Setting Up Allowlisting for Phin Security

We have built this guide to make allowlisting as easy as possible for you and your team.

To ensure emails for training and phishing make it through your email filtering process, you will need to allow the following sending IPs, domains, and simulated URLs to be listed. The guide below is broken down into each allowlist scenario depending on the platforms you use.

ACTION REQUIRED: Phin Security has updated its email service provider and IP addresses. This means that all Phin partners must update their allowlisted IPs for all clients by 1/6/2025 to continue sending simulated phishing emails. Failure to update allowlists will result in a failed delivery.

If your end-users are in Outlook, ensure the following IPs are listed in Microsoft Defender > Advanced Delivery > Phishing Simulation.

198.2.177.227
198.244.59.179
35.237.125.73
198.2.178.214

This can be done manually or using our new Automated Allowlisting solution.

Microsoft Outlook Users

Microsoft Automated Allowlisting

Microsoft Manual Allowlisting
- IPs, Domains, URLs

Google Workspace Users

Graph API Mail Delivery

Note: If you are using third-party software such as INKY, Barracuda, and others, you may need to add our IPs, domains, and simulated URLs to those platforms as well.

Microsoft Outlook Users

Microsoft Automated Allowlisting

Automated allowlisting performs all the steps for you listed in manual allowlisting with the single press of a button. Follow these instructions to enable automated allowlisting at the company level.

Navigate to Company > Integrations > Microsoft Automated Allowlisting
Click Continue to Microsoft (After reviewing the necessary permissions)
Log into Microsoft and grant consent for the integration at which time you will be navigated back to the Phin.
Once the verification step is done, the integration will begin the allowlisting procedure immediately, pushing all of the most up-to-date sending IPs, sending domains, and simulated URLs into Microsoft Defender > Policies & Rules > Threat Policies > Advanced Delivery > Phishing Simulation.
1. Automated Allowlisting should take no more than a couple of minutes per company and can be done simultaneously in new tabs (you don't have to wait for one company to finish before proceeding to the next).
Once the allowlist service is done, you'll be presented with either a success or failure message. A success message will be accompanied by an output of what was updated.
1. Success: If everything comes back as successful, we recommend navigating to Advanced Delivery> Phishing Simulation, confirming you see the injected sending IPs, domains, and simulated URLs listed. If you do not see them, please disconnect and re-attempt automated allowlisting or submit a ticket to the Phin support team.
2. If you receive an error message, please disconnect and re-attempt automated allowlisting, as this typically resolves the issue. If you experience repeated failed attempts, please submit a ticket to the Phin support team.
Continue steps 1-5 on all companies.

⭐ IMPORTANT NOTE: If additions are made to automated allowlisting (ex, added domains, URLs, rules), they will be auto-synced with the connected Microsoft environments, removing the need to re-run the integration once enabled.

PS: Check out the Financial Warning Mail Flow Rule, which can automatically create a rule to add a warning banner to emails that feature certain keywords.

If someone is added as an admin to Phin, connects this integration and then is removed from Phin, the integration will continue to work as long as the admin has the "Global Administrator" role.

Microsoft Manual Allowlisting

Go to https://security.microsoft.com/
Select Policies and Rules from the Email & collaboration section in the menu on the left
Then select Threat policies
Click the Advanced Delivery in the Rules section
Select the Phishing Simulation tab
Click Edit to add IPs, URLs, and domains (listed below).
Enable Transport Rule 1 (REQUIRED): The first rule will force Phin emails to show in users' inboxes.
1. Go to https://admin.exchange.microsoft.com/#/
2. Select Mail flow > Rules in the sidebar navigation on the left
3. + Add a rule > Create a new rule with the following information
  1. Name: Bypass Focused Inbox and Spam Filter for Phin
  2. Apply this rule if*
    - Dropdown 1 = The sender
    - Dropdown 2 = IP address is in any of these ranges or exactly matches
    - Add each of these IPs: 198.2.177.227, 198.2.178.214, 198.244.59.179, 35.237.125.73
  3. Do the following*
    - Dropdown 1 = Modify the message properties
    - Dropdown 2 = Set the spam confidence level (SCL)
    - Set the spam confidence level (SCL) = Bypass spam filtering
  4. And*
    - Dropdown 1 = Modify the message properties
    - Dropdown 2 = Set the message header
    - Set the message header to "X-MS-Exchange-Organization-BypassFocusedInbox"
    - Set the value to "True"
  5. Here is an example of what the rule should look like once completed.
Enable Transport Rule 2 (OPTIONAL): The second rule is optional and only applicable to partners who have chosen to generate a 'Custom Header' in a company's settings page. The following rule will set a spam confidence level (SCL) of -1 to all end-user Phin emails (phishing & training).
1. Go to https://admin.exchange.microsoft.com/#/
2. Select Mail flow > Rules in the sidebar navigation on the left
3. + Add a rule > Create a new rule with the following information
  1. Name: Set SCL for X-PHIN-CUSTOM header
  2. Apply this rule if*
    - Dropdown 1 = The message headers
    - Dropdown 2 = matches these text patterns
    - Enter text = X-PHIN-CUSTOM
    - Enter words = {insert the company custom header found in Phin portal}
  3. Do the following*
    - Dropdown 1 = Modify the message properties
    - Dropdown 2 = Set the spam confidence level (SCL)
    - Set the spam confidence level (SCL) = Bypass spam filtering
  4. Here is an example of what the rule should look like once completed.

Sending IPs (4)

All of our messages that are sent over SMTP are sent through the following IPs:

Phishing emails: 198.2.177.227, 198.244.59.179, 35.237.125.73
Reminders: 198.2.178.214

Simulated URLs (9)

Make sure to add the URLs exactly as they appear below!

*.betterphish.com/*
*.shippingalerts.com/*
*.amazingdealz.net/*
*.berrysupply.net/*
*.coronacouncil.org/*
*.couponstash.net/*
*.intelligentbros.com/*
*.creditsafetyteam.com/*
*.autheticate.com/*
*.notificationhandler.com/*

Sending Domains (10)

phinsecurity.com
betterphish.com
shippingalerts.com
amazingdealz.net
berrysupply.net
coronacouncil.org
couponstash.net
intelligentbros.com
creditsafetyteam.com
autheticate.com
notificationhandler.com

In addition to allowlisting, it is encouraged that MSPs also enable the Ignore 3rd party addresses option. This does NOT replace allowlisting but also serves as an additional best practice.

Additional Resources

Microsoft 365 Defender Advanced Delivery Guide

Allowlisting: Powershell Script

Google Workspace Users

Allowlisting domains:

Follow these instructions to add our dedicated domains to your approved senders list in Google Workspace. You will need to create an address list with the domains listed below.

Our dedicated sending domains:

phinsecurity.com,notificationhandler.com,amazingdealz.net,coronacouncil.org,couponstash.net,creditsafetyteam.com,shippingalerts.com,berrysupply.net,autheticate.com,betterphish.com

Allowlisting IPs:

Follow these instructions to add our dedicated sending IPs below to your Google Workspace allowlist.

Our dedicated sending IPs:

Phishing emails: 198.2.177.227, 198.244.59.179, 35.237.125.73
Training emails: 198.2.178.214

Knowledge Base

Phin works to update our Knowledge Base with new features with every release. You can read about the platform and its updates here: https://www.phinsec.io/knowledge.

Thanks for using our product!

We use all provided feedback to help drive Phin's development direction. Please keep reaching out and helping us shape the product's future! All ideas are welcome; please keep them coming!

The Dev Team @ Phin

Need help or have an idea for us? Click here!