What is Message Injection?
Message Injection is an API-based delivery method that places phishing simulation emails directly into user mailboxes using authorised Microsoft services, rather than routing them through external email infrastructure.
This approach is designed to:
Accurately measure user susceptibility to social engineering
Simulate internal, post-compromise attack scenarios
Generate cleaner, more reliable behavioural metrics
Importantly, message injection is intended to complement, rather than replace, traditional
email security controls, providing an additional layer of insight into human-layer risk.
How does Message Injection work?
Message Injection operates through an administrator-approved enterprise application registered in Microsoft Entra ID.
The integration uses Microsoft Graph Application Permissions, which operate at the tenant level and therefore require Global Administrator consent. The application is granted a specific set of Microsoft Graph permissions that allow it to programmatically place simulation emails directly into Microsoft 365 mailboxes.
All access:
Requires administrator consent
Is governed by Microsoft identity and access controls
Is fully logged and auditable
Can be revoked at any time
In simple terms, Message Injection uses secure, approved API access to place a simulated phishing email into a mailbox without relying on traditional external email delivery routes.
What Graph API permissions does it require?
The usecure Message Injection integration requests the Mail.ReadWrite Microsoft Graph permission.
This is a high-privilege Microsoft Graph Application Permission that enables an authorised application to manage mailbox content programmatically. For Message Injection, the permission is used solely to deliver simulated phishing emails.
When granted, this permission enables an application to:
Read existing messages within a mailbox
Create new draft messages
Insert messages into folders such as the Inbox
Modify message properties (for example, mark as read or unread)
Delete messages
Move messages between folders
For phishing simulation use cases, the primary capability required is the ability to programmatically create and place a message into a mailbox.
What are the Enterprise Application best practices?
Usecure operates phishing simulations through a dedicated, simulation-only app registration. Organisations should enable Unified Audit Logs within Microsoft 365, actively monitor application activity, and configure alerts to detect unusual message volume or anomalous behaviour.
From a governance perspective, the solution should operate through a dedicated,
simulation-only app registration, be supported by documented risk acceptance, and undergo periodic access reviews to ensure permissions remain appropriate and aligned with enterprise security standards.
Is Message Injection a security bypass?
Modern attackers frequently circumvent email filtering not by defeating the gateway directly, but by compromising accounts and operating from within the trusted environment.
Contemporary phishing campaigns increasingly rely on internal thread hijacking, Business Email Compromise (BEC), and OAuth token abuse to evade perimeter defences.
Injection-based simulations replicate these same tactics by modelling internal trust
exploitation, lateral phishing from compromised users, and executive impersonation
scenarios. Rather than weakening security, this approach tests resilience against a realistic and increasingly common threat model that perimeter filtering alone cannot prevent.
Why use Message Injection?
Traditional SMTP-based phishing simulations are designed to validate technical defences; they measure how effectively your email security stack (e.g., filtering, authentication enforcement, and anti-phishing policies) detects and blocks malicious messages. In other words, SMTP testing evaluates whether your preventive controls are functioning as intended.
Message injection, by contrast, is not meant to test filtering effectiveness; it deliberately isolates the human layer of risk by placing a message directly into the inbox and measuring how users interpret, trust, and act on it. This approach assesses decision-making, susceptibility, and reporting behaviour without interference from security tooling.
Mature security programs recognise that both layers must be evaluated independently to understand overall phishing risk.
Should I only use Message Injection?
Rather than message injection being a replacement for traditional phishing simulations, the most effective approach is a hybrid strategy that evaluates both technical and human risk layers.
Tier 1: SMTP-based phishing simulations
Tier 1 should consist of SMTP-based campaigns, which measure filtering effectiveness, validate SPF/DMARC enforcement, and test detection capabilities within tools such as Microsoft Defender for Office 365. This tier ensures that your preventative controls are functioning as designed.
Tier 2: Message Injection simulations
Tier 2 should leverage message injection within Microsoft 365 to measure human
susceptibility, simulate realistic post-compromise or internal phishing scenarios, and remove security artefact bias such as rewritten URLs or warning banners.
By separating technical control validation from behavioural risk measurement, organisations gain cleaner data across both domains. Most mature enterprises ultimately adopt this layered model because it provides a more comprehensive and defensible view of phishing risk.