Saturday, March 23, 2024

M365/Proofpoint - Bypass Link Checking For MassMailers Like Mailchimp

One of our users sends a monthly newsletter blast to a couple thousand recipients through Mailchimp. The problem (and I've seen this come up on various forums, Reddit included) is that spam filters that do URL checking skew the open and click rates in the Mailchimp dashboard. So, when the user goes to check the reports it shows 100% clicks, which is nowhere near accurate for a blast that went to over 2,000 people.

What's happening is that the URL defense service (in our case Proofpoint Targeted Attack Protection and Microsoft Defender for Office 365 Safe Links) fetches every URL in the message to scan it for malware before delivery, and Mailchimp's tracking links count that fetch as a "click".

In my environment Mailchimp is sending as one of our own email addresses: the From header shows our user, while the actual envelope sender is Mailchimp's. So setting a bypass for the real Mailchimp sender, IP, or sending host wouldn't work, because bulk senders use many IPs/hosts and they send from those ugly per-message bounce addresses...you know, the ones that look like bounce-1234567899876543221@your_own_domain_even_though_its_not_you_sending_it.com

Here's how I created a bypass on both Proofpoint and M365/Exchange Online. 

You might be asking why do we run both Proofpoint and EOP (Exchange Online Protection)? The answer is: we're stupid and gluttons for punishment...it's much more fun to chase down issues when mail takes way too many hops.

Having said that, Proofpoint support pointed fingers at MS and vice-versa...so I had to bypass both to be sure.


**Note** This is the "real" full-blown Proofpoint, not Essentials.

Policy Route:

Under System > Policy Routes:

Create a policy route called something like DisableTAP

Add the sender email address (in our case the spoofed address). 

Since we're adding a spoofed address, it won't match the actual sender (i.e. the envelope sender), so I had to use the "message header 'from' (address only) equals sender@exchangeitup.com" condition. Keep in mind that anyone can put that address in a From header, so this route is only as safe as the scope you give it: match the one exact address, not a domain or a pattern.

Save your changes

URL Defense:

Under Email Protection > Targeted Attack Protection > URL Defense > Settings:

Check the box marked "Disable processing for selected policy routes..."

In the "available" list scroll till you find the DisableTAP rule you created earlier and click the >> button to add it to the "disable for any of" list.

Save your changes

TAP Dashboard:

Go to Targeted Attack Protection > Dashboard.

In the dashboard, click the settings gear in the left pane, then the Organization tab.

Scroll down to "Excluded Addresses".

Click "ADD EMAIL ADDRESS", input the address you used for the above Policy Route, and set the drop-down to "Sender".

After all this is done, give it 15-30 minutes (sometimes Proofpoint is slow for settings to take effect).

Exchange Online:

Under Mail flow > Rules:

Create a new rule called something like "Spammysender bypass SafeLinks"

Apply this if:

The sender > address includes any of these words

input the sending address we used in the Proofpoint route. Note that "includes any of these words" is a substring match; "The sender > is this person" is the tighter choice if you want an exact address match. Either way the rule checks the header From address by default (the rule's sender address location defaults to Header), which is what we need here, since the envelope sender is Mailchimp's bounce address and would never match.

Do the following

modify the message properties > set a message header

set the header name to X-MS-Exchange-Organization-SkipSafeLinksProcessing with a value of 1

Give it a couple of hours to take effect, then test inbound mail from the Mailchimp sender. The reports should now show more accurate open and click rates. Remember that links in those newsletters now land in mailboxes unrewritten by either filter, so keep the bypass scoped to that single From address and nothing broader.
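The Exchange Online step as a PowerShell script, plus a quick check on a delivered test message. This is an added example, not code from the original post or from Microsoft; it uses the Exchange Online PowerShell module (Connect-ExchangeOnline, New-TransportRule, Get-TransportRule). It assumes the spoofed From address is sender@exchangeitup.com (the address used in the Proofpoint policy route above), that the saved test message lives at C:\temp\newsletter-test.eml, and that the rule name can be anything you like.

```powershell
# Added example: the Safe Links bypass rule as PowerShell, then a check that links
# in a delivered test message were not rewritten by either filter.
# Assumed values: the From address and the .eml path; change them for your tenant.

Connect-ExchangeOnline

$SenderAddress = "sender@exchangeitup.com"            # assumed: the spoofed From address
$RuleName      = "Spammysender bypass SafeLinks"      # assumed: any name works

# -From is an exact address match, tighter than the GUI's "address includes any of
# these words" (a substring match that would also hit sender@exchangeitup.com.evil.example).
# -SenderAddressLocation Header evaluates the message header From:, which Mailchimp sets
# to our address; the envelope sender is Mailchimp's own bounce address and never matches.
New-TransportRule -Name $RuleName `
    -From $SenderAddress `
    -SenderAddressLocation Header `
    -SetHeaderName  "X-MS-Exchange-Organization-SkipSafeLinksProcessing" `
    -SetHeaderValue "1" `
    -Comments "Skip Safe Links for the Mailchimp newsletter so URL scanning does not inflate click counts."

# Confirm what was created and that it is enabled and enforcing.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, From, SenderAddressLocation, SetHeaderName, SetHeaderValue

# Once the rule has propagated, send yourself a test blast, save the delivered message
# as .eml, and count links still wrapped by Safe Links (safelinks.protection.outlook.com)
# or by Proofpoint URL Defense (urldefense.com / urldefense.proofpoint.com).
# Both counts should be zero when the bypass is working on both sides.
function Test-LinkRewriting {
    param([Parameter(Mandatory)][string]$EmlPath)

    $raw   = Get-Content -Path $EmlPath -Raw
    $links = @([regex]::Matches($raw, 'https?://[^\s"''<>]+') | ForEach-Object { $_.Value })

    [pscustomobject]@{
        TotalLinks        = $links.Count
        SafeLinksWrapped  = @($links | Where-Object { $_ -match 'safelinks\.protection\.outlook\.com' }).Count
        UrlDefenseWrapped = @($links | Where-Object { $_ -match 'urldefense\.(proofpoint\.)?com' }).Count
    }
}

Test-LinkRewriting -EmlPath "C:\temp\newsletter-test.eml"   # assumed path to the saved test message
```

If SafeLinksWrapped is still non-zero hours later, the message is most likely not matching the rule (check the From address on the delivered message against $SenderAddress); if UrlDefenseWrapped is non-zero, the Proofpoint policy route or the TAP exclusion has not taken effect yet.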
