsearchterms%3Ddkim%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20365%20Roadmap%20%7C%20Microsoft%20365%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2601843%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2601843%22%20slang%3D%22en-US%22%3E%3CP%3EReferring%20to%20Configure%20third-party%20phishing%20simulations%20in%20the%20advanced%20delivery%20policy%3B%20like%20Cofense%20Phish%20ME%20simulation%20having%20over%20100%20sending%20domains.%20But%20here%20we%20can%20add%20up%20to%2010%20entries.%20Do%20we%20have%20any%20other%20option%20here%2C%20including%20X-ID%20field%20scanning%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2606586%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2606586%22%20slang%3D%22en-US%22%3E%3CP%3EI%20just%20read%20through%20the%20DKIM%20Support%20for%20Advanced%20Delivery%20article.%26nbsp%3B%20It%20sounds%20like%20it%20will%20address%20the%20issue.%26nbsp%3B%20However%2C%20I'm%20curious%20about%20the%20timing.%26nbsp%3B%20As%20stated%20above%26nbsp%3B%22%3CSPAN%3Ein%20our%20effort%20to%20eliminate%20the%20unintentional%20ETR%20overrides%20of%20malicious%20emails%2C%20we%20needed%20to%20first%20make%20sure%20there%20was%20a%20safe%20way%20for%20customers%20to%20achieve%20the%20above%20two%20goals%20without%20having%20to%20rely%20on%20ETRs%20as%20a%20blunt%20instrument.%22%26nbsp%3B%20As%20of%20now%2C%20it%20does%20not%20seem%20to%20me%20that%20Microsoft%20has%20achieved%20that%20requirement.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20DKIM%20Support%20for%20Advanced%20Delivery%20is%20not%20available%20when%20ETR's%20are%20removed%2C%20then%20my%20understanding%20is%20that%20Microsoft%20will%20be%20sabotaging%20the%20ability%20of%20customers%20to%20run%20simulated%20Phishing%20campaigns.%26nbsp%3B%20It%20is%20commendable%20that%20there%20will%20be%20a%20solution%20in%20the%20future.%26nbsp%3B%20Will%20it%20arrive%20before%20my%20simulated%20phishing%20campaigns%20are%20crippled%3F%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20appreciate%20Microsoft's%20efforts%20here%2C%20but%20is%20Microsoft%20working%20with%20the%20vendors%20that%20provide%20solutions%20in%20this%20space%20to%20provide%20clear%20documentation%20and%20information%20to%20their%20customers%3F%26nbsp%3B%20I'm%20referring%20to%20Knowbe4%2C%20Proofpoint%2C%20Cofense%2C%20etc.%26nbsp%3B%20Do%20those%20vendors%20have%20updated%20KB's%20posted%20on%20their%20support%20sites%20telling%20customers%20how%20do%20deal%20with%20this%20change%3F%26nbsp%3B%20It%20seems%20a%20bit%20obvious%20that%20Microsoft%20should%20be%20taking%20the%20lead%20here%2C%20but%20I'm%20not%20finding%20any%20vendor%20specific%20documentation%20dealing%20with%20this%20change%20anywhere.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20would%20appreciate%20Microsoft%20updating%20us%20on%20this%20question%2Fissue.%26nbsp%3B%20As%20an%20MSP%2C%20I%20run%20a%20lot%20of%20Phishing%20simulations%20with%20a%20lot%20of%20Office%20365%20customers%2C%20and%20don't%20want%20to%20be%20crippled%20because%20Microsoft's%20%22solution%22%20does%20not%20meet%20the%20needs%20of%20their%20customers.%26nbsp%3B%20Anything%20to%20contribute%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2607247%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2607247%22%20slang%3D%22en-US%22%3E%3CP%3ESo%2C%20my%20understanding%20is%20that%20we're%20going%20to%20be%20in%20a%20bit%20of%20a%20bind%20due%20to%20this%20change.%26nbsp%3B%20The%20vendors%20have%20not%20yet%20released%20any%20updated%20documentation.%26nbsp%3B%20So%20I%20can't%20load%20the%20137%20domains%20that%20I%20need%20to%20load%20because%20of%20the%20limitation%20of%2010.%26nbsp%3B%20The%20workaround%20DKIM%20solution%20won't%20be%20ready%20for%20a%20couple%20of%20months%20yet%2C%20and%20then%20will%20be%20useful%20only%20if%20it%20is%20adopted%20and%20enabled%20by%20the%20vendors.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20leaves%20us%20MSP's%20and%20our%20customers%20stuck%20in%20the%20middle%20with%20no%20real%20solution.%26nbsp%3B%20Or%20am%20I%20missing%20something%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20anything%20more%20you%20can%20share%3F%26nbsp%3B%20Are%20the%20vendors%20that%20you%20partnered%20with%20aware%20of%20this%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2607446%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2607446%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1119641%22%20target%3D%22_blank%22%3E%40TreyContello%3C%2FA%3E%26nbsp%3B%3CSPAN%3ERecommend%20reaching%20out%20the%20phishing%20simulation%20vendor%20for%20updated%20guidance.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EWe%20have%20provided%20this%20guidance%20to%20the%20phishing%20simulation%20vendors%20as%20mentioned%20above%20and%20are%20open%20to%20working%20with%20them%20to%20build%20out%20the%20guidance.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2626743%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2626743%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EThank%20you%20for%20your%20articles%20on%20this%20feature.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20few%20follow%20up%20questions%20in%20regards%20to%20this%20feature%20working%20with%20third%20party%20mail%20filters.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-In%20the%20documentation%20it%20mentions%20setting%20up%20Enhanced%20Filtering%20for%20connectors%26nbsp%3B(also%20known%20as%20skip%20listing).%20Will%20this%20advanced%20delivery%20feature%20work%20if%20skip%20listing%20has%20been%20implemented%20correctly%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E-%20The%20documentation%20also%20goes%20on%20to%20say%20%22%3CSPAN%3EIf%20you%20don't%20want%20Enhanced%20Filtering%20for%20Connectors%2C%20use%20mail%20flow%20rules%20(also%20known%20as%20transport%20rules)%20to%20bypass%20Microsoft%20filtering%20for%20messages%20that%20have%20already%20been%20evaluated%20by%20third-party%20filtering.%22%20My%20understanding%20is%20that%20ETR%2Fmail%20flow%20rules%20will%20become%20legacy%20overrides%20and%20will%20no%20longer%20be%20honored.%20Would%20you%20be%20able%20to%20clarifying%20the%20reason%20they%20were%20mentioned%20here%20in%20the%20documentation%3F%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-%20Lastly%2C%20when%20will%20the%20existing%20ETR%20stop%20functioning%20or%20when%20would%20you%20be%20able%20to%20confirmation%20a%20date%20as%20the%20status%20on%20the%20road%20map%20currently%20says%20'rolling%20out'%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advanced%20for%20your%20response!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2628190%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2628190%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3BI%20have%20similar%20concerns%20as%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1123692%22%20target%3D%22_blank%22%3E%40Ian_Finn%3C%2FA%3E.%20We%20have%20customers%20using%20Proofpoint%20in%20front%20of%20EXO%20%2F%20Defender%20and%20have%20configured%20Enhanced%20Filtering%20for%20them.%20The%20way%20I%20understand%20it%2C%20the%20new%20Advanced%20Delivery%20%2F%20Secure%20by%20Default%20features%20will%20potentially%26nbsp%3B%20junk%20%2F%20quarantine%20emails%20that%20hit%20ETRs%20that%20were%20created%20for%20Proofpoint.%20Is%20the%20recommendation%20to%20disable%20Enhanced%20Filtering%20in%20these%20scenarios%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2628203%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2628203%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1123692%22%20target%3D%22_blank%22%3E%40Ian_Finn%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EYes%2C%20Advanced%20Delivery%20will%20work%20regardless%20of%20skip%20listing%20or%20where%20mx%20record%20points.%3C%2FLI%3E%0A%3CLI%3EThis%20is%20the%20case%20where%20a%20customer%20is%20utilizing%20a%20third-party%20filter%20and%20does%20not%20want%20to%20apply%20Microsoft%20Defender%20for%20Offic%20365%20filtering.%20If%20your%20domain's%20MX%20record%20doesn't%20point%20to%20Office%20365%20(messages%20are%20routed%20somewhere%20else%20first)%2C%20Secure%20by%20Default%20will%20not%20apply%20and%20the%20ETRs%20will%20continued%20to%20be%20honored.%3C%2FLI%3E%0A%3CLI%3EPlease%20note%2C%20ETRs%20will%20continue%20to%20be%20available%20and%20function%20as%20intended%2C%20but%20in%20the%20case%20of%20high%20confidence%20phish%20verdicts%2C%20those%20messages%20will%20be%20sent%20to%20quarantine.%20ETRs%20can%20still%20be%20used%20as%20previously%20done%20for%20other%20verdicts%20like%20spam%2C%20normal%20confidence%20phish.%26nbsp%3B%3C%2FLI%3E%0A%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2628383%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2628383%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1009947%22%20target%3D%22_blank%22%3E%40MatthewSilcox%3C%2FA%3E%26nbsp%3BWe%20still%20recommend%20enabling%20Enhanced%20Filtering.%20This%20connector%20setting%20helps%20us%20undersatnd%20that%20there%20is%20another%203rd%20party%20filter%20between%20us%20and%20the%20the%20sender.%20Please%20see%20my%20comments%20above.%20Advanced%20Delivery%20is%20still%20available%20in%20the%20example%20you%20mentioned.%20Also%20note%2C%20Secure%20by%20Default%20will%20not%20apply%20if%20their%20MX%20record%20does%20not%20point%20to%20Office%20365.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2633302%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2633302%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1123692%22%20target%3D%22_blank%22%3E%40Ian_Finn%3C%2FA%3E%26nbsp%3BYes%2C%20confirming%20advanced%20delivery%20is%20available%20regardless%20of%20any%20third%20party%20filtering%20or%20where%20MX%20record%20points.%20You%20would%20just%20need%20to%20configure%20settings%20in%20the%20new%20advanced%20delivery%20policy%20for%20you%20third-party%20phishing%20simulation%20or%20delivery%20for%20a%20security%20operation%20mailbox.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMx%20record%20only%20matters%20for%20Secure%20by%20Default.%20Secure%20by%20Default%20only%20applies%20when%20Mx%20record%20points%20to%20Office%20365.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2307134%22%20slang%3D%22en-US%22%3EMastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2307134%22%20slang%3D%22en-US%22%3E%3CP%3E%3CEM%3EThis%20blog%20is%20part%20two%20of%20a%20three-part%20series%20detailing%20the%20journey%20we%E2%80%99re%20on%20to%20simplify%20the%20configuration%20of%20threat%20protection%20capabilities%20in%20Office%20365%20to%20enable%20best-in%20class%20protection%20for%20our%20customers.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-for-office%2Fmastering-configuration-in-defender-for-office-365-part-one%2Fba-p%2F2300064%22%20target%3D%22_blank%22%3Eprevious%20blog%3C%2FA%3E%20in%20this%20series%2C%20we%20described%20how%20we%20have%20made%20it%20easier%20for%20customers%20to%20understand%20configurations%20gaps%20in%20their%20environment%20with%20recently%20launched%20features%20including%20Preset%20Security%20Policies%2C%20Configuration%20Analyzer%2C%20and%20Override%20Alerts.%20In%20this%20blog%2C%20we%E2%80%99ll%20take%20a%20closer%20look%20at%20additional%20capabilities%20we%20are%20enabling%20in%20the%20product%20as%20we%20continue%20forward%20on%20our%20journey%20to%20block%20malicious%20emails%20from%20being%20delivered%20to%20end%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3ENote%3A%20This%20blog%20has%20been%20updated%20to%20reflect%20changes%20to%20release%20dates.%20%3C%2FPRE%3E%0A%3CH2%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%20id%3D%22toc-hId--471488850%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%20id%3D%22toc-hId-2016023983%22%3ESecure%20by%20Default%3A%20Tackling%20the%20Legacy%20Override%20Problem%3C%2FH2%3E%0A%3CP%3EOne%20of%20the%20challenges%20we%20are%20addressing%20is%20the%20legacy%20override%20problem.%20As%20we%20covered%20in%20the%20first%20blog%2C%20legacy%20overrides%20are%20tenant%20level%20or%20user%20level%20configuration%20that%20instruct%20Office%20365%20to%20deliver%20mail%20even%20when%20the%20system%20has%20determined%20that%20the%20message%20is%20suspicious%20or%20contains%20malicious%20content.%20As%20a%20result%20of%20these%20aging%20and%20overly%20permissive%20overrides%2C%20we%20get%20poorly%20protected%20pockets%20with%20the%20organization%20and%20enable%20malicious%20emails%20to%20be%20delivered%20to%20end%20users.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20combat%20this%2C%20we%20here%20at%20Microsoft%20believe%20it%E2%80%99s%20critical%20to%20keep%20our%20customers%20%E2%80%9Csecure%20by%20default%E2%80%9D.%20We%20have%20determined%20that%20legacy%20overrides%20such%20as%20allowed%20sender%20and%20allowed%20domain%20lists%20in%20anti-spam%20policies%20and%20Safe%20Senders%20in%20Outlook%20tend%20to%20be%20too%20broad%20and%20cause%20more%20harm%20than%20good.%20As%20a%20security%20service%2C%20we%20believe%20it%E2%80%99s%20imperative%20that%20we%20act%20on%20your%20behalf%20to%20prevent%20your%20users%20from%20being%20compromised.%20%3CSTRONG%3EThat%20means%20these%20legacy%20overrides%20are%20no%20longer%20honored%20for%20email%20messages%20we%20believe%20are%20malicious%3C%2FSTRONG%3E.%20We%20already%20apply%20this%20approach%20with%20malware%20messages%20and%20now%20we%20are%20extending%20it%20to%20messages%20with%20high%20confidence%20phish%20verdicts.%20Our%20data%20also%20indicates%20that%20the%20false%20positive%20rate%20(good%20messages%20marked%20as%20bad)%20for%20high%20confidence%20phishing%20messages%20is%20extremely%20low%2C%20adding%20to%20our%20conviction%20about%20this%20approach.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20feels%20like%20a%20critical%20step%2C%20given%20how%20dangerous%20and%20voluminous%20phishing%20messages%20have%20become.%20To%20learn%20more%20about%20the%20current%20threat%20landscape%2C%20please%20check%20out%20our%20annual%20security%20intelligence%20report%2C%20the%20%3CA%20href%3D%22https%3A%2F%2Fquery.prod.cms.rt.microsoft.com%2Fcms%2Fapi%2Fam%2Fbinary%2FRWxPuf%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Digital%20Defense%20Report%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%20id%3D%22toc-hId-208569520%22%3EEnsuring%20that%20users%20cannot%20interact%20with%20malicious%20emails%3C%2FH2%3E%0A%3CP%3EAs%20part%20of%20our%20secure%20by%20default%20focus%2C%20we%E2%80%99ve%20also%20taken%20additional%20steps%20to%20eliminate%20the%20risk%20of%20email%20borne%20threats.%20Essentially%2C%20when%20Microsoft%20is%20confident%20that%20an%20email%20contains%20malicious%20content%2C%20we%20will%20not%20deliver%20the%20message%20to%20users%2C%20regardless%20of%20tenant%20configuration.%20These%20messages%20will%20be%20delivered%20to%20quarantine%2C%20not%20the%20junk%20folder.%20(In%20the%20junk%20folder%2C%20there%20is%20always%20the%20risk%20that%20the%20user%20might%20inadvertently%20release%20them%20to%20the%20inbox).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnly%20admins%20can%20manage%20malware%20or%20high%20confidence%20phish%20messages%20that%20are%20quarantined%2C%20because%20our%20data%20indicates%20that%20a%20user%20is%2030%20times%20more%20likely%20to%20click%20a%20malicious%20link%20in%20messages%20in%20the%20junk%20email%20folder%20versus%20quarantine.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%20id%3D%22toc-hId--1598884943%22%3ERolling%20out%20these%20secure%20by%20default%20changes%3C%2FH2%3E%0A%3CP%3EWe%E2%80%99ve%20taken%20a%20very%20deliberate%20approach%20to%20rolling%20out%20these%20changes%20in%20phases%20to%20ensure%20customers%20are%20not%20surprised%20and%20there%20are%20no%20negative%20side%20effects.%20We%20began%20to%20rollout%20Secure%20by%20Default%20for%20high%20confidence%20phishing%20messages%20by%20the%20override%20type%20starting%20in%20December%20of%20last%20year.%3C%2FP%3E%0A%3CP%3EToday%2C%20we%E2%80%99re%20at%20a%20point%20in%20our%20Secure%20by%20Default%20journey%20where%20the%20following%20overrides%20are%20not%20honored%20for%20malicious%20emails%20(malware%20or%20high%20confidence%20phish%20emails)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EAllowed%20sender%20lists%20or%20allowed%20domain%20lists%20(anti-spam%20policies)%3C%2FLI%3E%0A%3CLI%3EOutlook%20Safe%20Senders%3C%2FLI%3E%0A%3CLI%3EIP%20Allow%20List%20(connection%20filtering)%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20all%20malicious%20emails%20are%20delivered%20to%20quarantine%20by%20default.%3C%2FP%3E%0A%3CP%3ELearn%20more%20about%20how%20we%20are%20keeping%20customers%20secure%20by%20visiting%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fsecure-by-default%3Fview%3Do365-worldwide%23%3A~%3Atext%3DSecurity%252FSecOps%2520mailboxes%253A%2520dedicated%2520mailboxes%2520used%2520by%2520security%2520teams%2Cthe%2520third-party%2520filter%2520will%2520manage%2520the%2520mail%2520filtering.%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%20id%3D%22toc-hId-888627890%22%3EThe%20Next%20Phase%20of%20Secure%20by%20Default%20rollout%20%E2%80%93%20Tackling%20transport%20rules%3C%2FH2%3E%0A%3CP%3EIn%20August%2C%20we%20will%20extend%20Secure%20by%20Default%20to%20cover%20high%20confidence%20phishing%20messages%20for%20the%20remaining%20legacy%20override%20type%2C%20Exchange%20mail%20flow%20rules%20(also%20known%20as%20transport%20rules%20or%20ETRs).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EETRs%20represent%20roughly%2060%25%20of%20the%20high%20confidence%20phish%20message%20override%20volume%20we%20see%2C%20making%20this%20phase%20essential%20in%20achieving%20our%20Secure%20by%20Default%20goal%20for%20customers.%20For%20more%20on%20ETRs%2C%20check%20out%20our%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fuse-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Edocumentation%20on%20mail%20flow%20rules%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20ETRs%20represent%20a%20large%20problem%20space%2C%20it%20is%20complicated%20by%20the%20fact%20that%20customers%20and%20vendors%20have%20come%20to%20rely%20on%20it%20as%20a%20way%20to%20achieve%20two%20specific%20scenarios%20where%20the%20%E2%80%98override%E2%80%99%20of%20malicious%20messages%20is%20quite%20deliberate%20and%20intentional.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EPhish%20simulation%20campaigns%3A%20These%20are%20messages%20that%20Defender%20for%20Office%20365%20routinely%20detects%20as%20being%20malicious%2C%20so%20customers%20put%20ETR%20rules%20in%20place%20to%20direct%20the%20system%20to%20not%20block%20delivery%20of%20these%20messages%20to%20end%20users.%3C%2FLI%3E%0A%3CLI%3ESecurity%20Operations%20mailboxes%3A%20These%20are%20special%20mailboxes%20customers%20setup%20to%20support%20the%20ability%20for%20end%20users%20to%20report%20malicious%20emails%20to%20SecOps%20teams.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3EIn%20both%20these%20cases%2C%20customers%20do%20legitimately%20want%20the%20malicious%20emails%20delivered%20to%20achieve%20a%20very%20specific%20business%20goal.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%2C%20in%20our%20effort%20to%20eliminate%20the%20unintentional%20ETR%20overrides%20of%20malicious%20emails%2C%20we%20needed%20to%20first%20make%20sure%20there%20was%20a%20safe%20way%20for%20customers%20to%20achieve%20the%20above%20two%20goals%20without%20having%20to%20rely%20on%20ETRs%20as%20a%20blunt%20instrument.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%20id%3D%22toc-hId--918826573%22%3EIntroducing%20Advanced%20Delivery%20for%20Phishing%20Simulations%20and%20Security%20Operations%20Mailboxes%3C%2FH2%3E%0A%3CP%3EAs%20we%20covered%20above%2C%20there%20are%20special%20scenarios%20where%20security%20teams%20may%20want%20to%20explicitly%20direct%20that%20high%20confidence%20phish%20are%20delivered.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EThird-party%20phish%20simulations%3C%2FLI%3E%0A%3CLI%3ESecurity%20operations%20mailbox%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECustomers%20have%20asked%20us%20for%20a%20method%20to%20explicitly%20configure%20message%20delivery%20for%20these%20scenarios%20and%20for%20the%20ability%20to%20view%20and%20filter%20these%20messages%20across%20our%20admin%20experiences.%20In%20July%2C%20we%20will%20launch%20the%20new%20Advanced%20Delivery%20capability%20for%20these%20scenarios%2C%20providing%20a%20method%20for%20security%20admins%20to%20explicitly%20configure%20for%20these%20in-product.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22phishsim2.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F276863i7CE5E8AFACFDE751%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22phishsim2.png%22%20alt%3D%22Figure%201%3A%20Configuring%20Third-Party%20Phishing%20Simulation%20Campaigns%20with%20Advanced%20Delivery.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%201%3A%20Configuring%20Third-Party%20Phishing%20Simulation%20Campaigns%20with%20Advanced%20Delivery.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20Advanced%20Delivery%2C%20we%20will%20ensure%20messages%20configured%20as%20part%20of%20these%20scenarios%20are%20handled%20correctly%20across%20the%20product.%20The%20protection%20filters%20will%20respect%20these%20configurations%20and%20not%20block%20these%20messages.%20And%20we%20will%20also%20show%20off%20these%20messages%20with%20the%20appropriate%20annotations%20in%20all%20of%20the%20reporting%2C%20investigation%20and%20security%20experiences%20in%20the%20product%2C%20so%20security%20teams%20and%20admins%20are%20not%20confused%20about%20the%20true%20nature%20of%20these%20messages.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20these%20do%20not%20represent%20a%20real%20threat%20to%20your%20organization%2C%20we%20will%2C%20for%20example%2C%20not%20flag%20the%20messages%20as%20malicious%20and%20inadvertently%20remove%20them%20from%20your%20inbox%2C%20and%20we%E2%80%99ll%20skip%20things%20like%20triggering%20alerts%2C%20detonation%2C%20and%20automated%20investigations.%20However%2C%20admins%20will%20have%20the%20ability%20to%20filter%2C%20analyze%20and%20understand%20messages%20delivered%20due%20to%20these%20special%20scenarios.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22secops%20mbx.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F276862i66A06173C47A4684%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22secops%20mbx.png%22%20alt%3D%22Figure%202%3A%20Configuring%20Security%20Operations%20Mailboxes%20with%20Advanced%20Delivery.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFigure%202%3A%20Configuring%20Security%20Operations%20Mailboxes%20with%20Advanced%20Delivery.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20will%20be%20important%20for%20customers%20who%20are%20utilizing%20ETRs%20to%20configure%20third-party%20party%20phishing%20simulation%20campaigns%20or%20delivery%20for%20security%20operation%20mailboxes%20today%20to%20start%20configuring%20these%20with%20the%20new%20Advanced%20Delivery%20policy%20when%20the%20feature%20is%20launched%20in%20July.%3C%2FP%3E%0A%3CP%3EAfter%20the%20last%20phase%20of%20Secure%20by%20Default%20is%20enabled%20in%20August%2C%20Defender%20for%20Office%20365%20will%20no%20longer%20deliver%20high%20confidence%20phish%2C%20regardless%20of%20any%20explicit%20ETRs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20learn%20more%20about%20the%20new%20advanced%20delivery%20policy%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fconfigure-advanced-delivery%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Elearn%20more%20on%20Microsoft%20Docs.%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%20id%3D%22toc-hId-1568686260%22%3EMaking%20it%20easy%20for%20customers%3C%2FH2%3E%0A%3CP%3EThis%20new%20way%20of%20handling%20phishing%20simulations%20from%203%3CSUP%3Erd%3C%2FSUP%3E%20party%20vendors%20and%20security%20operations%20mailboxes%20is%20cleaner%20and%20offers%20a%20great%20deal%20of%20predictability%20for%20security%20teams.%20We%E2%80%99ve%20seen%20numerous%20occasions%20where%20security%20admins%20and%20SecOps%20members%20have%20been%20stirred%20into%20action%20inadvertently%20because%20of%20lack%20of%20clarity%20in%20this%20regard.%20This%20new%20capability%20above%20eliminates%20all%20that%20confusion.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMost%20significantly%2C%20this%20feature%20makes%20it%20easier%20for%20security%20and%20messaging%20admins%20to%20rest%20assured%20that%20their%20ETR%20rules%20cannot%20impact%20the%20protection%20of%20their%20users%2C%20and%20prevents%20them%20from%20having%20to%20manually%20inspect%20all%20of%20their%20ETR%20rules%20(a%20daunting%20task)%20to%20guarantee%20that.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%20id%3D%22toc-hId--238768203%22%3EStay%20tuned...%3C%2FH2%3E%0A%3CP%3EWe%20covered%20here%20additional%20changes%20we%E2%80%99ve%20made%20to%20help%20customers%20understand%20configuration%20gaps%20and%20the%20capabilities%20we%E2%80%99ve%20launched%20to%20eliminate%20the%20legacy%20override%20problem.%20In%20the%20next%20blog%2C%20we%20will%20share%20details%20about%20additional%20features%20we%20are%20building%20to%20further%20eliminate%20the%20configuration%20gap%20problem%20in%20the%20case%20where%20customers%20may%20be%20unaware%20of%20security%20policy%20features%20available%20to%20them%20and%20have%20not%20turned%20these%20on.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EDo%20you%20have%20questions%20or%20feedback%20about%20Microsoft%20Defender%20for%20Office%20365%3F%20Engage%20with%20the%20community%20and%20Microsoft%20experts%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMDOForum%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDefender%20for%20Office%20365%20forum%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2307134%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EThis%20blog%20is%20part%20two%20of%20a%20three-part%20series%20on%20simplifying%20configuration%20of%20threat%20protection%20in%20Office%20365.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22config%20teaser%202.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F276864i0F9174C4C07255EC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22config%20teaser%202.png%22%20alt%3D%22config%20teaser%202.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2307134%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAwareness%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EConfiguration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMastering%20Configuration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPrevention%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecure%20Posture%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2674020%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2674020%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20for%20that%20confirmation.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20testing%20this%20in%20environments%20with%20a%20third%20party%20filter%2C%20it%20seems%20that%20some%20emails%20are%20still%20being%20scanned.%20Is%20there%20any%20way%20to%20identify%2Fconfirm%20if%20Advanced%20Delivery%20is%20being%20applied%3F%20Previously%20with%20mail%20flow%20rules%20you%20could%20determine%20this%20through%20the%20message%20events.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20there%20is%20set%20date%20for%20when%20ETRs%20will%20no%20longer%20deliver%26nbsp%3Bcase%20of%20high%20confidence%20phish%20verdicts%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2630027%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2630027%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20to%20clarify%2C%20you%20said%20advanced%20delivery%20works%20regardless%20of%20skip%20listing%20or%20where%20mx%20record%20points.%20Does%20that%20mean%20this%20feature%20will%20work%20with%20any%20third-party%20filter%20without%20additional%20configuration%3F%26nbsp%3B%3CSPAN%3EI%20would%20just%20like%20to%20know%20exactly%20what%20options%20are%20available%20to%20have%20Advanced%20Delivery%20function%20correctly%20with%20third-party%20filters.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20understanding%20was%20one%20of%20the%20below%20options%20were%20required%20but%20it%20would%20be%20great%20if%20you%20could%20confirm.%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Have%20your%20domain%20MX%20record%20point%20to%20Office365%3C%2FP%3E%3CP%3E2.%26nbsp%3BSet%20up%26nbsp%3B%3CSPAN%3EEnhanced%20Filtering%20for%20connectors%26nbsp%3B(skip%20listing)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2717084%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2717084%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3BI%20use%20a%20phishing%20simulation%20solution%20that%20use%20over%20130%20domains%20that%20they%20own%20and%20are%20individually%20DKIM%20registered%2C%20will%20this%20new%20DKIM%20functionality%20allow%20me%20to%20whitelist%20all%20domains%20or%20just%20the%2010%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2728190%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2728190%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3Bhave%20you%20had%20the%20chance%20to%20look%20into%20my%20query%2C%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2607016%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2607016%22%20slang%3D%22en-US%22%3E%3CDIV%20class%3D%22lia-spoiler-container%22%3E%3CA%20class%3D%22lia-spoiler-link%22%20href%3D%22%23%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%20target%3D%22_blank%22%3ESpoiler%3C%2FA%3E%3CNOSCRIPT%3E(Highlight%20to%20read)%3C%2FNOSCRIPT%3E%3CDIV%20class%3D%22lia-spoiler-border%22%3E%3CDIV%20class%3D%22lia-spoiler-content%22%3EEdit%3A%209%2F10%2F21.%20To%20clarify%2C%20partner%20outreach%20to%20%3CSTRONG%3Eseveral%3C%2FSTRONG%3E%20major%20phishing%20simulation%20vendors%20was%20complete%20(not%20all).%20We%20will%20continue%20to%20evaluate%20solution%20and%20are%20open%20to%20engaging%20with%20phishing%20simulation%20vendors%20on%20their%20phishing%20simulation%20solution%20and%20how%20to%20best%20configure%20with%20Defender%20for%20Office%20for%20their%20customers.%3C%2FDIV%3E%3CNOSCRIPT%3E%3CDIV%20class%3D%22lia-spoiler-noscript-container%22%3E%3CDIV%20class%3D%22lia-spoiler-noscript-content%22%3EEdit%3A%209%2F10%2F21.%20To%20clarify%2C%20partner%20outreach%20to%20several%20major%20phishing%20simulation%20vendors%20was%20complete%20(not%20all).%20We%20will%20continue%20to%20evaluate%20solution%20and%20are%20open%20to%20engaging%20with%20phishing%20simulation%20vendors%20on%20their%20phishing%20simulation%20solution%20and%20how%20to%20best%20configure%20with%20Defender%20for%20Office%20for%20their%20customers.%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FNOSCRIPT%3E%3C%2FDIV%3E%3C%2FDIV%3E%0A%3CP%3EHello%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1119641%22%20target%3D%22_blank%22%3E%40TreyContello%3C%2FA%3E%20--%20Yes%2C%20Microsoft%20has%20worked%20with%20vendors%20across%20the%20industry%20in%20preparation%20for%20the%20release%20of%20Advanced%20Delivery.%20We%20provided%20pre-release%20documentation%20to%20%3CSTRIKE%3Eall%3C%2FSTRIKE%3E%20several%26nbsp%3Bmajor%20phishing%20simulation%20vendors%20and%20we%20invited%20them%20to%20meet%20with%20us%20and%20provide%20feedback.%20This%20allowed%20for%20design%20feedback%20as%20well%20as%20provided%20the%20phishing%20simulation%20vendors%20with%20time%20to%20plan%20for%20the%20change%20as%20well%20as%20update%20documentation%2Fcommunication%20to%20their%20respective%20customers.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20noted%20in%20a%20couple%20of%20the%20above%20comments%2C%20we%20are%20adding%20one%20additional%20secure%20option%20for%20phishing%20simulation%20vendors%20-%20the%20ability%20to%20specify%20a%20DKIM%20domain.%20This%20is%20targeted%20to%20roll%20out%20in%20September%20(Please%20see%20M365%20Roadmap%20item%3A%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Froadmap%3Ffilters%3D%26amp%3Bsearchterms%3D82083%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EFeature%20ID%2082083%3C%2FA%3E).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20example%2C%20if%20specifying%2010%20sending%20domains%20doesn%E2%80%99t%20meet%20a%20phishing%20simulation%20vendor's%20needs%2C%20they%20could%20instead%20sign%20all%20of%20their%20messages%20with%20a%20particular%20phishing%20simulation%20vendor%20DKIM%20domain.%20The%20security%20admin%20(end%20user%20customer)%20would%20then%20have%20the%20option%20to%20enter%20either%20sending%20domain%20or%20phish%20sim%20vendor's%20DKIM%20domain%20via%20the%20new%20advanced%20delivery%20policy%20based%20on%20the%20phishing%20simulation%20vendor's%20guidance.%20The%20DKIM%20domain%20creates%20another%20secure%20option%20giving%20customers%20the%20flexibility%20to%20utilize%20sending%20domains%20and%2For%20DKIM%20domains.%20In%20order%20for%20this%20option%20to%20work%2C%20the%20phishing%20simulation%20vendor%20will%20need%20to%20implement%20DKIM%20domain%20in%20their%20phishing%20simulation%20offerings%20to%20customers.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdding%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F208414%22%20target%3D%22_blank%22%3E%40Jenelle%20Sujat%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1003813%22%20target%3D%22_blank%22%3E%40Km_MSN%3C%2FA%3E%26nbsp%3Bfor%20questions%20along%20similar%20thread%20--%20Confirming%20that%20advanced%20delivery%20requires%20a%20message%20match%20on%20at%20least%201%20sending%20domain%20and%20at%20least%20sending%20IP%20and%20that%20each%20field%20has%20a%20limit%20of%2010%20entries.%20Several%20design%20options%20were%20vetted%20before%20landing%20on%20this%20solution.%20The%20DKIM%20domain%20option%20mentioned%20above%20is%20another%20option%20for%20phishing%20simulation%20vendors%20that%20will%20release%20in%20September.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2740492%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2740492%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F185466%22%20target%3D%22_blank%22%3E%40Simon%20Khera%3C%2FA%3E%2C%26nbsp%3BThe%20DKIM%20domain%20enhancement%20to%20Advanced%20Delivery%20is%20expected%20to%20release%20at%20the%20end%20of%20September.%26nbsp%3B(Please%20see%20M365%20Roadmap%20item%3A%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Froadmap%3Ffilters%3D%26amp%3Bsearchterms%3D82083%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EFeature%20ID%2082083%3C%2FA%3E).%20As%20mentioned%20in%20my%20above%20response%20to%20a%20similar%20question%3A%20If%20specifying%2010%20sending%20domains%20doesn%E2%80%99t%20meet%20a%20phishing%20simulation%20vendor's%20needs%2C%20t%3CU%3Ehey%20could%20instead%20sign%20all%20of%20their%20messages%20with%20a%26nbsp%3Bphishing%20simulation%20vendor%20DKIM%20domain%3C%2FU%3E.%20The%20limit%20on%20the%20domain%20field%20is%20still%2010%20(can%20be%20a%20mix%20of%20P1%20sending%20domains%20and%20DKIM%20domains).%20The%20security%20admin%20(end%20user%20customer)%20would%20then%20have%20the%20option%20to%20enter%20either%20sending%20domain%20or%20the%20one%20phish%20sim%20vendor's%20DKIM%20domain%20via%20the%20new%20advanced%20delivery%20policy%20based%20on%20the%20phishing%20simulation%20vendor's%20guidance.%20The%20DKIM%20domain%20creates%20another%20secure%20option%20giving%20customers%20the%20flexibility%20to%20utilize%20sending%20domains%20and%2For%20DKIM%20domains.%20In%20order%20for%20this%20option%20to%20work%2C%20the%20phishing%20simulation%20vendor%20will%20need%20to%20implement%20DKIM%20domain%20in%20their%20phishing%20simulation%20offerings%20to%20customers.%20We%20will%20continue%20to%20evaluate%20the%20solution%20and%20welcome%20engaging%20and%20collaborating%20with%20phishing%20simulation%20vendors%20on%20their%20specific%20phishing%20simulation%20campaign%20needs%20and%20how%20to%20best%20configure%20in%20Defender%20for%20Office%20365%20with%20security%20in%20mind.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EPlease%20stay%20tuned%20for%20more%20info.%20We%20will%20be%20releasing%20a%20message%20center%20post%20for%20the%20upcoming%20release%20with%20additional%20details%20shortly.%20%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2740535%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2740535%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1123692%22%20target%3D%22_blank%22%3E%40Ian_Finn%3C%2FA%3E%26nbsp%3Bplease%20submit%20a%20support%20ticket%20for%20the%20team%20to%20investigate%20and%20look%20into%20the%20details.%20Secure%20by%20Default%20for%20ETRs%20rollout%20has%20begun%20and%20will%20complete%20by%20end%20of%20September.%20Please%20see%20message%20center%20post%26nbsp%3B%3CSTRONG%3EMC265759%26nbsp%3B%3C%2FSTRONG%3Efor%20details.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2745637%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2745637%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%26nbsp%3Bhowever%20this%20does%20not%20help%20us%20as%20our%20provider%20own%20all%20of%20their%20domains%20and%20all%20emails%20are%20DKIM%20registered%20to%20their%20own%20domain%20along%20with%20having%20DMARC%20and%20SPF%2C%20surely%20this%20is%20the%20correct%20way%20of%20setting%20up%20these%20Phish%20emails%20rather%20than%20sending%20from%20one%20domain%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2802670%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2802670%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20all%20those%20of%20you%20who%20like%20us%20have%20had%20our%20Phishing%20testing%20completely%20destroyed%20by%20Microsoft%20which%20in%20turn%20messed%20up%20some%20of%20our%20mandatory%20compliance%20testing%20we%20do%20as%20a%20Health%20Care%20organization%20I%20present%20the%20solution%20we%20used%20to%20get%20around%20this%20boneheaded%20move%20of%20Microsoft's.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESince%20there%20was%20no%20way%20to%20get%20Microsoft%20to%20allow%20the%20mail%20from%20our%20Phishing%20Provider%2C%20KnowBe4%2C%20within%20the%20limited%20confines%20of%20the%20new%20system%20I%20decided%20to%20just%20let%20Microsoft%20quarantine%20them%20all%20and%20then%20use%20some%20Powershell%20to%20release%20the%20ones%20that%20I%20wanted.%26nbsp%3B%20This%20can%20be%20run%20manually%20or%20as%20part%20of%20a%20regular%20timed%20script%20.%26nbsp%3B%20You%20only%20need%20to%20make%20changes%20to%20to%20the%20two%20variables%20on%20likes%205%20(%24HoursBack)%2C%20which%20dictates%20how%20far%20back%20in%20the%20quarantine%20the%20scripts%20looks%2C%20and%20line%208%20(%24MessageIDFilter)%2C%20which%20dictates%20how%20to%20match%20the%20MessageID%20field%20which%20for%20us%20being%20KnowBe4%20looks%20like%20%22*%40psm.knowbe4.com*%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%20others%20in%20the%20mess.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3E%24i%20%3D%200%0A%24SetSize%20%3D%201000%0A%0A%23%20Set%20how%20many%20hours%20back%20you%20wish%20the%20script%20to%20look.%0A%24HoursBack%20%3D%20-1%0A%0A%23%20Set%20the%20MessageID%20filter%20you%20wish%20to%20use.%20(Example%20%22*%40psm.knowbe4.com*%22%20for%20KnowBe4)%0A%24MessageIDFilter%20%3D%20%22*%40psm.knowbe4.com*%22%0A%0AWhile%20(%24SetSize%20-gt%200)%20%7B%0A%20%0A%20%24i%2B%2B%0A%20%24CurrentSet%20%3D%20Get-QuarantineMessage%20-StartReceivedDate%20(Get-Date).AddHours(%24HoursBack)%20-EndReceivedDate%20(Get-Date)%20-Page%20%24i%20-PageSize%201000%0A%20%24FilteredSet%20%3D%20%24CurrentSet%20%7C%20Where-Object%20%7B%24_.MessageID%20-like%20%24MessageIDFilter%7D%0A%20Write-Host%20%22Round%20%24(%24i)%3A%20CurrentSet%20%3D%20%24(%24CurrentSet.count)%20and%20FilteredSet%20%3D%20%24(%24FilteredSet.count)%20-%20Releasing%20Messages%22%0A%20%24FilterCount%20%3D%200%0A%20%24FilteredSet%20%7C%20%25%20%7B%0A%20%20%24FilterCount%2B%2B%0A%20%20%24FilterPercentage%20%3D%20%24FilterCount%20%2F%20%24FilteredSet.count%20*%20100%0A%20%20%24FilterPercentage%20%3D%20%5Bmath%5D%3A%3ARound(%24FilterPercentage%2C%202)%0A%20%20Write-Progress%20-Activity%20%22Releasing%20Messages%3A%20%24(%24FilterCount)%20-%20Round%3A%20%24(%24i)%22%20-Status%20%22%24(%24FilterPercentage)%25%20Complete%3A%22%20-PercentComplete%20%24FilterPercentage%0A%20%20Release-QuarantineMessage%20-ReleaseToAll%20-Identity%20%24_.Identity%7D%0A%20%24SetSize%20%3D%20%24CurrentSet.count%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2502509%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2502509%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20this%20by%20default%20to%20all%20excahnge%20online%20plans%20or%20any%20specific%20license%20is%20requried%3F%20Thanks%2C%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2862989%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2862989%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20a%20very%20interesting%20post%20and%20even%20more%20interesting%20comments!%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EQ%20for%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F837994%22%20target%3D%22_blank%22%3E%40Sundeep_Saini%3C%2FA%3E%3A%20Is%20there%20a%20way%20to%20verify%20that%20the%20DKIM%20support%20for%20Advanced%20Delivery%20Policy%20(feature%20ID%26nbsp%3BFeature%20ID%2082083)%26nbsp%3Bis%20activated%20for%20a%20specific%20customer%3F%20I%20noticed%20the%20text%20in%20the%20top%20of%20the%20%22Edit%20third%20party%20phishing%20simulations%22%20window%26nbsp%3Bnow%20mention%20DKIM%20-%20does%20that%20mean%20it's%20avaliable%20to%20use%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2863125%22%20slang%3D%22en-US%22%3ERe%3A%20Mastering%20Configuration%20in%20Defender%20for%20Office%20365%20-%20Part%20Two%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2863125%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1190182%22%20target%3D%22_blank%22%3E%40Rikardz%3C%2FA%3E%2C%20the%20DKIM%20support%20for%20Advanced%20Delivery%20Policy%20(Feature%20ID%2082083)%20was%20launched%201st%20week%20of%20October%20and%20is%20available%20to%20tenants%20worldwide.%20Rollout%20to%20gov%20clouds%20is%20still%20in%20progress%20and%20will%20complete%20by%20end%20of%20month.%20Since%20you%20see%20the%20mention%20of%20DKIM%20-%20I%20believe%20you%20do%20indeed%20have%20it%20enabled%20for%20your%20tenant.%20If%20you%20run%20into%20any%20issues%2C%20please%20open%20up%20a%20support%20case.%20I%20believe%20you%20are%20all%20set!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Aug 12 2021 10:59 AM
Updated by: