Direct Message Injection

Share

Is this article helpful?

Last updated:

Direct Message Injection (DMI) Configuration Guide

The Direct Message Injection (DMI) feature eliminates the need to whitelist simulated phishing emails. DMI bypasses email filtering rules and places emails into your users’ inboxes. This feature works by creating a secure link between your KSAT console and your mail server. DMI can be used to whitelist our phishing test emails, but training emails will still require additional whitelisting if you use this method. For more information, see our Whitelisting Guide.

Important:Some whitelisting configurations may not be available in environments outside of the US.

Setting Up DMI in Google

If you are using Google Workspace, this secure connection is created by authorizing the DMI application in Google Workspace. Once authorized, DMI uses the Google Workspace APIs to place simulated phishing emails into your users’ inboxes.

Note:You cannot use your Google Workspace DMI connection to send messages to alias email addresses.

Required Admin Roles for Google

If you are setting up a Google Workspace DMI, you will need an account with a super admin role. For more information, see Google’s Control API access with domain-wide delegation Control API access with domain-wide delegation (link opens in new window) article.

Connect DMI to Google

To connect DMI to Google Workspace, you will need to add a client ID and scopes to your Google Workspace Admin console. To add the client ID and scopes, follow the steps below:

  1. Navigate to admin.google.com.

  2. In the Google Workspace Admin console, select the Security section.

    Note:If you do not see Security, click More controls at the bottom of the page.

    Google Workspace Admin Security section

  3. Click Overview.
  4. Select the API controls section.

  5. In the Domain wide delegation section, click the Manage Domain Wide Delegation button.

    Manage Domain wide delegation button

  6. Click the Add new button.

    Add new button

  7. In the Client ID field, enter "117081416267426756182".

    Client ID field

  8. In the OAuth Scopes field, enter "https://www.googleapis.com/auth/gmail.insert".
  9. Click the Authorize button.
Important: To ensure that your user opens are being tracked properly, you may need to add our phish link domains to your Google Workspace’s Image URL proxy allowlist. For more information, see Google’s Set up an image URL proxy allowlist Set up an image URL proxy allowlist (link opens in new window) article.

Enable DMI for Google

After you have connected DMI to Google, you will need to enable DMI in your KSAT console. You will also need to enable the Overwrite Fixed Return-path Address with Sender Address setting. To enable DMI for Google Workspace, follow the steps below:

  1. Log in to your KSAT console.
  2. Click your email address in the top-right corner of the page and select Account Settings.
  3. Navigate to the Direct Message Injection (DMI) section.

  4. Click the Add DMI Connection drop-down menu and select Google Workspace.

    Add DMI Connection drop-down menu

  5. Fill out the fields in the configuration pop-up window. For more information, see the screenshot and list below:
    1. Connection Name: Enter a name for the DMI connection.

    2. Enable this connection for the selected domain: Select one or more domains by entering the domain name or selecting domains from the drop-down menu.

      Note:DMI will only be enabled for users whose primary email addresses match the selected domains.

    3. If the DMI connection fails, send a notification to: Enter the email addresses of anyone who should be notified if the DMI connection fails.

      Note:Email addresses entered in this field do not need to match the domains listed in the Enable this connection for the selected domain field.
    4. Enter an email address from your Google Workspace domain: Enter the email address where you would like to receive the test message.
  6. Repeat steps four and five for each domain you want to configure.
  7. Click the Save Connection Settings button.

You will also need to overwrite the return-path header for your phishing emails. The Overwrite Fixed Return-path Address with Sender Address setting is located in your account settings. For further information on enabling this setting, see our How to Change the Return-Path Header in Your Account Settings article.

Important:After configuring DMI for Google Workspace, post-delivery inbox filtering may still interfere with recorded email interactions, email delivery, or attachment functionality.

How to Fix a Connection Error in Google Workspace

If you receive an error message after clicking Authorize when connecting DMI to Google Workspace, your client ID and scopes may be incorrect.

To check your client ID and scopes, follow the steps below:

  1. Locate the new domain-wide delegation permissions that you created.
  2. Click View Details.
  3. Ensure that every scope is listed, there are no duplicate scopes, and that the client ID is correct.

  4. If a scope is missing or contains an error, click Edit, enter the missing scope, and click Authorize to apply the changes.

    Note:The client ID cannot be changed.

How to Add Banners, Prefixes, and Signatures to Phishing Emails

When DMI is enabled, our phishing emails are able to bypass all mail flow rules, which may include banners, prefixes, and signatures that appear on inbound emails.

Follow the steps below to use our placeholders to add banners, prefixes, and signatures back to our phishing emails:

  1. Log in to your KSAT console.
  2. Click your email in the top-right corner of the page and select Account Settings.
  3. Navigate to the Placeholders section.
  4. Click + Placeholders.
  5. Select the placeholder that you want to add back to the phishing email from the drop-down menu.
  6. Enter the placeholder's information into the field provided. You can enter any text into the field, including source code from an email banner, prefix, or signature that already exists.
  7. For the Email Banner and Subject Prefix placeholder, select which phishing emails you want the placeholder to appear on from the drop-down menu.
  8. Click Save Placeholders.

Disconnect a DMI Connection

When disabling DMI, we recommend removing the connection between your KSAT console and your mail client account.

To disconnect DMI, follow the steps below:

  1. Log in to your KSAT console.
  2. Click your email in the top-right corner of the page and select Account Settings.
  3. Navigate to the Direct Message Injection (DMI) section under Phishing.

  4. Locate the DMI connection you would like to delete, and click the Show Settings button.

    Note:The name of this button will change based on the name of your connection. For example, if the name of your connection is "DMI 1," this button will display as "Show DMI 1 Settings."
  5. Click the Remove DMI Connection button.
  6. When the confirmation message opens, click the Confirm button.
Important:When your DMI connection is removed, active phishing campaigns will send emails using Standard Email Protocol (SMTP). If DMI was enabled when the campaign was created, emails will still show as DMI-delivered on the campaign's Overview subtab.

If you re-enable DMI in the future, you will need to grant KnowBe4 access again. To re-enable DMI, follow the steps in the sections above for your mail server.

Tip:To ensure that you have whitelisted correctly, see our Verify Your Whitelisting article.

Was this article helpful?

24 out of 31 found this helpful

Can't find what you're looking for?

Contact Support