We recommend forwarding this article to IT administrators responsible for mailboxes and gateways (e.g. Azure & Mimecast), and internet traffic gateways.
Allow list for browser and app
app.cybsafe.com is the fully qualified domain name in use.
Other external URLs in use:
u3114074.ct.sendgrid.net [for general emails, nudges etc]
l.cs-mail-sender.com [for opening links in phishing simulations]
cs-portalintranet.com [phishing landing pages]
*.vimeo.com [for high quality video playback]
*.vimeocdn.com [for high quality video playback]
cybsafe-resources.s3-eu-west-1.amazonaws.com [images]
Allow list for receiving emails
Please note: While you can allowlist based on sender domain, we highly recommend you allowlist based on IP address. All of these IP addresses are dedicated to CybSafe.
If you are using a mail filter, both your email solution and your inbound gateway (filter) need to have allow list rules configured.
CybSafe can also send out phishing emails from an expanded range of IP addresses. We recommend that you allowlist all the following IP addresses to avoid throttling or having our emails blocked from one address.
CybSafe service emails
IP 167.89.38.249 / cybsafe.com
Simulated Phishing attacks (including expanded IPs) 👇
IP Address | Hostname | Embedded URL
54.78.3.99, 54.74.7.50, 34.254.53.189, 34.252.200.43, 34.246.164.195 | email.cs-mail-sender.com | l.cs-mail-sender.com
Allowing phishing emails to be sent from multiple domains from CybSafe
Once you have allowlisted the four additional phishing IP addresses, you will be able to receive CybSafe phishing emails from an expanded range of domains. If you have allowlisted only our default IP address, all phishing emails will be sent from cs-mail-sender.com.
After allowlisting, contact [email protected], or your account manager if you have one, and ask them to enable expanded phishing domains. Your phishing campaigns will then start to send emails from more domains.
Please note: Enabling additional domains will change the DKIM signature on CybSafe phishing emails from the default email.cs-mail-sender.com. If you are using the DKIM signature for any other purposes (e.g. triage), we recommend that you base this on the Message ID of our phishing emails instead, which will always end in @app.cybsafe.com.
For Microsoft 365
To allow the training reminders and simulated phishing emails to reach your people, the CybSafe servers must be allow-listed on your mail platform(s). This is usually either Microsoft 365 or an on-premises mail server. If you use an external email scanning service (e.g. FireEye ETP, Mimecast, MessageLabs or Proofpoint), you will also need to allow CybSafe emails on their system. Please consult their documentation for details of how to do this.
Note – the domains “(email.)cs-mail-sender.com” and “cybsafe.com” are used in the MailFrom attribute as per RFC 5321, not in the From attribute as defined in RFC 5322. This ensures that even when the “From” address seen in the email does not match – which is the case for phishing emails - the rule will still be applied.
Exchange Online Protection - advanced delivery policy
Exchange Online Protection (EOP) does not allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages such as a CybSafe Phishing Campaign.
Please see our how to guide for configuring PHISH allow listing:
How to guide: PHISH allowlisting for Microsoft 365
Additional confirmation can be found in the Microsoft third-party phishing simulation documentation:
Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes
NB: you will need to add /* to the end of URLs added here for Microsoft to process them correctly.
Microsoft Defender
If your organisation uses Microsoft Defender, you may need to configure settings in it to allow CybSafe phishing emails to be delivered.
Google Workspace
If your organisation uses Google Workspace for email, please see our how to guide for configuring PHISH allow listing.
Mimecast
If you're using Mimecast Email Security you can allow list CybSafe to permit our simulated phishing emails and training invitations through to your end users.
In this article, "Additional Allowlisting Information for Mimecast", you’ll find instructions for several different policies, which you’ll need to add to your Mimecast console to allow the use of CybSafe.
Multiple email gateways - Configuring ARC
If your email setup causes emails to be routed through multiple systems, you may need to configure trusted ARC sealers in order for our allowlisting rules to be applied.
Emails routed through email gateways can sometimes have their IP address changed, causing SPF to fail even if CybSafe's IP range has been allowlisted.
How to identify if you need to configure ARC
How to configure trusted ARC sealers
To set up ARC sealers, follow Microsoft's guidance on the matter here. You will need to identify the domain found in a received email that has been routed through your trusted third party. This can usually be found in the domain 'd' tag in the ARC-Seal and ARC-Message-Signature headers (found in the email header), and will be added by the trusted third party.
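One way to read the 'd' tag out of a received message's headers, added here as an example and not CybSafe's or Microsoft's own tooling: it collects the d= domain from every ARC-Seal and ARC-Message-Signature header, grouped by ARC instance (i=), so you can see which system sealed the message at each hop. The sample headers and the domains gateway.example and mailhost.example are constructed.

```python
import email
import re

# Constructed sample headers (not a real message); signatures are placeholders.
SAMPLE = (
    "ARC-Seal: i=2; a=rsa-sha256; t=1700000060; cv=pass;\n"
    "\td=mailhost.example; s=arc2; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td=mailhost.example; s=arc2; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none;\n"
    "\td=Gateway.Example; s=arc1; b=PLACEHOLDER\n"
    "ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    "\td=gateway.example; s=arc1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Message-ID: <constructed-123@app.cybsafe.com>\n"
    "Subject: Constructed sample\n"
    "\n"
    "body\n"
)

ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature")


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, ignoring header folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def sealer_domains(raw_message):
    """Return {ARC instance: sorted d= domains}, lowest instance (first hop) first."""
    msg = email.message_from_string(raw_message)
    found = {}
    for header in ARC_HEADERS:
        for value in msg.get_all(header, []):
            tags = parse_tags(value)
            if "i" not in tags or "d" not in tags:
                raise ValueError(f"{header} is missing its i= or d= tag")
            # Domain names are case-insensitive, so normalise before comparing.
            found.setdefault(int(tags["i"]), set()).add(tags["d"].lower())
    return {i: sorted(found[i]) for i in sorted(found)}


if __name__ == "__main__":
    for instance, domains in sealer_domains(SAMPLE).items():
        print(f"i={instance}: sealed by {', '.join(domains)}")
```

An empty result means the message carries no ARC headers at all, so there is no sealer domain to add as trusted.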
Still have any questions?
If you still have questions, you can contact the CybSafe team via [email protected]. We’re on hand to help resolve any further issues!