All Collections
Message Injection
How to set up Message Injection in Microsoft 365
How to set up Message Injection in Microsoft 365
Deliver simulation emails seamlessly to mailboxes in Microsoft 365.
Courtney Leacock avatar
Written by Courtney Leacock
Updated over a week ago

Message Injection allows you to bypass regular email delivery and put emails directly into your users' mailboxes, increasing the delivery success rate and removing the requirement for allow-listing.

Here's how to configure Message Injection in Microsoft 365.


Go to Settings > uPhish > Message Injection

Scroll down to Microsoft 365 and click Sign in with Microsoft to start the authorisation process.

After you have logged into the chosen Microsoft Account, a screen to authorise the Message Injection integration will appear. Please click Accept.

NOTE: This will grant the platform permission to insert emails into the mailbox of any user on the authorised Microsoft 365 tenant. We only use this permission to deliver simulated phishing emails, no other communications will be sent via this integration.

Once accepted, you should see the authentication completion page below. You can now close this tab and Message Injection will be available as a delivery method in your uPhish campaigns. You should use the test message injection feature to confirm that it works as expected.

Authorisation Requirements

Authorising the Microsoft Message Injection integration uses Application Permissions authentication. This requires an account that can grant tenant-wide admin consent for an AD Enterprise Application. This combined with the MS Graph API permissions required by the integration mean that an account with the Global Administrator role is needed.

Advanced Options

You can re-authorise the Message Injection using the Sign In with Microsoft button on the Message Injection settings page. This is useful if message injection emails are failing due to authentication issues.

You can use the Revoke Authentication option if you wish to disable Message Injection. This deletes any authentication credentials we hold for the authorised Microsoft 365 tenant.

Did this answer your question?