M365: Direct Email Creation
Last updated
Copyright © Keepnet Labs LTD. All rights reserved.
Go to Company > Company Settings > Direct Email Creation from the main menu. Click on + NEW to create a direct email creation setting.
Click on Connect Account button to connect your O365 with the Direct Email Creation (DEC) application to create a configuration.
You can find all API permission settings here
Name your DEC, select the domains you will send phishing simulation emails to, and fill in the Send Test Email fields.
Send Test Email To: Enter the email of the person receiving the test email.
Sender Email Address: Enter any email - you can now send emails from any email address!
Sender Name: Enter a sender name.
Message: Enter a message.
Click SAVE to create configuration settings.
Top Tip: Make sure to select Direct Email Creation in your Email Delivery settings when running a new phishing campaign.
Keepnet follows Microsoft's secure design principles for third-party applications and has received approval from Microsoft. The app uses permissions solely to create simulated phishing emails in users' inboxes. It does not include permission to read, send email or access other mailbox functionalities.
The following permissions are required for customers using the Microsoft 365 email server.
Read and write all applications
It is used only when the customer uses a custom domain instead of dash.keepnetlabs.com to access the platform. This ensures that the customer can successfully configure the DEC settings on the platform while using the custom whitelabeled domain.
Read domains
It is used to fetch the domains that the customer owns in Microsoft 365 and allows the customer to select the relevant domains so the platform can create simulation emails in the user's inbox under the selected domains.
Read and write mail in all mailboxes
It is used to create a simulation email in the user's inbox. Please see the following screenshot for more information about this permission.
Read all users' full profiles
It is used to read the user's profile information, retrieve email account details (e.g., email address), and switch to the user's profile to create simulation emails in their inbox.
Sign in and read user profile
It is used to read basic company information of the signed-in user who grants permission.
Microsoft bundles permissions together. The following Microsoft screenshot shows a 'Mail' permission group. There's no separate Write permission — only the Mail.ReadWrite permission, which handles Write actions.
The following permissions are required for customers using the Microsoft Exchange Online email server.
Access mailboxes as the signed-in user via Exchange Web Services
It is used to access the user's mailbox in order to create a simulation email in the inbox.
Use Exchange Web Services with full access to all mailboxes
It is used to create a simulation email in the user's inbox without using a sign-in account.
Manage Exchange As Application
It is used to allow the app to manage the organization's Exchange environment without any user interaction.
In summary, customers only need to share the necessary permissions based on their specific environment, whether they use Microsoft 365, Microsoft Exchange Online, or a hybrid of both. Keepnet requests these permissions to create simulation emails in the user's inbox across any of these environments.
For example, if you use only Microsoft Exchange Online, Keepnet uses only the permission groups related to Exchange Online; the other permissions are not used.
To view the activity of the DEC application created by the platform and confirm that it is only creating simulation emails (and not reading any emails), please follow these steps:
Log in to the Microsoft Compliance Portal.
Navigate to the Audit menu.
If not already enabled, click to Enable Audit Logging.
Set up the DEC configuration successfully on the platform, and send a test email using the DEC settings to generate activity logs.
Go back to the Audit menu and search for logs related to the user who sent the test email with the DEC settings. Alternatively, copy the Application ID of the DEC application and paste it into the Keyword Search field to search the logs.
In the logs, you should see activities such as "Created mailbox item", confirming the application's behavior. For example:
This log indicates that the application is only creating mailbox items and not accessing or reading mailboxes.
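The same check can be run offline against an export of the Audit search results, which is useful when the DEC application has been active for a while and you want to confirm that every record attributed to it is an item creation rather than a read. The script below is an added example, not Keepnet's code or the Microsoft portal's export format; the Application ID is a placeholder, the three audit rows are constructed sample data, and the AuditData field names (AppId, ClientAppId, MailboxOwnerUPN, Item.ParentFolder.Path) are assumed to match the Exchange mailbox audit schema, so check them against your own export before relying on the filter. "Create" is assumed to be the raw operation name behind the portal's "Created mailbox item" label.

```python
import json
from collections import Counter

# Placeholder application (client) ID for the DEC app registration; not Keepnet's real value.
DEC_APP_ID = "11111111-2222-3333-4444-555555555555"
# A second, unrelated application used to show that reads by another app are flagged.
OTHER_APP_ID = "99999999-8888-7777-6666-555555555555"

# Constructed sample of unified audit log rows as exported from the Audit search:
# one dict per row, with AuditData as the JSON string the export carries.
# Field names are assumptions about the Exchange mailbox audit schema.
SAMPLE_EXPORT = [
    {
        "RecordType": "ExchangeItem",
        "Operation": "Create",
        "AuditData": json.dumps({
            "Operation": "Create",
            "AppId": DEC_APP_ID,
            "ClientAppId": DEC_APP_ID,
            "MailboxOwnerUPN": "alice@example.com",
            "Item": {"Subject": "DEC test email", "ParentFolder": {"Path": "\\Inbox"}},
        }),
    },
    {
        "RecordType": "ExchangeItem",
        "Operation": "Create",
        "AuditData": json.dumps({
            "Operation": "Create",
            "AppId": DEC_APP_ID,
            "ClientAppId": DEC_APP_ID,
            "MailboxOwnerUPN": "bob@example.com",
            "Item": {"Subject": "Quarterly benefits update", "ParentFolder": {"Path": "\\Inbox"}},
        }),
    },
    {
        # Constructed read activity by a different application; must not be
        # attributed to the DEC app, and must be flagged when that app is reviewed.
        "RecordType": "ExchangeItem",
        "Operation": "MailItemsAccessed",
        "AuditData": json.dumps({
            "Operation": "MailItemsAccessed",
            "AppId": OTHER_APP_ID,
            "ClientAppId": OTHER_APP_ID,
            "MailboxOwnerUPN": "alice@example.com",
        }),
    },
]

# The only operation the DEC app is expected to perform: creating mailbox items.
EXPECTED_OPERATIONS = {"Create"}


def parse_row(row):
    """Flatten one exported row into the fields needed for the review."""
    data = json.loads(row["AuditData"])
    item = data.get("Item", {})
    return {
        "operation": row.get("Operation") or data.get("Operation"),
        "app_id": data.get("AppId") or data.get("ClientAppId"),
        "mailbox": data.get("MailboxOwnerUPN"),
        "folder": item.get("ParentFolder", {}).get("Path"),
        "subject": item.get("Subject"),
    }


def app_activity(rows, app_id):
    """Return the parsed records produced by the given application ID."""
    return [r for r in map(parse_row, rows) if r["app_id"] == app_id]


def operation_counts(rows, app_id):
    """Count operations per type for one application, e.g. {'Create': 2}."""
    return dict(Counter(r["operation"] for r in app_activity(rows, app_id)))


def unexpected_activity(rows, app_id, expected=EXPECTED_OPERATIONS):
    """Records for app_id whose operation is outside the expected set (any read
    of existing mail, for instance). An empty list means creation only."""
    return [r for r in app_activity(rows, app_id) if r["operation"] not in expected]


if __name__ == "__main__":
    print("DEC app operations:", operation_counts(SAMPLE_EXPORT, DEC_APP_ID))
    print("DEC app unexpected:", unexpected_activity(SAMPLE_EXPORT, DEC_APP_ID))
    print("Other app unexpected:", unexpected_activity(SAMPLE_EXPORT, OTHER_APP_ID))
```

Run it against a real export by replacing SAMPLE_EXPORT with the parsed CSV or JSON rows and DEC_APP_ID with the Application ID shown for the DEC app in your tenant; a non-empty result from unexpected_activity is the thing to investigate.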
✅ You have now ensured your target users will receive emails through Keepnet. Now you need to Whitelist Domains so your target users can successfully open Keepnet email links. ➡️
This video tutorial explains how to configure direct email creation settings and launch a campaign with these settings to create phishing emails directly in the user's inbox instead of launching with the SMTP option.
A: Click here for more information.
A: No, you can only launch a campaign with DEC settings using Campaign Manager. If you launch a campaign with Fast Launch, the campaign will be started with default SMTP settings.
A: If you use only the Phishing Simulator product and use the DEC feature, you don’t need to do whitelisting. If you’re using other products, such as Awareness Educator, you need to do whitelisting since the DEC feature only works for now with the Phishing Simulator product.
A: No. A user whose status shows Error means that the destination email account was not found in O365, or that there is another problem with that user's email account; the platform shows the reason as a tooltip when you hover your mouse over the error status.
A: You can check and make sure you selected the related domain addresses in the DEC configuration, and then you can try to resend the campaign to these users from the Sending Report menu in the campaign report.
A: Authorizing the DEC feature on the O365 server does not involve any potential security considerations. Keepnet provides encryption to secure data and prevent unauthorized access, keeping your data safe.
First, we encrypt data in line with our cryptography policy and data protection policy to keep it secure and prevent potential vulnerabilities.
Furthermore, we have a strict access policy and do not allow unauthorized access to sensitive data; please see our access policy here.
Keepnet does its best to maintain rigorous security protocols such as regular audits of access rights, continuous monitoring for abnormal activities, and thorough vulnerability assessments.
You can see other data security measures on our platform security page.