What is the name of the domain?
What is the error number?
NA
What is the error message?
CIPA Filter, Phishing are in the categories
What is the issue you’re encountering
I’m reaching out regarding a critical issue impacting my businesses ability to utilize Microsoft’s Attack Simulation Training (AST) platform. We’ve encountered repeated instances where URLs used in Microsoft’s phishing simulations are flagged with CIPA Filter by Cloudflare. This has led to significant disruptions in our companies security training efforts. We work with the DHS who have strict security policies that prohibit the allowlisting of these domains, currently we must manually test each URL in the phishing simulation and hope that during the simulation the URLs don’t end up marked as CIPA filter, phishing during the test.
What steps have you taken to resolve the issue?
Workarounds Attempted:
Manual testing of payload URLs post-generation.
Weekly monitoring of all AST domains for reputation changes.
Use of custom domains, which still rely on the original Microsoft URLs for redirection—rendering the workaround ineffective if the base URL is blocked
Request: We respectfully request that Cloudflare consider reviewing and remove the CIPA categorization of Microsoft AST URLs used in phishing simulations, it should be only information security and its only these 32 that are marked currently
What are the steps to reproduce the issue?
End-users click the URLS in the training and because of the block we can’t get the reports of them clicking through the URL
Will attach more of the links we manually just went through today and checked all of them
We have reached out to Microsoft regarding this as well