Allowlisting Coro as a safe sender for Security Awareness Training

To use Security Awareness Training (SAT), system administrators must first allowlist Coro in an organization's email domain. This ensures that SAT phishing simulation emails from Coro are not blocked or mistaken for real threats.

Coro SAT is supported on the following platforms: Microsoft 365 and Google Workspace.

Allowlisting Coro in Microsoft 365

To allowlist SAT emails in Microsoft 365, perform the following two-part procedure:

Configuring Microsoft Exchange

Phishing simulation emails sent by Coro all include a specific identifying header. Configure Microsoft Exchange to recognize and allow emails containing this header.

To configure Microsoft Exchange:

  1. Sign in to Microsoft Exchange admin center with your administrator credentials.
  2. Go to Mail flow > Rules.
  3. On the Rules page, select + Add a rule:

    Adding a new mail flow rule

  4. From the dropdown, select Create a new rule.

    Exchange displays the New transport rule dialog, on the Set rule conditions step:

    New transport rule dialog - Set rule conditions

  5. Enter a name. Coro recommends Coro Header Allow.
  6. Under Apply this rule if, select The message headers... from the first dropdown. Then, select matches these text patterns from the second dropdown.
  7. Select Enter text. Then, enter the email header name present in all SAT emails:

    X-BPSAT

  8. Select Enter words. Then, enter the email header value present in all SAT emails:

    66Y7U2LTS

  9. Under Do the following, select Modify the message properties from the first dropdown. Then, select Set the spam confidence level (SCL) from the second dropdown.

    Exchange displays the specify SCL dialog:

    specify SCL dialog

  10. Make sure the dropdown is set to Bypass spam filtering. Then, select Save.

    The Set rule conditions step should now resemble the following:

    New transport rule dialog - Set rule conditions

  11. Leave the remaining settings as their default values and select Next to proceed.
  12. On the Set rule settings step, leave all settings as their default values and select Next to proceed.
  13. On the Review and finish step, select Finish to add the new rule. Then, select Done to close the dialog.
  14. On the Rules page, locate and select your new rule.

    Exchange shows a rule summary dialog:

    Enabling your disabled new rule

  15. Enable your rule by selecting Enable or disable rule.

    After a short wait, Exchange confirms the rule status was updated successfully.

  16. Select Edit rule settings.

    Exchange displays the rule edit dialog.

  17. Enter a Priority of 0 (zero) to make sure your new rule is a higher priority than other inbound rules:

    Enabling your disabled new rule

  18. Select Save to save your changes.
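
The rule built in the steps above can also be audited from an Exchange Online PowerShell session. The following is an added example, not part of Coro's documentation or script: `Test-CoroHeaderRule` and the sample rule object are hypothetical, and it assumes that Bypass spam filtering is reported as an SCL of -1.

```powershell
# Added example (not Coro's code): audit the "Coro Header Allow" mail flow rule.
# Expected values are taken from the steps on this page.
$Expected = @{
    HeaderName  = 'X-BPSAT'
    HeaderValue = '66Y7U2LTS'
    Scl         = '-1'   # assumption: "Bypass spam filtering" is reported as SCL -1
    Priority    = 0
}

function Test-CoroHeaderRule {
    param(
        [Parameter(Mandatory)] $Rule,                 # object from Get-TransportRule
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $patterns = @($Rule.HeaderMatchesPatterns | ForEach-Object { "$_" })
    $findings = @()
    if ("$($Rule.State)" -ne 'Enabled') {
        $findings += "State is '$($Rule.State)'; the rule must be enabled (step 15)."
    }
    if ([int]$Rule.Priority -ne $Expected.Priority) {
        $findings += "Priority is $($Rule.Priority); expected $($Expected.Priority) (step 17)."
    }
    if ("$($Rule.HeaderMatchesMessageHeader)" -ne $Expected.HeaderName) {
        $findings += "Header name is '$($Rule.HeaderMatchesMessageHeader)'; expected '$($Expected.HeaderName)'."
    }
    # Exactly one pattern, equal to the documented value: anything broader widens the bypass.
    if ($patterns.Count -ne 1 -or $patterns[0] -ne $Expected.HeaderValue) {
        $findings += "Header patterns are '$($patterns -join ', ')'; expected only '$($Expected.HeaderValue)'."
    }
    if ("$($Rule.SetSCL)" -ne $Expected.Scl) {
        $findings += "SCL action is '$($Rule.SetSCL)'; expected $($Expected.Scl)."
    }
    return $findings
}

# Constructed sample: a rule that was created but not yet enabled or re-prioritised.
$sampleRule = [pscustomobject]@{
    Name = 'Coro Header Allow'; State = 'Disabled'; Priority = 3
    HeaderMatchesMessageHeader = 'X-BPSAT'
    HeaderMatchesPatterns      = @('66Y7U2LTS')
    SetSCL                     = -1
}
# Against a live tenant (after Connect-ExchangeOnline), use instead:
#   $sampleRule = Get-TransportRule -Identity 'Coro Header Allow'
$result = @(Test-CoroHeaderRule -Rule $sampleRule -Expected $Expected)
if ($result.Count -eq 0) { 'Rule matches the documented configuration.' } else { $result }
```

Because the rule bypasses spam filtering for any message that matches its header condition, re-running this check after other mail flow rule changes confirms the condition has not been broadened.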

Configuring Microsoft Defender

To make sure Microsoft Defender does not flag phishing simulation emails as potential threats, declare the list of simulation domains, IP addresses, and URLs used by Coro SAT.

Coro provides a PowerShell script to automate the process. Follow the instructions in Using PowerShell to execute the script on your M365 tenant.

Alternatively, add the simulation details manually in Microsoft Defender admin center.

Using PowerShell

Note: Coro recommends this method because it automatically adds Coro's SAT simulation domains, IP addresses, and URLs without an administrator needing to enter them individually into Microsoft Defender admin center.

To add Coro SAT simulation domains, IP addresses, and URLs into Microsoft Defender through a PowerShell script:

  1. Connect to your M365 tenant via PowerShell.
    Important: Make sure you are connected as an account with administrator privileges.

  2. Verify whether the Exchange Online Management module is installed on your tenant by entering:
    Get-Module -ListAvailable -Name ExchangeOnlineManagement
    • If the module is installed, PowerShell displays the module details. Perform an update to make sure you have the latest version:
      Update-Module ExchangeOnlineManagement
    • If the module is not installed, install it by entering:
      Install-Module -Name ExchangeOnlineManagement -Force
  3. Load the module into your PowerShell session by entering:
    Import-Module ExchangeOnlineManagement
  4. When connecting to Exchange Online via PowerShell, the execution policy set for PowerShell determines how scripts run on your tenant.

    Coro recommends using a RemoteSigned policy as this ensures:

    • Locally-created scripts run without requiring a digital signature.
    • Trusted publishers must sign scripts downloaded from the internet.

    Set the execution policy by entering:

    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser

    If prompted, allow the execution policy change by entering y (for "Yes") or a (for "All").

  5. Use Modern Authentication to connect to Exchange Online by entering:
    Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

    Complete the sign-in process, including any multi-factor authentication steps, when prompted.

    Note: Modern Authentication is the default connection method for standard M365 tenants.

  6. Download the Coro SAT Phishing Simulation Override Policy PowerShell script to your tenant. Make a note of the download location.
  7. Run the script in your PowerShell session using the full path to the script's location. For example:
    & "C:\Users\User\Downloads\CoroSAT-PhishSimOverridePolicy.ps1"

    Note: If PowerShell prompts you to approve a security warning for running the script, enter R to proceed.

    While the script executes, PowerShell displays the override policy being added.

  8. After the script completes successfully, PowerShell displays an error message:

    Error message from Phishing Sim Override Policy PowerShell script successful completion

    Important: This error message is expected and confirms the script completed successfully. If you see any other errors, this might indicate issues requiring investigation. Contact Coro Support for advice.

  9. To verify that the allowlist is correctly populated, use the steps included in Using the admin center to view the Advanced delivery > Phishing simulation page in Microsoft Defender admin center:

    Microsoft Defender - Advanced delivery

    Confirm that this page includes all simulation domains, IP addresses, and URLs required for Coro SAT to function.
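
The confirmation in step 9 can also be done from the same PowerShell session by comparing what the tenant holds against the sending IP addresses listed on this page. This is an added example, not Coro's script: `Compare-AllowlistEntries` and the sample data are hypothetical, and it assumes the tenant's values are read with the ExchangeOnlineManagement cmdlet `Get-ExoPhishSimOverrideRule`.

```powershell
# Added example (not Coro's script): compare a tenant's phishing simulation
# allowlist with the Coro SAT sending IP addresses listed on this page.
$ExpectedIps = @(
    '23.249.219.118', '18.168.104.87', '13.42.200.223', '3.9.228.40',
    '3.127.7.20', '63.178.172.172', '13.216.31.253', '74.177.142.1'
)

function Compare-AllowlistEntries {
    param([object[]] $Expected, [object[]] $Actual)
    # Normalise so that case, whitespace, or a /32 suffix on a single address
    # (assumption: a tenant may report IPs in CIDR form) does not cause false diffs.
    $normalise = {
        param($values)
        $values | Where-Object { $_ } |
            ForEach-Object { "$_".Trim().ToLowerInvariant() -replace '/32$', '' } |
            Sort-Object -Unique
    }
    $want = @(& $normalise $Expected)
    $have = @(& $normalise $Actual)
    [pscustomobject]@{
        Missing    = @($want | Where-Object { $_ -notin $have })   # SAT mail may be blocked
        Unexpected = @($have | Where-Object { $_ -notin $want })   # extra filtering bypass
    }
}

# Constructed sample of what a tenant might return: one Coro address is absent
# and 203.0.113.10 (a documentation address) is present.
$sampleActual = @(
    '23.249.219.118', '18.168.104.87', '13.42.200.223', '3.9.228.40/32',
    '3.127.7.20', '63.178.172.172', '13.216.31.253', '203.0.113.10'
)
# Against a live tenant (after Connect-ExchangeOnline), use instead:
#   $sampleActual = (Get-ExoPhishSimOverrideRule).SenderIpRanges
$diff = Compare-AllowlistEntries -Expected $ExpectedIps -Actual $sampleActual
"Missing:    $($diff.Missing -join ', ')"
"Unexpected: $($diff.Unexpected -join ', ')"
```

An entry under Unexpected is a sender outside Coro's list that also bypasses filtering and should be reviewed. The same function can compare the rule's Domains property against the domain list.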

Using the admin center

To manually add all Coro SAT simulation domains, IP addresses, and URLs into Microsoft Defender admin center:

  1. Sign in to Microsoft Defender with your administrator credentials.
  2. Go to Email & collaboration > Policies & rules.

    Defender displays the Policies & rules page:

    Microsoft Defender - Policies and rules

  3. Select Threat policies.
  4. From the Rules section, select Advanced delivery:

    Microsoft Defender - Threat policies

  5. From the Advanced delivery page, select Phishing simulation:

    Microsoft Defender - Advanced delivery

  6. If this page is already populated with phishing simulation rules, select Edit. Otherwise, select Add.

    Defender displays the Edit third party phishing simulations dialog:

    Microsoft Defender - Advanced delivery

  7. Populate the Domain section with the following list of domains:
  8. Populate the Sending IP section with the following IP address list:
    23.249.219.118
    18.168.104.87
    13.42.200.223
    3.9.228.40
    3.127.7.20
    63.178.172.172
    13.216.31.253
    74.177.142.1
  9. Populate the Simulation URLs to allow section with the following:
    *.boxphish.com/*
    *.microsoft-notifications.co.uk/*
    *.dropbox-notifications.co.uk/*
    *.gmaillogin.co.uk/*
    *.file-transf3rs.com/*
  10. Select Save to save your changes.

Additional steps for Coro Inbound Gateway users

If you use Coro's Inbound Gateway proxy for your incoming email, SAT requires you to make an update to the filtering configuration for the mail flow connector you created when setting up the gateway.

Make the following updates to the enhanced filtering configuration in Microsoft Defender admin center to ensure that Coro's SAT IP addresses are not restricted:

  1. Sign in to Microsoft Security admin center with your administrator credentials.
  2. Go to Email & Collaboration > Policies & Rules > Threat policies.
  3. Select Enhanced filtering:

    Selecting enhanced filtering in M365 Defender admin center

  4. Select the inbound email connector you created for the Inbound Gateway.
  5. In the detail pane for the connector, select Skip these IP addresses that are associated with the connector, then enter the full list of Coro SAT IP addresses together with the list of Coro Inbound Gateway IP addresses (as specified in the connector configuration):

    Selecting the Coro Inbound Gateway connector

  6. For Apply to these users, select Apply to entire organization.
  7. Select Save.

Allowlisting Coro in Google Workspace

To allowlist Coro SAT in Google Workspace:

  1. Sign in to the Google Workspace admin console with your administrator credentials.
  2. Select Apps > Google Workspace > Gmail.

    Google displays the Settings for Gmail page:

    Gmail settings

  3. Locate and select Spam, Phishing and Malware:

    Gmail - Spam, Phishing and Malware

Next, perform the following three-part procedure:

Allowlisting Coro's sender IP address

To prevent Google from categorizing SAT emails from Coro as spam (and potentially quarantining or moving emails so users do not receive them), add Coro's sender IP address to the email allowlist.

  1. From the Spam, phishing, and malware page, select Email allowlist:

    Gmail - selecting Email allowlist

  2. Enter the following Coro SAT IP addresses as a comma-separated list:
    23.249.219.118,18.168.104.87,13.42.200.223,3.9.228.40,3.127.7.20,63.178.172.172,13.216.31.253,74.177.142.1

    Gmail - Entering the Coro SAT IP address

  3. Select Save.

Adding Coro's sender IP address as an inbound mail gateway

Google can automatically tag incoming emails it believes to be suspicious with warning banners to highlight the risk to recipients. To best assess your users' vulnerability to phishing, prevent Google from adding warning banners by adding Coro's sender IP address as an inbound gateway.

  1. From the Spam, phishing, and malware page, select Inbound gateway:

    Gmail - selecting Inbound gateway

  2. In the Inbound gateway dialog, select Enable, then enter the following settings:
    • Gateway IPs: Add the SAT IP address list from the previous section.

      Note: Google requires you to add each IP address individually. Select ADD and enter a single address from the list, then select Save. Repeat for each IP address in the list.

    • Automatically detect external IP (recommended): Disable.
    • Reject all mail not from gateway IPs: Disable.
    • Require TLS for connections from the email gateways listed above: Enable.
    • Message is considered spam if the following header regexp matches: Enable.
    • Regexp: Enter a random series of characters to represent a header that does not exist in Coro's SAT emails.
    • Test expression:
      • Select Message is spam if regexp matches.
      • Enable Disable Gmail spam evaluation on mail from this gateway; only use header value.

    Gmail - Inbound gateway settings page

  3. Select Save to save your changes.

Allowlisting Coro's SAT domains

Add the domains used by Coro for phishing simulations, course enrollment, and policy hand-outs to your Google Workspace allowlist to make sure Google does not restrict delivery of such emails to your users.

  1. From the Spam, phishing, and malware page, locate the Spam section and select CONFIGURE:

    Gmail - selecting Spam configuration

    Google displays the Add setting dialog:

    Gmail - Spam - Add setting dialog

  2. Enter a short description.
  3. Enable Bypass spam filters and hide warnings for messages from senders or domains in selected lists, then select Create or edit list:

    Gmail - Link to create or edit address list

  4. In the Manage address lists dialog, select ADD ADDRESS LIST:

    Gmail - Adding a new address list

    Google displays the Add address list dialog:

    Gmail - Add address list dialog

  5. Enter a name for your new address list.
  6. Select BULK ADD ADDRESSES.

    Google displays the Bulk add addresses dialog:

    Gmail - Bulk add addresses option

  7. Copy and paste the following list of domains into the dialog:
  8. Enable Require sender authentication, then select ADD.
  9. Select SAVE.
  10. Return to the Add setting dialog and select Use existing list:

    Gmail - link to use an existing address list

  11. Select your newly created address list:

    Gmail - selecting an address list

  12. Select X to close the selection dialog.
  13. Select SAVE to create your Coro SAT spam rule:

    Gmail - save the configured spam rule