How do I allowlist simulation domains in Google Safe Browsing for Google Chrome?

The domains used in Moxso phishing simulations may occasionally be falsely flagged by Google Safe Browsing as malicious, deceptive, or involved in social engineering. In such cases, users might see warning banners when clicking on simulation links or QR codes — potentially hindering the intended flow. By implementing a Safe Browsing allowlist that includes the simulation domains, you ensure that users can access simulation content without interruption.

Prerequisites (where applicable)

• Administrative access to Entra ID Portal (for Windows 11) or Administrative access to Intune Portal (for macOS).
• Administrative access to the Google Admin Console (for enterprise settings) or the Chrome browser settings (for individual users).
• A list of the domains or URLs you want to allow.
• One or more XML or CSV templates for uploading the domains to each respective service.

About the simulation domains

Simulations mainly rely on the following kinds of domains:

• Sender domains: used to send simulated emails.
• Landing page domains: used for spearphishing (credential harvesting) simulations.

Allowlisting via Entra ID (Windows 11 / Intune)

1. Open the Entra ID Portal → go to Devices > Windows (or navigate via the Intune Windows portal).
2. Click Create → New Policy.
3. Select Platform: Windows 10 and later and Profile type: Settings catalog.
4. Provide a name for the profile (e.g., Chrome Safe Browsing Allowlist for Moxso simulation domains) and click Next.
5. Under Configuration settings, click Add settings.
6. In the Settings picker, search for Safe Browsing. Choose Google Chrome Safe Browsing settings.
7. Enable the option Configure the list of domains on which Safe Browsing will not trigger warnings.
8. Import the list of simulation domains (via CSV or XML) and click Next.
9. Complete Scope tags and Assignments, then review and create the profile.

Allowlisting via Intune (macOS)

1. Open the Intune Portal → go to Devices > Mac.
2. Click Create → New Policy.
3. Select Template: Custom.
4. Provide a name for the profile (e.g., Chrome Safe Browsing Allowlist for Moxso simulation domains) and upload a ChromeSafeBrowsingAllowlist.xml populated with the provided domains.
5. Assign to the appropriate group, then review and create the profile.

Allowlisting via Google Enterprise Policy (for managed Chrome environments)

1. Access the Google Admin Console (admin.google.com) with rights to manage Chrome policies.
2. Navigate to Device Management → Chrome → Settings / Policies.
3. Locate the Safe Browsing policy section (could be named Safe Browsing Allowlist, URL Exemptions, or Whitelist, depending on your console version).
4. Add the Moxso simulation domains into the allowlist.
5. Save, propagate the policy (may take ~1 hour), and confirm end-users no longer see Safe Browsing warnings for those domains.

Local/Machine-level Browser Settings (non-managed devices)

• Open Chrome → go to Settings → Privacy and security → Security.
• If Safe Browsing is set to “Enhanced” or “Standard,” note that Chrome does not provide a user-facing per-domain allowlist. For local or unmanaged devices, full allowlisting usually requires enterprise/browser policy configuration.
• If enterprise policy isn’t practical, you may adjust Safe Browsing level or other settings — though this is not recommended for large-scale, managed deployments.

Verification

After applying the allowlist:

1. Use a test account or device.
2. Access one of the allowlisted simulation URLs.
3. Confirm that Google Safe Browsing does not display warning banners and that the simulation flow (click-through, landing page, credentials page) works correctly.