Engage - SMTP and URL Guide

Updated

This article contains information on configuring domains and SMTP addresses for Engage phishing simulations, including required allowlisting steps to ensure successful email delivery and proper functioning of phishing campaigns.

Also see: Managing Phishing Templates

Introduction

When you are configuring your Engage environment, certain domains and SMTP addresses must be allowed, to ensure that your end users successfully receive phishing simulation Emails

This is because phishing simulation emails are sent from specific SMTP addresses and contain specific domain URLs in the Email content.
All of the domains and SMTP addresses listed below are available for you to choose from when configuring phishing templates for use in your phishing campaigns.

Trusted Sites Configuration

Click here to learn how to configure a Safe Senders list for Engage emails, ensuring that images display properly.

Step 1: Add Mimecast Sending Addresses to the Safe Senders List using GPO

  1. Create a Safe Senders List File:
  2. Create a .txt file containing the sending address(es) you would like to add as Safe Senders (in this case, this would be whichever address you are sending the Training Modules from)
@domain.com
postmaster@domain.com
  1. If you wish to do the same for Phishing Campaigns, ensure that you add the sending addresses listed in the article below to the text file as well:
https://mimecastsupport.zendesk.com/hc/en-us/articles/34000445739027-Engage-SMTP-and-URL-Guide#h_01JC0JYXB6TMDBBYWBEB1168E7
  1. Save this file in a shared network location accessible to all users.

Configure the GPO

  1. Open the Group Policy Management Console (GPMC).
  2. Navigate to:
    • User ConfigurationAdministrative TemplatesMicrosoft Outlook | Outlook OptionsPreferences | Junk Email
    • Enable the policy Specify path to Safe Senders list.
    • Enter the UNC path to the .txt file (e.g.,\\ServerName\Share\SafeSenders.txt).
  1. Deploy the GPO:
    • Link the GPO to the appropriate Organizational Unit (OU) containing the users.
    • Run gpupdate /force on client machines to apply the policy.

Using Intune

Prepare the Safe Senders List:

  1. Create the same .txt file as above.
  2. Create a Configuration Profile:
    • Log in to the Microsoft Endpoint Manager Admin Center.
    • Go to Devices | Configuration profilesCreate profile.
    • Select Windows 10 and later as the platform and TemplatesAdministrative Templates.
  1. Configure the Policy:
    • Search for "Specify path to Safe Senders list".
    • Enable the policy and provide the path to the .txt file.
    • Assign the Profile. (Assign the configuration profile to the appropriate user or device groups.)

Step 2: Enable Automatic Image Downloads for Safe Senders using GPO

Configure the GPO

  1. Open the Group Policy Management Console (GPMC).
  2. Navigate to:
    • User Configuration | Administrative TemplatesMicrosoft OutlookOutlook OptionsMail Format | HTML Options
    • Enable the policy Automatic Picture Download Settings.
    • Configure the setting to Permit downloads in email messages from Safe Senders and Safe Recipients.
  1. Deploy the GPO:
    • Link the GPO to the appropriate OU and apply it.

Using Intune

  1. Create a Configuration Profile:
    • Log in to the Microsoft Endpoint Manager Admin Center.
    • Go to DevicesConfiguration profilesCreate profile.
    • Select Windows 10 and later as the platform and Templates | Administrative Templates.
  1. Configure the Policy:
    • Search for Automatic Picture Download Settings.
    • Enable the policy and configure it to Permit downloads in email messages from Safe Senders and Safe Recipients.
    • Assign the Profile. (Assign the configuration profile to the appropriate user or device groups.)

Step 3: Verify the Configuration

On a Client Machine:

  1. Open Outlook and navigate to:
    • Home | Junk | Junk Email Options | Safe Senders
    • Confirm that Mimecast's sending addresses are listed.
  1. Test Automatic Image Downloads:
    • Send a test email from a Mimecast address and verify that images are downloaded automatically without user intervention.

Domains

See the Listing Managed URLs section of Managed URLs for steps on how to specify the URLs and / or domains to be added to the managed URLs list.

The same configuration for Domains needs to be carried out by all Engage customers, regardless of your license type, the API security solutions you're using, or whether Secure Email Gateway has been set up.

You need to add the following to your Managed URLs list:

  • https://*.therelayservice.com/ is the Engage phishing landing page, and the domain is owned by Mimecast.
  • https://s3.amazonaws.com is needed to enable automatic downloads of inserted images and [videoposter] in your Engage Email Notifications.

The following domains, used in Engage Phishing Campaigns, also needed to be allowlisted. This is to ensure phishing simulations pass seamlessly through your email provider and are not blocked. 
Domains that our phishing platform sends from are:

KB Domains In Platform Domains
account-renewals.com account-renewals.com
accountsecuritynotices.com accountsecuritynotices.com
benefits-bulletin.com benefits-bulletin.com
ceo-update.com ceo-update.com
company-updates.com company-updates.com
corp-accounts.com corp-accounts.com
corp-news.com corp-news.com
corp-update.com corp-update.com
corporate-payroll.com corporate-payroll.com
corporate-updates.com corporate-updates.com
cy-se.com cy-se.com
employee-news.com employee-news.com
info-needed.com info-needed.com
instant-promos.com instant-promos.com
our-account.com payroll-news.com
payroll-news.com payroll-updates.com
payroll-updates.com relaysvc.com
relaysvc.com salary-info.com
salary-info.com secure-corporate-communications.com
secure-corporate-communications.com secure-corporate-news.com
secure-corporate-news.com secure-corporate-updates.com
secure-corporate-updates.com secureceocommunications.com
secureceocommunications.com securesecuritysolutions.com
securesecuritysolutions.com security-bulletin.com
security-bulletin.com subscriptionrenewalnotices.com
subscriptionrenewalnotices.com subscriptionrenewalservices.com
subscriptionrenewalservices.com sysgen-cash.com
sysgen-cash.com sysgen-payroll.com
sysgen-payroll.com worldwidenewsupdates.com
worldwidenewsupdates.com  

SMTP Email Addresses

See Permitted Senders Policy - Configuration on how to set up Permitted Senders policies, to ensure the successful delivery of inbound messages from trusted sources, and Policy Basics for more information on configuring policies.

You need to ensure the following email addresses are permitted, as they are used for Engage Phishing Campaigns. Emails are sent from these envelope addresses as the phishing domain.

  • noreply@therelaysvc.com
  • noreply@therelayservice.com
  • noreply@securityvault.com ‐ FOR TEST SYSTEM ONLY

The following  SMTP addresses also need to be permitted, as these are used for Engage Phishing Campaign Simulations:

This list of values / sending addresses is the same for all customers.
It’s up to you to choose which of the sending addresses to use from those available to you, which will then need to be allowlisted.

Template Name SMTP Address Template Location
Sign-In Notification  noreply@accountsecuritynotices.com  System Template 
OneDrive  noreply@benefits-bulletin.com  System Template 
Free Promotions  noreply@instant-promos.com  System Template 
Shipping  noreply@our-account.com  System Template 
Dropbox Sharing  noreply@payroll-news.com  System Template 
Amazon Shipping noreply@relaysvc.com  System Template 
File Sharing noreply@secure-corporate-communications.com  System Template 
Tracking Package noreply@worldwidenewsupdates.com  System Template
ALL COMMUNITY TEMPLATES HAVE THE SAME SMTP ADDRESS BY DEFAULT
Access Restricted  noreply@info-needed.com  Community template 
Account Compromised  noreply@info-needed.com   Community template 
Grubhub Gift Card Acceptance noreply@info-needed.com  Community template 
Microsoft Task Approval Request noreply@info-needed.com  Community template 
Signature Request noreply@info-needed.com  Community template 
Statement of Account noreply@info-needed.com  Community template 
Product Marketing  noreply@info-needed.com  Community template 
Login Confirmation   noreply@info-needed.com  Community template 
Docusign Contract noreply@info-needed.com  Community template 
Account Verification   noreply@info-needed.com  Community template 
Incoming Fax noreply@info-needed.com  Community template 
Login Attempt    noreply@info-needed.com  Community template  
Adobe Subscription   noreply@info-needed.com   Community template 
Microsoft Authenticator  noreply@info-needed.com   Community template 
Invalid Payment  noreply@info-needed.com   Community template 
BBC Licensing noreply@info-needed.com  Community template 
Netflix Payment noreply@info-needed.com  Community template 
Payroll Department noreply@info-needed.com  Community template 
Account Expiration  noreply@info-needed.com  Community template 
Account Verification noreply@info-needed.com  Community template 
Document Share  noreply@info-needed.com  Community template 
FedEx Delivery  noreply@info-needed.com  Community template 
Marketing Advertisement noreply@info-needed.com   Community template 
Microsoft Task Assignment    noreply@info-needed.com  Community template  
Microsoft Teams Outreach  noreply@info-needed.com  Community template 
Unlock Apple ID noreply@info-needed.com  Community template 
View Pay Slip noreply@info-needed.com  Community template 
Access Restricted  noreply@info-needed.com  Community template 
Account Compromised noreply@info-needed.com  Community template 
Teams Project Outreach  noreply@info-needed.com  Community template 
OneDrive Invoice noreply@info-needed.com  Community template 
Pending Payment  noreply@info-needed.com  Community template 
Deposit Confirmation noreply@info-needed.com   Community template  
Signed Contract  noreply@info-needed.com   Community template 
Send Data  noreply@info-needed.com   Community template 
Login Attempt 3  noreply@info-needed.com  Community template 
Microsoft Teams   noreply@info-needed.com  Community template 
Microsoft Planner noreply@info-needed.com  Community template 
Payment Processed noreply@info-needed.com  Community template 
Capital One noreply@info-needed.com  Community template 
401k Information noreply@info-needed.com  Community template 
Maritime London Payment noreply@info-needed.com  Community template 
OpenAI Password Reset noreply@info-needed.com  Community template 
Auto Enrolment noreply@info-needed.com  Community template 

 

Related to

Was this article helpful?
2 out of 3 found this helpful

Comments

4 comments
Date Votes
  • Avatar
    Steve Carr

    For the GPO creation steps for ‘automatic picture download’, the GPO was located in a different location:

    "Automatically download content for e-mail from people in Safe Senders and Safe Recipients lists" located at User Configuration/Administrative Templates/Microsoft Outlook 2016/Security/Automatic Picture Download Settings

    0
  • Avatar
    Steve Carr
    (Edited )

    In “Trusted Sites Configuration- Step 1:”, the entry ‘@domain.com ’ make sure the SafeSender list .txt file is reachable from the client machines and in users contexts.

    And finally, before I could get the GPOs to apply to my clients, I had to add the below registry key to their machines:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Options\Mail
     

    or

    HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Options\Mail

    DWORD: JunkMailImportLists
    Value: 1

    Source- https://support.microsoft.com/en-us/topic/how-to-deploy-junk-email-settings-such-as-the-safe-senders-list-by-using-group-policy-d17e49fb-af72-c796-6295-4da6d89ef5fa

    0
  • Avatar
    Admin - CL

    Thank you for your feedback, and for sharing your observations. 

    0
  • Avatar
    Matt Wallis

    Steps 1 and 2 do not work for those that are Azure/M365 cloud based and are not in a Hybrid or AD on-prim setup. To accomplish the same thing, you must log into Exchange Online using PowerShell and use something like the following. I hope this helps others. There's no Mimecast documentation about this.

    install-module ExchangeOnlineManagement

    connect-exchangeonline

    $mbxs = (get-mailbox -resultsize unlimited -recipienttypedetails usermailbox).userprincipalname

    $mbxs | set-mailboxjunkemailconfiguration -TrustedSendersAndDomains @{Add="<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>",",redacted email>"}

    0

Please sign in to leave a comment.