My domains are validated, but my Microsoft 365 phishing campaigns are not being delivered (spoofed domains)

You have successfully verified your domains in Riot, but your campaigns still aren't being delivered? The most likely reason is that the spoofed domains used by Riot have not yet been authorized in Microsoft Defender. Here's what you need to do.

❶ Why aren't my campaigns being delivered even though my domains are validated?

It's important to distinguish between two different things:

  • Your domains (the ones you own): these are verified and validated in Riot through Settings > Domains. This step proves that you own the domain and authorizes sending.

  • Spoofed domains (attack domains): these are the domains Riot uses to simulate the sender of a phishing attack. They vary depending on your workspace and the scenario being used. These are the domains that Microsoft filtering will block unless they are explicitly authorized.

In other words, validating your domains is not enough if you use Microsoft 365 with Microsoft Defender for Office 365. You must also authorize Riot's spoofed domains, sending IP address, and simulation URLs in Microsoft Defender's Advanced Delivery policy.

💡 Good to know:

Marking a domain as "safe" in Riot does not change how your email system behaves. As long as Microsoft Defender quarantines the message, the phishing simulation will not be delivered, even if Riot considers it safe. Therefore, configuring Advanced Delivery in Microsoft 365 is mandatory.

Prerequisites

📋 Requirements:

You must have administrator access to the Microsoft Defender portal, with permissions allowing you to modify threat policies.

How do I authorize Riot's spoofed domains in Microsoft 365?

👉 Step 1: Gather the values to authorize

Before making any changes in Microsoft Defender, collect the three values that need to be configured. These values are specific to your workspace and are provided by Riot (or displayed directly in the platform):

  • The spoofed domains (attack domains)

  • The sending IP address

  • The simulation URLs to allow, in the format *.example.com/*

Riot will remind you which domains need to be added.

👉 Step 2: Open the Advanced Delivery page in Microsoft Defender

Sign in to the Microsoft Defender portal and navigate to:

Email & collaboration > Policies & rules > Threat policies > Advanced delivery

Then open the Phishing simulation tab.

Click Edit. If no phishing simulation has been configured yet, click Add.

👉 Step 3: Fill in the three fields

In the Edit third-party phishing simulations window, fill in:

  • Domain: Add all spoofed domains (attack domains) associated with your workspace.

  • Sending IP: Add Riot's sending IP address.

  • Simulation URLs to allow: Add the simulation URLs in the format *.example.com/*.

The values shown in the screenshot are only examples. Make sure to use the domains, IP address, and URLs specific to your own workspace.

👉 Step 4: Save and test

Click Save. Then send a test email to an administrator to confirm that the attacks reach the inbox.
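The Domain and Sending IP entries from steps 2 to 4 can also be set and reviewed from Microsoft's Security & Compliance PowerShell. The script below is an added example, not part of Riot's documentation. The domains and IP address in it are constructed placeholders to replace with the values for your workspace.

```powershell
# Added example. Placeholder values only: replace with the values Riot gives you.
$SpoofedDomains = @('attack-one.example', 'attack-two.example')   # placeholder attack domains
$SendingIp      = @('203.0.113.10')                               # placeholder IP (documentation range)

# Security & Compliance PowerShell ships with the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Advanced Delivery keeps a single phishing simulation policy; create it only if absent.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
}

$rule = Get-ExoPhishSimOverrideRule -ErrorAction SilentlyContinue
if ($rule) {
    # A rule already exists: leave it untouched and show it for review.
    Write-Warning 'A phishing simulation override rule already exists; review it below.'
} else {
    # Same two fields as the portal form: Domain and Sending IP.
    New-ExoPhishSimOverrideRule -Name PhishSimOverrideRule `
        -Policy PhishSimOverridePolicy `
        -Domains $SpoofedDomains `
        -SenderIpRanges $SendingIp | Out-Null
}

# Print the configured rule so it can be compared with the values from Riot.
Get-ExoPhishSimOverrideRule | Format-List
```

The script does not touch the simulation URLs; enter those in the portal field described in step 3.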

⚠️ Important:

Do not use global IP allow lists or the Tenant Allow/Block List to bypass filtering for phishing simulations. These settings apply to your entire email flow and can create a genuine security risk.

The Advanced Delivery page is the Microsoft-recommended method for handling third-party phishing simulations.

❹ What if links are still being rewritten or blocked?

If you are using Safe Links, you should also add the simulation URLs to the "Do not rewrite URLs in email" section of your Safe Links policy (using the format *.example.com/*).

This prevents Microsoft from rewriting or analyzing the links contained in Riot phishing campaigns.