How to set up Direct Send for Simulated Phishing Emails in Microsoft 365
CultureAI recommend using direct send to ensure delivery of simulated phishing emails. Due to the nature of these emails, they will often be blocked by Microsoft or other email tooling. Direct send is a process that allows our simulated phishing emails to be sent directly to your email servers, bypassing any other infrastructure that you have in place.
Note - for direct send to work, your domain needs to match a domain in the domain scanning section of the CultureAI platform. Please reach out to success@culture.ai to get your domain added to your scanning section if required.
The high level steps are as follows:
- Configure a connector to allow mail directly from CultureAI.
- Set up Microsoft advanced phishing delivery.
- Set up a spam rule to ensure delivery of other CultureAI emails.
- Add your MX record into CultureAI to turn on direct send.
Microsoft 365 connector
- Head to your Microsoft Admin Connectors panel
- Select “Add a connector”
- Select “Partner organisation”
- Add a name and description:
- Leave “Turn it on” enabled.
- Select verify by IP address and enter the following 3 IP addresses:
18.168.112.23
18.169.30.9
18.169.49.67
- Leave “Reject email messages if they aren’t sent over TLS” enabled.
- Review and save
Add trust for inbound connector traffic
- Head to the anti-spam policies.
- Select “Connection filter policy (Default)”
- Add the 3 mail server IPs to the allow messages list:
18.168.112.23
18.169.30.9
18.169.49.67
- Review and save
Advanced Phishing Configuration
- Access the Microsoft 365 Defender portal and browse to Policies & Rules > Threat Policies > Advanced Delivery > Phishing Simulation
- Add the following IP addresses to the allowed sending IPs:
18.168.112.23
18.169.30.9
18.169.49.67
- Add culture.ai as the sending domain.
- Review and save
Allow-list other CultureAI emails
CultureAI will deliver all emails that are not simulated phishing emails from a different set of IP addresses. Such emails will include welcome emails, case closure notifications and nudges sent via email. This stage of the configuration is to prevent those emails being blocked by Microsoft or filtered as spam.
- Head to the Exchange mail flow rules.
- Select 'Create a new rule'.
- Set the rule conditions as follows:
- 'Apply this rule if' -> 'The sender' -> 'IP address is in any of these ranges or exactly matches'. Add '149.72.233.190' and '149.72.224.180'.
- 'Do the following' -> 'Modify the message properties' -> 'Set the spam confidence level (SCL)'. Select 'Bypass spam filtering'.
- Your rule should look as follows:
- Select 'Next', leave the rule settings as default and select 'Next', then 'Finish'.
- Select your new rule and switch the 'Enable or disable rule' toggle to 'Enabled'.
Get Domain Settings and apply them in CultureAI
- Head to the Domains section of Microsoft 365 admin centre.
- Select the relevant domain and then 'DNS records'.
- Copy the MX record value.
This usually ends in "mail.protection.outlook.com" or similar.
If you have multiple MX records, such as Mimecast ones, ensure that you use the Outlook record. Any other record will not work for direct send.
- Head to the direct send settings tab in the CultureAI admin dashboard.
- Enter the MX record into the box.
- Click "Save".
- You're done! Although the change in CultureAI is immediate, the settings in Microsoft can take up to 24 hours to apply, so you may still see emails being blocked until then.
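The allow-list entries above bypass Microsoft filtering for whatever addresses they cover, so it is worth checking that each setting holds exactly the listed IPs and nothing wider. The following is an added example, not CultureAI or Microsoft code: the function names, the sample settings and the sample MX hostnames are constructed for illustration, and the MX suffix check assumes the "mail.protection.outlook.com" ending mentioned above.

```python
import ipaddress

# Sender IPs listed in the article for simulated phishing emails.
PHISHING_SIM_IPS = {"18.168.112.23", "18.169.30.9", "18.169.49.67"}

def audit_allowlist(configured, expected):
    """Compare allow-list entries (single IPs or CIDR ranges) with the expected IPs."""
    expected_addrs = {ipaddress.ip_address(ip) for ip in expected}
    covered, unexpected, too_broad = set(), [], []
    for entry in configured:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        hits = {addr for addr in expected_addrs if addr in net}
        covered |= hits
        if not hits:
            unexpected.append(entry)   # bypasses filtering for an unrelated sender
        elif net.num_addresses > 1:
            too_broad.append(entry)    # a range that trusts more than the listed IPs
    missing = sorted(str(addr) for addr in expected_addrs - covered)
    return {"missing": missing, "unexpected": unexpected, "too_broad": too_broad}

def pick_direct_send_mx(mx_records):
    """Return the Outlook MX host from (preference, host) pairs, or None."""
    for _, host in sorted(mx_records):
        name = host.rstrip(".").lower()
        # Assumption: suffix taken from the article ("usually ends in ... or similar").
        if name.endswith(".mail.protection.outlook.com"):
            return name
    return None

# Constructed sample: values as they might be copied out of the three settings pages.
SAMPLE_SETTINGS = {
    "inbound connector": ["18.168.112.23", "18.169.30.9", "18.169.49.67"],
    "connection filter allow list": ["18.168.112.23", "18.169.0.0/16", "203.0.113.7"],
    "phishing simulation sending IPs": ["18.168.112.23", "18.169.30.9"],
}
# Constructed sample: a domain with a third-party gateway MX and an Outlook MX.
SAMPLE_MX = [
    (10, "eu-smtp-inbound-1.mimecast.example."),
    (20, "example-com.mail.protection.outlook.com."),
]

if __name__ == "__main__":
    for setting, entries in SAMPLE_SETTINGS.items():
        print(setting, audit_allowlist(entries, PHISHING_SIM_IPS))
    print("MX for direct send:", pick_direct_send_mx(SAMPLE_MX))
```

An empty result for all three keys means the setting matches the documented IPs; anything under "unexpected" or "too_broad" is an entry that skips filtering for senders this guide never asked you to trust.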