The Whitelisting Woes: Navigating KnowBe4 and Office 365’s Email Filters

Question:

I’m seeking guidance on configuring whitelisting for high-confidence phishing emails within KnowBe4 and Office 365. Despite setting up the Advanced Delivery Policy and Exchange rules to bypass the Spam Confidence Level (SCL) using KnowBe4’s documentation, the SCL isn’t being set to -1 as expected.

Upon inspection in the Microsoft Defender portal, it appears that the Exchange rules and my custom connection filter are being applied. However, the email was still blocked and sent to Quarantine. What could be the reason for this discrepancy?

I’m aware that I could whitelist all of KnowBe4’s domains in our Anti-Spam Policy, but with an Advanced Delivery Policy in place, shouldn’t that be unnecessary? Why is the email being quarantined, and why aren’t the Exchange rules taking effect as intended?

I’ve thoroughly reviewed the documentation from both Microsoft and KnowBe4, and everything seems to be configured correctly. The policy in question is a Hosted Content Filter Policy with an action to send to Quarantine, yet no threats were detected in attachments or URLs.

This issue arose during a phishing test from KnowBe4, originating from an IP address listed in the Advanced Delivery Policy. The policy overrides were allowed by an organization policy: Exchange transport rule.

Any insights or assistance you can provide would be greatly appreciated.

Thank you!

P.S. After further investigation and community feedback, I discovered that the DKIM setting in my KnowBe4 account was configured to use my domain. Although it was validated, switching to KnowBe4’s domain resolved the issue. It seems the Advanced Delivery Policy relies on their entry for DKIM.

Answer:

Allowing KnowBe4’s simulated phishing emails through Office 365 means coordinating the Advanced Delivery Policy, the Exchange mail flow rules and the Anti-Spam settings so that legitimate test messages reach the inbox with a Spam Confidence Level (SCL) of -1 instead of being quarantined. Getting those three pieces to agree is where most of the difficulty lies.

The Core Issue

A common outcome is that, even after following KnowBe4’s documentation for the Advanced Delivery Policy and the Exchange rules step by step, the SCL is not set to -1. The symptom is unmistakable: test emails that should be allowed through are blocked and sent to Quarantine.

Investigating the Discrepancy

Inspecting the message in the Microsoft Defender portal shows that the Exchange rules and the custom connection filter were applied, yet the message was still quarantined. The question is therefore not whether the policies ran, but why running them did not produce the expected result.

Whitelisting and Advanced Delivery Policy

One tempting workaround is to whitelist all of KnowBe4’s domains in the Anti-Spam Policy. With an Advanced Delivery Policy in place that should be unnecessary, and adding it without understanding why the existing configuration fails only masks the underlying problem.

Documentation Review and Configuration Verification

Reviewing the Microsoft and KnowBe4 documentation again confirms that the settings match what both vendors prescribe, and the problem persists. The policy that quarantines the message is the Hosted Content Filter Policy (the anti-spam policy), whose action is to send to Quarantine, even though no threats were found in attachments or URLs.

The Phishing Test Conundrum

The failure surfaced during a KnowBe4 phishing test sent from an IP address listed in the Advanced Delivery Policy. The Defender portal reported that policy overrides were allowed by an organization policy (the Exchange transport rule), yet the message was quarantined anyway, which shows that the override the rule was meant to provide did not take effect.

Resolution and Insights

Further investigation, helped by community feedback, identified the cause. The DKIM setting in the KnowBe4 account was configured to sign with the customer’s own domain. Switching it to KnowBe4’s domain resolved the issue, which indicates that the Advanced Delivery Policy matches the simulation on the DKIM entry and silently fails to apply when that entry does not line up.
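The following PowerShell script is an added example for the checks described above; it is not from the original post, KnowBe4 or Microsoft. It assumes the ExchangeOnlineManagement module is installed and `Connect-ExchangeOnline` has been run for the live functions, and it relies on the fact that the Domain entry of a third-party phishing simulation rule must equal the d= domain of the message’s DKIM signature (header.d= in Authentication-Results). The domains, IP address and headers in the offline section are constructed placeholders.

```powershell
# Added example (not from the original post, KnowBe4 or Microsoft). The live
# functions need the ExchangeOnlineManagement module and a prior
# Connect-ExchangeOnline; Test-SimulationDkimDomain runs offline.

function Get-PhishSimOverrideSummary {
    # Domains and sender IP ranges configured under
    # Defender > Policies & rules > Advanced delivery > Phishing simulation.
    # The Domain entry must equal the d= domain of the message's DKIM signature.
    $policy = Get-PhishSimOverridePolicy
    $rules  = Get-PhishSimOverrideRule
    [pscustomobject]@{
        PolicyEnabled  = $policy.Enabled
        Domains        = @($rules | ForEach-Object { $_.Domains })
        SenderIpRanges = @($rules | ForEach-Object { $_.SenderIpRanges })
    }
}

function Get-SclBypassRules {
    # Mail flow rules whose action sets SCL -1 (bypass spam filtering),
    # together with the conditions they depend on.
    Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
        Select-Object Name, State, Priority, SenderIpRanges, SenderDomainIs, HeaderContainsWords
}

function Get-ConnectionFilterAllowList {
    # IP allow list of the default connection filter (the "custom connection filter").
    Get-HostedConnectionFilterPolicy -Identity Default | Select-Object IPAllowList, EnableSafeList
}

function Get-SimulationTrace {
    # Recent delivery status of messages from the simulation sender domain.
    param([Parameter(Mandatory)][string]$SenderDomain, [int]$HoursBack = 24)
    Get-MessageTrace -StartDate (Get-Date).AddHours(-$HoursBack) -EndDate (Get-Date) |
        Where-Object { $_.SenderAddress -like "*@$SenderDomain" } |
        Select-Object Received, SenderAddress, RecipientAddress, Status
}

function Test-SimulationDkimDomain {
    # Compare the DKIM signing domain (header.d=) from a message's
    # Authentication-Results header with the domains in the Advanced Delivery
    # rule, and read the SCL stamped by Exchange Online Protection.
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string[]]$ConfiguredDomains
    )
    $dkim = [regex]::Match($RawHeaders, 'dkim=(?<result>\w+)[^;]*?header\.d=(?<domain>[\w.-]+)')
    $scl  = [regex]::Match($RawHeaders, 'X-MS-Exchange-Organization-SCL:\s*(?<scl>-?\d+)')
    $dkimDomain = if ($dkim.Success) { $dkim.Groups['domain'].Value } else { $null }
    [pscustomobject]@{
        DkimResult    = if ($dkim.Success) { $dkim.Groups['result'].Value } else { 'missing' }
        DkimDomain    = $dkimDomain
        MatchesPolicy = [bool]($dkimDomain -and ($ConfiguredDomains -contains $dkimDomain))
        Scl           = if ($scl.Success) { [int]$scl.Groups['scl'].Value } else { $null }
    }
}

# --- offline check with constructed headers ---------------------------------
# Placeholder for the domain the simulation vendor tells you to enter in the policy.
$configuredDomains = @('phishsim-sender.example.net')

# Constructed headers for the failing case: the simulation was DKIM-signed
# with the customer's own domain, so header.d= does not match the policy entry.
$beforeFix = @"
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=pass (signature was verified) header.d=example.com
X-MS-Exchange-Organization-SCL: 9
"@

# Constructed headers after switching the vendor's DKIM setting to its own domain.
$afterFix = @"
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=phishsim-sender.example.net; dkim=pass (signature was verified) header.d=phishsim-sender.example.net
X-MS-Exchange-Organization-SCL: -1
"@

# Expected: first result MatchesPolicy = False with SCL 9, second MatchesPolicy = True with SCL -1.
Test-SimulationDkimDomain -RawHeaders $beforeFix -ConfiguredDomains $configuredDomains
Test-SimulationDkimDomain -RawHeaders $afterFix  -ConfiguredDomains $configuredDomains
```

Run the live functions after connecting and compare their output with the DKIM domain reported for a quarantined test message: if `Get-PhishSimOverrideSummary` lists a domain that never appears as header.d= in the message, the simulation override cannot match, regardless of how the transport rule and connection filter are configured.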

Conclusion

This case shows why email filtering problems have to be examined as a whole rather than policy by policy. The Advanced Delivery Policy, the transport rule and the connection filter were each configured correctly in isolation; what broke the chain was a single setting on the sender’s side. For anyone facing a similar problem, the lesson is to verify what the message actually carries, not only what the policies say.

Acknowledgments

The resolution of this issue was made possible through the collaborative efforts of the IT community and the diligent re-examination of the KnowBe4 account settings. The shared knowledge and insights have been invaluable in enhancing the understanding of email whitelisting within KnowBe4 and Office 365.

If you’re looking for more personalized advice or have further questions, feel free to reach out for additional support. Remember, the community is here to help each other navigate these complex configurations. Thank you for your inquiry, and best of luck with your email security endeavors!
