Microsoft 365 - Whitelisting / DMI

This article should be your starting point if you use Microsoft 365. Several things must be done to allow our simulated phishing emails to reach your employees' inboxes (also known as whitelisting or allowlisting). In addition, this will enable your employees to access the learning pages they are supposed to see if they do click on one of these emails.

Following these instructions ensures that our simulated phishing emails - and only those - can bypass your email filters.

What to know before you start

We recommend starting work on this early. You might have to involve your IT department in the process, and technical issues can come up.

There are 2 separate paths you can follow. We recommend the first, using Direct Message Injection (DMI), since this is considerably easier to set up and more flexible. If DMI does not work for you, traditional whitelisting is possible as well. Note that this type of whitelisting cannot be finalized until the phishing templates have been picked.

DMI steps

These 2 articles cover the basics to get DMI working:

  1. Direct Message Injection (DMI) setup guide for Microsoft 365/Entra
    Following this guide allows simulated phishing emails sent by SoSafe to reach your users' inboxes.

  2. Whitelisting domains with safe links (Microsoft Defender)
    Following this guide removes warnings shown when clicking on links in simulated phishing emails sent by SoSafe.

To further improve the effectiveness of our training solutions, we recommend automatically allowing the images in our simulated emails to be displayed, as explained in the following articles:

Enable images in emails (Outlook Trust Center)

Reloading images for certain senders (Microsoft 365)

Traditional whitelisting steps

We have split the main things you have to do into 3 articles. You should follow them in this order:

  1. Advanced delivery for third-party phishing simulations (Microsoft 365)

  2. Whitelisting domains with safe links (Microsoft Defender)

  3. Setting up Spoof Intelligence to let simulated phishing emails through (Microsoft Defender)

Once you have followed these instructions, you should make sure the emails are getting through by selecting Send test mails in the SoSafe Manager (Settings / Whitelisting). Do not worry: after selecting the button, you will be able to specify which email address the test mails will be sent to.

If the above did not work, you can find further information in the following articles:

IP Permission List, Transport Rules (Microsoft 365)

Whitelisting envelope sender addresses (Microsoft 365)

To further improve the effectiveness of our training solutions, we recommend automatically allowing the images in our simulated emails to be displayed, as explained in the following articles:

Enable images in emails (Outlook Trust Center)

Reloading images for certain senders (Microsoft 365)

