Bypass External Warning Banner for Exchange 2016 / Microsoft 365
External warning banners added by mail flow rules can interfere with Threatcop TSAT phishing simulations and skew user-behavior results. To avoid this, whitelist Threatcop’s sending infrastructure or add exceptions to your banner rule.
1. Remove External Warning Banners by Prioritizing Threatcop Rules
- Sign in to your Microsoft 365 or Exchange admin portal.
- Navigate to Admin → Admin Centers → Exchange.
- Go to Mail flow → Rules.
- Select the last Threatcop whitelisting rule (e.g., Bypass Spam Filtering for Exchange, Skip Junk Filtering for Microsoft 365).
- Edit the rule → More options → enable Stop processing more rules → Save.
- Locate your organization’s external warning banner rule.
- Move this rule below all Threatcop rules.
Notes:
- Exchange on-prem → last rule is usually Bypass Spam Filtering.
- Microsoft 365 → last rule is usually Skip Junk Filtering.
- If you use Advanced Delivery Policies (ADP), you may not have mail flow rules to reorder.
2. Add Exception to External Banner Rule (IP-Based)
If your banner rule adds a warning to external emails, add an exception for Threatcop’s IPs.
- Go to Mail flow → Rules.
- Open your external banner rule → Edit rule settings.
- Under Except if, click +.
- Select The sender… IP address is in any of these ranges or exactly matches.
- Add Threatcop’s sending IP ranges (from the Threatcop Whitelisting Guide).
- Save the rule.
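The same IP-based exception can be applied from PowerShell. This is an added example, not part of the original Threatcop article: the rule name and the IP values are placeholders (take the real ranges from the Threatcop Whitelisting Guide), and on Exchange 2016 on-prem you would run the commands in the Exchange Management Shell instead of calling Connect-ExchangeOnline.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an account
# that is allowed to edit mail flow (transport) rules.
Connect-ExchangeOnline

# Assumptions: replace both values with your own.
$bannerRuleName  = 'External Sender Warning Banner'    # hypothetical rule name
$threatcopRanges = @('192.0.2.10', '198.51.100.0/24')  # placeholder documentation addresses, NOT Threatcop's IPs

$rule = Get-TransportRule -Identity $bannerRuleName

# Set-TransportRule replaces the whole exception list, so merge the new ranges
# with whatever the rule already exempts instead of overwriting it.
$merged = (@($rule.ExceptIfSenderIpRanges) + $threatcopRanges) |
    Where-Object { $_ } |
    ForEach-Object { "$_" } |
    Sort-Object -Unique

Set-TransportRule -Identity $bannerRuleName -ExceptIfSenderIpRanges $merged

# Review the result: the exception should list only the ranges you intended.
Get-TransportRule -Identity $bannerRuleName |
    Format-List Name, State, Priority, ExceptIfSenderIpRanges

# Show the rule order and which rules stop further processing.
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Priority, Name, State, StopRuleProcessing
```

Keep the exception limited to the exact ranges in the whitelisting guide, since every address listed there will no longer receive the external warning banner.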
If you’d rather exclude Threatcop notifications using custom headers:
In Exchange / Microsoft 365
- Go to Mail flow → Rules.
- Open the external banner rule → Edit rule settings.
- Under Except if, click +.
- Choose The message headers… matches these text patterns.
- Add 'X-Threatcop': 'This is a phishing security test from ThreatCop that has been authorized by the recipient organization.'
- Save the rule.
4. HTML-Based Banner Hiding (Last Resort)
You can hide external banners by adding CSS inside the <head> of an HTML email.
This only hides the banner; it does not stop the rule from executing.
Limitations:
Administrative whitelisting is the cleanest and most reliable method.