CanIPhish can integrate directly with Microsoft 365 through the Graph API. Using this API we can inject simulated phishing and notification emails directly into employee inboxes, bypassing the need for traditional email allowlisting!
Important Note: This guide should only be followed if you haven't set up platform white-labeling. If you have, please follow this setup guide.
To leverage direct email injection functionality, please follow the below steps:
1. Log in to your account and navigate to Platform Settings > Email Delivery Settings.
2. Click the 'New Integration' button for the 'Microsoft 365 Direct Email Injection' Service Provider.
3. Provide a unique name for the Microsoft 365 integration and then click the 'Sign in with Microsoft' button.
4. If your browser doesn't have an active Microsoft/Azure AD session, you'll be prompted to log in via the Microsoft login portal. Once signed in, you'll be prompted to authorise the CanIPhish Email Connector to access several APIs within your Microsoft/Azure AD account. Click 'Accept' to authorise the access.

   Note: Access to all scopes is required to successfully set up the integration. See the Appendix below for detail on what information we're accessing. Consenting on behalf of your organization is optional.
5. Once authorized, you'll be immediately redirected to the CanIPhish Mail Servers page and notified of the status of the integration and that you now need to provide Admin Consent. From here you can choose one of two options:
   - Automatically provide Admin Consent by authorizing a permissions upgrade in a dialog box similar to the one shown in Step 4 (completing the setup).
   - Proceed with Steps 6-10 to do this manually.

   What is Admin Consent? With Microsoft there are two types of permissions: Delegated and Application. Delegated permissions are used when an application needs to act on behalf of a signed-in user. Application permissions are used when an application needs to access resources without a signed-in user. They allow the application to act autonomously, accessing the specified resources across the tenant with higher privileges than delegated permissions. By providing Admin Consent, the CanIPhish Email Connector is upgraded from Delegated to Application permissions, which is necessary to perform Direct Email Injection.
6. If proceeding with the manual approach, go to the Azure home page: https://portal.azure.com/
7. Click on or search for Enterprise Applications.
8. Click on the "CanIPhish Email Connector" Application.
9. Click on the Permissions tab on the left.
10. Click the "Grant admin consent for CanIPhish" button to upgrade the Mail.ReadWrite and User.Read.All permissions from Delegated to Application.
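The Delegated-versus-Application distinction in the Admin Consent note is visible in the access token itself: a delegated Graph token carries its scopes in the `scp` claim, an application token carries app roles in the `roles` array. The Python below is an added example (not CanIPhish code) that inspects the claims of a token you already hold and reports which kind it is, whether the two permissions Step 10 grants are present, and how long it has left. It decodes the payload without verifying the signature, so it is for inspecting your own token, never for trusting one; the sample tokens are constructed and unsigned.

```python
"""Classify a Microsoft Graph access token as delegated or application.

Added example, not CanIPhish code. The payload is decoded WITHOUT signature
verification: fine for inspecting a token you already hold, never for
trusting one presented by someone else.
"""
import base64
import json
import time
from typing import Optional

# Permissions the guide says the connector needs after admin consent.
REQUIRED_PERMISSIONS = {"Mail.ReadWrite", "User.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[float] = None) -> dict:
    """Report the token kind, its permissions, and whether the required ones are present.

    Entra ID (Azure AD) puts delegated scopes in the space-separated 'scp'
    claim and application permissions in the 'roles' array; a Graph token
    carries one or the other, not both.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if "roles" in claims:
        kind, perms = "application", set(claims["roles"])
    elif "scp" in claims:
        kind, perms = "delegated", set(claims["scp"].split())
    else:
        kind, perms = "unknown", set()
    exp = float(claims.get("exp", 0))
    return {
        "kind": kind,
        "permissions": sorted(perms),
        "missing": sorted(REQUIRED_PERMISSIONS - perms),
        "expired": exp <= now,
        "seconds_left": max(0, int(exp - now)),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED token for testing: alg 'none', empty signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: before admin consent (delegated), after it (application),
# and an expired application token that is missing one permission.
DELEGATED_TOKEN = make_unsigned_token(
    {"scp": "Mail.ReadWrite User.Read.All", "exp": 2_000_000_000})
APPLICATION_TOKEN = make_unsigned_token(
    {"roles": ["Mail.ReadWrite", "User.Read.All"], "exp": 2_000_000_000})
EXPIRED_TOKEN = make_unsigned_token(
    {"roles": ["Mail.ReadWrite"], "exp": 1_000_000_000})

if __name__ == "__main__":
    for name, tok in [("delegated", DELEGATED_TOKEN),
                      ("application", APPLICATION_TOKEN),
                      ("expired", EXPIRED_TOKEN)]:
        print(name, classify_token(tok))
```

A real token is obtained from the connector's token endpoint response or a browser session; paste it in place of the constructed ones. The `seconds_left` value is what the `offline_access` refresh in the Appendix exists to top up.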
All done! You can now select this as an email provider when scheduling phishing campaigns, bypassing the need to set up email allowlisting. To do this, either make this new mail server your default or click the 'Show Advanced Options' link on the initial setup page when creating a new campaign.
Appendix: Additional Information on Microsoft API Scopes
We'll be accessing APIs that allow us to read and write information to employee inboxes. Additionally, we'll read information from employee Microsoft profiles so we can determine which email address is associated with which Microsoft profile and then find the corresponding Inbox folder. The table below outlines the scopes we're accessing in detail:

| Scope | Purpose |
| --- | --- |
| User.Read.All | Provides CanIPhish with access to read the profiles of all users within the Azure AD tenant for the Microsoft 365 account. |
| Mail.ReadWrite | Provides CanIPhish with access to read and write to employee mailboxes. This is necessary so we can find the location of the Inbox folder and then inject the necessary simulated phishing email. |
| offline_access | Allows CanIPhish to maintain access to the scopes above. This is necessary so CanIPhish can periodically refresh its access token, which would otherwise expire every 90 minutes. |
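After Step 10 has upgraded the permissions, a tenant admin will usually want to confirm that the connector's enterprise application holds exactly the two application permissions in the table above and nothing more. The Python below is an added audit example (not CanIPhish code). The Graph endpoints it calls are real (`/servicePrincipals`, `/servicePrincipals/{id}/appRoleAssignments`, and the resource's `appRoles` list, which is needed because assignments name roles only by GUID). The HTTP `get` callable is an assumption so the script runs offline: every GUID in `fake_graph` is a placeholder, and `Directory.ReadWrite.All` appears only as a constructed example of an over-privileged grant. A real `get` would URL-encode the query and send a bearer token for an admin permitted to read service principals (`Application.Read.All` is sufficient).

```python
"""Audit the application permissions granted to the connector's service principal.

Added example, not CanIPhish code. After Step 10 ("Grant admin consent"), an
admin can confirm the enterprise application holds exactly the app roles the
appendix lists. Graph endpoints used are real; the transport is injectable so
the audit runs offline against constructed responses.
"""
from typing import Any, Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
EXPECTED_APP_ROLES = {"Mail.ReadWrite", "User.Read.All"}
GetFn = Callable[[str], Dict[str, Any]]  # url -> parsed JSON body


def _collect(get: GetFn, url: str) -> List[Dict[str, Any]]:
    """Follow @odata.nextLink paging and return every item in 'value'."""
    items: List[Dict[str, Any]] = []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink", "")
    return items


def audit_app_roles(app_display_name: str, get: GetFn) -> Dict[str, Any]:
    """Compare the app roles assigned to the named service principal with EXPECTED_APP_ROLES."""
    principals = _collect(get, f"{GRAPH}/servicePrincipals?$filter=displayName eq '{app_display_name}'")
    if len(principals) != 1:
        raise LookupError(f"expected one service principal named {app_display_name!r}, found {len(principals)}")
    sp_id = principals[0]["id"]
    # Each assignment names a role only by GUID; resolve it via the resource's appRoles list.
    role_names: Dict[str, Dict[str, str]] = {}
    granted = set()
    for assignment in _collect(get, f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments"):
        resource_id = assignment["resourceId"]
        if resource_id not in role_names:
            roles = get(f"{GRAPH}/servicePrincipals/{resource_id}?$select=appRoles")["appRoles"]
            role_names[resource_id] = {r["id"]: r["value"] for r in roles}
        # Fall back to the raw GUID if the resource does not list the role.
        granted.add(role_names[resource_id].get(assignment["appRoleId"], assignment["appRoleId"]))
    return {
        "granted": sorted(granted),
        "missing": sorted(EXPECTED_APP_ROLES - granted),
        "unexpected": sorted(granted - EXPECTED_APP_ROLES),
        "ok": granted == EXPECTED_APP_ROLES,
    }


def fake_graph(granted_values: List[str]) -> GetFn:
    """Constructed offline stand-in for Graph. All GUIDs are placeholders, not real ids."""
    sp_id = "00000000-0000-4000-8000-0000000000a1"
    graph_resource_id = "00000000-0000-4000-8000-0000000000b2"
    role_ids = {  # placeholder role GUIDs; real ones come from the Graph service principal's appRoles
        "Mail.ReadWrite": "00000000-0000-4000-8000-0000000000c1",
        "User.Read.All": "00000000-0000-4000-8000-0000000000c2",
        "Directory.ReadWrite.All": "00000000-0000-4000-8000-0000000000c3",  # over-privilege example
    }
    responses = {
        f"{GRAPH}/servicePrincipals?$filter=displayName eq 'CanIPhish Email Connector'":
            {"value": [{"id": sp_id, "displayName": "CanIPhish Email Connector"}]},
        f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments":
            {"value": [{"appRoleId": role_ids[v], "resourceId": graph_resource_id, "principalId": sp_id}
                       for v in granted_values]},
        f"{GRAPH}/servicePrincipals/{graph_resource_id}?$select=appRoles":
            {"appRoles": [{"id": i, "value": v} for v, i in role_ids.items()]},
    }

    def get(url: str) -> Dict[str, Any]:
        if url not in responses:
            raise LookupError(f"constructed fake has no response for {url}")
        return responses[url]
    return get


if __name__ == "__main__":
    print(audit_app_roles("CanIPhish Email Connector",
                          fake_graph(["Mail.ReadWrite", "User.Read.All"])))
    print(audit_app_roles("CanIPhish Email Connector",
                          fake_graph(["Mail.ReadWrite", "Directory.ReadWrite.All"])))
```

Anything in `unexpected` is a permission the guide never asked for and is worth revoking in the Permissions tab from Step 9; anything in `missing` means Step 10 did not complete and injection will fail.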
Frequently Asked Questions
What happens if a user doesn't exist within the Microsoft 365 Tenant?
If the user is sent a simulated phishing email, an error will appear next to their email address within the affected campaign, making a note of the issue. If the user is sent a notification, then a fallback to use CanIPhish email servers will occur to ensure the notification is still sent.