
Additional Configuration - Microsoft

Key Microsoft policies to configure when setting up your Secure Schools phishing simulations

This guide is for informational purposes only and is based on publicly available procedures to bypass image filters within Microsoft Defender, Microsoft Exchange, and related products to accommodate security testing platforms, and was authored with the assistance of AI. (Sources)

If you encounter any issues with these steps, please get in touch with your usual support representative at Microsoft directly. 

Outlook (both desktop and web) may block automatic image downloads by default for untrusted senders to protect users from web beacons and malicious content.

The most effective administrative solution to ensure images load automatically without user intervention is to use Exchange Online PowerShell to centrally configure the phishing simulation's sending domains as Trusted Senders and Domains for all user mailboxes.


Recommended Solution: PowerShell to Add to Safe Senders

The Safe Senders List in Outlook is a mechanism that instructs the client (desktop or web) to download images from a specific sender or domain automatically. By applying this setting organisation-wide via PowerShell, you bypass the manual process for every user.

  1. Review the necessary domains and/or email addresses:
    Get the exact sending domains from our Domains and IP Addresses article.

  2. Connect to Exchange Online PowerShell:
    You will need administrative credentials with the necessary permissions (e.g., Exchange Administrator or Organisation Management role).
    In PowerShell:
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -UserPrincipalName your_admin_account@yourdomain.com

  3. Define the Domains/Senders: Create an array of the domains and/or email addresses you want to whitelist.
    In PowerShell:
    $domains = @("phishing-domain-1.com", "phishing-domain-2.net", "no-reply@phishingsender.com")

  4. Add to All Mailboxes: Use the Set-MailboxJunkEmailConfiguration cmdlet to add the domains to the TrustedSendersAndDomains list for all user mailboxes.
    In PowerShell:
    $mailboxes = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

    # @{Add = ...} accepts the whole array, so one call per mailbox adds every
    # domain at once; there is no need for a nested per-domain loop.
    foreach ($mbx in $mailboxes) {
        Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity -TrustedSendersAndDomains @{Add = $domains}
    }
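Putting steps 2 to 4 together, as an added example (not Secure Schools' or Microsoft's own script): one call per mailbox, failures collected instead of stopping the run, a check that every mailbox actually holds the entries, and the same function with -Action Remove to take them out again once the campaign ends, because a safe-sender entry also stops Outlook treating mail from that sender as junk. The module, the admin role and the placeholder domains are assumptions; replace the domains with the exact values from the Domains and IP Addresses article.

```powershell
# Added example, not the vendor's script. Assumes the ExchangeOnlineManagement
# module is installed and the account holds Exchange Administrator or
# Organisation Management. Domain values below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName your_admin_account@yourdomain.com

$simulationSenders = @("phishing-domain-1.com", "phishing-domain-2.net", "no-reply@phishingsender.com")

function Set-SimulationSafeSenders {
    param(
        [Parameter(Mandatory)][string[]]$Senders,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    # Add and Remove use the same multi-valued property syntax; the whole array goes in one call.
    $change = if ($Action -eq 'Add') { @{Add = $Senders} } else { @{Remove = $Senders} }
    $failed = @()
    foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
        try {
            Set-MailboxJunkEmailConfiguration -Identity $mbx.Identity `
                -TrustedSendersAndDomains $change -ErrorAction Stop
        } catch {
            # Keep going; report the mailboxes that did not take the change at the end.
            $failed += [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Error = $_.Exception.Message }
        }
    }
    return $failed
}

function Test-SimulationSafeSenders {
    param([Parameter(Mandatory)][string[]]$Senders)
    # Reads the list back from each mailbox and returns only mailboxes missing an entry.
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | ForEach-Object {
        $current = (Get-MailboxJunkEmailConfiguration -Identity $_.Identity).TrustedSendersAndDomains
        $missing = @($Senders | Where-Object { $current -notcontains $_ })
        [pscustomobject]@{ Mailbox = $_.PrimarySmtpAddress; Missing = ($missing -join ', ') }
    } | Where-Object { $_.Missing }
}

# Before the campaign: apply, then confirm nothing was skipped.
Set-SimulationSafeSenders -Senders $simulationSenders | Format-Table -AutoSize
Test-SimulationSafeSenders -Senders $simulationSenders | Format-Table -AutoSize

# After the campaign: remove the entries so the simulation domains are no longer exempt from junk filtering.
# Set-SimulationSafeSenders -Senders $simulationSenders -Action Remove

Disconnect-ExchangeOnline -Confirm:$false
```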

Why this works for both desktop and web:

The Safe Senders List is stored in the user's mailbox settings on the Exchange Online server. The classic Outlook desktop client, the new Outlook desktop client and Outlook on the web all consult this list to determine whether images should be loaded automatically.


Note that Microsoft is transitioning users to the "New Outlook" desktop application, which is a wrapper around Outlook on the web. Some older whitelisting methods (like certain Group Policy settings that only worked for the classic Outlook desktop client) may no longer apply. The PowerShell method for TrustedSendersAndDomains and the Advanced Delivery Policy are the most future-proof and centrally managed ways to address both image loading and delivery for your mixed environment.



Additional Allowlisting Steps

While the PowerShell method handles the image display, you should also ensure the emails don't get quarantined or flagged as junk in the first place, as this would also prevent image loading.

Full details of these steps can be found on our knowledgebase here:


Always get the most current and complete list of exact IP addresses listed in our article here: Domains and IP Addresses. Note that these lists can change over time. Using an outdated list will result in failed delivery.