Skip to content
Login to the app
  • There are no suggestions because the search field is empty.

Troubleshooting for Phishing Simulations - Trend Micro

How Trend Micro can interfere with phishing simulations

If your organization uses TrendAI Vision One or another Trend Micro email security product, it is likely blocking or interfering with CyberPilot phishing simulation emails.

Common signs this is happening include:

  1. Fake clicks from unknown IPs (not Microsoft — often a cloud provider)

  2. Fake form submissions from unknown IPs

  3. Reporting in the CyberPilot App not working, even though Defender whitelisting looks correct

  4. No SPF failures in Defender, but SPF failures visible in local email headers

  5. Emails moved to junk 2–3 seconds after landing in the inbox (when Defender config looks correct)

  6. Trend Micro apps visible in your Azure App Registrations

  7. Trend Micro XDR used in the organization

 

Whitelisting via email headers

Trend Micro does not support whitelisting based on URLs or IP addresses the same way Defender does. Instead, you primarily whitelist based on email headers.

All CyberPilot phishing simulation emails contain the following headers:

Header name Value
Authentication-Results header.d=link120623.dk
DKIM-Signature d=link120623.dk

 

Ask Trend Companion

Trend Micro's built-in AI assistant, Trend Companion (found inside the TrendAI Vision One XDR portal), can tell you exactly where to whitelist a third-party phishing simulation in your specific setup. The answer varies depending on which products and add-ons your organization has purchased.

Send the headers above to Trend Companion so it understands the context, and ask it where to whitelist this header from a third-party phishing simulation.

 

Where to configure the header rule

Whitelisting in Trend Micro is complex and context-dependent, as there are various features and extensions that can be purchased. Below are descriptions of some of the places where whitelisting can be configured — we see the most success with whitelisting on the email header, as described in Option 1 (below).

Common admin URLs include:

  • admin-eu.tmes.trendmicro.com

  • admin-eu.tmems.trendmicro.com

  • https://admin-eu.tmcas.trendmicro.com/

  • tm.tmes.trendmicro.eu / ui.tmes.trendmicro.eu

Your URL will vary depending on your Trend Micro product.

 

Option 1: Trend Micro Vision One — Cloud Email and Collaboration Protection (recommended)

  1. In Cloud Email and Collaboration Protection, go to Policies → Global Settings → User-Defined Lists → Approved/Blocked Lists, and select Exchange Online.

  2. In the Approved Header Field List section, select the Enable the approved header field list check box.

  3. In the Name field, enter Authentication-Results

  4. In the Value field, paste header.d=link120623.dk

  5. Repeat the above steps with the following:

    • In the Name field, enter DKIM-Signature

    • In the Value field, enter d=link120623.dk

  6. Click Add >.

  7. Click Save.

Note: The Name and Value fields are case-sensitive.

 

Option 2: Trend Vision One — Cloud Email Gateway Protection

This option should not be necessary if a connector is already set up.

  1. Go to Administration → Other Settings → Service Integration and select Phishing Simulation.

  2. In the Trend Micro phishing simulation section, enable the Bypass scans for Trend Micro phishing simulations toggle to skip scans for incoming emails sent from Trend Micro phishing simulation IP addresses.

  3. In the Third-party phishing simulation section, add CyberPilot's IPs:

    • Select Add.

    • In the Add Phishing Simulation Settings pop-up window, select Enable for its Status.

    • Specify the name CyberPilot Whitelisting

    • Enter the following IPs:

      • 91.233.64.66

      • 91.233.64.65

      • 91.233.64.64

      • 3.75.105.111

      • 3.77.162.184

      • 3.120.101.167

      • 35.159.187.97

    • Provide a description like: CyberPilot phishing simulation sending IPs

    • Select Save.

 

Alternative: Exchange mail flow rule

If your emails are routed through Exchange, you can insert a custom header that Trend Micro uses to identify simulation emails:

  1. Go to Exchange Transport Rules

  2. Create a new mail flow rule that adds this header to all emails sent from CyberPilot's IP addresses:

    Header name Value
    X-CyberPilot-Phishing-Simulation true

  3. Then configure Trend Micro to allow emails containing that header.

 

Alternative: Whitelisting by IP

If header-based whitelisting does not resolve the issue, you can try whitelisting CyberPilot's sending IPs directly. This is usually not necessary if a connector is set up.

IP addresses: 

  • 91.233.64.66
  • 91.233.64.65
  • 91.233.64.64
  • 3.75.105.111
  • 3.77.162.184
  • 3.120.101.167
  • 35.159.187.97