Welcome to Keepnet! We're excited to be partnering with you on your human-risk management strategy.

This Getting Started guide will be your key resource in successfully implementing the technical setup of Keepnet and, therefore, mitigating human-related cybersecurity risks.

The steps you will follow:

1. ​Invite System Users​

2. ​Add Target Users​

3. ​

4. ​

5. (Only for customers who have Incident Responder product)

(Recommended)

(Recommended)

The document covers all aspects of , which not only addresses traditional phishing methods but also provides robust defenses against more complex attacks such as Vishing (Voice Phishing), Smishing (SMS Phishing), MFA Phishing (Multi-Factor Authentication), Quishing (QR code phishing), and Callback Phishing (Telephone Oriented Attack Delivery).

Our documentation ensures you get maximum value from our products. It comprehensively covers its core functionalities and detailed features, providing clear, step-by-step instructions for effective utilization.

Target Audience

Our documentation is designed for anyone who works with Keepnet products—whether you’re actively using them, selling them, or exploring their capabilities. It supports roles such as HR, IT, Compliance, and SOC teams, helping them maximize value from the platform. Whether sending targeted training, analyzing and containing email threats, or managing human risk across the organization, the resources are tailored to guide each role in achieving their objectives effectively.

It is essential that your employees are able to open all emails sent via Keepnet platform for you to accurately measure how your employees behave when faced with evolving social engineering threats.

To ensure emails are delivered in Google Workspace, you have 2 options:

​Direct Email Creation (recommended)

​Whitelisting​

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 or Google Workspace with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.

Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links

2. Eradicate maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions such as Defender or ZScaler)

3. Very simple and quick setup (can be completed in a couple of minutes!)

Whitelisting

Whitelisting is common practise for ensuring emails from specific domains are delivered successfully to the inboxes of your employees. Whitelisting is a method used by many organisations to ensure emails are successfully delivered.

The key challenge our customers face with whitelisting is email analysis tools often open links within emails to check for maliciousness, impacting the accuracy of your reporting data. For example, it may show that your employees have opened the phishing link when they have not. This will directly influence who receives the behavioural-based training.

Most customers choose to deploy Keepnet's highly customisable Phishing Reporter Button. Our Keepnet button is fully customisable and allows customers to set up automatic positive messages to employees to reinforce secure behaviour.

Setup is super simple:

Step 1. Configure the Phishing Reporter

Step 2. Deploy Phishing Reporter

For our full technical documentation on Phishing Reporter Button, please see below

Phishing Reporter

This page is currently under construction.

Your Target Users are the people who will receive simulation emails, training emails or any other emails from the platform. They will not have a login to Keepnet or require any access to the platform.

⬇️ You have several options for adding target users:

• Manually Add Users

• (most common: add users from your identity management provider directly into Keepnet. Automatically add people who join your business and remove people who leave)

The document show step-by-step how to synchronize users' information from the Jumpcloud identity provider to the platform.

SCIM Configuration in Jumpcloud

1. Please log in to Jumpcloud as an admin and follow the following steps.

2. Please create a group and assign users to the group for synchronization.

3. Go to SSO > + > and then click the Custom SSO SAML.

4. Enter a name for the Application name.

5. Go to the SSO submenu and enter a number like ‘1’ into the ‘IdP Entity ID’ and ‘SP Identity ID’ fields.

6. Go to the Identity Management submenu and then go to the bottom of the page to fill up the following fields.

   1. SCIM Version: SCIM 2.0

   2. Base URL: https://scim-api.keepnetlabs.com/scim

   3. Token Key: Please enter the secret token.

Jumpcloud configuration has been successfully finished. You can proceed with the following step.

Synchronization Users or Groups

1. Go to the SAML application and then select Groups that contain users that will be synchronized to the platform and then click the Save button.

2. The users will be synchronized to the platform in approximately a few minutes.

✅ You have now added your first Target Users. Now you need to successfully ➡️

What is the Incident Responder?

The Incident Responder analyses a suspicious email, and according to the results, it takes action at the inbox level. The product also analyses the URLs, IPs, and Files with the engines of different technologies it is integrated where it enables an institution to acquire the technologies that it doesn’t have.

There are 2 steps for setting up the Incident Responder:

1. - Keepnet will automatically tell you whether a suspicious email is malicious or not

2. - Keepnet will be able to remove malicious emails from all employees inboxes

Send a Smishing Campaign

Customise your Smishing Campaigns

Review Reporting for your Smishing Campaigns

Step 1.

To download the Phishing Reporter, go to the Phishing Reporter tab on the left hand side and select Configure Add-in (or click on Settings).​

Without this step, your employees will successfully receive the test phishing email but not be able to open the test phishing link without your browser security notifying the user that it may be a suspicious link. For the highest accuracy when measuring employee behaviour, you will need to whitelist domains in your browser and other security solutions.

Below are quick links for you to follow the relevant steps:​

It is essential that your employees are able to receive all emails sent via Keepnet platform for you to accurately measure how your employees behave when faced with evolving social engineering threats.

To ensure emails are delivered in Microsoft 365, you have 2 options:

​ (recommended)

​​

For successful analysis, you need to integrate one or many Threat Intel Partners. By integrating Threat Intel partners you will automate identifying malicious emails. Each email reported through the Phishing Reporter add-in will automatically be analysed for malicious content via multiple integrations.

1. Create a New Integration

Navigate to Incident Responder > Integrations. Click the blue New button. You can find all our Threat Intel partners under Integration Type.

The Targeted Approach is ideal for organisations that want to focus on specific threats or high-risk areas. With this method, you choose exactly which scenarios to send, giving you complete control over your campaign content and timing.

You can run campaigns in one of two ways:

1. Distribute scenarios across your target group

   • Distribute several specific scenarios to employees at the same time.

The Hyper-Personalisation feature allows you to send phishing simulation scenarios in each recipient’s preferred language. If a preferred language is not set, the system will default to the company's preferred language.

Step 1: Setting Up Preferred Languages for Users

Before launching a campaign with this feature, you must assign preferred languages to users:

1. Navigate to Company > Target Users.

With over 250 callback scenarios, our customers have a huge range of choice when planning their annual social engineering strategy. Our customer success team has cherry-picked our customers' most favourite scenarios across a number of different industries and tech stacks to help you streamline your efforts.

Top Tip: Simply copy and paste these Scenario Titles into Keepnet to find our favourites!

Please Contact Support Team

IT: Temporary IT support changes

Amazon: Order Confirmation

Slack : Reset your password

Microsoft Defender: Thank you for your auto-payment

Employee Survey Reminder

Google: Google Workspace Account Recovery

Send a Callback Campaign

Customise your Callback Campaign

The Randomised Approach is ideal for organisations looking to raise awareness broadly while collecting meaningful data on employee responses. Each employee receives a unique, randomly selected scenario from categories you’ve chosen, keeping campaigns relevant to their role or department.

You can automate campaigns to run weekly, bi-weekly, monthly, or quarterly, keeping your approach scalable without additional manual work. This ensures you consistently gather data on how employees respond to phishing threats, without the risk of employees alerting each other.

Key benefits:

• Broad awareness: Employees receive different scenarios from selected categories, making training realistic and engaging.

With over 6,500 smishing scenarios, our customers have a huge range of choice when planning their annual social engineering strategy. Our customer success team has cherry-picked our customers' most favourite scenarios across a number of different industries and tech stacks to help you streamline your efforts.

Top Tip: Simply copy and paste these Scenario Titles into Keepnet to find our favourites!

New Device Policy

Company Survey

Update MFA MS

Dropbox Verification Notice

LinkedIn Profile Notification

LinkedIn Unusual sign-in detected

Apple Apple ID login

Suspicious Login Detected

Amazon Delivery Failed

With over 5,000 vishing scenarios, our customers have a huge range of choice when planning their annual social engineering strategy. Our customer success team has cherry-picked our customers' most favourite scenarios across a number of different industries and tech stacks to help you streamline your efforts.

Top Tip: Simply copy and paste these Scenario Titles into Keepnet to find our favourites! Get these scenarios in your local accent by duplicating the scenario and change the AI voice 🤖

CEO Message

PayPal Fraud Alert

Tax Refund Support

Your Tax Refund is Ready: Confirm Now and Get Your Money!

Apple Gift Card Promotion

Bank Fraud Alert

Send a Vishing Campaign

Create Custom Vishing Templates

Keepnet makes it simple to deliver security awareness programs that feel authentic and accessible to every employee, anywhere in the world. Our multi-language features ensure your training and phishing simulations are effective across regions, cultures, and languages -without added complexity.

• – Set up enrolments so employees can choose their preferred language directly from the training email, ensuring inclusivity and higher engagement.

• – Instantly adapt any phishing template into multiple languages, with AI adjusting tone, dates, currencies, and formatting for cultural accuracy. Multiple localisations can be completed at once for faster, more realistic campaigns.

Send a Quishing Campaign

Customise your Quishing Campaigns

Your license model determines which widgets are available on the dashboard.

Top Posts

The Top Posts box shows the five messages shared on the Threat Sharing platform that have generated the most interaction. Click on the title of a post to see more information.

The All button at the top right of the box will take you to the Threat Sharing section.

Recently Posted Threats

The Recently Posted Threats box displays the title of the last five posts shared on the Threat Sharing platform, the name of the malicious content in the post, and the name of the community where it was shared.

The All button at the top right of the box will take you to the Threat Sharing section.

The widgets available will vary depending on your license type, role, and permissions.

Any actions you take will only be valid for your system users. Other users will see their own settings.

Dashboard Actions

Edit Dashboard

You can add, remove, or relocate a widget by clicking on the Edit Dashboard button at the top right. Once you have made the change, click Save Changes.

Add Widgets

Select the widget you want from the Edit Dashboard > Add Widgets menu and click Save Changes to confirm the action.

Remove Widgets

When you click Edit Dashboard, an ‘X’ icon will be visible at the top right of each widget. Click the ‘X’ to delete a widget and click Save Changes to confirm the action.

Relocate Widgets

Click the Edit Dashboard button and drag and drop the widget to the desired location. Click Save Changes to confirm the action.

Responding swiftly to email attacks is significant, as each passing minute escalates the threat. On average, it takes 9 hours to detect and remove a malicious email, significantly amplifying the risk. Keepnet's automated phishing incident response tool allows businesses to identify and respond to email attacks in minutes

Here's our Understanding Incident Responder Slide Deck 📍

With thousands of ready-to-use simulations across phishing, quishing, callback, vishing, and smishing, you have a wealth of options when shaping your organisation’s security awareness strategy. To make things easier, our Customer Success team has hand-picked their favourite and most effective scenarios from each simulator. These recommendations highlight the scenarios most loved by customers across industries and use cases, helping you quickly identify impactful options and streamline your process as you get started with Keepnet.

The document show step-by-step how to synchronize users' information from the Okta identity provider to the platform.

Please make sure to set up the mandatory settings from the ‘Getting Started’ page in this document before proceeding to the following step.

OKTA Configuration

1. Please log in to https://www.okta.com/ as an admin user.

2. Click on Applications and go to Applications from the left menu.

3. Click on the Browse App Catalog and search SCIM 2.0 Test App (OAuth Bearer Token) and then click Add button.

4. Enter a name for the application like My SCIM Integration and click on the Next button.

5. Choose SAML 2.0 with the default settings and click on the Done button.

6. The application is now created successfully, go to the Provision menu and click the Configure API Integration button and then enable the API Integration option.

   1. Tenant URL: https://scim-api.keepnetlabs.com/scim

   2. Secret Token: Enter the token which was created on the platform.

Okta configuration has been successfully finished. You can proceed with the following step.

Synchronization Users or Groups

1. Go to the Assignments menu and click on the Assign button to assign Users or Groups to this SCIM application which will be synchronized to the platform.

2. To import user(s) or group(s), click on the Assign button to synchronize users or groups to synchronize to the platform.

✅ You have now added your first Target Users. Now you need to successfully ➡️

Tutorial Video

This video tutorial shows the documentation steps for synchronizing users' information from the Okta identity provider to the platform.

By setting up a SCIM integration, you can ensure all new employees are added in auto-enrolled training and phishing simulations. There are 2 key steps to setting up your SCIM integration:

1. Get your secret token

2. Complete setup in your AD portal

First, get your secret token

Step 1: Create a new SCIM Setting

Go to Company > Company Settings > SCIM Settings page. Click the ‘+New’ button to create a SCIM setting.

Step 2: Map a Field (Optional)

Some of our customers add custom fields to add information in addition to email, first name, last name, department and phone number. If you would like to set this up click here, otherwise you can skip.

Step 3: Group Settings

Group Name: If you would like to synch all users to one target group please select the group here. You can leave empty and group by department instead.

Grouping Criteria: You must select one of these

• Select a SCIM field to determine user groups: Group users by department (or a custom mapped field such as location). This will group all users by the Entra ID property "Department"

• Synchronise groups with identity management platform: Groups are mirrored directly from Entra ID. If you select a group called "Keepnet UK" on Entra ID, this group will be named exactly the same in Keepnet and contain the exact same users.

Step 4: Copy your Secret Token

Click Save and make sure to copy the unique token information.

✅ You can now use the following shortcuts to complete the final settings on your identity provider platform.

Shortcuts

• ​

• ​​

• ​​

Welcome to the Customer Success Hub—your one-stop destination for guidance, best practices, and resources to help you get the most out of Keepnet. This self-service model is designed to put success at your fingertips, so you can find the answers you need quickly and start seeing results right away.

Inside, you’ll find:

• 🎥 How-to Videos – Quick, practical walkthroughs to guide you through common tasks.

• 🎯 Campaign Strategy Guide – Expert advice on planning and running effective security awareness campaigns.

• 💙 – Hand-picked simulations from our Customer Success team, showcasing the scenarios customers love most.

• 🌍 – Tools to run global programmes with local impact through training, localisation, and hyper-personalisation.

Our goal is to make it easy for you to achieve success—whether you’re just getting started or scaling your awareness efforts globally.

Keepnet utilizes a tracking pixel to monitor when users open phishing simulation emails. This tracking pixel is embedded in all phishing simulation emails sent through the platform. When the email is opened, the pixel sends a response to Keepnet, logging the open event.

It is important to note that opening a phishing simulation email is not considered a failure and does not impact the user’s gamification score. However, phishing emails may be marked as "opened" automatically in the following scenarios:

• Email Reported: If a user reports the phishing email using the Reporter Button, the email is automatically logged as opened.

• Phishing Failure: If a user clicks on a phishing link or opens a malicious attachment within the simulation email, the system will mark the email as opened, even if the tracking pixel does not load.

This tracking mechanism ensures accurate monitoring of user interactions while maintaining fair evaluation criteria in phishing awareness programs.

Email Opens Not Being Recorded

In some organizations, email client settings prevent images from being automatically downloaded. When this occurs, Keepnet's tracking pixel cannot load, and email opens will not be recorded in phishing simulation reports.

If your organization blocks automatic image downloads, you can enable email open tracking using one of the following methods:

Safe Senders List (not recommended)

You can add phishing email senders to a safe senders list to allow all email images to load. This method is not recommended for the following reasons:

• There is a limit to the number of safe senders you can add, and Keepnet sends simulations from many different email addresses. Our phishing simulation email addresses are also subject to change without notice.

• Your users may be able to identify phishing simulation emails due to all of the images loading, while other external, non-Keepnet emails would not load images.

Trusted Zone in Outlook (recommended)

You can create a Group Policy Object in Active Directory to update the Trusted Zone in Outlook to allow tracking pixels to load without allowing all other phishing simulation email images to load. The steps to complete this are detailed below:

1. Navigate to your Local Group Policy Editor.

2. You will find the correct Group Policy to edit by navigating to User Configuration > Windows Settings > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

3. Double-click the Site to Zone Assignment List policy to modify the policy.

We recommend sending a phishing test campaign to yourself once these settings are saved so you can ensure opens are being tracked successfully.

Scheduling your Phishing Campaigns

Customising your Phishing Templates

We have over 16,000 templates you can start using immediately. However, many customers love to customise the templates available for their own business. Alternatively, some customers have emails they want to import to Keepnet to use as a Phishing scenario.

View Reporting for your Campaigns

Scheduling Training Enrollments

How Your Employees Receive & Access Training

View Reporting For Training Enrollments

Requirements

In order to use the Phishing Reporter add-in in the Exchange environment, your platform must meet the following requirements.

• Exchange 2013 - version (15.0.847.32) or above

• Exchange 2016 - version (15.1.225.42) or above

• Exchange 2019

Deploy Add-in

To deploy the Phishing Reporter add-in, follow the steps below.

• Log in to the Exchange Admin interface.

• Go to Exchange Admin Center > Organization > Add-ins (called Apps in some versions)

• Click the (+) button and select Add from file. Install the Phishing Reporter .xml file that you previously downloaded and click Next.

✅ You have now deployed the Phishing Reporter. Next step is to (only for customers who have purchased the Incident Responder or SOC package)

Video Tutorial

Keepnet makes it simple to deliver training in the languages your employees are most comfortable with. This guide will walk you through setting up training enrollments that allow employees to choose their preferred language directly from the enrollment email. You’ll also learn how to configure which languages are available for each training, ensuring a seamless experience that supports inclusivity and accessibility across your organisation.

Step 1: Update Notification Template Email

1. Go to Company > Company Settings > Notification Templates

2. Search "Enrollment" to bring up all 7 Enrollment templates

   1. Learning Path Enrollment Reminder

   2. Learning Path Enrollment

   3. Infographic Enrollment

   4. Poster Enrollment
3. Duplicate each one to be able to edit and add the Language Selector option

4. Replace the "Enroll" button with the "Training Language Selection" merge tag

5. Repeat for all 7 enrollment templates

Top Tip: Some customers use this opportunity to customise with their logo and branding!

Step 2: Send Training & Select Languages

1. Go to Awareness Educator

2. Select the training module you would like to send (work best for multi-language modules)

3. Click on the 3 dots & click "Send Training"

4. Under Content Language:

🤖 Analysis

1. An employee reports a suspicious email using the Keepnet Reporter Button or Native Microsoft Report button

2. Keepnet analysis the reported email for malicious content in seconds using 5+ integrations simultaneously

3. Keepnet automatically shares the analysis result with the employee via email

🔎 Investigate

1. When analysis result is “Malicious”, Keepnet starts an automatic investigation to find all instances of the malicious content

2. Once investigation is complete, Keepnet System Admins receive Investigation Report

3. Keepnet System Admin can then log into Keepnet and delete all instances of malicious emails in a few clicks

With over 16,000 phishing scenarios, our customers have a huge range of choice when planning their annual social engineering strategy. Our customer success team has cherry-picked our customers' most favourite scenarios across a number of different industries and tech stacks to help you streamline your efforts.

Top Tip: Simply copy and paste these Scenario Titles into Keepnet to find our favourites!

Microsoft

Policy Announcement – Microsoft Teams

Microsoft: SETTINGS EXPIRE TODAY

New Message on Teams

Someone Sent a Document

Sharepoint: IT Support shared “To be completed” with you

Microsoft Teams: Director added you to a project team!

Google

Google Docs: You were mentioned in a comment

Google: Suspicious sign-in prevented

Google: Shared Spreadsheet

Common Threats

DocuSign: Your Document Has BeenCompleted

DocuSign: Signature Request

IT: Back Up Your Emails

LinkedIn: Deactivation Request

Support Desk Alert

HR: All Employee Meeting

Mimecast: You have new held messages

Your Benefit Program Account has invalid information

Impersonation

New Employee Impersonation

Action Required: Storage Quota Exceeded

CEO Fraud: Supplier Payment Approval

CEO Fraud - Payroll confirmation

CEO Fraud - Request IT Help, Locked Out

Senior Leadership Team

CFO: Financial Report

HR: Annual Employee Growth Report

Sharepoint: New shared document

Sharepoint: IT Support shared “To be completed

OpenAI: Invited to a ChatGPT Team

Example: Sharepoint: IT Support shared “To be completed

This section explains how to structure phishing awareness campaigns using Keepnet. It introduces three approaches — Randomised, Targeted, and The Blend — showing how each helps you:

• Deliver relevant scenarios to employees

• Scale campaigns efficiently

• Collect meaningful data on how employees respond to phishing threats

To help you hit the ground running, our Customer Success team has hand-picked the most popular and effective phishing campaigns. These examples give you tried-and-tested inspiration to build an engaging programme that develops employee awareness from day one.

You can explore each approach in detail using the links below, including step-by-step guidance and tutorial videos for setting up campaigns:

Quick visual summary:

Use this page as your starting point to decide which approach works best for your organisation and to access tutorials for each campaign type.

Whitelisting in Content Filtering (Proxy)

Whitelisting Platform Addresses

Platform administrators must whitelist dash.keepnetlabs.com and api.keepnetlabs.com on content filtering proxy solutions to use the products successfully.

Whitelisting Phishing Simulation Domain Addresses

The domain names of the should be whitelisted with content filtering (proxy) solutions to make sure that the domains can be accessed by the target users. If the target users can't access the phishing link in the network, the simulated phishing campaign might not be successful.

You can find the phishing simulation domains by logging into the platform and then go to Phishing Simulator > Settings > Domains page.

Whitelisting in Data Loss Prevention (DLP)

System administrators may upload the target users' first name, last name, email address, department, or such other information to the platform; however, because can be very sensitive, the platform domain information should be whitelisted to ensure DLP allows you to upload these pieces of information to the platform.

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

Next step is to ➡️

What is the Phishing Reporter?

Phishing Reporter is an add-in that allows users to easily report a suspicious email to cyber security teams. Quick, comprehensive analysis and response can be provided when used in conjunction with the Incident Responder.

There are 2 options:

• Integrate the Native Microsoft Reporter Button with Keepnet

  • Use your existing reporter button whilst capturing who is showing secure reporting behaviour across your phishing simulations

• Use our highly customisable Keepnet Reporter Button

  • Customise the language employees see when reporting and set up positive reinforcement messages for employees whilst still being able to redirect reported emails to your SOC team

Using the platform's APIs, target users may be effortlessly migrated. The API endpoints that are required are detailed below.

Instructions for adding target users using an API

POST ​/api​/target-users

• Go to the Swagger .

• Click the Authorize button on the top right side of the page.

• Complete the authorization step with the Client ID and Client Secret key that you created on the platform.

• Make sure that the api1 option is checked (✓) on the Scopes section.

• Then use this endpoint to add a new target user to the platform.

Searching for a user using API

POST ​/api​/target-users​/search

• Go to the Swagger .

• Click the Authorize button on the top right side of the page.

• Complete the authorization step with the Client ID and Client Secret key that you created on the platform.

• Make sure that the api1 option is checked (✓) on the

Editing Target Users using API

PUT ​/api​/target-users​/{resourceId}

• Go to the Swagger .

• Click the Authorize button on the top right side of the page.

• Complete the authorization step with the Client ID and Client Secret key that you created on the platform.

• Make sure that the api1 option is checked (✓) on the

​✅ You have now added your first Target Users. Now you need to successfully ➡️

Video Tutorial

This document provides a step-by-step guide on how to synchronize users' information, such as First Name, Last Name, Email Address, Department Name, etc., from the Google Workspace email server to the platform.

Please follow the steps below.

1. Go to Company > Company Settings > Google User Provisioning page.

2. Click the CONNECT TO GOOGLE button.

3. Click Continue and then click the Allow button to grant the requested permissions.

4. After successful integration, please proceed with the following configurations.

5. In the Select Sync Source field, choose one of the following options:

   1. Sync Organizational Units (OU): Sync users from the organizational units. Select all organizational units or choose the ones you wish to sync users from.

   2. Sync Groups: Sync users from group(s) that are from your Google Workspace. Select all groups or choose the ones you wish to sync users from.

6. In the Select Sync Method field, choose one of the following three options:

   1. Sync all users to target users: This will sync all users from the selected organizational units or groups.

   2. Sync all users to a target group: This will sync all users from the selected organizational units or groups and add them to the selected target group on the platform.

   3. Sync users and create a matching group:

7. Now, click the START SYNC button to begin synchronization.

The synchronization may take some time depending on the number of target users. Once the synchronization is complete, you can view the synced users on the Company > Target Users page.

The synchronization automatically repeats every 24 hours to ensure all users are updated with the latest information from Google Workspace, or to remove any target users who are no longer available in Google Workspace.

If you wish to sync the user's latest information to the platform immediately without waiting 24 hours, please click the SYNC NOW button.

How to Remove Google Workspace Integration

If you no longer need to sync users from Google Workspace to the platform and wish to remove the integration, you can follow the steps below.

• Go to Company > Company Settings > Google User Provisioning page.

• Click the Unlink Integration button to remove the integration.

The integration is now successfully deleted.

Customers can take any of our 16,000+ phishing templates - or your own custom scenarios -and localise them into any language of your choice. Keepnet doesn’t just translate; it adapts the entire email, including subject lines, body text, currencies, dates, and tone, to feel natural and authentic for the target region. Multiple localisations can be completed at once, making it simple to launch truly global campaigns in minutes.

With optional human review for added quality assurance and unified reporting across all languages, you can scale phishing simulations faster, more cost-effectively, and with greater realism than ever before.

For example:

Step-by-Step

1. Go to Phishing Simulator > Phishing Scenarios > Email Templates

2. Duplicate or Edit any Phishing Template

3. On the Email Settings page, click on the Localize button

4. Select one or many languages you'd like the template to be localised in

5. Once complete, use the drop-down on the top left hand side to review the localisation of each language

6. Save

Top Tip: Add this template to a Scenario to send to your employees

Video: How to Localise any phishing template

To complete this procedure, you must have security administrator privileges with the Microsoft Security & Compliance Center or be a member of the Microsoft Exchange Online Organization Management administrator group.

1. Note the IP addresses to be allowed.

2. Log in to your exchange admin center.

3. From the left sidebar menu, go to Mail flow > Connectors.

4. Click Add a connector.

5. Select Partner organization in the Connection from the section.

6. Give the connector a name and click Next.

7. In the Authenticating sent email window, select the option that states By verifying that the IP address of the sending server matches one of the following IP addresses that belong to your partner organization.

8. Enter the IP addresses and click Next.

9. Uncheck the TLS option stating Reject email messages if they are not sent over.

10. Click Next, then click Save to complete the process.

You must complete the following steps once the connector is defined.

1. Go to the Mail flow > Rules page in the left sidebar menu.

2. Click the + icon on the screen and select Bypass spam filtering.

3. In the New rule window, give the rule a name and select The sender is ... > IP address is in any of these ranges or exactly matches.

4. Enter the IP addresses and click

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

Next step is to ➡️

Q: When I try to log-in, I get a "invalid token" error

A: This error message appears when customers try to access keepnet using their "account creation" link on the original email you received when joining Keepnet. Instead, navigate to dash.keepnetlabs.com to login and you won't have any issues!

Q: I added the new Just-in-time Red Flags landing page as a 2nd landing page for a data submission campaign. However, the email template didn't pull through when I tested.

A: Great idea! When you copy the HTML of the Red Flags landing page to use as a 2nd step, you will also need to copy the custom javascript code. This is the code which loads the email template use in the campaign with the red flags highlighted. Below is a 5 minute video on how to resolve this!

https://www.loom.com/share/79889043685147479f35c80696442723

We're also going to be improving the customer experience for adding 2nd landing pages which will allow you to select an existing landing page for page 2 without copying HTML at all!

Q: What is Bot Activity and why might I see it on my Campaign Report?

Bot Activity means something has scanned the link on your phishing email. This could be a security tool, a chrome extension or an analysis engine. Keepnet has highly sophisticated methods of detecting bot activity to ensure your reports only include the human activity of your employees. Here is an explainer deck which covers each Bot Activity type in more detail 👇

Q: How do I remove users from the platform if I've used SCIM to pull in from Entra ID?

To remove users from Keepnet when connected to Entra ID, please go to portal.azure.com and find the Enterprise Application you made for Keepnet SCIM. Navigate to Users & Groups and manage users from here. Add and remove users to Keepnet from this application. Microsoft updates Keepnet every 40 minutes!

The Blend Approach combines the strengths of both the Randomised and Targeted methods, giving organisations a balanced, scalable, and highly effective phishing awareness programme.

With this approach, you run:

1. Monthly randomised campaigns

   • All employees receive unique, randomly selected scenarios from categories you choose.

   • Keeps awareness broad and realistic while preventing employees from alerting each other.

2. Quarterly targeted campaigns

   • Focus on high-risk users, departments that need extra awareness, or key functions such as HR, Finance, and IT.

   • Ensure everyone in these groups experiences and sees examples of the most relevant phishing threats for their role.

Key benefits:

• Comprehensive coverage: Combines broad awareness with focused attention on high-risk areas.

• Scalable: Automate randomised campaigns while scheduling targeted campaigns at key intervals.

• Industry-relevant exposure: Employees see the most common phishing threats in your industry — for example, DocuSign, Microsoft notifications, or reset password scams — reinforcing recognition and response skills.

• Actionable insights:

Getting started:

FAQs

This document will provide information on how to start an Email Threat Simulator scan to the email inbox using a Google Workspace account.

To use the Email Threat Simulator with a Google Workspace email account, the app requires a password.

Create an app password

Follow the steps to create the app password for the Google Workspace account.

1. Go to your (for test mail address)

2. Select Security.

3. Under “How to sign in to Google”, select 2-Step Verification.

4. At the bottom of the page, select App passwords.

5. Enter a name to help you remember where to use the app password.

6. Select Create.

7. Copy and save the app password for use in the Keepnet interface.

8. The app password is a 16-character code generated on your device.

9. Select Done.

How to start a simulation with a Google Workspace account?

This section describes the steps to start a scan with Google Workspace in the Email Threat Simulator product.

1. Go to Email Threat Simulator > Scans page from the left menu on the platform.

2. Click on the +NEW button to start a new simulation.

3. Read the warning message and then click on the “I Understand” button.

4. Fill in the Test Email Address field.

Use the document to understand the details of the scan report.

The Dashboard is the first page that the system administrator sees after logging into the platform. This section explains how to use the Dashboard widgets to enhance functionality to suit your needs.

Shortcuts

• How to manage Dashboard widgets

Help

Click the AI-Powered Assistant icon (...) at the bottom right of the Dashboard to get help about any information.

Video Tutorial

The following video tutorial contains information about how to manage dashboard.

By integrating Threat Intel partners you will automate identifying malicious emails. Each email reported through the Phishing Reporter add-in will automatically be analysed for malicious content via multiple integrations.

There are 2 steps to Integrating Threat Intel Partners:

1. Create a new integration

2. Follow relevant steps to install each threat intel partner

Creating New Integration

Navigate to Incident Responder > Integrations. Click the blue New button. You can find all our Threat Intel partners under Integration Type.

Quick links to install each Threat Intel Partner

You can install free threat intel partners or if you already have subscriptions for paid versions, you can integrate these too! All links to install all free and paid for intel threat partners below

Free Intel Threat Partners

​

​​

Paid Intel Threat Partners

​​

​​

​

This section will help you comprehend and utilize the fundamental features within the Phishing Scenarios page. Below, we have provided shortcuts to the parameters within the Phishing Scenarios page.

Shortcuts

• How to see or create phishing scenarios and launch the target users

Our Email Threat Simulator is an easy way to see how many real threats are currently able to bypass your email security. Quickly review which ones aren't blocked and take action to block these in the future. Each time there is a new threat vector, we will add this to Email Threat Simulator so you can consistently stay informed about which active threats can bypass your current SEGs.

How to Whitelist an IP Address in Google Workspace

Google Workspace IP Bypass

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting

The document show step by step how to synchronize users' information from the Onelogin identity provider to the platform.

Onelogin Configuration

1. Please log in to as an admin user.

Our collection of short, step-by-step video guides is designed to help you get the most out of Keepnet’s security awareness tools. From setting up and running phishing simulations, to delivering engaging training, through to deploying the Phishing Reporter button, each video provides clear, practical guidance to make every stage simple and effective.

1. Note the to be allowed.

2. Log in to your exchange admin center.

With over 5,500 quishing scenarios, our customers have a huge range of choice when planning their annual social engineering strategy. Our customer success team has cherry-picked our customers' most favourite scenarios across a number of different industries and tech stacks to help you streamline your efforts.

Top Tip: Simply copy and paste these Scenario Titles into Keepnet to find our favourites!

Microsoft: SharePoint has been set up for your account

Microsoft: Re-authenticate your account

LinkedIn Your organization can join LinkedIn Learning

DocuSign: Your Document Has Been Completed

Microsoft Teams : Urgent: Video Meeting Request

Microsoft: SharePoint has been set up for your account

Google Account Security Verification Required

Congratulations! You've Won a Reward as an Active Google User

This article section describes how to integrate the module with Google Workspace, Exchange, or Microsoft Office 365 email services. It's important to follow the steps accurately. Please contact your email server administrator if you don’t have the required permissions to make these configurations.

Benefit of Email Server Integration

The Incident Responder module investigation tool can detect malicious emails in user inboxes and remove them automatically or can be removed by the admin as well.

Server-based integration with your email service provides the most comprehensive protection. While email investigations can be conducted with the Phishing Reporter plug-in, the user must have Outlook open and the plug-in active for the investigation to be successful. If the Outlook application is closed for any reason, a complete investigation can only be performed using a server-based integration.

You will need to add all people responsible for managing and performing all activities on Keepnet to the platform. This should include any AD Admins required for technical setup.

Step 1.

Our requires a test account for making and reporting the tests listed here. This document contains sample configurations for making possible security and reliability checks with this test account.

The test account will only receive email and will not be able to send mail to any internal or external email address except us. This is a safe configuration option that will prevent potential violations.

Create Test Account

Customers who use an Exchange email server must create a restricted email account. Customers who use Google Workspace, Microsoft 365, or other services may skip this step.

Use the Exchange Server PowerShell administrative interface to create a test account with the command below.

Our allows institutions to defend against major attack vectors. In recent years, the number of target-oriented attacks has increased significantly. Most often, the targets of attacks are large corporations, government agencies, and political organizations. However, any institution that collects data seen as valuable faces a risk of cyberattack. Awareness of potential exposure and preparation to resist an attack are critical in today’s world.

Shortcuts

Your license model determines which widgets are available on the dashboard.

Phishing Campaign Trends

This widget shows a summary graph of the overall performance of your phishing campaign for the last 6 months. The graph is organized by the number of users(Y-axis) and date(X-axis). The widget represents how many users have fallen to the phishing campaign for Click Only, Data Submission, and Attachment types of campaigns.

You can view your phishing campaign reports by clicking on the Campaign Reports shortcut.

It is essential that your employees are able to receive all emails sent via Keepnet platform for you to accurately measure how your employees behave when faced with evolving social engineering threats.

To ensure emails are delivered in Microsoft 365, you have 2 options::

• ​

Step 1.

Navigate to Company > Target Users on the left hand side menu. Click the "+New" blue button.

This text has been prepared for customers to use who want to inform their users that Keepnet will be their new cybersecurity awareness training provider.

• Replace [Company Name] with your company name

Dear [Team Name],

We’re excited to announce that your cybersecurity awareness training will now be delivered through Keepnet! This is part of our ongoing efforts to make training simple, effective, and easy to complete.

Here’s what to expect:

• Emails from Keepnet: Look out for training invitations coming from [email protected].

• One-click access: Simply click the “Enroll” button in the email—you’ll go straight into the training. No logins or passwords required.

• Quick and interactive: Each session is interactive and takes only 3–5 minutes on average to complete.

• Seamless experience: We’ve designed the process to make completing training as smooth and hassle-free as possible.

By completing these sessions, you’ll be helping to strengthen our company’s cybersecurity posture and stay ahead of potential threats—all in just a few minutes.

Thank you for taking the time to stay informed and proactive. Together, we can make [Company Name] safer for everyone.

This text has been prepared for customers to use who want to inform their users about the Phishing Reporter add-in.

• Replace [Company Name] with your company name

• Replace "Suspicious (Phishing) E-mail Reporter" with the name of your add-in

Email Template

Dear Employees,

We’re excited to introduce a brand-new tool that puts the power of cybersecurity right at your fingertips: the “Suspicious (Phishing) E-mail Reporter”

What is it? This handy add-in adds a “Suspicious (Phishing) E-mail Reporter” button directly to your email menu bar. With a single click, you can report suspicious emails for our Information Security Team to investigate - helping us protect the company from potential threats before they become problems.

Why it matters:

• Protect yourself and your colleagues: Reporting suspicious emails helps prevent security incidents that could affect everyone.

• Strengthen our company’s cybersecurity: Timely alerts mean our security team can act quickly, keeping our systems safe.

• Stay cyber-savvy: Each report helps you recognise phishing attempts and sharpen your awareness.

How to use it:

1. Spot a suspicious email.

2. Click the “Suspicious (Phishing) E-mail Reporter” button in your email menu.

3. Choose whether you’d like to delete the email.

4. That’s it! The Information Security Team will analyse the email and send you a quick update on what we found.

Thank you for helping us keep [Company Name] safe and secure. Spotting and reporting suspicious emails protects the whole team.

Stay alert and stay safe,

You can integrate your EWS environment with the Incident Responder product by following the steps below.

First, you must have or create a Microsoft user identity with either impersonation or delegation permission.

Please refer to this document for information on how to create a service/admin user.

Impersonation

Impersonation gives one service account access to every mailbox in a database. This enables quick and easy investigation and response to an incident.

Restrictions may also be designated for the impersonation account, depending on the policies of the organization.

The following command can be used in the Exchange Management Shell to grant the impersonation privilege to a service account. This example assigns the service account [email protected] full access permission to all user mailboxes in the company.com organization.

Delegation

The delegation privilege requires that permissions be added individually to each mailbox. The platform can access the mailboxes within the Exchange designated by the organization.

Restrictions may also be designated for the account, depending on the policies of the organization.

The following command can be used in the Exchange Management Shell to grant delegation privilege to a service account. This example assigns the service account user [email protected] full access permission to the specified ‘TargetUserName’ user mailbox.

Test the Integration

To make sure that the integration is working, you can test it on the platform. Go to Incident Responder > Mail Configurations on the left sidebar menu of the dashboard and then click + NEW and choose the mail provider - in this case, Exchange EWS. Complete the following fields in the configuration table:

The integration details are:

The new configuration will now appear in the list of mail configurations if the test was successful.

Throttling Policy Configuration

What is Throttling Policy?

Throttling policy is a control mechanism designed to preserve server reliability and functionality by limiting the resources consumed by a single user or application.

The Microsoft Exchange throttling policy is a default setting that restricts users on various client access protocols, such as MAPI, Activesync, OWA, POP3, etc., intended to prevent a potential crash or denial of service (DoS) via repeated requests.

A successful integration between Exchange and the Incident Responder will lead to hundreds of connections on the Exchange server when an investigation begins.

The investigation may be obstructed by the throttling policy. Therefore, the default throttling policy rights of the service user defined in the Incident Responder product should be expanded to avoid this problem.

Choose a Throttling Policy

You can use the command below in Exchange Management to view all of the available throttling policies.

Add a New Throttling Policy

Open the Exchange Management Shell and use the command below to create a new throttling policy.

Configure Authorizations for the Throttling Policy

Once you have added a new throttling policy, please enter the following command to set the permissions of the new policy.

Assign Throttling Policy to a Service

User Use the command below to assign a throttling policy to a specific user. Replace “[email protected]” with the service user you designated in the Incident Responder.

This document shows how to synchronize users' information from the Azure AD identity provider to the platform. Please make sure to set up the mandatory settings from the ‘SCIM Integration’ page before following the below steps:

1. Add New Enterprise Application

2. Provisioning Settings

3. Synchronize Users / Groups

Add New Enterprise Application

Step 1. Login

Log in to as an Azure Admin.

Step 2. Add new Enterprise Application

1. Click on Microsoft Entra ID.

2. Click on +Add at the top left hand side.

3. On the drop down select Enterprise Application.

4. Click on +Create your own application.

Step 3: Create your own application

1. Enter a name for the application.

2. Select ‘Integrate any other application you don't find in the gallery (Non-gallery)’ option.

3. Click the Create button to create the application.

Provisioning Settings

1. Select the ‘Provisioning’ menu from the left side.

2. Click the ‘New Configuration’ button and then enter the following information.

Tenant URL: https://scim-api.keepnetlabs.com/scim

Secret Token: Enter the token which was created on the Keepnet platform.

1. Click the ‘Test Connection’ button to test your configuration. If it’s successful, click the Save button to save settings.

Synchronize Users and Groups

When synchronizing users, customers have 2 options:

• Synchronize all users in Entra-ID

• Synchronize only assigned users and groups

Synchronize all users and groups in your Entra-ID

1. Within the provisioning section, use the Settings drop down

2. You will notice it defaults to 'Synchronize only assigned users and groups'

3. Click on 'Synchronize all users and groups'

4. Save

Synchronize only assigned users and groups

1. Click on Users and Groups in the left hand menu under Manage

2. Click on 'Add users/groups'

3. Click on 'None Selected' on the left hand side

4. On the right, you will see a list of your users and groups populate

Start Provisioning

The final step is to start provisioning. Simply go to Overview on the left hand menu and select Start Provisioning on the top of the page.

Your users will sync from Microsoft to Keepnet every 40 minutes, ensuring any new employees who belong to one of your assigned groups is automatically added to Keepnet

✅ You have now added your first Target Users. Now you need to successfully ➡️

Tutorial Video

This video tutorial shows the documentation steps for synchronizing users' information from the Azure AD identity provider to the platform.

A

How to Install the Microsoft Ribbon Phishing Reporter

1. Customize Phishing Reporter for your organization's needs

2. Go to Phishing Reporter > Manage and Download section and click “Connect Account”

1. Log in to your Microsoft 365 account using your admin credentials.

2. Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.

1. Once you accept the permissions, the GRAPH Authorization Successful window will display.

1. Click the Download icon below the Microsoft Ribbon Phishing Reporter option to download the PhishingReporterRibbon.xml file.

2. In a new tab of your browser, log in to your Microsoft 365 admin center.

1. From the menu on the left side of the page, click Settings.

2. From the Settings drop-down menu, select Integrated apps.

1. Click Add-ins at the top-right corner of the page. The Add-ins page will open

1. On the Add-ins page, click Deploy Add-In. The Deploy a new add-in pop-up window will open.

1. In the pop-up window, click Next.

1. Click Upload custom apps.

1. Select the I have the manifest file (.xml) on this device option. Then, click Choose File and select the PhishingReporterRibbon.xml file that you downloaded in step 6.

1. Click Upload to install the Phishing Reporter. The Configure add-in pop-up window will open.

1. From the pop-up window, select which users will have access to the Phishing Reporter and which method you would like to use to deploy the Phishing Reporter.

1. Click Next, and additional app permissions will display.

2. Once you have read the permissions, click Save. The Deploy Phishing Reporter pop-up window will open.

1. Once the pop-up window displays a confirmation that the add-in successfully deployed, click Next. The Announce add-in pop-up window will open and display a message about announcement recommendations from Microsoft.

1. Click Close to close the pop-up window.

Troubleshooting Microsoft Ribbon Phishing Reporter

We were unable to process this item. Please try again later.

"We were unable to process this item. Please try again later." message in the Ribbon Phishing Reporter in Outlook.

The suggested solution is to ""

Tutorial Video

This video tutorial shows the documentation steps for deploying Microsoft Ribbon Phishing Reporter add-in on M365.

Some customers like to customise the default behaviour of the Incident Responder and the relevant Notification Templates associated with the default workflow. Below are some popular customisation our customers request and how to achieve each one:

• Customise Notifications

• Auto-delete Malicious Emails

Customise Notifications

Customers can fully customise notifications employees and system admins receive when they report an email for Analysis Results & Investigation Updates. You can view the default notification template

To make customisations, please go to:

1. Company > Company Settings > Notification Templates

2. Filter Category by "Incident Responder"

3. Click on the 3 dots to the right then select "Duplicate" to be able to edit

4. Make all the customisations you would like, including:

Auto-delete Malicious Emails

As you will have seen, the automatically analyses reported email and then automatically runs an investigation for all emails which are found malicious. To take this one step further, you can automate the deletion of all instances of malicious emails.

This is not enabled by default, allowing system admins to decide whether emails should be deleted - especially in rare cases where a safe email may be incorrectly flagged as malicious.

To set this up, please follow the below instructions:

1. Incident Responder > Playbook

2. Create a new Playbook by click on the blue +NEW button

3. Rule Info: Name the playbook and add a description

4. Conditions: Set to From > exists (this will cover all reported emails)

Google Workspace IP Bypass

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Sender IPs in the Google Workspace environment.

1. Note the to be allowed.

2. Sign in to

3. Select Apps > Google Workspace > Gmail from the left sidebar menu.

4. Go to the Spam, Phishing, and Malware page.

🚨 If you have additional security solutions (e.g. Mimecast) please make sure to whitelist in these security solutions by following these steps:

​✅ You have now ensured your target users will receive emails through Keepnet. Now you need to so your target users can successfully open Keepnet email links ➡️

Video Tutorial

How to Whitelist Using the Safe Links Feature in Office 365

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Domains in the O365 environment in the Safe Links feature.

1. Find the list of the domains in Phishing Simulator > Settings > Domains.

2. Sign into the Microsoft Security & Compliance Center.

3. Click Policies and rules from the left sidebar menu, click Threat Policies and select Safe Links.

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

Next step is to ➡️

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links.

This integration allows your employees to continue using Microsoft’s Phishing Reporting button to report suspicious emails to your SOC team or Microsoft Defender. Along with that, this integration adds new benefits by forwarding reported emails to Keepnet’s Incident Responder. This ensures deeper analysis and tracking capabilities while maintaining your existing reporting process.

Key Benefits:

• Dual Reporting: Emails reported via the Microsoft Phishing Reporting Button are sent to both Microsoft Defender and Keepnet's Incident Responder product for advanced analysis.

This guide explains the Threat Intelligence product and how to use it.

This includes:

• What is Threat Intelligence?

• How to export a list of breached accounts?

How to Install the Microsoft Page View Phishing Reporter

1. Before deploying the button, we recommend customizing it. This can be done in the Add-In Settings tab under the menu on the Keepnet platform.

If you've installed the Phishing Reporter on the Microsoft Outlook Desktop version successfully but are unable to see the Phishing Reporter button, here are some steps you can follow to troubleshoot the issue.

Step 1: Check your Outlook Version

First, confirm that you are using a version of Outlook that is compatible with Phishing Reporter. It might be possible that your current Outlook version is outdated and not supported by the add-in. Phishing Reporter usually supports the most recent versions of Outlook, but you can double-check the specific versions from here.

Step 2: Verify Installation

Make sure the Phishing Reporter Add-in was installed correctly. If the installation was interrupted or not completed, it could result in the button not appearing.

• Press the Win+S button combination on your keyboard, and find ‘Installed Apps’.

• Locate 'Phishing Reporter Outlook AddIn' in the list of installed programs.

• If you cannot find it, try reinstalling the software.

Step 3: Enable Add-in

Sometimes, the add-in might not be enabled, or it may have been disabled. Here's how to check:

• In Outlook, go to 'File' > 'Options' > 'Add-ins'.

• In the 'Manage' dropdown, select 'COM Add-ins', then select 'Go'.

• If 'Phishing Reporter' is listed but not checked, tick the checkbox to enable it.

• If 'Phishing Reporter' is not listed, it means the add-in is not installed correctly. Try reinstalling.

Step 4: Check the Ribbon

In some cases, the button may not be visible because it's not added to your Outlook ribbon, or it's located under a different tab.

• Right-click on the ribbon and select 'Customize the Ribbon'.

• Look for 'Phishing Reporter Add-in Name' in the list. If it's there, make sure it's ticked and placed under the Home tab.

Step 5: Check Windows Event Logs

Sometimes, Outlook or the add-in may be experiencing issues that could be found in the Windows Event Logs.

• Type 'Event Viewer' in the Start menu and open it.

• On the left side, navigate to 'Windows Logs' > 'Application'.

• Look for any recent warnings or errors related to Outlook or the Phishing Reporter Add-in around the time you last launched Outlook. Pay particular attention to Event ID 45 and 59, which might be related to this issue.

5.1 - AddIn Disabled

When examining your Windows Event Logs, you may encounter a log entry indicating that the Phishing Reporter add-in has been disabled by Outlook. This typically occurs when the add-in takes too long to load at startup. Once identified, the disabled add-in can be enabled again, as outlined in Step 3 of this guide. If the issue continues after this action, please refer to Step 8 for further troubleshooting assistance.

5.2 - AddIn Load Times

Microsoft Outlook Desktop may occasionally deactivate add-ins to prevent the application from crashing. By leveraging the Windows Event Logs, you can acquire valuable insights about the loading times of all add-ins. This knowledge helps identify add-ins exceeding the optimal loading time of 1000 milliseconds.

Outlook loaded the following add-in(s):

7.3 - Unable to connect to the remote server

This log indicates a network connectivity error during an HTTP request.

This error usually stems from the following situations:

• The network connection dropped or there is a temporary problem in the network. In this case, the network connection should be checked and, if necessary, the network may need to be restarted or the network settings may need to be checked.

• The client side is using an incorrect IP address or port number. In this case, the target and parameters of the request should be checked.

• The connection is being blocked due to a firewall or other network security settings. In this case, the security settings should be checked.

Error Log:

7.4 - The remote name could not be resolved

This log represents a network error situation.

This error usually stems from the following situations:

• Network connection problems. In this case, the network connection should be checked, and it should be ensured that the computer has general access to the internet.

• The DNS server is not functioning correctly. In this case, the DNS server should be checked, if necessary, restarted, or DNS settings should be reviewed.

Error Log:

Step 8: Contact Support

If the above steps don't resolve your issue, it's suggested to ask for assistance from the Keepnet support team. There are two primary ways to get in touch with them:

1. Email: You can send an email to . Make sure to include all relevant details about your problem, such as your Outlook version, OS version, and any other pertinent information about your system.

2. Support Portal: Alternatively, you can submit a ticket directly via the Keepnet support portal at .

For additional information on how to contact support, please refer to our documentation.

Deployment Steps

To deploy the Phishing Reporter add-in to users in Google Workspace, follow these steps.

Create Script

• Go to and click on the New Project button.

• The new script file that is opened is saved with a project name.

• In the Code.gs, paste the script code provided by the platform and save it.

• Go to the settings icon and click Project Settings.

• In the project settings, click: Show "appsscript.json" manifest file in editor.

• Save the appscript.json file. Copy and save the manifest code.

Create Project

• Go to and create a new project.

• Name your project and select the location. Then click on Create to start your project.

• Go to the API & Services page. Open the OAuth content screen page from the left menu and select your project.

• Please make sure the

OAuth Content Screen Configuration

• On the OAuth content screen, fill in the App Name, User Support Email, App Logo and Developers Contact Email Address. Then click Save and Continue.

• After that, click the Save and Continue button again on the Scope screen without making any changes. Then click Back to Dashboard.

• Go to API & Services, open the Library page to search Gmail API, and then enable it.

Change the Project Number of Script

• Go to Project Settings, find the "Cloud Platform Project" title, and click on the Change Project button on

• Paste the Project Number in the designated field and click Set Project.

• Confirm the project change.

The change is enabled once the project change is confirmed.

Testing the Add-in

If you don't want to test the add-in in your Gmail account, please go to the "Enable Google Workspace Marketplace SDK" part to distribute the add-in to the organization.

If you want to test and see the add-in functionality, logos, add-in name, description, and more information, you can deploy the add-in to your Gmail account for test purposes and remove it anytime.

• Go to

• Select the add-in project.

• Click on Deploy >Test Deployments > Install button.

• Click Done.

The add-in will appear on your Gmail account shortly.

Enable Google Workspace Marketplace SDK

• From the Library page, search for the Google Workspace Marketplace SDK and click on it.

• Click the Enable button and activate Google Workspace Marketplace SDK.

• Go back to and click on the Deploy > New Deployment button.

Deploy Add-in

Please follow up the following steps to deploy the add-in to your target users.

• To deploy the add-in, go to and click on the Google Apps icon in the top right-hand corner of the screen.

• Scroll down to and click on it.

• Click Internal Apps and find the add-in

• Click the Admin Install

✅ You have now deployed the Phishing Reporter.

Next step is to (only for customers who have purchased the Incident Responder or SOC package)

This section describes the capabilities and features of the threat simulation reports that can be generated using the Email Threat Simulator > Scan > Report button.

The components of the Scan Reports page are explained below.

Summary

The Summary provides a brief synopsis of the threat scan and options for further action.

Summary Widgets

Scan Info

Threat Scan Score

The score is calculated based on the number of emails determined to be insecure and the severity value of the risk posed by these emails.

Stats

The attack vectors are listed by attack type or by email status: Malicious Attachments, Ransomware Samples or Insecure Emails.

Attacks Sent

This section provides a summary report of the attack vectors exploited to target an email address.

FAQ

Q: Can I download a list of the attack vectors sent?

A: Yes, you can download a detailed report of the launched attack vectors in .xls, .pdf, or .csv format using the Download button.

Q: Can I export reports into my own reporting tool (e.g., Qlik Sense, Tableau, PowerBI)?

A: Yes. You can transfer all of our reports through an API. This flexibility allows you to use the information as needed to suit your business.

You can integrate your Microsoft 365 environment with the Incident Responder product to start an investigation on users' email accounts by following the steps below.You must use an account with global administrator permission.

New Application

• Select App Registration on the Microsoft Azure portal.

• Click +New registration.

• In the Register an application section, enter the name of the new application (required field).

• Select supported accounts from the Accounts in this organizational directory only option (auth secure login only - single-tenant).

• Select Public client/native (mobile & desktop) from the dropdown menu to enter a Redirect URL.

• Click Register. (Leave the myapp://auth field section blank).

• The new application will now appear in the list of app registrations; click on the name of the new application.

• Under Essentials, you will see the following displayed:

  • Application (client) ID

  • Directory (tenant) ID

• Please take note of these as you will need this information later to set up the new configuration.

Now you are ready to proceed to the next step: the application secret key.

Application Secret Key

An application secret key must be created for the new registration.

• Under Manage from the left-side menu, select Certificates & Secrets.

• Select Client secrets.

• Select +New client secret.

• Enter the description and expiration date and click Add.

Application Permissions

The last step is to add application permissions.

• Select Manage > API Permissions and click +Add permission.

• Click Microsoft Graph and a new window called Request API permissions will appear.

• Click Application permissions and then choose Application Permission and in the Select permissions field, find and select the following required permissions:

You can find more information about these permissions at “”.

Test the Email Server Integration

You can test the integration on the platform to make sure that it is working. Go to Incident Responder > Mail Configurations on the left sidebar menu of the dashboard and then click + NEW and choose the mail provider - in this case, Office 365.

Complete the following fields in the Microsoft Office 365 configuration table. The integration details are:

If the test was successful, the new email server integration will be shown in the list of mail configurations.

About Permissions

Directory.Read.All (Get user list)

This permission allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered with their organization’s tenant.

The platform uses this permission to retrieve the client's user list when an investigation is initiated and then to access the email addresses. For example, when a user finds a suspicious email, the platform can scan all users in the list retrieved.

Mail.ReadWrite (Get users mails)

This permission allows the app to create, read, update, and delete email in user mailboxes. It does not include permission to send mail. The platform uses this permission to scan and filter users' emails. For example, when the “From” filter is selected as a parameter to be used in an investigation, this authorization enables the creation of a list of the emails that meet this criterion. It is also used to send a warning message to users. This permission also allows the platform to scan the contents of the emails to find and match the designated investigation parameters. For example, specific filters such as regex, keywords, etc.

MailboxSettings.ReadWrite (Warning action)

This permission allows the app to create, read, update, and delete the user's mailbox settings. It does not include permission to send mail directly, but allows the app to create rules that can forward or redirect messages. The platform uses this permission to mark emails that will receive a warning message.

User.Read.All (Get user data)

This permission allows the app to read the full set of profile properties, reports, and managers of other users in your organization on behalf of the signed-in user. The platform uses this permission to read and filter user information during the scanning process. If user-related filters, such as specific users, are selected as scan criteria, the user information may need to be read. For example, an organization may elect to initiate an investigation of employees in a particular department.

FAQ

Q: Is it possible to run a suspicious email investigation on the platform 24/7?

A: Yes. The platform’s flexibility allows you to start an investigation at any time and specify how long it is to run, or to create a continuous, automatic search for harmful e-mails. Server-based integration with your email service provides the most comprehensive protection.

Q: Is it possible to start investigations and delete harmful emails without Office 365 and Exchange EWS integration?

A: Yes. The Phishing Reporter plug-in can be used to conduct investigations and mitigation. However, the user must have Outlook open and the plug-in active. Email server integration eliminates this limitation.

The Phishing Simulator allows you to create a realistic simulated phishing email that is sent to employees in order to assess their ability to recognize suspicious emails and their response to attacks that could compromise organizational data and systems.

The product provides the capability to customize and target a phishing campaign suited to your organization and to evaluate the results.

Shortcuts

FAQ

Q: When executing a phishing simulator attack, you will receive a “test” email prior to execution. Is there a way currently to turn that off?

A: Currently, no - it’s mandatory to see the campaign tested before making any mistake. You will receive the email on the Delivery Settings page. The system automatically sends a test email and notifies you about this action

Q: Some subdomains are banned such as Microsoft.domain.com. Is it possible for these to be unbanned?

A: If the microsoft name is used in a subdomain there are many threat intelligence services, chromium based browsers, URL filtering tools easily detect and block this domain. If you need this, please reach out to

Q: What would be the steps to get additional URLs added to Keepnet’s Phishing Simulator? For example, if you already own several through GoDaddy.

A: We can only host domains verified through Cloudflare. Please refer to for more information.

Q: How can I combine the Email Template and Landing Page to create a phishing scenario?

A: You can easily create a customized phishing scenario to suit your organization. You will find the instructions .

Q: Can I delete System Scenarios/Email/Landing Pages?

A: The System templates can't be deleted by the admin users. The admins are able to delete their custom templates.

Q: Which tracking domain is used for Attachment type campaigns?

A: The platform automatically generates unique tracking links for attached files for each target user for Attachment type campaigns. The domain that is used for the attachment type campaign are dynamics. Please make sure you whitelist all the simulation domains.

Q: Emails do not arrive to the target users

A: The delivery status can be checked on Sending Report menu in the campaign report to see if the emails have been delivered successfully to the users. If the emails are successfully delivered, please check your .

Q: Why the domain that is used for the campaign gives a red screen on Google?