How do I configure M365 to allow phishing emails through?

A quick mail transport rule should do the trick!

Written by Brian Johnson
Updated over a year ago

7 Minute Security's phishing exercises are typically designed to test the end-users rather than the technical controls protecting email inboxes. So during the process, we may ask you to allowlist our phishing domain within M365 so that the emails come through without being gobbled by spam filters. To do this:

  1. Navigate to https://admin.exchange.microsoft.com/ and log in with an M365 admin account.

  2. In the navigation tree on the left side, head to Mail flow > Rules

  3. Click Add a rule > Create New Rule:

  4. Give the rule an appropriate name, and then under Apply this rule if, choose The sender. Then set the condition for The sender to be domain is, and type in the phishing domain name 7 Minute Security will give you. Below is an example where the phishing domain name is domain.com:

  5. Next, under Do the following, click the drop-down menu and choose Modify the message properties, then set the action to set a message header. Set the message header to X-MS-Exchange-Organization-BypassClutter and the value to true:

  6. Click the + next to set a message header so that a new condition is created:

  7. Under And, click the drop-down and choose Modify the message properties again. Then in the next drop-down, choose set the spam confidence level (SCL) and set it to Bypass spam filtering. Note that even when you choose Bypass spam filtering it is reflected as a value of '-1' when settings are saved (this is totally fine):

  8. Click Next near the lower left of this open window.

  9. At the next screen, leave all values at their defaults, but make sure you also click Activate this rule on (so that the rule gets enabled) and then click Next:

  10. At the next screen, review the rule and then click Finish to enable it.

  11. Have 7 Minute Security send a test phishing campaign through to a few designated users. The email should land directly in user inboxes, and not drop into the Junk Email folder.

    If you don't see the email in the inbox or junk folders, it may have gone into your email quarantine at https://security.microsoft.com/quarantine:


    If the email shows up in quarantine as pictured above, double-check your mail flow rule and contact 7 Minute Security for further support.
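
The same rule can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original article or 7 Minute Security's own tooling; it assumes the ExchangeOnlineManagement module is installed, and the rule name and `domain.com` are placeholders. It also lists every rule that bypasses spam filtering, so the allowlist entry is easy to find and remove once the assessment is over.

```powershell
# Added example: PowerShell equivalent of steps 1-10 above.
# Assumptions: ExchangeOnlineManagement module is installed; $PhishDomain and
# $RuleName are placeholders, not values supplied by 7 Minute Security.
$PhishDomain = 'domain.com'
$RuleName    = "Phishing assessment allow - $PhishDomain"

# Step 1: sign in with an M365 admin account.
Connect-ExchangeOnline

# Do not create a second rule with the same name.
if (Get-TransportRule | Where-Object { $_.Name -eq $RuleName }) {
    throw "A mail flow rule named '$RuleName' already exists."
}

# Steps 4-10: match on the sender's domain, set the BypassClutter header,
# set SCL to -1 (shown as "Bypass spam filtering" in the UI), and enable the rule.
$rule = @{
    Name           = $RuleName
    SenderDomainIs = $PhishDomain
    SetHeaderName  = 'X-MS-Exchange-Organization-BypassClutter'
    SetHeaderValue = 'true'
    SetSCL         = -1
    Enabled        = $true
    Comments       = 'Allowlist for phishing assessment; remove when the engagement ends.'
}
New-TransportRule @rule

# Confirm the saved rule has the expected condition and actions.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SenderDomainIs, SetHeaderName, SetHeaderValue, SetSCL

# Audit: every mail flow rule in the tenant that bypasses spam filtering.
Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 } |
    Format-Table Name, State, SenderDomainIs -AutoSize

# When the assessment is finished, remove the allowlist rule:
# Remove-TransportRule -Identity $RuleName -Confirm:$false
```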
