How to set up Message Injection in Microsoft 365

Deliver simulation emails seamlessly to mailboxes in Microsoft 365.


Message Injection allows you to bypass regular email delivery and put emails directly into your users' mailboxes, increasing the delivery success rate and removing the requirement for allow-listing.


Here's how to configure Message Injection in Microsoft 365.

Authorization

Go to Settings > SMPhish > Message Injection


Scroll down to Microsoft 365 and click Sign in with Microsoft to start the authorization process.


After you have logged into the chosen Microsoft Account, a screen to authorize the Message Injection integration will appear. Please click Accept.


NOTE: This will grant the platform permission to insert emails into the mailbox of any user on the authorized Microsoft 365 tenant. We only use this permission to deliver simulated phishing emails, no other communications will be sent via this integration.


usecure is SiberMate's partner in enabling the message injection API.

Once accepted, you should see the authentication completion page below. You can now close this tab and Message Injection will be available as a delivery method in your SMPhish campaigns. You should use the test message injection feature to confirm that it works as expected.


Authorization Requirements

Authorizing the Microsoft Message Injection integration uses Application Permission authentication.

This requires an account that can grant tenant-wide admin consent for an AD Enterprise Application.

This combined with the MS Graph API permissions required by the integration means that an account with the Global Administrator role is needed.

Activation

After setting up Message Injection, a toggle on button appears on the settings page where you can add Message Injection as the default delivery method.


To enable Message Injection by default, go to Settings > SMPhish > Message Injection and scroll to Additional Settings.

Advanced Options

You can re-authorize the Message Injection using the Sign In with Microsoft button on the Message Injection settings page. This is useful if message injection emails are failing due to authentication issues.


You can use the Revoke Authentication option if you wish to disable Message Injection. This deletes any authentication credentials we hold for the authorized Microsoft 365 tenant.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.