M365: Direct Email Creation

How to Configure Direct Email Creation

Step 1.

Go to Company > Company Settings > Direct Email Creation from the main menu. Click on + NEW to create a direct email creation setting.

Step 2.

Click the Connect Account button to connect your O365 account to the Direct Email Creation (DEC) application and create a configuration.

You can find all API permission settings here

Step 3.

Name your DEC, select the domains you will send phishing simulation emails to, and send a test email using the fields below.

  • Send Test Email To: Enter the email of the person receiving the test email.

  • Sender Email Address: Enter any email - you can now send emails from any email address!

  • Sender Name: Enter a sender name.

  • Message: Enter a message.

  • Click SAVE to create configuration settings.

Top Tip: Make sure to select Direct Email Creation in your Email Delivery settings when running a new phishing campaign.

About Required API Permissions

You need to authorize the DEC application for your Microsoft 365 account to use the feature. The required minimum and mandatory API permissions are listed below.

Access mailboxes as the signed-in user via Exchange Web Services

Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.

Use Exchange Web Services with full access to all mailboxes

Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user.

Manage Exchange As Application

Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.

Read all users' full profiles

Allows the app to read user profiles without a signed-in user.

Read and write mail in all mailboxes

Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.

Read domains

Allows the app to read all domain properties without a signed-in user.

Sign in and read user profile

Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
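The following is an added example, not part of Keepnet's documentation: a Python check that compares the permissions actually granted to the DEC application with the list above and reports missing grants, unexpected grants, changed grant types, and application permissions that reach all mailboxes. The row format (`name`, `type`) and the sample rows are constructed assumptions; real rows would come from your tenant's record of the app's granted permissions.

```python
# Baseline: permission names and types as listed in the section above.
# "application" = works without a signed-in user; "delegated" = acts as the user.
BASELINE = {
    "Access mailboxes as the signed-in user via Exchange Web Services": "delegated",
    "Use Exchange Web Services with full access to all mailboxes": "application",
    "Manage Exchange As Application": "application",
    "Read all users' full profiles": "application",
    "Read and write mail in all mailboxes": "application",
    "Read domains": "application",
    "Sign in and read user profile": "delegated",
}

# Constructed sample export (assumed row format, not a real tenant's data):
# one baseline permission is absent and one extra permission has been granted.
SAMPLE_GRANTS = [
    {"name": n, "type": t} for n, t in BASELINE.items() if n != "Read domains"
] + [{"name": "Send mail as any user", "type": "Application"}]


def audit_grants(granted):
    """Compare granted permission rows with BASELINE and return a drift report."""
    seen = {}
    for row in granted:
        # Normalise whitespace and case so copy/paste differences do not matter.
        seen[" ".join(row["name"].split())] = row["type"].strip().lower()

    report = {"missing": [], "unexpected": [], "type_changed": [], "tenant_wide_mail": []}
    for name, expected in BASELINE.items():
        if name not in seen:
            report["missing"].append(name)
        elif seen[name] != expected:
            report["type_changed"].append((name, expected, seen[name]))
    for name, kind in seen.items():
        if name not in BASELINE:
            report["unexpected"].append((name, kind))
        # Application grants covering every mailbox deserve ongoing review.
        if kind == "application" and "all mailboxes" in name.lower():
            report["tenant_wide_mail"].append(name)
    for items in report.values():
        items.sort()
    return report


if __name__ == "__main__":
    for key, items in audit_grants(SAMPLE_GRANTS).items():
        print(f"{key}: {items}")
```

Running the check after initial consent and again on a schedule shows whether the app's grants have drifted from what this page documents.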

You have now ensured your target users will receive emails through Keepnet. Now you need to Whitelist Domains so your target users can successfully open Keepnet email links.

Video Tutorial

This video tutorial explains how to configure direct email creation settings and launch a campaign with these settings to create phishing emails directly in the user's inbox instead of launching with the SMTP option.


Q: Which permissions does the DEC feature work with?

A: Click here for more information.

Q: Can I launch a campaign with DEC settings using the Fast Launch option?

A: No, you can only launch a campaign with DEC settings using Campaign Manager. If you launch a campaign with Fast Launch, the campaign will be started with default SMTP settings.

Q: Do I need to whitelist if I use the DEC feature?

A: If you use only the Phishing Simulator product and use the DEC feature, you don’t need to do whitelisting. If you’re using other products, such as Awareness Educator, you need to do whitelisting, since the DEC feature currently works only with the Phishing Simulator product.

Q: Can I resend the campaign email to the users whose status shows Error in the Sending Report menu in the campaign report?

A: No. An Error status means the destination user account hasn’t been found in O365, or there is another problem with the user's email account; the platform shows the reason as a tooltip when you hover your mouse over the error status.

Q: What action should I take for users whose status shows an error ("domain.com" is not in the allowed domain list) in the Sending Report menu after launching the campaign?

A: You can check and make sure you selected the related domain addresses in the DEC configuration, and then you can try to resend the campaign to these users from the Sending Report menu in the campaign report.

Q: What are the security risks if we authorize the DEC feature on the O365 server?

A: Authorizing the DEC feature on the O365 server doesn’t involve any potential security considerations. Keepnet Labs provides encryption to secure data and prevent unauthorized access to keep your data safe.

First, we encrypt data in accordance with our cryptography policy and data protection policy to keep it secure and prevent potential vulnerabilities.

Furthermore, we have a strict access policy and do not allow unauthorized access to sensitive data; please see our access policy here.

Keepnet does its best to maintain rigorous security protocols such as regular audits of access rights, continuous monitoring for abnormal activities, and thorough vulnerability assessments.

You can see other data security measures on our platform security page.
