CanIPhish can integrate directly with Microsoft 365 through the Graph API. Using this API we can inject simulated phishing and notification emails directly into employee inboxes using a technique known as Direct Email Injection (DMI for short), bypassing the need for traditional email allowlisting!
Important Note: This guide should only be followed if you have set up platform white-labeling. If you haven't, please follow this setup guide. Additionally, please ensure you're accessing CanIPhish through your white-labeled domain (server-side logic determines which DMI integration to present based on the domain in use).
Table of Contents
- Step 1. Create An App Registration In Microsoft
- Step 2. Configure Direct Email Injection In CanIPhish
- Frequently Asked Questions
Step 1. Create An App Registration In Microsoft
1.1. Login to the Microsoft Azure account linked to your Microsoft 365 Tenant: https://portal.azure.com/
1.2. In the search bar at the top of the page, search for "App registrations" and click on the corresponding Service.
1.3. Click "New Registration" to create a new App Registration:
1.4. Provide the app with a unique and distinguishable name (e.g. CanIPhish DMI Connector), leave the other options at their default settings, and then click the Register button:
1.5. While on the Overview page, copy the Application ID and Tenant ID values to your clipboard or a text editor as you'll need them later:
1.6. Click on the "Manage" > "API permissions" tab on the left:
1.7. Click the "Add a permission" button:
1.8. Click the "Microsoft Graph" API:
1.9. Click "Application permissions":
1.10. In the search box type in: "Mail.ReadWrite" and then expand the "Mail" permission, selecting the "Mail.ReadWrite" permission.
1.11. Now, change the search to look for: "User.Read.All" and then expand the "User" permission, selecting the "User.Read.All" permission.
1.12. Click the "Add permissions" at the bottom of the page to add the two permissions we've selected:
1.13. Confirm that both the permissions appear in the API Permissions table:
1.14. You'll notice a warning icon next to each permission indicating that admin consent hasn't yet been granted. Application permissions only take effect once an administrator has consented to them. Click the "Grant admin consent..." button directly above the table. Afterwards, the Status column will indicate that access has been granted.
1.15. Now change to the "Manage" > "Certificates & secrets" tab:
1.16. Click the "New client secret" button:
1.17. In the dialog that appears on the right of your screen, give the secret a descriptive name (e.g. "CanIPhish DMI Connector Secret") and an expiration date. We recommend the maximum of 730 days; when the secret expires, you will need to provision a new one. Then click "Add":
1.18. Your secret will now appear in the Client secrets table. Copy the Value of your newly created secret to your clipboard or text editor:
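As an added example (not CanIPhish's own code), the following Python audits the app registration created in Step 1: it checks that the Microsoft Graph application permissions are exactly the two the guide requires, flags anything beyond them, and warns of client secrets that are expired or close to expiry, since DMI stops working once the secret lapses. The `SAMPLE_APP` and `SAMPLE_GRAPH_APP_ROLES` objects are constructed but follow the shape of Graph's `GET /applications/{id}` response and the `appRoles` array of the Microsoft Graph service principal; fetching the real objects is assumed to happen separately, and all function names are my own.

```python
from datetime import datetime, timezone
# Well-known appId of Microsoft Graph; its service principal's appRoles map permission GUIDs to names.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# The only application permissions the guide asks for (Steps 1.10 and 1.11).
REQUIRED_PERMISSIONS = {"Mail.ReadWrite", "User.Read.All"}

def granted_app_permissions(app, graph_app_roles):
    """Names of the Graph application permissions (type 'Role') the app requests."""
    roles_by_id = {r["id"]: r["value"] for r in graph_app_roles}
    names = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope for this check
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":  # Role = application permission, Scope = delegated
                names.add(roles_by_id.get(access["id"], access["id"]))
    return names

def secret_findings(app, now, warn_days=30):
    """Client secrets already expired or expiring within warn_days (DMI stops working on expiry)."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        left = (end - now).days
        if left < 0:
            findings.append(f"{cred['displayName']}: expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"{cred['displayName']}: expires in {left} days")
    return findings

def audit_dmi_app(app, graph_app_roles, now):
    granted = granted_app_permissions(app, graph_app_roles)
    return {"missing": sorted(REQUIRED_PERMISSIONS - granted),
            "excess": sorted(granted - REQUIRED_PERMISSIONS),
            "secrets": secret_findings(app, now)}

# Constructed sample data in the shape of GET /applications/{id} and the Graph SP's appRoles; GUIDs and dates are made up.
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "aaaa0001-0000-0000-0000-000000000001", "value": "Mail.ReadWrite"},
    {"id": "aaaa0002-0000-0000-0000-000000000002", "value": "User.Read.All"},
    {"id": "aaaa0003-0000-0000-0000-000000000003", "value": "Mail.Send"}]
SAMPLE_APP = {  # requests all three roles above, i.e. one more than the guide needs
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": r["id"], "type": "Role"} for r in SAMPLE_GRAPH_APP_ROLES]}],
    "passwordCredentials": [
        {"displayName": "CanIPhish DMI Connector Secret", "endDateTime": "2025-01-20T00:00:00Z"},
        {"displayName": "old secret", "endDateTime": "2024-01-01T00:00:00Z"}]}

def run_sample():
    return audit_dmi_app(SAMPLE_APP, SAMPLE_GRAPH_APP_ROLES, datetime(2025, 1, 10, tzinfo=timezone.utc))
```

Mail.ReadWrite as an application permission covers every mailbox in the tenant, so an excess permission such as Mail.Send or a long-lived secret on this app deserves review. Exchange Online application access policies can additionally scope the permission to the mailboxes that actually receive simulations.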
Step 2. Configure Direct Email Injection In CanIPhish
2.1. Login to your CanIPhish account and navigate to the Email Delivery Providers page. This can be found under Platform Settings > Email Delivery Settings.
2.2. Click on the New Integration button for the "Microsoft 365 Direct Email Injection" integration:
2.3. In the popup that appears, enter the following values and then click Save:
- Integration Name: Provide a unique and distinguishable name for this integration (e.g. "M365 DMI Connector")
- Application ID: Paste the value that you copied in Step 1.5.
- Tenant ID: Paste the value that you copied in Step 1.5.
- Client Secret: Paste the value that you copied in Step 1.18.
2.4. The newly created Integration should now appear in the Mail Integrations table. Test that the integration is functioning by clicking the "Test DMI Connectivity" button:
2.5. In the popup that appears, enter the email address that you would like a test email to be sent to, and then click the Test Connectivity button. This test will confirm that CanIPhish has sufficient privileges to insert emails into user account inboxes, and also that the provided email address can be located within the linked Microsoft 365 account.
2.6. If you're presented with a success notification, you're all done! As a final and optional step, you can set the new integration to be your default mail server. This means it will be selected by default whenever a new phishing campaign is created.
Important Note: If you use M365 Safe Link/Attachment Processing, you'll need to implement rules to bypass this scanning. Please see our Bypass Safe Link/Attachment Processing for M365 knowledgebase article.
Frequently Asked Questions
What happens if a user doesn't exist within the Microsoft 365 Tenant?
If a simulated phishing email is sent to that user, an error appears next to their email address within the affected campaign noting the issue. If a notification is sent to that user, CanIPhish falls back to its own email servers so the notification is still delivered.