Microsoft Update on Whitelisting Phishing Simulation emails

The Microsoft Advanced Delivery Policy has been recommended and included in Nimblr's guide for whitelisting simulated phishing emails since November 2021. However, it was only in September 2023 that Microsoft started to ignore the old methods of whitelisting. This may cause issues for customers who have not yet configured the Advanced Delivery Policy. The following message (MC674418) was posted in the Microsoft 365 admin center on September 9th, 2023:


Required Configuration for Phishing Simulation emails

Exchange Online Protection (EOP) / Defender for Office 365 (MDO) customers who want to send phishing simulation emails need to configure advanced delivery policy for optimal behavior. This policy will ensure that emails that match your conditions are delivered unfiltered to the Inbox and that Safe Links time-of-click protection and post-delivery actions are disabled. Previously, EOP supported this scenario for some phishing simulation vendors by honoring admin-configured Exchange transport rules stamping SCL -1 or the header (X-MS-ExchangeOrganizationPhishTraining). But this was a temporary solution and will be discontinued soon. We advise all customers who use phishing simulation products to configure advanced delivery policy for a smooth product experience.

How this will affect your organization:

If you are using a 3rd party phishing simulation product and haven't configured advanced delivery policy, you might notice these emails getting quarantined. 

What you need to do to prepare:

Instead of using mail flow transport rules, we recommend using Advanced Delivery Policy (as described in Nimblr's guide for whitelisting simulated phishing emails).
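
To check whether a tenant still depends on the discontinued method, the following audit lists transport rules that stamp SCL -1 or a PhishTraining header and reports whether a phishing simulation override exists in Advanced Delivery. It is an added example, not part of Nimblr's guide or Microsoft's message, and it assumes the ExchangeOnlineManagement module is installed and the account can read both transport rules and Advanced Delivery settings.

```powershell
# Added example: read-only audit, makes no changes to the tenant.
Connect-ExchangeOnline -ShowBanner:$false   # provides Get-TransportRule
Connect-IPPSSession                         # provides Get-*PhishSimOverride* cmdlets

# 1. Legacy method: transport rules that set SCL -1 or a PhishTraining header.
#    The wildcard matches the header name as written in MC674418.
#    SetSCL is compared as a string so the check works on deserialized objects.
$legacy = @(Get-TransportRule -ResultSize Unlimited | Where-Object {
    "$($_.SetSCL)" -eq '-1' -or $_.SetHeaderName -like '*PhishTraining*'
})

if ($legacy.Count -gt 0) {
    # SCL -1 rules can exist for reasons other than phishing simulations,
    # so review each hit rather than treating the list as definitive.
    $legacy |
        Select-Object Name, State, Priority, SetSCL, SetHeaderName, SetHeaderValue, SenderIpRanges |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No transport rules stamping SCL -1 or a PhishTraining header were found.'
}

# 2. Advanced Delivery: is a phishing simulation override configured?
$policy = @(Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)
$rules  = @(Get-ExoPhishSimOverrideRule -ErrorAction SilentlyContinue)

if ($policy.Count -eq 0 -or $rules.Count -eq 0) {
    Write-Warning 'No phishing simulation override is configured in Advanced Delivery.'
} else {
    # Compare the listed domains and sending IPs with the values from your vendor.
    $rules | Format-List
}

# 3. The combination the Microsoft message warns about.
if ($legacy.Count -gt 0 -and $rules.Count -eq 0) {
    Write-Warning ("{0} legacy rule(s) found and no Advanced Delivery rule: " +
        "simulation emails may be quarantined." -f $legacy.Count)
}
```

Once the Advanced Delivery Policy is in place and simulations are delivered as expected, the legacy rules listed in step 1 that exist only for phishing simulations no longer serve a purpose.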