This document explains how to configure Proofpoint so that emails from Threatcop (phishing simulations and awareness emails) are delivered reliably, without unwanted filtering or rewriting.
Path:
Security Settings → Email → Sender Lists (or Filter Policies)
- For Essentials: Under *Safe Sender List*, add the Threatcop sending domain.
- For Enterprise: Under *Email Protection → Spam Detection → Organizational Safe List*, create a rule:
  - Filter Type: Sender Hostname
  - Operator: Equals
  - Value: Threatcop domain (depends on the template used)
- Also add the SMTP IP: 168.245.74.19 (in IP form or CIDR as allowed) to the safe list.
- Ensure the domain and IP are allowed before the filtering and URL rewriting steps.
Path:
Email Protection → Policy Routes (or equivalent)
- Create a new Policy Route (e.g., `Threatcop_Bypass`).
- Condition: Sender IP Address = 168.245.74.19
- Save.
Then, in modules such as Spam Detection, Anti-Spoofing, Attachment Defense, and URL Defense:
- For each module: enable “Disable Processing for Selected Policy Routes” (or equivalent) and select `Threatcop_Bypass`.
- This ensures that emails sent via that IP skip many of the heavy filters.
Since you have custom headers (`X-Threatcop` and `X-Threatcop-Support`), you can use them as another bypass signal. Here’s how:
Path:
Email Firewall → Rules (or Filter Policies)
- Create a rule with conditions:
  - If “Message Header” `X-Threatcop` exists OR equals “This is a phishing security test from ThreatCop that has been authorized by the recipient organization.”
  - Or header `X-Threatcop-Support` exists OR equals “In case of any queries kindly contact us at support@threatcop.com”
- Under Action (Disposition): Change / Add header (optional) or Set as “Deliver” / “Allow” / “Bypass” depending on your UI.
- Scope the rule to inbound mail and the applicable domains/users.
- Save and move the rule above any blocking or rewrite rules.
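Once the Policy Route and the header rule are in place, a delivered test message can be checked to confirm that both bypass signals agree, so that mail carrying the header from any other source IP stands out for review. The script below is an added example, not Threatcop or Proofpoint code; the gateway name `mx.example.com`, the bracketed-IP `Received` format, and the sample messages are assumptions constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Values from the page: Threatcop's sending IP and its two custom headers.
THREATCOP_IP = ipaddress.ip_address("168.245.74.19")
BYPASS_HEADERS = ("X-Threatcop", "X-Threatcop-Support")
GATEWAY = "mx.example.com"  # assumption: name your gateway stamps in Received
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def gateway_peer_ip(msg, gateway=GATEWAY):
    """IP of the host that connected to our gateway, from the gateway's own hop."""
    for hop in msg.get_all("Received", []):
        text = " ".join(str(hop).split())
        if f" by {gateway} " in text:
            m = IP_RE.search(text.split(" by ")[0])
            try:
                return ipaddress.ip_address(m.group(1)) if m else None
            except ValueError:
                return None
    return None

def classify(raw, gateway=GATEWAY):
    """Label a delivered message by which bypass signals it actually carries."""
    msg = email.message_from_string(raw, policy=policy.default)
    has_header = any(msg.get(h) is not None for h in BYPASS_HEADERS)
    from_ip = gateway_peer_ip(msg, gateway) == THREATCOP_IP
    if has_header and from_ip:
        return "simulation"      # both signals agree
    if has_header:
        return "header-only"     # header matched, source IP did not: review
    if from_ip:
        return "ip-only"         # Policy Route would match, header rule would not
    return "unrelated"

# Constructed sample messages (not real traffic).
SIMULATION = (
    "Received: from out.sender.example (out.sender.example [168.245.74.19])"
    " by mx.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-Threatcop: This is a phishing security test from ThreatCop that has"
    " been authorized by the recipient organization.\n"
    "Subject: Password expiry notice\n\nbody\n")
HEADER_ONLY = SIMULATION.replace("168.245.74.19", "203.0.113.7")

if __name__ == "__main__":
    for name, raw in (("SIMULATION", SIMULATION), ("HEADER_ONLY", HEADER_ONLY)):
        print(name, "->", classify(raw))
```

A `header-only` result indicates the header rule would have applied to a message that did not come from 168.245.74.19; scoping that rule to also require the sender IP keeps the two conditions aligned.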
To make sure the simulation URLs and attachments from Threatcop aren’t blocked:
- Under URL Defense / Targeted Attack Protection → URL Rewrite Policies: add Threatcop’s domain(s)/URL(s) to the Exceptions list so URLs are not rewritten or blocked.
- Under Attachment Defense: In similar fashion, associate the Policy Route or header conditions so that attachments from that sender/domain/IP are exempt.