Whitelisting Overview - For Phishing Simulations

Here's what the whitelisting process looks like: 

Before a phishing simulation

  1. Whitelist across all of your systems using the guides
  2. Test the delivery of the phishing email
  3. Troubleshoot in case of failed delivery  
  4. Configure Mail Connector as a last troubleshooting measure 

After a phishing simulation

Remember to remove the whitelisting after the campaign is complete. 

 

In this article, we guide you through each step of the process. Let's go!

Introduction

All organisations use tools/systems that protect them from receiving malicious emails. These tools are part of the normal tech-stack provided by Microsoft (Defender) and Google. They are constantly updated and give organisations a strong foundation for avoiding email attacks.  

Some organisations choose to use additional tools to protect against the threat of malicious emails.  

In all cases, there is a need to configure these systems/tools correctly before running simulated phishing campaigns. This process is known as “whitelisting”. Whitelisting ensures simulations can get past your security systems. 

You might be able to do the whitelisting yourself, or you might need assistance from your IT administrator or external IT provider. 

It is your responsibility to whitelist within all the security tools your organisation uses. Your Customer Success Manager will support you.  

 

What is whitelisting and why we ask you to do it 

When you whitelist within your relevant systems, you temporarily or permanently tell your security tools to trust a sender/domain/URL. You essentially instruct your relevant systems that the emails you have whitelisted should not be subject to the normal scanning/blocking policies. 

Whitelisting serves two important purposes.  

  1. Email delivery. It prevents the simulated phishing email from being stopped by your spam/anti-phishing filters and makes sure that the email reaches your users.
  2. Email interaction. It tells any additional email security tools you have not to interact with the email once it’s in your users’ inboxes. For example, some tools “click” on links in the email to see if they are safe. Telling these tools to trust the email helps make your simulation data as accurate as possible, so you don’t see false positive clicks. 

Here’s what you need to do 

Step 1 – Make a list of all the email security systems/tools you are using 

Imagine the entire journey of the email from when we send it to when your end users have it in their inboxes (not spam folders). What are the different tools that might be involved? Consider both tools that are involved in email delivery and interaction. Answer both of the questions below. 

  1. Do you have any tools for email security that are scanning and filtering incoming emails, scanning the content of incoming emails, and potentially blocking the delivery of emails?  
    1. Some examples of these tools are Microsoft Defender, Mimecast or Vipre. 
  2. Do you have any tools that have access to the inbox after emails have been delivered? These could be anti-virus or phishing-reporting tools (like an add-in button to Outlook). These are tools that might interact with the email once it has been delivered by, e.g., clicking on links.  
    1. Some examples of these tools are Microsoft Defender, Mimecast, and Trend Micro. 

It is very important that you identify all of the systems/tools you use. This helps ensure both the delivery of emails and the accuracy of your results. It’ll make your whitelisting process go as smoothly as possible.  

Step 2 – Whitelist in all of your systems 

Start by whitelisting in your email client. Open the appropriate guide and follow the steps. 


 

If you only use Microsoft or Google 

If you don’t use any additional security systems for email, then continue down to Step 3. 

 

If you use other email security tools in addition to Microsoft or Google 

If your organization has a more complicated setup with several security tools, you will need to tell all of them to trust the simulation email. 

After you have whitelisted in Microsoft or Google using the guides above, you should also whitelist in any other tools you use.  

We have guides for how to whitelist in some of the tools our customers commonly use:  


These are just two examples of places you might need to whitelist. Make sure you whitelist in all of the tools you have. If the system you use isn’t listed here, visit their customer support page for more guidance. 

Step 3 – Confirm the whitelisting with a test email 

Now, we want to test that the campaign can be delivered to your inbox (and that the whitelisting worked).  

Follow the steps in the whitelisting guide to send yourself a test email. Check to see that:

  • The email is delivered correctly
  • The link within the email works (there is no link protection blocking it)

If both of these are confirmed, you are all done. Let your Customer Success Manager know that everything worked properly. 
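
One way to run the Step 3 checks on the raw source of the delivered test email, as an added example that is not part of the original guide: it lists the servers the message passed through (useful for the Step 1 inventory and for troubleshooting) and flags links whose host is no longer the simulation domain. The sample message, every hostname and the phish-sim.example domain are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed test email; every host, IP and address is a placeholder.
SAMPLE_EML = """\
Received: from mailstore.customer.example (10.0.0.5) by mbx01.customer.example; Mon, 3 Mar 2025 09:00:06 +0000
Received: from gateway.filter.example (203.0.113.20) by mailstore.customer.example; Mon, 3 Mar 2025 09:00:04 +0000
Received: from sim-mta.phish-sim.example (198.51.100.10) by gateway.filter.example; Mon, 3 Mar 2025 09:00:01 +0000
From: IT Support <it@phish-sim.example>
To: tester@customer.example
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://linkscan.filter.example/v2?u=https%3A%2F%2Flanding.phish-sim.example%2Ft%2Fabc">Reset</a>
</body></html>
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+?)[;\s]", re.S)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

def delivery_path(msg):
    """Return (sending_host, receiving_host) for each hop, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest header is on top
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def rewritten_links(msg, expected_domain):
    """Return (host, url) for links that no longer point at expected_domain."""
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    flagged = []
    for url in HREF_RE.findall(html):
        host = (urlsplit(url).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            flagged.append((host, url))  # a link-protection tool rewrote this link
    return flagged

MSG = message_from_string(SAMPLE_EML, policy=default)

if __name__ == "__main__":
    for n, (src, dst) in enumerate(delivery_path(MSG), 1): print(f"hop {n}: {src} -> {dst}")
    for host, url in rewritten_links(MSG, "phish-sim.example"): print("rewritten by", host)
```

Save the test email from your mail client as an .eml file and pass its text to message_from_string in place of SAMPLE_EML, with expected_domain set to the domain from your whitelisting guide.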

 

Troubleshooting – what if the email couldn’t be delivered correctly? 

In case the delivery failed, you need to revisit the whitelisting guides above. Go through the guides and ensure that you’ve followed the steps correctly.

  • It’s common to accidentally miss a step or put in the wrong domain, IP address or URL. Did you miss a step?  
  • The most common issue is that the email was blocked in one of your security systems. See if you can identify in which system and where the email was "blocked".
  • Think about whether there are any other email security tools you might have forgotten about. Maybe you need to whitelist there as well.  

If you have trouble along the way, reach out to your Customer Success Manager. They will support you where possible, but it is important that you also get help from your IT administrator, who has in-depth knowledge of your email security systems. 

If you can’t determine the cause of the delivery failure, you have the option to set up a mail connector (through Microsoft).  

 

What is a mail connector? 

A Microsoft Mail Connector creates a direct connection between the CyberPilot phishing email server and your email server. This direct connection bypasses all your other email tools and enables the email to be delivered directly to your users’ inboxes. 

Note: A mail connector can unfortunately only help with one part of the whitelisting, the delivery part. It can ensure that the emails get into your users’ inboxes. But it does not tell your other email tools not to interact with the email once it has been delivered. So, you still need to whitelist in all of your different systems, even if you use a mail connector.  

 
If you decide to proceed and set up a Mail Connector, use the guide below to set it up.

 

What's next?

Now you have completed the steps for whitelisting your systems. Congrats! You’re one step closer to running a good phishing campaign. Make sure to coordinate the next steps for your training with your Customer Success Manager. 

The last step - remember to remove the whitelisting on completion of campaign(s)

On completion of campaign(s), you should remove the whitelisting you did to allow the training to take place. This essentially restores your accepted senders to what they were before the simulation.