Direct Mail Injection (DMI) for Microsoft 365

Overview

OutThink can deliver training notifications, email nudges and phishing simulation emails to your employees efficiently and reliably via our scalable email infrastructure.
This, however, typically requires a series of whitelisting steps to ensure that emails are not rejected as phishing or spam, are not clicked by email filters, and land correctly in your users’ inboxes.

There are several reasons why OutThink recommends a new direct mail injection approach, which creates email directly in your employees’ inboxes using the Microsoft Graph API, without using any email infrastructure:

  1. Email whitelisting is notoriously difficult to accomplish, especially where complex and compounded email gateway infrastructure exists at your organization. This could result in emails not being consistently delivered, or phishing simulation links being falsely detonated, skewing campaign results.
  2. Customers want complete control over the originating sender of emails, for example to override the sender’s email address of a phishing simulation, or to white-label training emails. This provides a very powerful means of presenting emails to your users that purport to come from your organization, relevant corporate bodies, or specific individuals. Such overriding of the address cannot be achieved via email infrastructure, due to the security requirements of DKIM and DMARC.
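The DKIM/DMARC point in item 2 can be made concrete with a small DMARC evaluator. This is an added illustration, not code from OutThink or from the DMI App; the domains, authentication results and the DMARC record are constructed, and the organizational-domain logic is deliberately simplified (a real evaluator consults the Public Suffix List). It shows why mail relayed through a vendor's own infrastructure can never satisfy a customer's p=reject policy when the From: address is overridden to the customer's domain: SPF and DKIM may both pass for the vendor's domain, but neither identifier aligns with the From: domain.

```python
"""Why a From-address override fails through ordinary email infrastructure.

Added illustration, not OutThink code. A DMARC evaluator (RFC 7489) passes a
message only if SPF or DKIM passes AND the authenticated domain aligns with
the RFC5322.From domain. Vendor infrastructure can authenticate its own
domain, but that domain never aligns with a From: address in the customer's
domain, so the customer's p=reject policy rejects the message.
All domains and results below are constructed.
"""


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplified organizational domain (last two labels). Real evaluators
    consult the Public Suffix List, so suffixes such as co.uk behave differently."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain, spf, dkim, record):
    """spf / dkim: (result, authenticated_domain). Returns (dmarc_result, disposition)."""
    policy = parse_dmarc_record(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


# Constructed: the customer's domain (example.com) publishes a reject policy.
CUSTOMER_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r"


def spoofed_from_via_vendor_infrastructure():
    """A simulation relayed by vendor-example.net with From: hr@example.com.
    SPF and DKIM both pass for the vendor's domain, yet neither aligns."""
    return evaluate_dmarc("example.com",
                          spf=("pass", "mail.vendor-example.net"),
                          dkim=("pass", "vendor-example.net"),
                          record=CUSTOMER_DMARC)


def legitimate_mail_from_own_domain():
    """The same From: address, but DKIM-signed with the customer's own key."""
    return evaluate_dmarc("example.com",
                          spf=("fail", "mail.vendor-example.net"),
                          dkim=("pass", "example.com"),
                          record=CUSTOMER_DMARC)


if __name__ == "__main__":
    print("override via vendor infrastructure:", spoofed_from_via_vendor_infrastructure())
    print("authenticated by the customer's own domain:", legitimate_mail_from_own_domain())
```

The first scenario evaluates to a DMARC fail with disposition reject; the second passes because the DKIM domain aligns. Direct Mail Injection sidesteps this entirely: the message is written into the mailbox through the Graph API from an App Registration in your own tenant, so it never passes through SMTP authentication at all.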

Unlike other vendors, OutThink’s solution follows strict security practices and guidelines. Email delivery is facilitated by a novel proxy, the OutThink Direct Mail Injection App, which is installed from the Microsoft Azure Marketplace and hosted within your own Microsoft Azure environment.

OutThink does not store or hold any Microsoft Graph API permissions to send, read or write email; those permissions belong to the App Registration in your own tenant.

Direct Mail Injection can be configured to work with phishing simulations, training notifications, training reminders, email nudges and line manager escalations.

Step 1. Installation

Important:
Installation is required for every Microsoft 365 tenant (Entra ID) where your users reside across your organizational hierarchy. If all users reside in a single Microsoft 365 tenant, only a single installation is needed.

There are five steps to each installation, which will require access to your Microsoft Azure environment and to the OutThink Command Center.

  • Create an API Key from the OutThink Command Center. This provides the credentials for the DMI App to get email data from the OutThink platform.
  • Create an Azure App Registration in your Microsoft Azure Tenant which provides appropriate permissions to connect with your Microsoft Graph API to inject email to user inboxes.
  • Create a Microsoft Azure Key Vault in your Microsoft Azure Tenant which protects the Client ID and Client Secret of the App Registration, and the OutThink API Key.
  • Install the OutThink Direct Mail Injection App from the Microsoft Azure Marketplace, which regularly polls the OutThink API to determine if simulations or training messages need to be delivered.
  • Grant rights for the OutThink Direct Mail Injection App to access the secrets stored in the Azure Key Vault.

1.1. Create an API Key from the OutThink Command Center

Navigate to the Settings Organization Management section of the Command Center, select the relevant Organization on the left hand side, then select the API tab on the right.

Firstly, make a note of the Customer ID at the top of this page. You will need this in the next step.

Now, click Create new secret key, give the key a memorable name, and generate the key.
Ensure that you copy the key that has been generated, as you will not be able to retrieve it again.

1.2. Create an App Registration in Microsoft Azure

For the following steps, you will need permissions to create resources in Microsoft Azure. If you do not have such permissions, contact your IT or Cloud Administrator.

1.2.1. Creating the App Registration

Sign in to the Microsoft Azure Portal and search for App Registrations. Click + New Registration and provide a name such as OutThink Email Injection via Graph API. Under Supported Account Types, ensure that Accounts in this organizational directory only (OutThink only – Single tenant) is selected; the portal shows your own directory name in place of OutThink. Leave the Redirect URI blank and click Register.

1.2.2. Creating a Secret

From the new App Registration, navigate to Certificates & Secrets in the left hand menu and click + New client secret. Provide any Description and set the Expires option to an appropriate period of time, such as 12 months.

The Expires period should be long enough that the secret does not continually expire, and short enough to follow security best practice. Long-lived secrets are not advisable.

Once the secret is created, securely note down both the Value and the Secret ID. You will need these in the next section.

1.2.3. Granting Graph API Permissions

Next, we need to give this App Registration permission to inject emails. This is managed via the API permissions section in the left hand menu. From this section, click + Add a permission.

On the Request API permissions tab that appears, select Microsoft Graph.

On the following page, select Application Permissions and type Mail.ReadWrite in the Select permissions search box. Ensure the Mail.ReadWrite permission is selected.

Go back to the search box and now type User.ReadBasic.All. Ensure this permission is also selected, then click Add Permissions at the bottom of the page.

Two permissions, Mail.ReadWrite and User.ReadBasic.All, should now be showing under the Configured permissions section. To ensure that users aren’t asked to approve these manually, you must click the Grant admin consent option.

1.3. Create an Azure Key vault in Microsoft Azure

An Azure Key vault is needed to store access keys and secrets that will be used by the OutThink DMI App.

1.3.1. Creating the Azure Key vault

This can be created by navigating to the Key vaults section in the Microsoft Azure Portal, and clicking on the button titled + Create.

Select an appropriate Azure Subscription and Resource Group from the list. OutThink recommends that you create a brand new resource group to encompass all resources which are relevant to this installation.

If you do not have access to any Azure subscription, you will need to contact your IT or Cloud Administrator to ensure one is created, or access to one is provided for this project.

Select any appropriate name for this new Key vault, such as outthink-keyvault.
Select an appropriate region and Pricing Tier.

Next, you may wish to restrict this Key vault to your network, using the settings on the Networking tab. This is optional, but is considered best practice. Discuss this with your IT or Cloud Administrator.

Once all settings are configured, click Review + create. Review all settings and finally click Create.

1.3.2. Creating Key vault secrets

Once the Key vault is created, navigate to the new resource and select the Objects -> Secrets option on the left hand menu. Using the + Generate/Import option, you will need to create five new secrets as follows:

Name          Secret value
ClientId      The Secret ID of the Secret created in the App Registration in the previous section.
ClientSecret  The Value of the Secret created in the App Registration in the previous section.
OtApiKey      The OutThink API secret key you noted down in section 1.1.
OTCustomerId  The OutThink Customer ID you noted down in section 1.1.
TenantId      Your Microsoft Entra Tenant ID. For help finding this, see https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant.

1.3.3. Make a note of the Key vault URI

Navigate to the Overview page in the left hand menu, and copy the Vault URI on the left hand side. You will need this in the following section.

1.4. Install the OutThink DMI App from the Azure Marketplace

Navigate to the Azure Marketplace from within the Microsoft Azure Portal, and search the marketplace for OutThink. Click on the result for OutThink Direct Message Injection (DMI) and, on the offer page, select the Standard Plan and click Create.

The OutThink Direct Message Injection (DMI) App from the marketplace is free of charge and will not incur any cost on your Microsoft Azure subscription.

On the Basics configuration tab, select the same Subscription, Resource Group and Region that you selected when creating the Azure Key vault.

  • Under App Service Plan SKU, select Basic – B1.
  • For Key Vault URL, enter the Vault URI that you copied down from the previous section.
  • Choose an appropriate Application Name, such as OutThink Direct Mail Injection App.
  • Leave the default provided for Managed Resource Group.

Next, navigate to the Optional Settings tab.

Click Review + create, and finally Create. The App will now be created, which may take a few minutes. Wait for this to finish before continuing with the section below.

1.5. Grant permissions to the OutThink DMI App

The final step of the installation is to ensure that the new OutThink DMI App that you just installed has access to read the secrets from the Key vault.

Navigate back to the Key vault that you created in the previous step, select Access Policies in the left menu, and click + Create. Under Secret Permissions, ensure that Get and List are checked, then click Next.

In the field Search by Object ID, name, or email address, start typing the name of the OutThink DMI App that you installed in the previous step, and select the application from the list. Click Next, then Next again, and finally Create.
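After Step 1, a practitioner will want to confirm the installation still matches the least-privilege shape described above (two Graph application permissions with admin consent, a client secret of bounded lifetime, the five named Key vault secrets, and an access policy that grants the DMI App only Get and List on secrets). The audit below is an added example, not OutThink's or Microsoft's code. It runs offline over constructed inventory dictionaries; the field names (graph_permissions, client_secret, key_vault, accessPolicies, objectId, permissions) are assumptions about how you would export the data from your own tenant, and the object id is a placeholder. The 370-day secret-lifetime threshold is this example's reading of the "12 months" guidance in section 1.2.2.

```python
"""Least-privilege audit of a completed Step 1 installation.

Added example, not OutThink's own code. It reads inventory data in the shape a
practitioner might export from their tenant (the dicts below are constructed
samples) and reports drift from the configuration the installation steps
describe. Input shapes and field names are assumptions.
"""
import copy
from datetime import datetime, timedelta, timezone

# Section 1.2.3 grants exactly these two Graph application permissions.
EXPECTED_GRAPH_PERMISSIONS = {"Mail.ReadWrite", "User.ReadBasic.All"}
# Section 1.3.2 creates these five Key vault secrets.
EXPECTED_SECRET_NAMES = {"ClientId", "ClientSecret", "OtApiKey", "OTCustomerId", "TenantId"}
# Section 1.5 grants the DMI App only Get and List on secrets.
ALLOWED_SECRET_PERMISSIONS = {"get", "list"}
# Section 1.2.2 suggests a 12-month client secret; a few days of slack is allowed here.
MAX_SECRET_LIFETIME = timedelta(days=370)


def audit_graph_permissions(configured):
    """configured: list of {"api", "permission", "type", "admin_consent"} (assumed shape)."""
    findings = []
    app_perms = {p["permission"] for p in configured
                 if p["api"] == "Microsoft Graph" and p["type"] == "Application"}
    for name in sorted(EXPECTED_GRAPH_PERMISSIONS - app_perms):
        findings.append(f"missing Graph application permission {name}")
    for name in sorted(app_perms - EXPECTED_GRAPH_PERMISSIONS):
        findings.append(f"unexpected Graph application permission {name}")
    for p in configured:
        if p["type"] != "Application":
            findings.append(f"{p['type']} permission {p['permission']} is not needed by the DMI App")
        if not p["admin_consent"]:
            findings.append(f"admin consent not granted for {p['permission']}")
    return findings


def audit_client_secret(secret, now):
    """secret: {"start", "end"} as ISO-8601 strings; flags long-lived or expired secrets."""
    start = datetime.fromisoformat(secret["start"])
    end = datetime.fromisoformat(secret["end"])
    findings = []
    if end - start > MAX_SECRET_LIFETIME:
        findings.append(f"client secret lifetime {(end - start).days} days exceeds 12 months")
    if end <= now:
        findings.append("client secret has expired; the DMI App can no longer authenticate")
    return findings


def audit_key_vault(vault, dmi_object_id):
    """vault: {"secrets": [names], "accessPolicies": [{"objectId", "permissions": {...}}]}."""
    findings = []
    for name in sorted(EXPECTED_SECRET_NAMES - set(vault["secrets"])):
        findings.append(f"Key vault secret {name} is missing")
    policies = [p for p in vault["accessPolicies"] if p["objectId"] == dmi_object_id]
    if not policies:
        findings.append("no Key vault access policy for the DMI App")
    for policy in policies:
        perms = policy["permissions"]
        extra = {s.lower() for s in perms.get("secrets", [])} - ALLOWED_SECRET_PERMISSIONS
        if extra:
            findings.append(f"DMI App has extra secret permissions: {', '.join(sorted(extra))}")
        for kind in ("keys", "certificates"):
            if perms.get(kind):
                findings.append(f"DMI App has {kind} permissions it does not need")
    return findings


def run_audit(inventory, now):
    return (audit_graph_permissions(inventory["graph_permissions"])
            + audit_client_secret(inventory["client_secret"], now)
            + audit_key_vault(inventory["key_vault"], inventory["dmi_object_id"]))


# Constructed sample: a tenant configured exactly as Step 1 describes.
DMI_OBJECT_ID = "11111111-2222-3333-4444-555555555555"   # placeholder, not a real object id
COMPLIANT = {
    "dmi_object_id": DMI_OBJECT_ID,
    "graph_permissions": [
        {"api": "Microsoft Graph", "permission": "Mail.ReadWrite", "type": "Application", "admin_consent": True},
        {"api": "Microsoft Graph", "permission": "User.ReadBasic.All", "type": "Application", "admin_consent": True},
    ],
    "client_secret": {"start": "2024-01-01T00:00:00+00:00", "end": "2025-01-01T00:00:00+00:00"},
    "key_vault": {
        "secrets": ["ClientId", "ClientSecret", "OtApiKey", "OTCustomerId", "TenantId"],
        "accessPolicies": [{"objectId": DMI_OBJECT_ID,
                            "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": []}}],
    },
}

# Constructed drift: an extra Mail.Send grant, a two-year secret, and a policy that also allows Set/Delete.
DRIFTED = copy.deepcopy(COMPLIANT)
DRIFTED["graph_permissions"].append(
    {"api": "Microsoft Graph", "permission": "Mail.Send", "type": "Application", "admin_consent": True})
DRIFTED["client_secret"]["end"] = "2026-01-01T00:00:00+00:00"
DRIFTED["key_vault"]["accessPolicies"][0]["permissions"]["secrets"] += ["Set", "Delete"]

AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "now" for the samples


def audit_samples():
    """Run the audit over both constructed samples; returns {label: findings}."""
    return {label: run_audit(inv, AUDIT_TIME) for label, inv in (("compliant", COMPLIANT), ("drifted", DRIFTED))}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(label, findings or "no findings")
```

Run the audit whenever the App Registration or Key vault is changed, and again before each client-secret rotation: the compliant sample yields no findings, while the drifted sample reports the unexpected Mail.Send grant, the over-long secret lifetime and the extra Set/Delete secret permissions.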

Step 2. Configuration

Enable DMI for Phishing and/or Training emails

From the OutThink Command Center, navigate to the Settings Organization Management section. Select the relevant Organization on the left hand side, then select the Organization tab on the right.
The DMI Settings are at the bottom of the page under the heading Email Delivery Configuration.

To enable DMI for Phishing Simulations:
Select the Direct Mail Injection (DMI) option under the Phishing Simulation header and hit Save Changes.
The Email Address and From Name displayed on phishing simulation emails can now be chosen during phishing simulation campaign creation.

To enable DMI for Training Notifications, Reminders, Nudges and Escalations:
Select the Advanced Configuration option, and choose an appropriate Sender Email Address and Sender From Name that you would like to apply to all outgoing training emails.
Next, ensure the Direct Mail Injection (DMI) option is selected, and hit Save Changes.

Step 3. Testing

Once installation and configuration are complete, it’s time to test email injection.

Create any Training or Phishing Simulation campaign (as appropriate) using the Command Center, and add yourself to the campaign. Ensure the campaign is marked as a Test. After a few minutes, check that you have received the email in Outlook, and that you can interact with it successfully.

For a Phishing Simulation Campaign, click the hyperlink and ensure that the Clicked status is correctly reported for your user on the Phishing Campaign Dashboard in the Command Center.

For a Training Campaign, ensure that you can launch the training successfully and the In Progress status is flagged for your user on the Training Campaign Dashboard in the Command Center.

For more details on how to create campaigns and analyze the results, see https://help.outthink.io/category/create-campaign/
