Reduce sending domain list to 20 domains
complete
Melissa McNamara
In order to work around Microsoft's 20 domain restriction, step 2 in the below KB should have the number of domains reduced down to 20.
Also create a PowerShell script to quickly deploy these settings.
Step 2. Advanced Phishing Simulator Whitelist
Dima Kumets [Product Manager - Huntress]
complete
Marking as complete since we've whittled the list down
Josh Downing
Adding this as a top-level comment since some couldn't see my reply below. PowerShell script to add these settings:
# Prompt for the client's domain that will receive the simulation e-mails
$clientdomain = Read-Host -Prompt 'Enter the client domain name'
# Exchange Online: spam filter policy and rule that allow the sender domains
Connect-ExchangeOnline
New-HostedContentFilterPolicy -Name "Curricula Whitelist Spam Filter Policy"
New-HostedContentFilterRule -Name "Curricula Whitelist Spam Filter Policy" -HostedContentFilterPolicy "Curricula Whitelist Spam Filter Policy" -RecipientDomainIs $clientdomain -Priority 0
Set-HostedContentFilterPolicy -Identity "Curricula Whitelist Spam Filter Policy" -AllowedSenderDomains "mycurricula.com", "phish.mycurricula.com", "amazonsecurity.org", "breach-notice.com", "employee-services.org", "feedback-collect.com", "filesharingnow.com", "fraud-assistance.com", "invite-meeting.com", "mailbox-quota.com", "news-article.com", "passwordsnotification.com", "payment-process.com", "securelinkedin.com", "security-updater.com", "securitynotifications.org", "notificationservices.org", "databoxonline.com"
# Security & Compliance PowerShell: phishing simulation override policy and rule
Connect-IPPSSession
New-PhishSimOverridePolicy -Name "Curricula Phishing Sim Override Policy"
New-PhishSimOverrideRule -Name "Curricula Phishing Sim Override Rule" -Policy "PhishSimOverridePolicy 1" -Domains mycurricula.com,alerts.mycurricula.com,phish.mycurricula.com,securitynotifications.org,security-updater.com,amazonsecurity.org,breach-notice.com,filesharingnow.com,mailbox-quota.com,passwordsnotification.com,securelinkedin.com,fraud-assistance.com,payment-process.com,news-article.com,invite-meeting.com,feedback-collect.com,businessnotice.org,databoxonline.com,electronic-hr.com,emailtransaction.com -SenderIpRanges 18.205.140.116,168.245.36.66
# The rule name is generated per tenant as PhishSimOverrideRule<GUID>, so look it up instead of hard-coding it
$rule = Get-PhishSimOverrideRule
Set-PhishSimOverrideRule -Identity $rule.Name -AddDomains employee-services.org,governmentnotice.org,notificationservices.org
Dima Kumets [Product Manager - Huntress]
in progress
Dima Kumets [Product Manager - Huntress]
Upon further analysis, only 14 of those domains are used as defaults in the phishing scenarios plus the 3 domains for our correspondence. Of course, you are able to customize any scenario to use a different domain and you are able to create custom phishing scenarios using any of the 23 domains. As such, we recommend the domains below plus any additional domains you might want to use in the future. We will update the KB to reflect this information shortly.
As of February 24, 2023, we recommend allow-listing these domains as a starting point.
Notifications:
----
Already in use with phishing scenarios:
---
Planned to be put in use soon:
---
Josh Downing
We've created a PowerShell script to deploy these changes (for the first 20 domains in the list anyway). Let me know if you want a copy.
Tyler White
Josh Downing: I would greatly appreciate it if you shared this script!
Josh Downing
Tyler White: Obviously review before implementing in your environment but this works well for us. It's pretty basic and could definitely be beefed up with some error-checking.
# Prompt for the client's domain that will receive the simulation e-mails
$clientdomain = Read-Host -Prompt 'Enter the client domain name'
# Exchange Online: spam filter policy and rule that allow the sender domains
Connect-ExchangeOnline
New-HostedContentFilterPolicy -Name "Curricula Whitelist Spam Filter Policy"
New-HostedContentFilterRule -Name "Curricula Whitelist Spam Filter Policy" -HostedContentFilterPolicy "Curricula Whitelist Spam Filter Policy" -RecipientDomainIs $clientdomain -Priority 0
Set-HostedContentFilterPolicy -Identity "Curricula Whitelist Spam Filter Policy" -AllowedSenderDomains "mycurricula.com", "phish.mycurricula.com", "amazonsecurity.org", "breach-notice.com", "employee-services.org", "feedback-collect.com", "filesharingnow.com", "fraud-assistance.com", "invite-meeting.com", "mailbox-quota.com", "news-article.com", "passwordsnotification.com", "payment-process.com", "securelinkedin.com", "security-updater.com", "securitynotifications.org", "notificationservices.org", "databoxonline.com"
# Security & Compliance PowerShell: phishing simulation override policy and rule
Connect-IPPSSession
New-PhishSimOverridePolicy -Name "Curricula Phishing Sim Override Policy"
New-PhishSimOverrideRule -Name "Curricula Phishing Sim Override Rule" -Policy "PhishSimOverridePolicy 1" -Domains mycurricula.com,alerts.mycurricula.com,phish.mycurricula.com,securitynotifications.org,security-updater.com,amazonsecurity.org,breach-notice.com,filesharingnow.com,mailbox-quota.com,passwordsnotification.com,securelinkedin.com,fraud-assistance.com,payment-process.com,news-article.com,invite-meeting.com,feedback-collect.com,businessnotice.org,databoxonline.com,electronic-hr.com,emailtransaction.com -SenderIpRanges 18.205.140.116,168.245.36.66
# The rule name is generated per tenant as PhishSimOverrideRule<GUID>, so look it up instead of hard-coding it
$rule = Get-PhishSimOverrideRule
Set-PhishSimOverrideRule -Identity $rule.Name -AddDomains employee-services.org,governmentnotice.org,notificationservices.org
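The error-checking mentioned in the reply above could start with a pre-flight check like the following. This is an added example, not part of the original thread or of Huntress's KB: the function names, the sample lists and the 20-entry default (taken from the limit discussed on this page) are assumptions made for illustration.

```powershell
# Added example: validate an allow-list before it is sent to the tenant.
# Function names and sample data are hypothetical, constructed for illustration.
function Get-ValidatedSimDomains {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [int]$MaxDomains = 20   # limit as described in this thread
    )
    # Normalise: trim, lower-case, drop blanks, de-duplicate (order kept).
    $clean = @($Domains |
        ForEach-Object { "$_".Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Select-Object -Unique)
    # Accept plain host names only: no wildcards, addresses or URLs.
    $pattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    $bad = @($clean | Where-Object { $_ -notmatch $pattern })
    if ($bad.Count -gt 0) { throw "Invalid domain entries: $($bad -join ', ')" }
    if ($clean.Count -gt $MaxDomains) {
        throw "List has $($clean.Count) domains; the limit is $MaxDomains."
    }
    return $clean
}

function Get-AllowListDrift {
    param([string[]]$Approved, [string[]]$Configured)
    # '=>' marks entries present in the tenant but not approved (review these);
    # '<=' marks approved entries that are missing from the tenant.
    Compare-Object -ReferenceObject $Approved -DifferenceObject $Configured |
        ForEach-Object {
            [pscustomobject]@{
                Domain = $_.InputObject
                Status = if ($_.SideIndicator -eq '=>') { 'NotApproved' } else { 'Missing' }
            }
        }
}

# Constructed input: domains from the script above, with a duplicate and stray spaces.
$requested = 'mycurricula.com', ' Phish.MyCurricula.com ', 'breach-notice.com', 'mycurricula.com'
$approved  = Get-ValidatedSimDomains -Domains $requested

# Constructed stand-in for what the tenant currently holds.
$configured = 'mycurricula.com', 'phish.mycurricula.com', 'unreviewed-sender.example'
Get-AllowListDrift -Approved $approved -Configured $configured | Format-Table -AutoSize
```

Every entry on these lists bypasses filtering for its sender domain, so the drift check is worth running against the deployed rule whenever the recommended list changes.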
Joey Guglielmo
Josh Downing: Hi Josh, if possible would love this as well.
Josh Downing
Joey Guglielmo: Look up. :-)