This article will explain how to configure Google Instant Sync and Gmail Active Delivery. This will allow you to synchronise your users to the platform and enable direct delivery to your users' Gmail mailboxes. Google Instant Sync is our latest synchronisation tool, recommended for syncing from the Google directory. Configuring Google Active Delivery will allow our simulated phishing emails to bypass most Gmail scanning and classification.
- Part 1 - Enabling the Admin SDK (required for Google Instant Sync) and Gmail API (required for Gmail Active Delivery)
- Part 2 - Creating a service account (required for Google synchronisation and Delivery)
- Part 3 - Authorising the service account's client ID (required for Google Instant Sync and Gmail Active Delivery)
- Part 4 - Upload the JSON file to the Phishing Tackle platform (required for Google Instant Sync and Gmail Active Delivery)
- Part 5 - Add the domain wide delegation user (required for Google Instant Sync)
Part 1 - Enabling the Admin SDK and Gmail API (required for Google Instant Sync and Gmail Active Delivery)
Note: You'll need access to the Google API console to complete this step.
To enable the Admin SDK and Gmail API from the Google API console:
- Log onto the Google API Console at https://console.developers.google.com.
- Create a project with the name "Instant Sync And Delivery". You can click here to create a new Google Cloud Console project. For Google's technical documentation and further details, you can visit the Creating a Project page.
- Once the project is created, select it using the drop-down button at the top of the Google Cloud Console.
- Next open the side menu by clicking the three horizontal lines in the above image and select APIs & Services | Enabled APIs and services (Steps 1 & 2) in the below image. NOTE: This page may already be displayed.
- When the Dashboard opens, click 'ENABLE APIS AND SERVICES' as per the below image.
- Enable the API for the service you would like to use.
To configure Google Instant Sync, you must enable Admin SDK API.
- On the Welcome to the API Library page, search for "Admin SDK API".
- Select the "Admin SDK API" tile and click "Enable".
To configure Gmail Active Delivery, you must enable Gmail API.
- On the Welcome to the API Library page, search for "Gmail API".
- Select the "Gmail API" tile and click Enable.
Please ensure you have the correct settings enabled for the service you are trying to use.
- Admin SDK API - Is required if you want to use Google Instant Sync.
- Gmail API - Is required if you want to use Gmail Active Delivery.
Part 2 - Creating a service account (required for Google Instant Sync and Delivery)
Note: You will need admin access to the Google API console to complete this step.
To create a Service Account from the Google API Console:
- Log on to the Google API Console at https://console.cloud.google.com and select the Instant Sync And Delivery project from the list at the top.
- Open the side menu by clicking the three horizontal bars at the top left and select IAM & Admin | Service Accounts.
- Click 'CREATE SERVICE ACCOUNT' which can be found at the top of the page.
- On the Create service account page enter the following details (the Service account ID will populate automatically once you start typing the Service account name) and click CREATE.
- When the Select a role option is shown, select Service Accounts | Service Account User as per the following image:
- Select DONE.
- On the Service accounts for the 'Instant Sync And Delivery' project page, select the vertical ellipsis on the far-right side of the new Service Account you just created and choose 'Manage Keys'.
- On the Keys page select 'ADD KEY' and then 'Create new key' from the drop-down menu:
- Select the JSON radio button and click 'CREATE'.
- After the key is created, you will be prompted to save the JSON file. Please ensure this is saved to a secure location, as you will need this file to upload to your Phishing Tackle account.
- Once the key is saved, you should see the following message. Click 'Close'.
- Click DETAILS from the list of tabs under the name of your Service Account.
- On the Service account details page, click the "SHOW ADVANCED SETTINGS" link, which should then expand.
- You should now see a value in the Client ID box. Make a note of this Client ID as you will need it for the next part of this article.
Part 3 - Authorising the Service Account's Client ID (required for Google Instant Sync and Gmail Active Delivery)
You will be required to perform Google Workspace domain-wide delegation of authority. You can refer to the Google Workspace Domain Wide Delegation documentation if you require further clarity on this subject.
To authorise the service account's client ID from the Google API Console:
- Log on to the Google Admin Console at https://admin.google.com/.
- Click on the menu item "Show More".
- Click on the menu item "Security" > click "Overview".
- Click the 'API controls' menu (you may need to scroll down the page to find it).
- On the API controls page, select 'MANAGE DOMAIN WIDE DELEGATION' (you may need to scroll down the page to find it).
- On the Domain-wide Delegation page click the Add New button.
- Enter the Client ID from Part 2 - Stage 14.
- Enter the OAuth Scopes for the service you would like to configure.
- The following OAuth Scopes (permissions) for Google Synchronisation and Google Active Delivery can be added to the same API Client if you intend to use both. We will also explain what to do if you decide to use only Google Synchronisation or only Delivery, not both. All three methods are explained below.
- For Google Synchronisation and Google Active Delivery you can create a single API client with all required OAuth scopes. Please ensure your OAuth scopes are the same as the box below:
Client ID: Enter the value from Part 2, Step 14 above.
OAuth Scopes (comma-delimited):
https://www.googleapis.com/auth/gmail.insert
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
- If you decide to configure only Google Active Delivery, please ensure your OAuth scopes are the same as the box below.
Client ID: Enter the value from Part 2, Step 14 above.
OAuth Scopes (comma-delimited):
https://www.googleapis.com/auth/gmail.insert
- If you decide to configure only Google Instant Sync, please ensure your OAuth scopes are the same as the box below.
Client ID: Enter the value from Part 2, Step 14 above.
OAuth Scopes (comma-delimited):
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
- Click Authorise.
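As an added example (not Phishing Tackle's or Google's code), the following Python check reads the Client ID from the service account key file and compares the scopes entered on the Domain-wide Delegation page with the set this article lists for the chosen service, so that missing or unnecessary grants are visible before you click Authorise. The mode names (`delivery`, `sync`, `both`) and the sample key contents are constructed for illustration.

```python
import json

# Scope sets exactly as listed in Part 3 of this article.
DELIVERY = ["https://www.googleapis.com/auth/gmail.insert"]
SYNC = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
]
REQUIRED = {"delivery": DELIVERY, "sync": SYNC, "both": DELIVERY + SYNC}


def parse_scopes(text):
    """Split a pasted scope field on commas, spaces and newlines."""
    return text.replace(",", " ").split()


def check_delegation(key_json, entered_scopes, mode):
    """Return the Client ID, the scope field to paste, and any scope drift."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    required = REQUIRED[mode]
    entered = parse_scopes(entered_scopes)
    return {
        "client_id": key["client_id"],
        "scope_field": ",".join(required),
        # Required by the chosen service but not entered: the integration will fail.
        "missing": [s for s in required if s not in entered],
        # Entered but not required: access the service account does not need.
        "extra": [s for s in entered if s not in required],
    }


# Constructed sample key: real key files also contain private_key and other fields.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "000000000000000000000",
    "client_email": "instant-sync@example-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    # Delivery-only setup where a directory scope was pasted by mistake.
    pasted = DELIVERY[0] + ",\n" + SYNC[0]
    report = check_delegation(SAMPLE_KEY, pasted, "delivery")
    for field, value in report.items():
        print(f"{field}: {value}")
```
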
Part 4 - Upload the JSON to the Phishing Tackle platform. (Required for Google Instant Sync and Gmail Active Delivery)
- Log on to the Phishing Tackle Platform at https://uk.phishingtackle.com.
- Under 'Setup' in the left-hand column, navigate to Organization > Settings > Integrations and click + 'ADD INTEGRATION'.
- From the dropdown menu, select 'Google Instant Sync'.
- In the Add Google Instant Sync Integration window, click BROWSE and select the JSON file saved during Service Account creation in Part 2 - Creating a Service Account, then hit 'SAVE'.
- You will now see your Google Instant Sync integration. Once this step is completed, Google Gmail Active Delivery has been configured. You should now be able to use Gmail Active Delivery to send simulated phishing campaigns. If you would also like to synchronise your recipients to Phishing Tackle, please complete Part 5.
Part 5 - Add a domain wide delegation user. (Required for Google Instant Sync)
- In the left-hand column navigate to SETUP > Organisation > Settings > Integrations.
- For your previously created Google Instant Sync, click on the drop-down arrow and then click edit.
- Specify the Domain Wide Delegation User (this must be the email address of the admin that created the JSON file).
- Click 'Save'.
Please let us know if you require any further assistance. You can contact our support team by clicking here or by sending an email to support@phishingtackle.com.