Technical Implementation Overview for Microsoft Exchange


This article gives you an overview of how to implement Hoxhunt for Outlook in Microsoft 365 and On-premise Exchange.

If you would like to learn more about how to implement Hoxhunt for Google Workspace, please refer to Technical Implementation Overview for Google Workspace.


Implementing Hoxhunt in M365 and On-premise Exchange 

1. Ensuring mail delivery

Reason for implementation

Ensuring that Hoxhunt phishing simulations can be delivered to end users' focused inboxes. Any mail filtering or phish detection should be allow/whitelisted to ensure uninterrupted email delivery. 

Mandatory for all Microsoft 365 and On-premise Exchange customers

Optional as relevant for Microsoft 365 and Exchange customers

In general Hoxhunt supports allowlisting through:

1. IPs

2. DKIM domain

3. Static email header

4.  Domains (Please note: Hoxhunt uses hundreds of domains to send simulations, so the maintenance of domain allowlisting can be quite resource intense for your team)


2. Allow/whitelisting proxies, VPNs, firewalls, and link scanners

Reason for implementation

Ensure nothing is blocking:

  • Hoxhunt pop-up from opening when user clicks Hoxhunt button
  • User from failing Hoxhunt simulations by clicking fail link in a training email
  • User from accessing Hoxhunt UI’s in the browser

Allow/whitelisting proxies, VPNs, firewalls and link scanners overview


3. Distributing / installing Hoxhunt button

Reason for implementation

Ensuring that all employees who should participate in the Hoxhunt phishing training have the Hoxhunt button integrated to their inbox across interfaces (Outlook on Desktop, Outlook on the Web, Outlook on Mobile)


Client requirements for using Hoxhunt

For M365, Hybrid and Mobile 

Centralized Deployment of Hoxhunt Outlook add-in

For On-premise Exchange 

Deploying Hoxhunt add-in via Exchange Admin Center


4. SSO configuration 

Reason for implementation

Allowing admins and end users can log into the Hoxhunt dashboards in the browser through SSO.

Read more here: Single sign-on (SSO) overview


If SSO is not implemented, Magic Links will be used instead.


5. SCIM (automated user provisioning) configuration

Reason for implementation

Allowing admins to manage users automatically through SCIM (System for Cross-domain Identity Management). 

User Management: Automatic user provisioning (SCIM) overview


If SCIM is not enabled, users can be managed through CSV List uploads in the Hoxhunt Admin Portal. Read more here: Admin Portal: User Management through User Import Tool or CSV Lists



If you have any questions about the implementation, please reach out to your Hoxhunt Onboarding Manager or support at 



Was this article helpful?

24 out of 26 found this helpful

Have more questions? Submit a request