This article covers the most important aspects of the general configuration and administration of the Security Awareness Service. It also provides some tips and troubleshooting assistance. It is assumed that the initial setup of the customer tenant in the Control Panel has been completed. Additional information that is not covered here, because it offers added value but is not mandatory, can be found in the manual.
Overview of the article
- Creation of exceptions
- Activating and setting up the SAS
- Tips & tricks for the Security Awareness Service
Creation of exceptions
To ensure that the phishing simulations of the Security Awareness Service can be delivered to the relevant users without any problems, the customer's administrators must create exceptions in the respective email environments in advance. The values to be set differ depending on whether the customer uses Spam & Malware Protection or not. The instructions below are therefore given separately for customers with and for customers without Spam & Malware Protection.
Please note that third-party systems also require exceptions, as these can otherwise restrict the Security Awareness Service. We have described the exceptions to be set for the most common systems in the following article:
Exceptions for the Security Awareness Service in Third-Party Email Filters
The exceptions to be created are described below. Please select the instructions that apply to you, depending on whether you also use Spam & Malware Protection or only the Security Awareness Service:
Customers with Spam & Malware Protection
Allowing IP addresses and IP address ranges
Customers must allow certain IP addresses and IP address ranges in their email environment, depending on the customer's region.
Customers from Europe (incl. subnet mask)
- 83.246.65.0/24 (255.255.255.0)
- 94.100.128.0/20 (255.255.240.0)
- 185.140.204.0/22 (255.255.252.0)
- 173.45.18.0/24 (255.255.255.0)
- 173.124.136.160/27 (255.255.255.224)
Customers from USA (incl. subnet mask)
- 83.246.65.0/24 (255.255.255.0)
- 94.100.128.0/20 (255.255.240.0)
- 173.45.18.0/24 (255.255.255.0)
- 185.140.204.0/22 (255.255.252.0)
Customers from Canada (incl. subnet mask)
- 108.163.133.224 (255.255.255.224)
- 199.27.221.64 (255.255.255.224)
- 209.172.38.64 (255.255.255.224)
- 216.46.2.48 (255.255.255.248)
- 216.46.11.224 (255.255.255.224)
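The lists above mix CIDR notation with bare address-plus-mask entries. As an added example (not Hornetsecurity code), the following Python sketch parses entries in the page's format, checks that each prefix agrees with its mask, and tests whether a connecting IP taken from a message trace is covered by the exception. The function names and the test addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Entries copied from the Europe and Canada lists above, in the page's format.
EUROPE = """
- 83.246.65.0/24 (255.255.255.0)
- 94.100.128.0/20 (255.255.240.0)
- 185.140.204.0/22 (255.255.252.0)
- 173.45.18.0/24 (255.255.255.0)
- 173.124.136.160/27 (255.255.255.224)
"""
CANADA = """
- 108.163.133.224 (255.255.255.224)
- 199.27.221.64 (255.255.255.224)
- 209.172.38.64 (255.255.255.224)
- 216.46.2.48 (255.255.255.248)
- 216.46.11.224 (255.255.255.224)
"""

# One entry: "- address[/prefix] (mask)"; the prefix is optional.
ENTRY = re.compile(r"^\s*-?\s*([\d.]+)(?:/(\d+))?\s*\(([\d.]+)\)\s*$")

def parse_ranges(text):
    """Parse list entries into networks; reject inconsistent or malformed ones."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised entry: {line!r}")
        addr, prefix, mask = m.groups()
        # Strict parsing raises ValueError if host bits are set for this mask.
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if prefix is not None and int(prefix) != net.prefixlen:
            raise ValueError(f"/{prefix} does not match mask {mask}: {line!r}")
        nets.append(net)
    return nets

def to_cidr(nets):
    """CIDR strings for filters that do not accept dotted subnet masks."""
    return [str(n) for n in nets]

def is_allowed(ip, nets):
    """True if the connecting IP falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

if __name__ == "__main__":
    canada = parse_ranges(CANADA)
    print(to_cidr(canada))
    print(is_allowed("216.46.2.55", canada))  # constructed test address
```

Running the parser over the values actually entered in a filter, rather than over the list above, shows whether a mistyped prefix or mask has left part of a range uncovered.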
Approval of DKIM signatures
Customers must approve emails with DKIM signatures from sas.cloud-security.net in their email environment.
Release of domains
If it is not possible to create an exception based on IP addresses or the DKIM signature in the email environment, it is possible to create an exception using a self-generated domain list as an emergency solution.
You can find a brief explanation of how the lists of authorized domains can be created here. Once created, the list can be downloaded in the same module and used for exceptions in the email environment. Please note that once the list has been created, only the domains from the list are used for the phishing simulation. As the variability of the domains is limited, this variant should only be considered as an emergency solution. We also recommend that you generate and save the list at regular intervals so that the most up-to-date domains are always used.
Configuration in Microsoft 365
The configuration in Microsoft 365 can be stored automatically, but should still be checked to ensure that all values were stored correctly when the exceptions were created. How to have the exceptions stored automatically is described here.
If automatic configuration is not possible for you or you do not want it, the instructions for allowing the required values are linked below:
- Setting up Advanced Delivery for Microsoft 365 Defender
- Creating a Transport Rule for Attachments for Customers with Spam and Malware Protection
- Creating a Transport Rule for Links for Customers with Spam and Malware Protection
- Activating a Transport Rule
If Defender Plan 2 is used, the following policy must also be created:
Configuration of clients
MS Defender SmartScreen is a Microsoft feature that is integrated into the Windows 10 and 11 operating systems. It is designed to warn users about phishing, malicious websites or the download of malicious software. Sometimes websites that are not malicious are also marked as malicious and blocked. Creating a list of exceptions solves this problem.
The exception for clients must be created first and can then be distributed via a group policy.
Customers without Spam & Malware Protection
Allowing IP addresses and IP address ranges
Customers without Spam & Malware Protection only need to allow two IP addresses and IP address ranges in their email environment.
- 94.100.136.58 (255.255.255.255)
- 94.100.132.73 (255.255.255.255)
Approval of DKIM signatures
Customers must approve emails with DKIM signatures from sas.cloud-security.net in their email environment.
Release of domains
If it is not possible to create an exception based on IP addresses or the DKIM signature in the email environment, it is possible to create an exception using a self-generated domain list as a stopgap solution.
You can find a brief explanation of how the lists of authorized domains can be created here. Once created, the list can be downloaded in the same module and used for exceptions in the email environment. Please note that once the list has been created, only the domains from the list are used for the phishing simulation. As the variability of the domains is limited, this variant should only be considered as an emergency solution. We also recommend that you generate and save the list at regular intervals so that the most up-to-date domains are always used.
Configuration in Microsoft 365
The configuration in Microsoft 365 can be stored automatically, but should still be checked to ensure that all values were stored correctly when the exceptions were created. How to have the exceptions stored automatically is described here.
If automatic configuration is not possible for you or you do not want it, the instructions for allowing the required values are linked below:
- Setting up Advanced Delivery for Microsoft 365 Defender
- Creating a Transport Rule for Attachments for Customers without Spam and Malware Protection
- Creating a Transport Rule for Links for Customers without Spam and Malware Protection
- Activating a Transport Rule
If Defender Plan 2 is used, the following policy must also be created:
Configuration of clients
MS Defender SmartScreen is a Microsoft feature that is integrated into the Windows 10 and 11 operating systems. It is designed to warn users about phishing, malicious websites or the download of malicious software. Sometimes websites that are not malicious are also marked as malicious and blocked. Creating a list of exceptions solves this problem.
The exception for clients must be created first and can then be distributed via a group policy.
Activating and setting up the SAS
Once the exceptions have been entered in all environments that could interfere with the Security Awareness Service, the Security Awareness Service can be activated. This enables access to the configuration and statistics.
Activating the Security Awareness Service
Activating or Deactivating the Phishing Simulation
Activating or Deactivating E-Trainings
Installation of the Phishing Reporter Add-In
In order to be able to report phishing simulations correctly and thus achieve faster progress, it is necessary to install the Phishing Reporter Add-In. For this purpose, we offer a manifest file for download in the Security Awareness module, which can be stored in your Outlook environment.
Please note the requirements for the add-in before installing it.
To download the manifest file, proceed as follows:
- Log in to the Control Panel with your administrative access data
- Select the domain for which you want to activate the Phishing Reporter in the domain selection
- Navigate to Security Settings -> Security Awareness Service -> Configuration
- Select the Phishing simulation tab
- Activate the Phishing Reporter option under Phishing Reporter settings
- Download the file using the Download button
Please note that the manifest file only works for the tenant in which it was downloaded. If you use a manifest file from another tenant, the users cannot be assigned when reporting.
The manifest file can be installed on Microsoft 365 and local Exchange servers. The corresponding instructions are linked below:
Local Exchange installation -> Local Exchange deployment
Report email, without add-in
If you cannot use the Phishing Reporter, you also have the option of reporting phishing simulations to reportto@hornetsecurity.com. This describes how to handle the email so that it arrives correctly at the specified address and is processed.
Other settings
You can configure further settings in the Control Panel as required. You can find an overview of this in the following manual article:
Tips & tricks for the Security Awareness Service
Creating groups for better administration and statistics overview
If you offer the Security Awareness Service across departments, it is advisable to create groups for the departments into which the users are sorted. This will help you with the overview and evaluation of the Security Awareness Service statistics.
Tips for a good ESI
The ESI calculation is based on various factors. The most obvious factor is the click behavior in phishing simulations. As soon as a user interacts with a phishing simulation email, this is rated negatively for the ESI. Interactions such as opening macro files are rated much more negatively than simply opening an email.
Ideally, a user recognizes the emails and reports them via add-in or the reportto@hornetsecurity.com address. This is rated more positively in the ESI than recognizing and ignoring/deleting a phishing simulation email. In addition, if the user's behavior in the phishing simulation remains the same, they rise in level more quickly and are assigned more difficult scenarios.
What should I do if the ESI suddenly drops without any clicks?
In some cases, it seems as if the ESI suddenly collapses for no reason. Users are often not at fault in this case. The behavior is usually due to incomplete or incorrect exceptions. Third-party systems that were not initially considered during the creation of exceptions can also be the trigger.
You can find out how to check what is responsible for the clicks in the following knowledge base article:
Sudden drop of the ESI - potential exception problem and how it can be checked/solved