This article describes how to set up the Cyber Guru Connector in Exchange Online, based on TLS certificate authentication and limited to simulation sender domains.
This setup is the solution recommended by Microsoft’s official documentation to avoid throttling applied by Exchange Online Protection to phishing simulation emails.
Why the connector is needed
Phishing simulation campaigns naturally involve sending large volumes of emails from an external infrastructure to the customer’s tenant. The Microsoft Exchange Online Protection (EOP) anti-abuse engine continuously and automatically reassesses the reputation of sending IPs and may apply reputational throttling (slowing down delivery) to unauthenticated senders.
When this happens, simulation emails are not rejected or blocked on the customer’s tenant, but are deferred upstream by Microsoft with the following response code:
451 4.7.500 Server busy. Please try again later from [85.235.135.191].
Key points about this issue:
- It’s a temporary slowdown (soft-defer), not a permanent block or blacklist: messages stay in the queue and are retried.
- It’s cross-tenant: it affects the sending IP for all Microsoft 365 recipients, so there’s nothing to unblock on the customer’s tenant (emails won’t appear in quarantine or tenant logs).
- Any mitigation requests to Microsoft (delisting) are temporary: reputation is automatically reassessed and throttling can return.
For this specific error, Microsoft’s official documentation (Fix NDR error 451 4.7.500-699 (ASxxx) in Exchange Online) recommends that the receiving tenant administrator set up a connector as the solution.
With the connector, the Cyber Guru sending server authenticates to the tenant by presenting its TLS certificate: the traffic is no longer considered “anonymous” and throttling — which only applies to unauthenticated senders — is not applied. This is effective immediately and does not depend on Microsoft’s intervention or timing.
Why this setup is also more secure
TLS certificate authentication provides stricter controls:
- The scope is limited: the connector is restricted to only the domains used for phishing simulations.
- Identification is done via a TLS certificate issued by a public CA, with mandatory TLS: this is a stronger and more verifiable method than IP-based trust.
- Anti-spoofing: with this restriction enabled, any message claiming one of the simulation domains but not presenting the Cyber Guru certificate will be rejected by the tenant.
- A single certificate covers all simulation domains and remains valid even if the sending IP changes: you only need to set this up once.
- It’s a single, documented configuration, can be disabled at any time, and is fully tracked in the tenant’s admin tools.
Prerequisites
- Access to the Exchange Admin Console with admin permissions
- List of Cyber Guru sender domains
- Domain name of the TLS certificate for the Cyber Guru sending server:
pmail.cyberguru.report
|
WHERE TO FIND THE FULL LIST OF SENDER DOMAINS
|
Step-by-step procedure
1. Log in to the Microsoft Admin Console
2. Go to "Mail flow > Connectors" and select "+ Add a connector"
3. Select the "Partner organization" option and connect to "Office 365", then click "Next"
4. Add the connector name "Cyber Guru Connector", leave the "Enable" checkbox checked, and click "Next"
5. Select "By verifying that the sender domain matches one of the following domains" and enter the Cyber Guru sender domains
Enter all sender domains (available on the platform under "Help > Support - Knowledge"), clicking the "+" symbol after each domain, then click "Next".
Note: domains must be entered exactly as provided, without wildcards or prefixes.
6. Enable TLS certificate verification
On the security restrictions screen:
- Leave the option "Reject email messages if they aren't sent over TLS" enabled (default setting)
- Select the option "And require that the subject name on the certificate used by the partner to authenticate with Office 365 matches this domain name" and enter:
pmail.cyberguru.report
7. Review the summary and click "Create Connector"
8. Final check
After setup, request a test email to be sent from the platform to verify successful delivery. If needed, contact Cyber Guru support for a joint configuration and testing session.
Important notes
- The connector does not replace Advanced Delivery in Microsoft Defender, which remains the most important configuration in the entire whitelisting process: 1. Advanced Delivery (Microsoft Defender).
- If the Cyber Guru connector identified by IP address already exists, update it with the certificate verification described in this article: IP-based identification does not exempt from throttling.