This feature is available for Engage Core and Engage Pro.
This article contains information on configuring domains and SMTP addresses for Engage phishing simulations, including required allowlisting steps to ensure successful email delivery and proper functioning of phishing campaigns.
Also see: Managing Phishing Templates
Overview
When you are configuring your Engage environment, certain domains and SMTP addresses must be allowed, to ensure that your end users successfully receive phishing simulation Emails.
This is because phishing simulation emails are sent from specific SMTP addresses and contain specific domain URLs in the Email content.
All of the domains and SMTP addresses listed below are available for you to choose from when configuring phishing templates for use in your phishing campaigns.
Trusted Sites Configuration
Click here to learn how to configure a Safe Senders list for Engage emails, ensuring that images display properly.
Step 1: Add Mimecast Sending Addresses to the Safe Senders List using GPO
- Create a Safe Senders List File:
- Create a .txt file containing the sending address(es) you would like to add as Safe Senders (in this case, this would be whichever address you are sending the Training Modules from)
@domain.com
postmaster@domain.com- If you wish to do the same for Phishing Campaigns, ensure that you add the sending addresses listed in the article below to the text file as well:
https://mimecastsupport.zendesk.com/hc/en-us/articles/34000445739027-Engage-SMTP-and-URL-Guide#h_01JC0JYXB6TMDBBYWBEB1168E7- Save this file in a shared network location accessible to all users.
Configure the GPO
- Open the Group Policy Management Console (GPMC).
- Navigate to:
- User Configuration | Administrative Templates | Microsoft Outlook | Outlook Options | Preferences | Junk Email
- Enable the policy Specify path to Safe Senders list.
- Enter the UNC path to the .txt file (e.g.,\\ServerName\Share\SafeSenders.txt).
- Deploy the GPO:
- Link the GPO to the appropriate Organizational Unit (OU) containing the users.
- Run gpupdate /force on client machines to apply the policy.
Using Intune
Prepare the Safe Senders List:
- Create the same .txt file as above.
- Create a Configuration Profile:
- Log in to the Microsoft Endpoint Manager Admin Center.
- Go to Devices | Configuration profiles | Create profile.
- Select Windows 10 and later as the platform and Templates | Administrative Templates.
- Configure the Policy:
- Search for "Specify path to Safe Senders list".
- Enable the policy and provide the path to the .txt file.
- Assign the Profile. (Assign the configuration profile to the appropriate user or device groups.)
Using Exchange Online PowerShell (New Outlook/Outlook on the Web (OWA))
New Outlook and OWA require the sending email address to be added to the recipient's Safe Senders list in Outlook to automatically display external images in messages. To achieve this for all users in your organization, you can use Exchange Online PowerShell to add the sending email addresses from your selected Engage campaigns to user mailboxes. The following example demonstrates how to add the email addresses noreply@therelaysvc.com, noreply@info-needed.com, noreply@accountsecuritynotices.com to the Safe Senders list for all user mailboxes in your organization:
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$All = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$All | foreach {Set-MailboxJunkEmailConfiguration $_.Name -TrustedSendersAndDomains @{Add="noreply@info-needed.com","noreply@therelaysvc.com","noreply@accountsecuritynotices.com"}}
For more information, refer to the documentation on using Exchange PowerShell to Configure the Safe Sender's List.
Step 2: Enable Automatic Image Downloads for Safe Senders using GPO
Configure the GPO
- Open the Group Policy Management Console (GPMC).
- Navigate to:
- User Configuration | Administrative Templates | Microsoft Outlook | Outlook Options | Mail Format | HTML Options
- Enable the policy Automatic Picture Download Settings.
- Configure the setting to Permit downloads in email messages from Safe Senders and Safe Recipients.
- Deploy the GPO:
- Link the GPO to the appropriate OU and apply it.
Using Intune
- Create a Configuration Profile:
- Log in to the Microsoft Endpoint Manager Admin Center.
- Go to Devices | Configuration profiles | Create profile.
- Select Windows 10 and later as the platform and Templates | Administrative Templates.
- Configure the Policy:
- Search for Automatic Picture Download Settings.
- Enable the policy and configure it to Permit downloads in email messages from Safe Senders and Safe Recipients.
- Assign the Profile. (Assign the configuration profile to the appropriate user or device groups.)
Step 3: Verify the Configuration
On a Client Machine:
- Open Outlook and navigate to:
- Home | Junk | Junk Email Options | Safe Senders
- Confirm that Mimecast's sending addresses are listed.
- Test Automatic Image Downloads:
- Send a test email from a Mimecast address and verify that images are downloaded automatically without user intervention.
Domains
See the Listing Managed URLs section of Managed URLs for steps on how to specify the URLs and / or domains to be added to the managed URLs list.
The same configuration for Domains needs to be carried out by all Engage customers, regardless of your license type, the API security solutions you're using, or whether Secure Email Gateway has been set up.
You need to add the following to your Managed URLs list:
- https://*.therelayservice.com/ is the Engage phishing landing page, and the domain is owned by Mimecast.
- https://s3.amazonaws.com is needed to enable automatic downloads of inserted images and [videoposter] in your Engage Email Notifications.
The following domains, used in Engage Phishing Campaigns, also needed to be allowlisted. This is to ensure phishing simulations pass seamlessly through your email provider and are not blocked.
Domains that our phishing platform sends from are:
| KB Domains | In Platform Domains |
| account-renewals.com | account-renewals.com |
| accountsecuritynotices.com | accountsecuritynotices.com |
| benefits-bulletin.com | benefits-bulletin.com |
| ceo-update.com | ceo-update.com |
| company-updates.com | company-updates.com |
| corp-accounts.com | corp-accounts.com |
| corp-news.com | corp-news.com |
| corp-update.com | corp-update.com |
| corporate-payroll.com | corporate-payroll.com |
| corporate-updates.com | corporate-updates.com |
| cy-se.com | cy-se.com |
| employee-news.com | employee-news.com |
| info-needed.com | info-needed.com |
| instant-promos.com | instant-promos.com |
| our-account.com | payroll-news.com |
| payroll-news.com | payroll-updates.com |
| payroll-updates.com | relaysvc.com |
| relaysvc.com | salary-info.com |
| salary-info.com | secure-corporate-communications.com |
| secure-corporate-communications.com | secure-corporate-news.com |
| secure-corporate-news.com | secure-corporate-updates.com |
| secure-corporate-updates.com | secureceocommunications.com |
| secureceocommunications.com | securesecuritysolutions.com |
| securesecuritysolutions.com | security-bulletin.com |
| security-bulletin.com | subscriptionrenewalnotices.com |
| subscriptionrenewalnotices.com | subscriptionrenewalservices.com |
| subscriptionrenewalservices.com | sysgen-cash.com |
| sysgen-cash.com | sysgen-payroll.com |
| sysgen-payroll.com | worldwidenewsupdates.com |
| worldwidenewsupdates.com |
SMTP Email Addresses
See Permitted Senders Policy - Configuration on how to set up Permitted Senders policies, to ensure the successful delivery of inbound messages from trusted sources, and Policy Basics for more information on configuring policies.
You need to ensure the following email addresses are permitted, as they are used for Engage Phishing Campaigns. Emails are sent from these envelope addresses as the phishing domain.
- noreply@therelaysvc.com
- noreply@therelayservice.com
- noreply@securityvault.com ‐ FOR TEST SYSTEM ONLY
The following SMTP addresses also need to be permitted, as these are used for Engage Phishing Campaign Simulations:
This list of values / sending addresses is the same for all customers.
It’s up to you to choose which of the sending addresses to use from those available to you, which will then need to be allowlisted.
| Template Name | SMTP Address | Template Location |
| Sign-In Notification | noreply@accountsecuritynotices.com | System Template |
| OneDrive | noreply@benefits-bulletin.com | System Template |
| Free Promotions | noreply@instant-promos.com | System Template |
| Shipping | noreply@our-account.com | System Template |
| Dropbox Sharing | noreply@payroll-news.com | System Template |
| Amazon Shipping | noreply@relaysvc.com | System Template |
| File Sharing | noreply@secure-corporate-communications.com | System Template |
| Tracking Package | noreply@worldwidenewsupdates.com | System Template |
| ALL COMMUNITY TEMPLATES HAVE THE SAME SMTP ADDRESS BY DEFAULT | ||
| Access Restricted | noreply@info-needed.com | Community template |
| Account Compromised | noreply@info-needed.com | Community template |
| Grubhub Gift Card Acceptance | noreply@info-needed.com | Community template |
| Microsoft Task Approval Request | noreply@info-needed.com | Community template |
| Signature Request | noreply@info-needed.com | Community template |
| Statement of Account | noreply@info-needed.com | Community template |
| Product Marketing | noreply@info-needed.com | Community template |
| Login Confirmation | noreply@info-needed.com | Community template |
| Docusign Contract | noreply@info-needed.com | Community template |
| Account Verification | noreply@info-needed.com | Community template |
| Incoming Fax | noreply@info-needed.com | Community template |
| Login Attempt | noreply@info-needed.com | Community template |
| Adobe Subscription | noreply@info-needed.com | Community template |
| Microsoft Authenticator | noreply@info-needed.com | Community template |
| Invalid Payment | noreply@info-needed.com | Community template |
| BBC Licensing | noreply@info-needed.com | Community template |
| Netflix Payment | noreply@info-needed.com | Community template |
| Payroll Department | noreply@info-needed.com | Community template |
| Account Expiration | noreply@info-needed.com | Community template |
| Document Share | noreply@info-needed.com | Community template |
| FedEx Delivery | noreply@info-needed.com | Community template |
| Marketing Advertisement | noreply@info-needed.com | Community template |
| Microsoft Task Assignment | noreply@info-needed.com | Community template |
| Microsoft Teams Outreach | noreply@info-needed.com | Community template |
| Unlock Apple ID | noreply@info-needed.com | Community template |
| View Pay Slip | noreply@info-needed.com | Community template |
| Teams Project Outreach | noreply@info-needed.com | Community template |
| OneDrive Invoice | noreply@info-needed.com | Community template |
| Pending Payment | noreply@info-needed.com | Community template |
| Deposit Confirmation | noreply@info-needed.com | Community template |
| Signed Contract | noreply@info-needed.com | Community template |
| Send Data | noreply@info-needed.com | Community template |
| Login Attempt 3 | noreply@info-needed.com | Community template |
| Microsoft Teams | noreply@info-needed.com | Community template |
| Microsoft Planner | noreply@info-needed.com | Community template |
| Payment Processed | noreply@info-needed.com | Community template |
| Capital One | noreply@info-needed.com | Community template |
| 401k Information | noreply@info-needed.com | Community template |
| Maritime London Payment | noreply@info-needed.com | Community template |
| OpenAI Password Reset | noreply@info-needed.com | Community template |
| Auto Enrolment | noreply@info-needed.com | Community template |
Comments
For the GPO creation steps for ‘automatic picture download’, the GPO was located in a different location:
"Automatically download content for e-mail from people in Safe Senders and Safe Recipients lists" located at User Configuration/Administrative Templates/Microsoft Outlook 2016/Security/Automatic Picture Download Settings
In “Trusted Sites Configuration- Step 1:”, the entry ‘@domain.com ’ make sure the SafeSender list .txt file is reachable from the client machines and in users contexts.
And finally, before I could get the GPOs to apply to my clients, I had to add the below registry key to their machines:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Options\Mail
or
HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Options\Mail
DWORD: JunkMailImportLists
Value: 1
Source- https://support.microsoft.com/en-us/topic/how-to-deploy-junk-email-settings-such-as-the-safe-senders-list-by-using-group-policy-d17e49fb-af72-c796-6295-4da6d89ef5fa
Thank you for your feedback, and for sharing your observations.
Steps 1 and 2 do not work for those that are Azure/M365 cloud based and are not in a Hybrid or AD on-prim setup. To accomplish the same thing, you must log into Exchange Online using PowerShell and use something like the following. I hope this helps others. There's no Mimecast documentation about this.
install-module ExchangeOnlineManagement
connect-exchangeonline
$mbxs = (get-mailbox -resultsize unlimited -recipienttypedetails usermailbox).userprincipalname
$mbxs | set-mailboxjunkemailconfiguration -TrustedSendersAndDomains @{Add="<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>","<redacted email>",",redacted email>"}
New Outlook seems to block images from external parties by default and the safe senders inTune policy does not work with New Outlook.
Is there any workaround for this?
Hi Adrian Graves,
The New Outlook requires you to add an email address or domain to your M365 safe list for embedded images to display in an email. Your admin can add addresses to your safe list via PowerShell or add them as a contact and ensure "Also trust email from my Contacts" is checked in New Outlook.
From Microsoft Support:
Add recipients to the Safe Senders List in Outlook to prevent messages from being moved to the Junk E-mail folder:
Add recipients to the Safe Senders List in Outlook - Microsoft Support
From Microsoft Learn:
Configure junk email settings on Exchange Online mailboxes (including the safe list collection):
Configure junk email settings on Exchange Online mailboxes - Microsoft Defender for Office 365
Please sign in to leave a comment.