
Additional Configuration - Microsoft

Key Microsoft policies to configure when setting up your Secure Schools phishing simulations

Last updated - June 9, 2026

This guide is for informational purposes only and is based on publicly available procedures to bypass image filters within Microsoft Defender, Microsoft Exchange, and related products to accommodate security testing platforms, and was authored with the assistance of AI. (Sources)

If you encounter any issues with these steps, please get in touch with your usual support representative at Microsoft directly. 

Outlook (both desktop and web) may block automatic image downloads by default for untrusted senders to protect users from web beacons and malicious content.

The most effective administrative solution to ensure images load automatically without user intervention is to use Exchange Online PowerShell to centrally configure the phishing simulation's sending domains as Trusted Senders and Domains for user mailboxes.

PowerShell to Add to Safe Senders

The Safe Senders List in Outlook instructs the client (desktop or web) to automatically download images from a specific sender or domain. By applying this setting organisation-wide via PowerShell, you bypass the manual process for every user.

1. Review the necessary domains and/or email addresses:

Get the exact sending domains from our Domains and IP Addresses article.

2. Connect to Exchange Online PowerShell:

You will need administrative credentials with the necessary permissions (e.g., Exchange Administrator or Organisation Management role). In PowerShell:

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName your_admin_account@yourdomain.com

3. Define the Domains/Senders

Create an array of the domains and/or email addresses you want to allow. In PowerShell:

$domains = @("phishing-domain-1.com", "phishing-domain-2.net", "no-reply@phishingsender.com")

4. Add to Existing Mailboxes:

Use the Set-MailboxJunkEmailConfiguration cmdlet to add the domains to the TrustedSendersAndDomains list for all current user mailboxes. (Note: We include -ErrorAction SilentlyContinue because Microsoft will report an error if a mailbox is brand new and has never been logged into by the user).

In PowerShell:

# Fetch every user mailbox (-ResultSize Unlimited lifts the default 1000-result cap)
$mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

foreach ($mbx in $mailboxes) {
    # @{Add = ...} appends to the existing list rather than replacing it
    Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity -TrustedSendersAndDomains @{Add = $domains} -ErrorAction SilentlyContinue
}

5. Addressing Future Users (Important)

The PowerShell command above only applies to mailboxes that exist at the time the script is run. It will not automatically persist to new users added in the future.

To ensure new staff or students also automatically download simulation images, you must do one of the following:

  • Automate the script: Set up an Azure Automation Runbook or a local Scheduled Task to run this script on a recurring schedule (e.g., daily). The SilentlyContinue flag ensures it safely skips brand-new accounts until they are fully initialised.
  • Update your onboarding process: Add running this script (or manually adding the individual user to the safe senders list) to your IT department's standard new-user provisioning checklist.
  • Use Group Policy/Intune (Alternative): If your organisation only needs to support the classic Outlook desktop client on managed Windows devices, you can deploy the Safe Senders list centrally via GPO or Intune. (Note: This does not apply to Outlook on the web or the "New Outlook" client).
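As an added example that is not Secure Schools' or Microsoft's own script, here is a version of steps 2 to 5 written for the recurring run described above: it signs in unattended with an app registration, adds only the entries a mailbox is still missing, and records which mailboxes were skipped so that each change to the safe-senders list can be audited. The app ID, certificate thumbprint, tenant name and domain list are placeholders.

```powershell
# Added example, not the vendor's or Microsoft's own script.
# Assumes certificate-based (app-only) authentication has been set up for unattended runs.
# All values in angle brackets and the domain list are placeholders.

$domains = @("phishing-domain-1.com", "no-reply@phishingsender.com")  # placeholder list from step 3

# Unattended sign-in for a runbook or scheduled task; replace with your own app registration values.
Connect-ExchangeOnline -AppId "<app-id>" -CertificateThumbprint "<thumbprint>" `
    -Organization "yourdomain.onmicrosoft.com" -ShowBanner:$false

$report = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    try {
        # Read the current list first so the run is idempotent and the change is visible.
        $current = (Get-MailboxJunkEmailConfiguration -Identity $mbx.Identity -ErrorAction Stop).TrustedSendersAndDomains
        $missing = $domains | Where-Object { $current -notcontains $_ }
        if ($missing) {
            Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity `
                -TrustedSendersAndDomains @{Add = $missing} -ErrorAction Stop
            $status = "Added: $($missing -join ', ')"
        } else {
            $status = "Already present"
        }
    } catch {
        # Usually a brand-new mailbox that has never been opened; it is retried on the next scheduled run.
        $status = "Skipped: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Status = $status }
}

# Keep a dated record of every run so additions to the safe-senders list stay reviewable.
$report | Export-Csv -Path ("SafeSenders-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
$report | Where-Object Status -like "Skipped*" | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Mailboxes that appear under "Skipped" on consecutive runs, or entries in the CSV that you did not expect to add, are worth checking by hand before the next scheduled run.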

Why this works for both desktop and web:

The Safe Senders List is stored in the user's mailbox settings on the Exchange Online server. The classic Outlook desktop client, the new Outlook desktop client, and Outlook on the web all consult this list to determine if images should be loaded automatically.

Note that Microsoft is transitioning users to the "New Outlook" desktop application, which is a wrapper around Outlook on the web. Some older whitelisting methods (such as certain Group Policy settings that only worked for the classic Outlook desktop client) may no longer apply. The PowerShell method for TrustedSendersAndDomains and the Advanced Delivery Policy are the most future-proof and centrally managed ways to address both image loading and delivery for your mixed environment.


Additional Allowlisting Steps

While the PowerShell method handles image display, you should also ensure emails aren't quarantined or flagged as junk in the first place, as this would also prevent image loading.

Full details of these steps can be found on our knowledge base here:


Always get the most current and complete list of exact IP addresses listed in our article here: Domains and IP Addresses. Note that these lists can change over time. Using an outdated list will result in failed delivery.