Microsoft Defender for Office 365 (MDO) setup

If your organization runs Microsoft Defender for Office 365 (sometimes called “Advanced Threat Protection” or “ATP”), you'll need to allowlist ThouShaltNotClick once. Without this, MDO will quarantine our phishing simulation emails before staff ever see them — the simulations won't reach inboxes and the training value is lost. This is a one-time tenant admin task that takes about 10 minutes.

ℹ️
Microsoft built a policy called Advanced Delivery specifically for vendors like us. It tells MDO: “don't scan, filter, or modify mail from these senders — they're an authorized phishing simulation provider.” It's the official, supported way to integrate. We're not asking you to weaken your security posture.

Who needs to do this?

Only organizations that have any of these Microsoft 365 plans need this setup:

  • Microsoft 365 E5 (includes Defender for Office 365 Plan 2)
  • Microsoft 365 A5 for Education (includes Plan 2)
  • Microsoft 365 E3 / A3 + Defender for Office 365 add-on
  • Any plan with Defender for Office 365 Plan 1 or Plan 2 added separately

If you're on a plain Microsoft 365 Business Basic, Business Standard, or Apps for Business plan with no Defender add-on, skip this page — nothing to configure. Phishing simulations will deliver normally.

What goes in the allowlist

You'll add three things to MDO's Advanced Delivery policy. Each is a copy-paste exercise — no judgment calls.

  • Sending domains — the 31 domains we send simulations from. Full list below.
  • Sending IPs — we send through our infrastructure provider's shared IP pool.
  • Reply-to/return-path domain: thoushaltnotclick.com

Step-by-step: Configure Advanced Delivery

  1. Open the Defender portal
     Sign in to security.microsoft.com as a Global Administrator or Security Administrator.
  2. Navigate to the Advanced Delivery policy
     In the left nav, expand Email & collaboration → click Policies & rules → Threat policies. Under the “Rules” section, click Advanced delivery.
  3. Choose the Phishing simulation tab
     Two tabs appear: SecOps mailboxes and Phishing simulation. Click Phishing simulation.
  4. Add a new policy
     Click + Add (or Edit if a policy already exists). A right-side panel opens.
  5. Add the domains
     Under Domain, paste the full list from the “Sending domains” section below — one per line. Press Enter after each.
  6. Add the sending IPs
     Under Sending IP, paste the IP ranges from the “Sending IPs” section below.
  7. (Optional) Add Simulation URLs
     If you also want to exempt our landing pages (for staff who click through and see a “you would have been phished” explainer), paste the URLs from the “Simulation URLs” section. Skip this if you'd rather Microsoft scan our landing pages too — that's fine, the simulations will still work.
  8. Save and confirm
     Click Add at the bottom. The policy goes live within a few minutes — you'll see “Phishing simulation override” appear under Active policies.

After saving, send yourself a test phishing simulation from the TSNC Campaigns page. It should arrive in your inbox within 60 seconds with no MDO warnings or quarantine flag. If it lands in Quarantine instead, double-check that the sending domain is spelled correctly in the Advanced Delivery policy.

Sending domains

Add all of these to the Domain field. We rotate sending domains across campaigns to keep simulations realistic — copy them all even if you don't recognize a particular one.

ℹ️
The full, current list of sending domains is available in your TSNC admin dashboard at Admin → Sending Domains. We update it whenever we add a new domain — you'll need to re-export and re-paste the list once or twice a year.

Sending IPs

We send through Railway's mail infrastructure. Currently the relevant ranges are:

  • 137.66.0.0/16
  • 66.33.22.0/24

These IPs may change — check the latest in your TSNC admin dashboard at Admin → Sending Domains → Show IPs. We'll email tenant admins when we change ranges.

Simulation URLs (optional)

Add these if you also want MDO to skip URL detonation on our landing pages:

  • *.thoushaltnotclick.com
  • *.tsnc-sim.com
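The same setup (steps 1 to 8, plus the typo check from the Troubleshooting section) done from Exchange Online PowerShell, so it can be re-run each time you re-export the domain list. This is an added example, not a script from TSNC or Microsoft; it assumes the ExchangeOnlineManagement module is installed, that .\tsnc-sending-domains.txt is the list exported from Admin → Sending Domains (one domain per line), and the cmdlet and parameter names as Microsoft documents them for the advanced delivery policy, which you should confirm with Get-Command in your own tenant.

```powershell
# Added example (not TSNC's or Microsoft's own script). Assumes the
# ExchangeOnlineManagement module and an exported domain list at
# .\tsnc-sending-domains.txt (one domain per line). Verify cmdlet names
# with Get-Command *PhishSimOverride* before relying on them.
Connect-ExchangeOnline

$policyName = 'PhishSimOverridePolicy'
$domains    = Get-Content .\tsnc-sending-domains.txt |
              ForEach-Object { $_.Trim().ToLowerInvariant() } |
              Where-Object { $_ -match '^[a-z0-9.-]+\.[a-z]{2,}$' }   # drop blank or garbled lines
$ipRanges   = @('137.66.0.0/16', '66.33.22.0/24')                  # from the "Sending IPs" section

# Create the policy once; later runs only update the rule.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name $policyName | Out-Null
}
$rule = Get-ExoPhishSimOverrideRule -Policy $policyName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-ExoPhishSimOverrideRule -Policy $policyName -Domains $domains -SenderIpRanges $ipRanges
} else {
    # Re-sync after a dashboard re-export: add what is new, remove what is gone.
    $addDomains    = $domains | Where-Object { $_ -notin $rule.Domains }
    $removeDomains = $rule.Domains | Where-Object { $_ -notin $domains }
    $addIps        = $ipRanges | Where-Object { $_ -notin $rule.SenderIpRanges }
    $removeIps     = $rule.SenderIpRanges | Where-Object { $_ -notin $ipRanges }
    $params = @{ Identity = $rule.Identity }
    if ($addDomains)    { $params.AddDomains           = $addDomains }
    if ($removeDomains) { $params.RemoveDomains        = $removeDomains }
    if ($addIps)        { $params.AddSenderIpRanges    = $addIps }
    if ($removeIps)     { $params.RemoveSenderIpRanges = $removeIps }
    if ($params.Count -gt 1) { Set-ExoPhishSimOverrideRule @params }
}

# Optional step 7: exempt the landing-page URLs from Safe Links detonation.
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery `
    -Entries '*.thoushaltnotclick.com', '*.tsnc-sim.com' -NoExpiration -ErrorAction SilentlyContinue

# Verification: compare the live rule against the exported list to catch typos.
$live    = Get-ExoPhishSimOverrideRule -Policy $policyName
$missing = $domains | Where-Object { $_ -notin $live.Domains }
if ($missing) { Write-Warning "Not in the live policy (check for typos): $($missing -join ', ')" }
else          { "All $($domains.Count) sending domains and $($live.SenderIpRanges.Count) IP ranges are active." }
```

Run it again after Microsoft's 15 to 30 minute propagation window if the final check still reports missing domains.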

What if my IT department has compliance concerns?

Common questions and the honest answers:

Doesn't allowlisting these domains create a security risk?
No. The Advanced Delivery policy is scoped narrowly: only mail from our specific sending domains AND from our specific IP ranges is allowed through. An attacker would need to compromise both our infrastructure AND match our domains to abuse this. The same risk model applies to every sanctioned phishing simulation vendor (KnowBe4, Hoxhunt, Proofpoint Security Awareness, etc.).

Will this affect Safe Links or Safe Attachments for any other email?
No. Advanced Delivery only changes behavior for mail matching the policy. All other inbound mail continues through MDO's full scanning pipeline.

Does this give TSNC the ability to send any email to our org?
Only the simulation emails you've authorized through your TSNC dashboard. We can't send mail outside the simulations you create — there's no general 'send anything' capability tied to this allowlist.

What happens if MDO's policy changes or our admin lapses on the allowlist?
Simulations will start landing in quarantine. You'll see lower 'delivered' rates in your TSNC campaign reports, which is the canary. Re-add the policy and they'll deliver again — no permanent damage.

We're SOC 2 / FERPA / HIPAA. Is this allowed?
Yes. Phishing simulation allowlisting is a standard control documented in the major frameworks. SOC 2 specifically calls out 'authorized exceptions to security controls for testing purposes.' You'll want to document the allowlist in your security policy and review it during your annual policy review.

Troubleshooting

Simulations still going to quarantine after setting up Advanced Delivery. Most common cause: typo in a domain. Re-export the sending domain list from your TSNC dashboard and compare. Microsoft sometimes also takes 15–30 minutes to fully propagate the policy — if you just saved it, wait a bit and re-test.

Simulations delivering but with a warning banner. Two possibilities: (1) your tenant has an external-sender warning policy that fires before Advanced Delivery is checked — this is a separate setting under Mail flow rules in the Exchange admin center; or (2) the simulation is being flagged by your Microsoft 365 connectors before MDO runs. Contact support@thoushaltnotclick.com with the message header (View Source → copy the Authentication-Results line) and we'll diagnose.

Some users get simulations, others don't. Check whether the affected users have personal Outlook rules forwarding mail elsewhere, or whether your Defender policy has scoped exceptions. Both can intercept before the inbox.