What is Direct Message Injection?

Note: Microsoft has recently announced that the whitelisting process for Microsoft 365 environments has changed. We recommend whitelisting in Microsoft 365 using our How to Use Advanced Delivery Policies in Microsoft 365 article and whitelist according to those instructions.

The Direct Message Injection (DMI) feature eliminates the need to whitelist simulated phishing emails. DMI bypasses email filtering rules and places emails directly into your users’ inboxes. This feature works by creating a secure link between your KnowBe4 console and your Microsoft 365 account.

This secure connection is created by authorizing the DMI application in Azure. DMI will be connected to your Microsoft 365 account as an Enterprise Application. Once authorized, DMI uses the Microsoft Exchange Web Services (EWS) API to place simulated phishing emails directly into your users’ inboxes.

Note: We suggest that you attempt to whitelist using Microsoft's Advanced Delivery Policies before whitelisting using DMI. Please read the instructions in our How to Use Advanced Delivery Policies in Microsoft 365 article to learn how to whitelist KnowBe4.

DMI is only compatible with public instances of Microsoft Azure. Due to the permissions required, DMI cannot be used with Microsoft GCC High and DoD.

Use the links below to learn more about this feature. For a visual overview, watch our Direct Message Injection video.

Jump to:

Required Admin Roles

Requested Permissions

Connect DMI to Microsoft 365

Enable DMI

Troubleshooting

How to Fix a Failed Connection
How to Stop DMI Emails from Showing in the "Other" Mailbox
How to Add Banners on Phishing Emails

Disconnect DMI from Microsoft 365

Required Admin Roles

Before you set up DMI, we recommend creating an admin account specifically for DMI authorization. Your DMI authorization account will need to be assigned the following roles:

Application Impersonation found in your Microsoft 365 Exchange Admin Center.
Application Administrator found in your Azure Portal.

Note:

You will still need to assign the permissions listed above, even if an existing account is already assigned a high-level role, such as Global Administrator.

Click on a tab below for instructions on how to enable these permissions in each Microsoft 365 application.

Exchange Admin Center
Azure Portal

To add and enable the Application Impersonation role, follow the steps below.

Log in to your Microsoft 365 Exchange Admin Center.
From the menu on the left, click Roles and select Admin Roles.
Click on the Add Role Group button.
Enter a name and description for the new role group. Click Next.
On the Add Permissions page, select Application Impersonation and then click Next.
Select the user account that will be responsible for DMI authorization and then click Next.
Review your selections and click Add Role Group.

To enable the Application Administrator role, follow the steps below.

Log in to your Azure Portal.
Under the Azure Services header, select Users.
Click on the user account that will be responsible for DMI authorization.
From the menu on the left, click Assigned Roles.
On the Eligible Assignments tab, find Application Administrator and set the role to active.

If Application Administrator is not listed, follow the steps below.

1. Click on the Add Assignments button at the top of the page.
2. From the drop-down menu, select the Application Administrator.
3. For the scope type, select Directory and then click Next.
4. For the assignment type, select Active.
5. Click Assign to assign this role to the selected user.

Requested Permissions

In your Microsoft 365 account, you will see the permissions request below:

To guarantee a safe and secure connection, DMI must use EWS to connect to your users’ inboxes. The permissions for an EWS connection include the ability to read, send, and delete emails. The EWS connection can also configure mailbox settings. DMI will only use these permissions to place emails into your users’ inboxes.

Important:

DMI will never read emails, delete emails, or alter your organization’s mailbox settings in any way.

Accepting these permissions means that you understand and agree to KnowBe4’s terms of service and privacy statement.

Connect DMI to Microsoft 365

To use DMI, you’ll need to connect your KnowBe4 and Microsoft 365 accounts and enable DMI for your domains. If you are using Microsoft 365's Advanced Threat Protection (ATP), you will need to edit the ATP Link Policy to prevent link rewriting. Please see our How to Prevent Microsoft 365 ATP from Rewriting KnowBe4 Phishing Links article.

Follow the steps below to securely connect your KnowBe4 console to your Microsoft 365 account:

Log in to your KnowBe4 account and click your email in the top-right corner.
Select Account Settings and navigate to the Direct Message Injection section.
Click the Connect to Microsoft 365 button.
You will be directed to a Microsoft login page. Log in to the Microsoft account that will be responsible for DMI authorization.
- Make sure to use the Microsoft account that has been assigned our Required Admin Roles.
  
  Note: When using a Microsoft 365 account with two-factor authentication enabled, emails sent with DMI will show an impersonation error in the Bounced tab of your phishing campaigns. To prevent these errors, we recommend connecting DMI to Microsoft 365 through a service account that does not have two-factor authentication enabled.
Review the permissions requested in order to give KnowBe4 access to your Microsoft 365 information.
- For more information, see the Requested Permissions section below.
If you agree to these permissions, click Accept.
Once the window closes, see the Enable DMI section below to continue.

Enable DMI

Once your KnowBe4 console is connected to your Microsoft 365 account, follow the steps below to enable DMI:

1. Log in to your KnowBe4 account.
2. Click your email address in the top-right corner and select Account Settings.
3. Navigate to the Direct Message Injection section.
4. Click DMI Settings to expand the settings panel.
5. Check the box labeled Enable DMI for the selected domains.
6. Select one or more domains by typing the domain name or selecting domains from the drop-down menu.
  - DMI will only be enabled for Microsoft 365 users whose primary email address matches the selected domains.
7. In the field labeled If the DMI connection fails, send a notification to, enter the email addresses of anyone who should be notified if the DMI connection fails.
  - Email addresses entered here do not have to match the domains from Step 4.
8. Click the Save DMI Settings button.

Once enabled, DMI will be listed as an Enterprise Application in your Azure portal. You can view any granted permissions and usage logs from your Azure portal.

Note:

If your admin email address matches the domains selected here, DMI will also be used to deliver emails sent using our Send Me a Test Email feature. This test email will contain @injector.psm.knowbe4.com in the Message ID for the original email headers.

Troubleshooting

See below for a variety of issues that can occur with DMI and how you can fix them.

How to Fix a Failed Connection

If the Exchange Web Service token connecting your KnowBe4 console and your Microsoft 365 account becomes invalid, the DMI connection will fail.

Any phishing campaign emails that were scheduled to be delivered using DMI will not be sent.

Reconnect your Microsoft 365 account by following the instructions outlined in the Connect DMI to Microsoft 365 section above. If you have trouble reconnecting, please contact support.

How to Stop DMI Emails from Showing in the "Other" Inbox

If your users are seeing emails with DMI in their Other inbox instead of their Focused inbox, follow the steps below to resolve this issue:

In your KnowBe4 account, navigate to Account Settings.
Go to the Phishing Settings subtab.
Enable Add Custom Header.
In the Header Name (left box) enter the following text: "MS-Exchange-Organization-BypassFocusedInbox".
In the Header Value (right box) enter the following text: "true".
Click Save Settings.

How to Add Banners to Phishing Emails

When DMI is enabled, our phishing emails are able to bypass all mail flow rules which may include banners that appear on inbound emails. Follow the steps below to use our Placeholders feature and add banners back to our phishing emails.

Log in to your KnowBe4 account.
Click your email in the top-right corner and select Account Settings.
Navigate to the Branding section.
Click + Placeholders.
Select the Email Banner placeholder.
Enter your banner information into the field provided. You can enter any text in the field, including source code from an already existing email banner.
Select which phishing emails you want the banner to appear on.
Click Save Placeholders.

Disconnect DMI from Microsoft 365

When disabling DMI, we recommend removing the connection between your KnowBe4 console and your Microsoft 365 account. Follow the steps below to disconnect the two accounts:

Log in to your KnowBe4 account.
Click your email in the top-right corner and select Account Settings.
Navigate to the Direct Message Injection section.
Click Remove Microsoft 365 Connection.
When the confirmation message opens, click Confirm.

Note:

When your Microsoft 365 connection is removed, active phishing campaigns will send emails using Standard Email Protocol (SMTP). If the campaign was started using DMI, emails will still show as DMI Delivered on the campaign overview page.

If you re-enable DMI in the future, you will have to grant KnowBe4 access again. Follow the steps in the Connect DMI to Microsoft 365 section to re-enable DMI.

If you no longer have access to your KnowBe4 account and would like to disconnect DMI from your Microsoft 365 account, please contact support and we will be happy to help.

DMI Configuration Guide