Direct Email Creation for Microsoft 365

This page explains how to use the Direct Email Creation feature in Microsoft 365. Please follow the steps below to set up DEC settings within your Microsoft 365.

The Microsoft 365 settings section requires global administrator privileges.

Connect Your O365 with the DEC App

Please follow the steps below to make the necessary settings on the platform for the Direct Email Creation feature to be connected to your Microsoft 365.

  • Log in to the platform

  • Go to Company > Company Settings > Direct Email Creation page.

  • Click the + NEW button and select Microsoft 365.

  • Click on the Connect Account button to connect your O365 with the Direct Email Creation (DEC) application to create a configuration.

  • If required permissions are established successfully, you can configure the following DEC settings.

    • Name: Set a name for DEC settings.

    • Domains: Select email domains that you will send phishing simulation emails.

    • Test Email: Test if the configuration works successfully.

      • Send Test Email To: Enter the business email address.

      • Sender Email Address: Enter any from the address.

      • Sender Name: Enter a sender name.

      • Message: Enter a message.

    • Click the SAVE button to create configuration settings.

The configuration will be created if the requested permissions are established successfully. If it fails, the admin can see why it fails from the same page of the configuration.

How to Launch Phishing Campaign by DEC Settings

Go to Phishing Simulator > Campaign Manager from the main menu. Click on + NEW to create a phishing campaign and launch it to your target users.

  • Please complete the first, second, and third sections step by step. For more information about how to use each menu, see here.

  • When you get to the Delivery Settings page, inside of the Email Delivery field, select your DEC settings.

  • Set up the rest of the settings as you wish, and then click on Next to go to the last page.

  • Review all of your settings and click the Launch button to create phishing simulation emails in the selected target user's inbox.

About Required API Permissions

You need to authorize the DEC application for your Microsoft 365 account to use the feature. The required minimum and mandatory API permissions are listed below.

Access mailboxes as the signed-in user via Exchange Web Services

Allows the app to have the same access to mailboxes as the signed-in user via Exchange Web Services.

Use Exchange Web Services with full access to all mailboxes

Allows the app to have full access via Exchange Web Services to all mailboxes without a signed-in user.

Manage Exchange As Application

Allows the app to manage the organization's Exchange environment without any user interaction. This includes mailboxes, groups, and other configuration objects. To enable management actions, an admin must assign the appropriate roles directly to the app.

Read all users' full profiles

Allows the app to read user profiles without a signed in user

Read and write mail in all mailboxes

Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.

Read domains

Allows the app to read all domain properties without a signed-in user.

Sign in and read user profile

Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Video Tutorial

This video tutorial explains how to configure direct email creation settings and launch a campaign with these settings to create phishing emails directly in the user's inbox instead of launching with the SMTP option.


Q: Which permissions does the DEC feature work with?

A: Click here for more information.

Q: Can I launch a campaign with DEC settings using the Fast Launch option?

A: No, you can only launch a campaign with DEC settings using Campaign Manager. If you launch a campaign with Fast Launch, the campaign will be started with default SMTP settings.

Q: Do I need to whitelist if I use the DEC feature?

A: If you use only the Phishing Simulator product and use the DEC feature, you don’t need to do whitelisting. If you’re using other products, such as Awareness Educator, you need to do whitelisting since the DEC feature only works for now with the Phishing Simulator product.

Q: Can I resend the campaign email to the users whose status shows Error in the Sending Report menu in the campaign report?

A: No, the users whose status shows Error means the destination email user account hasn’t been found in the O365, or there might be another problem for these users' email accounts which platform will show you as a tooltip if you hover your mouse over the error status.

Q: What action should I take for users whose status shows an error ("" is not in the allowed domain list) in the Sending Report menu after the launch campaign?

A: You can check and make sure you selected the related domain addresses in the DEC configuration, and then you can try to resend the campaign to these users from the Sending Report menu in the campaign report.

Q: What are the security risks if we authorize the DEC feature on the O365 server?

A: Authorizing the DEC feature on the O365 server doesn’t involve any potential security considerations. Keepnet Labs provides encryption to secure data and prevent unauthorized access to keep your data safe.

First, we encrypt data and apply it to our cryptography policy and data protection policy to make data secure and prevent potential vulnerabilities.

Furthermore, we have a strict access policy and do not allow unauthorized gain access to sensitive data; please see our access policy here.

Keepnet does its best to maintain rigorous security protocols such as regular audits of access rights, continuous monitoring for abnormal activities, and thorough vulnerability assessments.

You can see other data security measures on our platform security page.

Last updated

Copyright © Keepnet Labs LTD. All rights reserved.