I'm working on setting up Gophish for some internal phish testing at my workplace. Gophish is an open source phishing simulation tool written in Go (who'da thunk?) that allows administrators to schedule phishing campaigns to test their employees. Think of KnowBe4, but free and without the salespeople spamming your email and voicemail.
One of the hurdles I ran into while setting up our simulation was the increased security of Exchange Online in comparison to on-premise. Previously, when I configured KnowBe4, the company I worked for self-hosted their mail server - all we had to do was whitelist anything coming from their IP addresses with a certain header. Nowadays, it's a tad more involved. Most tutorials tell you to gather a list of all of the fake email addresses you'll be using, in addition to the other information - a time consuming process. There is still a way to get around this, thankfully.
There are a few steps that need to be done in order to ensure delivery - I'm assuming you already have Gophish and Postfix configured in your environment. I may write a bit about setting this up in another post - but it's outside of the scope of this post.
Here's the broad overview of what we need to do:
- Configure the sending email server to "spoof" envelope address
- Whitelisting the "spoofed" envelope address on Phishing Simulations page
- Implement transport rule to strip header showing "spoofed" address.
Each of these steps are broken down into more detail below.
Configuring Postfix to Spoof Envelope Addresses
In my setup, I chose to use Postfix as our sending mail server instead of just using our 365 tenant. Exchange 365 REALLY does not like you modifying your from address in any way whatsoever, so this was a necessary step. I configured Postfix to only accept local connections (127.0.0.1) and to "spoof" it's from address. I'm putting "spoof" in quotes because we're really forcing Postfix to use it's actual address.
Here's what I added for the envelope modifications:
sender_canonical_classes = envelope_sender
sender_canonical_maps = regexp:/etc/postfix/canonical
The canonical file only contains one mapping, which matches any address. This will force Postfix to use our address instead of the fake one we're using in our phishing tests.
Whitelisting the Internal Mail Server
Here's how to get to the page we're looking for. Don't worry, here's a direct link to the page: Phishing Simulation
- Open Microsoft 365 Defender: https://security.microsoft.com
- Navigate to Policies & rules under Email & collaboration.
- Pick Threat policies on the Policies & rules page.
- Pick Advanced delivery under the Rules header.
- Finally, pick the Phishing simulation tab.
On the phishing simulation page, you'll need to add the domain and an IP address for your on-premise mailserver. This needs to match what you've configured your mail server to use as it's envelope address!
I've also added a public "gophish" A record on our domain pointing to the same IP address so everything is hunky-dory.
Implement Transport / Mail Flow Rule
The next piece required for this to work is removing the Authentication-Results header. I'm accomplishing this with a transport rule. Without this step, mail will still get delivered, but Outlook will show the "spoofed" domain after the phishing domain, like this:
To create transport rules, you'll need to open the Exchange 365 admin center and pick Rules
under the Mail flow
header on the left. Here's a direct link for your convenience: https://admin.exchange.microsoft.com/#/transportrules
The rule I created matches the sending IP Address (same address specified in the DNS A record and Sending IPs earlier) and the envelope address. You can also added a header check as a security-through-obscurity measure, if you desire. The setting of the SCL score to -1 may not be entirely necessary since we also configured the phishing simulation whitelist, but you can never be too sure, can you?