
Copyright © Keepnet Labs LTD. All rights reserved.

M365: Direct Email Creation

Last updated 1 month ago

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 with a few required API permissions. This feature creates the phishing simulation email directly in the user's inbox instead of sending the emails over SMTP.

Key Benefits:

  1. Remove false positives that whitelisting tools cause when analyzing links.

  2. Eliminate the maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions, such as Defender or Zscaler).

  3. Very simple and quick setup (can be completed in a couple of minutes!)

How to Configure Direct Email Creation

Step 1.

Go to Company > Company Settings > Direct Email Creation from the main menu. Click on + NEW to create a direct email creation setting.

Step 2.

Click the Connect Account button to connect your O365 with the Direct Email Creation (DEC) application and create a configuration.

Step 3.

Name your DEC, select which domains you will send phishing simulation emails to and Send Test Email.

  • Send Test Email To: Enter the email of the person receiving the test email.

  • Sender Email Address: Enter any email - you can now send emails from any email address!

  • Sender Name: Enter a sender name.

  • Message: Enter a message.

  • Click SAVE to create configuration settings.

Step 4.

Make Direct Email Creation your Default Delivery Method - this will save you lots of time and remove delivery errors when you start sending phishing campaigns.

Top Tip: Make sure to select Direct Email Creation in your Email Delivery settings when running a new phishing campaign.

About Required API Permissions

The following permissions are required for customers using the Microsoft 365 email server.

Read and write all applications

It is used only when the customer uses a custom domain instead of dash.keepnetlabs.com to access the platform. This ensures that the customer can successfully configure the DEC settings on the platform while using the custom whitelabeled domain.

Read domains

It is used to fetch the domains that the customer owns in Microsoft 365 and allows the customer to select the relevant domains so the platform can create simulation emails in the user's inbox under the selected domains.

Read and write mail in all mailboxes

It is used to create a simulation email in the user's inbox. Please see the following screenshot for more information about this permission.

Read all users' full profiles

It is used to read the user's profile information, retrieve email account details (e.g., email address), and switch to the user's profile to create simulation emails in their inbox.

Sign in and read user profile

It is used to read basic company information of the signed-in user who grants permission.

Microsoft bundles permissions together. The following Microsoft screenshot shows a 'Mail' permission group. There's no separate Write permission — only the Mail.ReadWrite permission, which handles Write actions.

The following permissions are required for customers using the Microsoft Exchange Online email server.

Access mailboxes as the signed-in user via Exchange Web Services

It is used to access the user's mailbox in order to create a simulation email in the inbox.

Use Exchange Web Services with full access to all mailboxes

It is used to create a simulation email in the user's inbox without using a sign-in account.

Manage Exchange As Application

It is used to allow the app to manage the organization's Exchange environment without any user interaction.

In summary, customers only need to share the necessary permissions based on their specific environment, whether they use Microsoft 365, Microsoft Exchange Online, or a hybrid of both. Keepnet requests these permissions to create simulation emails in the user's inbox across any of these environments.

For example, if you use only Microsoft Exchange Online, Keepnet uses only the permission groups related to Exchange Online; the other permissions are not used.
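A least-privilege check for the permissions described in this section, as an added example (not Keepnet's or Microsoft's code): it resolves the app roles granted to the DEC service principal and compares them with what this page lists for the environment in use. The permission values, the input shapes (modelled on Microsoft Graph's `appRoleAssignments`, `appRoles` and `oauth2PermissionGrants` objects) and all sample data are assumptions of the example.

```python
# Permission values below are this example's mapping of the display names in this
# section (the page itself names only Mail.ReadWrite); verify them in your tenant.
PAGE_PERMISSIONS = {
    "m365": {"Domain.Read.All", "Mail.ReadWrite", "User.Read.All", "User.Read"},
    "exchange_online": {"EWS.AccessAsUser.All", "full_access_as_app",
                        "Exchange.ManageAsApp"},
}
CUSTOM_DOMAIN_ONLY = "Application.ReadWrite.All"  # only with a white-labeled domain

def granted_permissions(role_assignments, resource_sps, delegated_grants):
    """Resolve app-role IDs to permission values and add delegated scopes."""
    roles = {r["id"]: r["value"] for sp in resource_sps for r in sp["appRoles"]}
    granted = {roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
               for a in role_assignments}
    for grant in delegated_grants:
        granted.update(grant["scope"].split())
    return granted

def review(granted, environments, uses_custom_domain):
    """Compare what is granted with what the page lists for this environment."""
    needed = set().union(*(PAGE_PERMISSIONS[e] for e in environments))
    if uses_custom_domain:
        needed.add(CUSTOM_DOMAIN_ONLY)
    listed = set().union(*PAGE_PERMISSIONS.values()) | {CUSTOM_DOMAIN_ONLY}
    return {"not_on_page": sorted(granted - listed),
            "not_needed_here": sorted((granted & listed) - needed),
            "missing": sorted(needed - granted)}

# Constructed sample shaped like Graph objects; real IDs are GUIDs.
RESOURCE_SPS = [
    {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "r1", "value": "Mail.ReadWrite"},
        {"id": "r2", "value": "Domain.Read.All"},
        {"id": "r3", "value": "User.Read.All"},
        {"id": "r4", "value": "Application.ReadWrite.All"},
        {"id": "r5", "value": "Mail.Send"}]},
    {"displayName": "Office 365 Exchange Online", "appRoles": [
        {"id": "x1", "value": "full_access_as_app"}]},
]
ASSIGNMENTS = [{"appRoleId": i} for i in ("r1", "r2", "r3", "r4", "r5", "x1")]
DELEGATED = [{"scope": "User.Read"}]

if __name__ == "__main__":
    granted = granted_permissions(ASSIGNMENTS, RESOURCE_SPS, DELEGATED)
    print(review(granted, ["m365"], uses_custom_domain=False))
```

Anything reported under `not_on_page` or `not_needed_here` is a grant to question before consenting or to remove afterwards.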

How to Provide Proof of DEC App Activity for Compliance and Security

To view the activity of the DEC application created by the platform and confirm that it is only creating simulation emails (and not reading any emails), please follow these steps:

  1. Log in to the Microsoft Compliance Portal.

  2. Navigate to the Audit menu.

  3. If not already enabled, click Enable Audit Logging.

  4. Set up the DEC configuration successfully on the platform, and send a test email using the DEC settings to generate activity logs.

  5. Go back to the Audit menu and search for logs related to the user who sent the test email with the DEC settings. You can also copy the Application ID of the DEC application and paste it into the Keyword Search field to search the logs.

In the logs, you should see activities such as "Created mailbox item", confirming the application's behavior. For example:

This log indicates that the application is only creating mailbox items and not accessing or reading mailboxes.

Video Tutorial

This video tutorial explains how to configure direct email creation settings and launch a campaign with these settings to create phishing emails directly in the user's inbox instead of launching with the SMTP option.

✅ You have now ensured your target users will receive emails through Keepnet. Now you need to Whitelist Domains so your target users can successfully open Keepnet email links. ➡️

FAQ

Q: Which permissions does the DEC feature work with?

A: Click here for more information.

Q: Can I launch a campaign with DEC settings using the Fast Launch option?

A: No, you can only launch a campaign with DEC settings using Campaign Manager. If you launch a campaign with Fast Launch, the campaign will be started with default SMTP settings.

Q: Do I need to whitelist if I use the DEC feature?

A: If you use only the Phishing Simulator product and use the DEC feature, you don't need to do whitelisting. If you're using other products, such as Awareness Educator, you need to do whitelisting, since the DEC feature currently works only with the Phishing Simulator product.

Q: Can I resend the campaign email to the users whose status shows Error in the Sending Report menu in the campaign report?

A: No. An Error status means that the destination email account hasn't been found in O365, or that there is another problem with the user's email account, which the platform shows as a tooltip if you hover your mouse over the error status.

Q: What action should I take for users whose status shows an error ("domain.com" is not in the allowed domain list) in the Sending Report menu after the launch campaign?

A: You can check and make sure you selected the related domain addresses in the DEC configuration, and then you can try to resend the campaign to these users from the Sending Report menu in the campaign report.

Q: What are the security risks if we authorize the DEC feature on the O365 server?

A: Authorizing the DEC feature on the O365 server doesn't involve any potential security considerations. Keepnet provides encryption to secure data and prevent unauthorized access to keep your data safe.

First, we encrypt data and apply it to our cryptography policy and data protection policy to make data secure and prevent potential vulnerabilities.

Furthermore, we have a strict access policy and do not allow unauthorized access to sensitive data; please see our access policy here.

Keepnet does its best to maintain rigorous security protocols such as regular audits of access rights, continuous monitoring for abnormal activities, and thorough vulnerability assessments.

Keepnet follows Microsoft's secure design principles for third-party applications and has received approval from Microsoft. The app uses permissions solely to create simulated phishing emails in users' inboxes. It does not include permission to read, send email or access other mailbox functionalities.

You can find all API permission settings here.

You can see other data security measures on our platform security page.
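For the audit-log review described under "How to Provide Proof of DEC App Activity for Compliance and Security", an added example (not Keepnet's or Microsoft's code) that checks every exported record for the DEC Application ID instead of relying on a single log entry. The application ID is a placeholder, and the field names, the `Create` operation name and the sample records are assumptions of the example.

```python
import json
from collections import Counter

DEC_APP_ID = "00000000-0000-0000-0000-0000000000de"  # placeholder, not a real ID
EXPECTED_OPERATIONS = {"Create"}  # assumed operation behind "Created mailbox item"
ALLOWED_DOMAINS = {"example.com"}  # domains selected in the DEC configuration

# Constructed export, one JSON record per line. The field names are assumptions
# about the audit export; adjust them to match what your tenant produces.
SAMPLE_EXPORT = """\
{"Operation": "Create", "ClientAppId": "00000000-0000-0000-0000-0000000000de", "MailboxOwnerUPN": "alice@example.com"}
{"Operation": "Create", "AppId": "00000000-0000-0000-0000-0000000000DE", "MailboxOwnerUPN": "bob@example.com"}
{"Operation": "MailItemsAccessed", "ClientAppId": "00000000-0000-0000-0000-0000000000de", "MailboxOwnerUPN": "carol@example.com"}
{"Operation": "Create", "ClientAppId": "00000000-0000-0000-0000-0000000000de", "MailboxOwnerUPN": "dave@other.example"}
{"Operation": "Create", "ClientAppId": "11111111-1111-1111-1111-111111111111", "MailboxOwnerUPN": "erin@example.com"}
"""

def review_dec_activity(export_text, app_id=DEC_APP_ID):
    """Count the DEC app's operations and list the records that need review."""
    operations, findings = Counter(), []
    for line_no, line in enumerate(export_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((line_no, "unparseable record"))
            continue
        # Keep only records attributed to the DEC application (case-insensitive).
        ids = {str(rec.get(k, "")).lower() for k in ("AppId", "ClientAppId")}
        if app_id.lower() not in ids:
            continue
        op = rec.get("Operation", "<missing>")
        operations[op] += 1
        mailbox = rec.get("MailboxOwnerUPN", "")
        if op not in EXPECTED_OPERATIONS:
            findings.append((line_no, f"unexpected operation {op} on {mailbox}"))
        elif mailbox.rpartition("@")[2].lower() not in ALLOWED_DOMAINS:
            findings.append((line_no, f"item created outside selected domains: {mailbox}"))
    return operations, findings

if __name__ == "__main__":
    ops, findings = review_dec_activity(SAMPLE_EXPORT)
    print(dict(ops))
    for line_no, message in findings:
        print(f"record {line_no}: {message}")
```

An empty findings list shows only what was logged: the absence of read events is meaningful only if mailbox read auditing (the `MailItemsAccessed` action) is being recorded for the mailboxes in scope.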