CanIPhish can integrate directly with Google Workspace through the Gmail API. Using this API we can inject simulated phishing and notification emails directly into employee inboxes, bypassing the need for traditional email allowlisting!
Table of contents:
- Prerequisite
- Step 1. Create A Google Service Account
- Step 2. Associate The Service Account With Google Workspace
- Step 3. Configure Direct Email Injection In CanIPhish
- Frequently Asked Questions
- Common Issues
To leverage direct email injection functionality, please follow the below steps:
Prerequisite
You need a Google Cloud Project to create a Google Service Account. If you already have a Google Cloud Project that can be used, you can go straight to Step 1.
P.1. Open the Google Cloud Resource Manager
P.2. Click Create Project
P.3. Enter a Project Name and then click Create
Note: It may take a few minutes for the new project to be created. Once ready, it should appear on the resource manager page.
P.4. You now need to enable the Gmail API on the newly created project. To do this, go to APIs and Services > Enable APIs and Services > Enable APIs and Services (at the top of the page). Then enter "Gmail API" into the search field and select Gmail API from the search results. Click Enable to activate the API.
Step 1. Create A Google Service Account
1.1. While logged into your Google Cloud Project, go to IAM and Admin > Service Accounts.
1.2. Click the Create Service Account button at the top of the page.
1.3. Enter a unique name that clearly distinguishes the service account's purpose (e.g. CanIPhish DMI Connector - this name can be anything you choose, so you can omit CanIPhish if white-labelled). Then click 'CREATE AND CONTINUE':
1.4. No role is required for the Service Account. Once it is created, simply click 'DONE'.
1.5. Click into the newly created Service Account and copy or make a note of the Unique ID. We'll need this later.
1.6. While still looking at the Service Account, click the 'KEYS' tab and click ADD KEY > Create new key:
1.7. Select JSON for the 'Key type' and then click CREATE. The newly created key should automatically download once created:
Step 2. Associate The Service Account With Google Workspace
2.1. Open the Google Admin Console.
2.2. Go to Security > Access and data control > API Controls:
2.3. Click on "MANAGE DOMAIN WIDE DELEGATION" at the bottom of the page:
2.4. Click the "Add new" button next to the API clients field:
2.5. In the Client ID field, enter the Service Account's Unique ID copied earlier (in Step 1.5).
2.6. In the OAuth scopes field, enter the following OAuth scope and then click AUTHORIZE:
https://www.googleapis.com/auth/gmail.insert
2.7. Confirm the Gmail API is enabled on the Google Cloud Project used by your Google Workspace Account. To confirm this, go to the following URL and click the "Enable" button if it is visible: https://console.cloud.google.com/apis/library/gmail.googleapis.com
Step 3. Configure Direct Email Injection In CanIPhish
3.1. Log in to your CanIPhish account and go to the Email Delivery Providers page. This can be found under Platform Settings > Email Delivery Settings.
3.2. Click on the New Integration button for the 'Google Workspace Direct Email Injection Integration'.
3.3. Provide a unique name for the integration (e.g. Google-DMI) and then upload the JSON credentials file that was downloaded during Step 1.7. Then click the Save button:
3.4. Test that the integration is functioning by clicking the 'Test DMI Connectivity' button on the newly created integration:
3.5. In the popup that appears, enter the email address that you would like a test email to be sent to, and then click the Test Connectivity button. This test will confirm that CanIPhish has sufficient privileges to insert emails into user account inboxes, and also that the provided email address can be located within the linked Google Workspace account.
3.6. If you're presented with a success notification, as depicted in the screenshot above, you're all done! As a final and optional step, you can set the new integration to be your default mail server. This means it will be selected by default whenever a new campaign is created.
Frequently Asked Questions
What happens if a user doesn't exist within the Google Workspace Tenant?
If the user is sent a simulated phishing email, an error will appear next to their email address within the affected campaign, making a note of the issue. If the user is sent a notification, then a fallback to use CanIPhish email servers will occur to ensure the notification is still sent.
Common Issues
Receiving an error indicating a lack of permissions
This issue is almost always due to the Gmail API being disabled on your Google Workspace Account. Please validate it's active by going to the following URL and enabling the API if required: https://console.cloud.google.com/apis/library/gmail.googleapis.com
Note: Ensure the correct project is selected (if you have multiple projects associated to your Google Workspace Account).
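The values from Steps 1.5, 1.7, 2.5 and 2.6 can also be checked against each other offline before or after uploading the key. The following is an added example, not CanIPhish or Google code: the function name and sample values are hypothetical, and it assumes the service account's Unique ID is the `client_id` field of the downloaded JSON key and that the OAuth scopes field is comma-delimited.

```python
import json

REQUIRED_SCOPE = "https://www.googleapis.com/auth/gmail.insert"
KEY_FIELDS = ("client_email", "client_id", "private_key", "private_key_id", "token_uri")


def check_dmi_setup(key_json_text, delegated_client_id, delegated_scopes):
    """Compare the Step 1.7 key file with the Step 2.5/2.6 entries; [] means consistent."""
    try:
        key = json.loads(key_json_text)
    except json.JSONDecodeError:
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    findings = []
    if key.get("type") != "service_account":
        findings.append("key type is not 'service_account'")
    for field in KEY_FIELDS:
        if not key.get(field):
            findings.append(f"key is missing field '{field}'")
    # Assumption: the Unique ID shown in Step 1.5 is stored in the key as client_id.
    if key.get("client_id") and str(key["client_id"]) != delegated_client_id.strip():
        findings.append("delegated Client ID does not match the key's client_id")
    # Least privilege: the page asks for exactly one scope in Step 2.6.
    scopes = {s.strip() for s in delegated_scopes.split(",") if s.strip()}
    if REQUIRED_SCOPE not in scopes:
        findings.append("gmail.insert scope is not delegated")
    for extra in sorted(scopes - {REQUIRED_SCOPE}):
        findings.append(f"extra delegated scope beyond gmail.insert: {extra}")
    return findings


# Constructed sample key (placeholder values, not real credentials).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "dmi-connector@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_dmi_setup(SAMPLE_KEY, "100000000000000000001", REQUIRED_SCOPE))
```

An empty list means the key and delegation entries agree; any extra scope listed is worth removing, since the key file can act as any user in the domain for every scope delegated to it.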