Question

Why are phishing emails being deferred for hours or days before eventually being delivered to Microsoft 365 mailboxes? 

Answer

Many of our phishing templates are taken from real world examples of recent attacks. Microsoft seems have become more  aggressive in content filtering and scanning these phishy looking emails recently in products like Microsoft Defender Advanced Threat Protection.

In order for the simulated phishing emails to be delivered quickly to your end users we suggest setting up a Connector to the Phishing MTAs.

Please refer to section 2 of the guide found at Security Awareness Safelisting in Office 365 for step-step instructions. 

In the event that Office 365 is downstream from your Security Email Gateway and/or filters, please make sure that your email gateway is not removing the originating Phishing IPs from the mail header. If you do not see the Phishing IPs in the mail headers of the received emails, then you will need to set up of a connector based on the sender domain name you selected for the campaign and not the IPs.