Setting up Spoof Intelligence to let simulated phishing emails through (Microsoft Defender)

When using Microsoft 365, it is possible that simulated phishing mails cause these warnings to appear:

This sender (example@example.com) is from outside your organization
We could not verify the identity of the sender. Click here to learn more.
The actual sender of this message is different than the normal sender. Click here to learn more

To prevent this warning, you can make use of the Tenant Allow/Block Lists feature in Microsoft 365. Doing so only takes a few minutes and we have prepared a step-by-step guide to make things easy for you.

Log in to your email server portal with an administrator account and select Security.
Select Policies & rules and then Threat policies.
Under Rules, select Tenant Allow/Block Lists (see Figure 1).
Select the Spoofing tab and then select Add. A new dialog will open (see Figure 2).
Here you can add up to 20 domain pairs. These consist of the the spoofed email address as the first value, followed by a comma and then the mail server we use. You can find the email addresses in the SoSafe Manager under Phishing Simulation / Phishing Templates. To find the email servers, go to Settings / Whitelisting and select SoSafe mail servers. Note that since we use multiple servers, you must add a domain pair for each server. As an example:
- user1@example.com, first IPv4 address
- user1@example.com, second IPv4 address
- user1@example.com, third IPv4 address
For Spoof type, select Internal. For Action, select Allow. Finish the process by selecting Add.