Table of contents
Overview
When running a Right-Hand Cybersecurity phishing simulation, some Microsoft 365 tenants may experience simulation emails being deferred or blocked entirely.
The sending server receives the following SMTP response from Microsoft:
451 4.7.500 Server busy. Please try again later (ASxxx)
This error means Microsoft's Exchange Online Protection (EOP) has detected an unusual sending pattern from the simulation IP address and is temporarily throttling delivery. This is part of Microsoft's grey-listing behaviour - a technique used to treat new or high-volume senders more cautiously until a sending history is established.
This article explains why this happens, why it only affects some customers, and how to resolve it using Microsoft's supported configuration methods.
The Advanced Delivery Policy is Microsoft's only supported method for consistently delivering third-party phishing simulations without filtering. Legacy allow-listing methods, such as Safe Senders lists, IP allow lists, and mail-flow rules are not reliable under Microsoft's Secure by default settings. See Step 1 for the recommended fix.
Why This Error Occurs?
Microsoft 365 uses Exchange Online Protection (EOP) and Defender for Office 365 to filter inbound mail. The 451 4.7.500 error is triggered by one or more of the following conditions:
Cause | Explanation |
High volume from unknown IPs | Simulation platforms send large volumes of email from IPs with no prior sending history with Microsoft recipients. This pattern matches a spam spike and triggers grey-listing. |
User phishing reports | If recipients in other tenants report simulation emails as phishing via the Outlook "Report Phishing" button, Microsoft's global filters treat the IP as a real threat. This negative feedback impacts IP reputation across all tenants. |
Secure by default | Since 2021, Microsoft ignores traditional allow-listing methods for messages scored as high-confidence phishing. Safe Senders lists, IP allow lists, and mail-flow rules are all bypassed. Simulation emails that score as high-confidence phishing are quarantined regardless of legacy allow-lists. |
Why This Only Affects Some Customers?
Not all Microsoft 365 tenants experience this error. The difference comes down to how each tenant is configured:
Scenario | Behaviour |
Advanced Delivery Policy configured | Simulation emails deliver cleanly. This is the correct configuration and the one Microsoft recommends. |
Legacy allow-lists only | Simulation emails are blocked or deferred under Secure by default. Safe Senders, IP allow lists, and mail-flow rules do not override high-confidence phishing detections. |
MX record points directly to Microsoft | EOP has full context and applies grey-listing and high-confidence phishing detections. This is the most common scenario where the 451 error appears. |
Mail routed through a third-party gateway | Secure by default may be disabled on this path. Filtering behaviour differs; Microsoft recommends enabling Enhanced Filtering for Connectors in this setup. |
Prerequisites
Before configuring the Advanced Delivery Policy, confirm the following:
Requirement | Details |
Microsoft 365 tenant | Your organisation uses Microsoft 365 with Exchange Online and Defender for Office 365 |
Admin role | You must be a Global Administrator or Security Administrator in the Microsoft 365 tenant to configure Advanced Delivery |
Right-Hand sending details | You need Right-Hand Cybersecurity's sending IP addresses and sending domains before you begin. Refer to the Whitelisting best practices article for the full list. |
Step-by-Step Instructions
Step 1 - Configure the Advanced Delivery Policy (Recommended)
Step 1 - Configure the Advanced Delivery Policy (Recommended)
Advanced Delivery Policy for third-party phishing simulations
Microsoft's only fully supported method for delivering third-party simulations without filtering
Sign into the Microsoft 365 Defender portal
Open https://security.microsoft.com and sign in with a Global Administrator or Security Administrator account.
Navigate to Advanced Delivery
Email & collaboration›Policies & rules›Threat policies›Advanced delivery
Open the Phishing simulation tab
On the Advanced delivery page, select the Phishing simulation tab, then click Add.
Enter Right-Hand Cybersecurity's sending details
In the Add third-party phishing simulations fly-out, enter the following values. You can add up to 50 domains and 10 IP addresses.
Field | Values to enter |
Sending IP | Refer to the Whitelisting best practices article for the full list of IPs. |
Domain | Refer to the Whitelisting best practices article for the full list of Domains. |
Simulation URLs to allow | Refer to the Whitelisting best practices article for the full list of simulation URLs. (Each domain has to be entered individually. Ensure the format aligns with the recommended URL syntax which is |
Save the policy
Click Add to save the entries. Close the confirmation fly-out. The configured domain and IP pairs will appear in the Phishing simulation list. The policy takes effect immediately.
Important: The Advanced Delivery Policy requires both the sending domain and IP address to match for a message to be allowed through. If Right-Hand Cybersecurity changes its sending IP or domain, you must update the policy, or simulation emails will be blocked again.
Step 2 - Create a Partner Inbound Connector (If Using On-Premises or Third-Party Gateway)
Step 2 - Create a Partner Inbound Connector (If Using On-Premises or Third-Party Gateway)
Partner inbound connector to remove IP throttling
Required when mail is routed through on-premises servers or third-party email gateways
If your organisation routes inbound mail through an on-premises Exchange server or a third-party gateway before reaching Microsoft 365, creating a Partner inbound connector removes IP throttling for Right-Hand Cybersecurity's sending IPs.
Open the Exchange admin center
Go to https://admin.exchange.microsoft.com and sign in with an administrator account.
Navigate to Connectors
Mail flow›Connectors
Create a new connector
Click Add a connector. Set From to Partner organization and To to Microsoft 365. Give the connector a descriptive name such as Right-Hand Cybersecurity - - Phishing Simulation.
Add Right-Hand Cybersecurity's sending IPs
Select By verifying the IP address of the sending server, and add the following IP addresses:
Field | Values to enter |
Sending IP | Refer to the Whitelisting best practices article for the full list of IPs. |
Enable TLS and save
Enable Require TLS and click Create connector. This tells Microsoft 365 to accept mail from the specified IPs and bypass IP throttling for those sources.
Important: A Partner inbound connector removes IP throttling but does not override high-confidence phishing filtering on its own. You should always combine this step with the Advanced Delivery Policy in Step 1.
Validation and Expected Outcome
Validation and Expected Outcome
After configuring the Advanced Delivery Policy, confirm it is working correctly before launching the full campaign.
Send a test simulation email to 1–2 admin mailboxes
Trigger a test from the Right-Hand Cybersecurity platform to 1–2 administrator mailboxes. This should be done before the full campaign is sent.
Confirm the email is delivered to the inbox
Expected result: The simulation email arrives in the inbox - not Junk, not Quarantine - without any deferral delay. If it is still deferred, revisit Step 1 and confirm both the sending domain and IP are entered correctly.
Verify that the Advanced Delivery Policy matched the email
In the Microsoft 365 Defender portal, go to Email & collaboration → Explorer (or Threat Explorer) and search for the test email. In the email details, confirm the delivery action shows Delivered, and the detection technology shows Phishing simulation.
Microsoft 365 Defender›Email & collaboration›Explorer
Once all four checks pass, the campaign is ready to roll out to your full user group.
Common Issues and Troubleshooting
Common Issues and Troubleshooting
Q1) Simulation emails are still deferred with a 451 4.7.500 error after configuring the Advanced Delivery Policy
The Advanced Delivery Policy requires an exact match on both the sending domain and IP address. Check the following:
Confirm the sending IP in the policy matches the exact IP used by Right-Hand Cybersecurity for this campaign. You can find the sending IP in the email headers of a deferred message (X-Originating-IP or Received headers).
Confirm the domain in the policy matches the domain in the MailFrom address (the envelope sender), not just the From display name.
If Right-Hand Cybersecurity has recently changed its sending IP, update the policy with the new IP.
Allow up to 30 minutes for policy changes to propagate across Microsoft 365.
Q2) Simulation emails are delivered, but going to Junk instead of the inbox
The Advanced Delivery Policy overrides anti-spam and anti-phishing filtering. If emails are still landing in Junk, the policy may not be matching correctly.
In Explorer, find the email and check whether the detection technology shows Phishing simulation. If it does not, the Advanced Delivery Policy did not match - review the domain and IP entries.
If the policy is matching but emails still land in Junk, check whether a custom mail-flow rule or Outlook client-side rule is redirecting them.
Q3) Simulation link clicks are not being recorded in Right-Hand Cybersecurity
Microsoft Safe Links may still be rewriting simulation URLs even when the Advanced Delivery Policy is configured.
Confirm all Right-Hand Cybersecurity simulation landing page domains are added to the Simulation URLs to allow field in the Advanced Delivery Policy. Refer to the Whitelisting best practices article for the full domain list.
If click tracking is still broken after adding URLs, contact Right-Hand Cybersecurity support to confirm the campaign tracking configuration is correct.
Q4) The Advanced Delivery option is not visible in the Defender portal
This is typically a permissions or licensing issue.
Confirm you are signed in with a Global Administrator or Security Administrator role.
Confirm your tenant has Microsoft Defender for Office 365 Plan 1 or Plan 2 (or equivalent) active. Advanced Delivery is not available on tenants using only Exchange Online Protection without a Defender licence.
If your licence is correct and the menu is still missing, contact Microsoft support.
Q5) Why don't Safe Senders lists or IP allow lists work for simulation emails?
Since 2021, Microsoft's Secure by default feature overrides legacy allow-listing methods for messages categorised as high-confidence phishing. Safe Senders lists, IP allow lists, and mail-flow rules that set SCL to -1 are all bypassed. The Advanced Delivery Policy is the only supported method that consistently overrides these detections for phishing simulation traffic.