
Setting up Spoof Intelligence to let simulated phishing emails through (Microsoft Defender)

When using Microsoft 365, it is possible that simulated phishing mails cause these warnings to appear:

  • This sender ( is from outside your organization

  • We could not verify the identity of the sender. Click here to learn more.

  • The actual sender of this message is different than the normal sender. Click here to learn more

To prevent these warnings, you can make use of the Tenant Allow/Block Lists feature in Microsoft 365. Doing so only takes a few minutes, and we have prepared a step-by-step guide to make things easy for you.

  1. Log in to your email server portal with an administrator account and select Security.

  2. Select Policies & rules and then Threat policies.

  3. Under Rules, select Tenant Allow/Block Lists (see Figure 1).

  4. Select the Spoofing tab and then select Add. A new dialog will open (see Figure 2).

  5. Here you can add up to 20 domain pairs. Each pair consists of the spoofed email address as the first value, followed by a comma and then the mail server we use. You can find the email addresses in the SoSafe Manager under Phishing Simulation / Phishing Templates. To find the email servers, go to Settings / Whitelisting and select SoSafe mail servers. Note that since we use multiple servers, you must add a domain pair for each server. As an example:

  6. For Spoof type, select Internal. For Action, select Allow. Finish the process by selecting Add.


Figure 1: Tenant Allow/Block Lists


Figure 2: Add new domain pairs
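
The following script is an added example, not part of the original guide and not a SoSafe or Microsoft script. It builds one pair for every combination of spoofed sender and mail server from step 5 and prints them in batches of 20 for the dialog; with `-Apply` it creates the same entries through Exchange Online PowerShell, which assumes the ExchangeOnlineManagement module and an active `Connect-ExchangeOnline` session. All sender addresses and servers shown are constructed placeholders.

```powershell
param([switch]$Apply)  # pass -Apply to create the entries instead of only printing them

# Constructed placeholder values. Replace them with the addresses from
# Phishing Simulation / Phishing Templates and the servers from
# Settings / Whitelisting in the SoSafe Manager.
$SpoofedSenders = @('it-support@sender-one.example', 'hr@sender-two.example')
$MailServers    = @('mail-a.simulation.example', 'mail-b.simulation.example', '192.0.2.0/24')

# Step 5: every spoofed sender needs its own pair for every mail server.
$Pairs = foreach ($sender in $SpoofedSenders) {
    foreach ($server in $MailServers) {
        [pscustomobject]@{
            SpoofedUser           = $sender.Trim().ToLower()
            SendingInfrastructure = $server.Trim().ToLower()
        }
    }
}
# Drop duplicates so no pair is submitted twice.
$Pairs = @($Pairs | Sort-Object SpoofedUser, SendingInfrastructure -Unique)

# The dialog accepts up to 20 pairs at a time, so print them in batches of 20
# in the "spoofed address, mail server" format it expects.
$BatchSize = 20
for ($i = 0; $i -lt $Pairs.Count; $i += $BatchSize) {
    $last = [Math]::Min($i + $BatchSize, $Pairs.Count) - 1
    "--- Batch $([int]($i / $BatchSize) + 1) ---"
    $Pairs[$i..$last] | ForEach-Object { "$($_.SpoofedUser), $($_.SendingInfrastructure)" }
}

if ($Apply) {
    # Step 6: Spoof type Internal, Action Allow, one entry per pair.
    foreach ($p in $Pairs) {
        New-TenantAllowBlockListSpoofItems -Identity Default -Action Allow -SpoofType Internal `
            -SpoofedUser $p.SpoofedUser -SendingInfrastructure $p.SendingInfrastructure
    }
    # List the resulting entries to confirm only the intended pairs are allowed.
    Get-TenantAllowBlockListSpoofItems |
        Format-Table SpoofedUser, SendingInfrastructure, SpoofType, Action
}
```

Keeping each entry to an exact sender and server pair, rather than a broad domain, limits the allow list to the simulation traffic it is meant for.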
