Authorize recipient domains for phishing simulations
Use the Authorized domains pane to approve the email domains of your synced users with PhishingBox so simulations can be delivered to them.
Before Hook can send a phishing simulation to a user, the email domain that user receives mail on has to be authorized for delivery with the underlying PhishingBox delivery system. Hook detects those domains automatically from your synced directory and surfaces them in the Authorized domains pane on your Microsoft Entra connection. You use this pane whenever a new domain shows up as Pending review or Unauthorized — approving it certifies you own (or are authorized to use) the domain and unblocks the users who've been waiting on it.
Before you start
Prerequisites
- You're signed in to Hook as an org admin and have the right organization selected in the sidebar org switcher if you manage more than one.
- Your organization has an active Microsoft Entra directory connection with at least one group synced. If you haven't connected yet, see Sync users from Microsoft Entra.
- Your organization has PhishingBox credentials configured. Domain authorization is keyed to your PhishingBox account; if those credentials are missing, the Authorize button returns a configuration error and the pane can't approve anything. Your Hook contact provisions these for you.
Where the pane lives
Open Settings → Integrations (/org/settings/integrations), then click
your Microsoft Entra row in Synced directories to expand its workspace
pane. The Authorized domains pane sits on the right of the workspace,
beside the Groups / All users tabs. Its subtitle reads Recipient
domains detected from synced groups.
The summary strip at the top of the connection card includes an Authorized domains metric — that count only reflects domains in the Authorized state, so it's a quick read on how much of your directory is ready to receive sends.

Read the domain statuses
Each row in the pane shows a domain (rendered as @example.com), the number
of synced users on that domain, and a status badge. There are four statuses:
- Authorized (green) — the domain is approved with PhishingBox. Users on it are eligible to receive simulations. No action needed.
- Pending review (amber) — Hook has a ledger entry for the domain but you haven't approved it yet. Shows an Authorize domain button.
- Unauthorized (red) — the last authorization attempt failed, PhishingBox rejected the domain, or no authorization result has been recorded yet. Also shows an Authorize domain button. Once the retry cap is hit the button stays visible but is disabled (see below).
- Blocked (gray) — the domain is on Hook's permanent blocklist and can never be authorized. There's no button on these rows.
The pane footer tallies the counts across all four states, e.g. 12 authorized · 1 pending · 2 unauthorized · 3 blocked. Use the search box at the top of the pane to filter rows by domain name.
Why this matters
Users whose recipient domain isn't Authorized can't receive phishing simulations. They stay in a waiting state until the domain is approved. Pending and Unauthorized rows show a callout naming how many users are blocked — for example, 8 users waiting on authorization.
Authorize a domain
Click Authorize domain
Find the Pending review or Unauthorized row you want to approve and click its Authorize domain button. If you haven't already accepted the current terms for that domain, a terms-acknowledgement dialog opens. (Domains that were certified earlier — for example during the first-sync preview — skip the dialog and authorize directly unless the terms have changed.)
Certify the domain in the dialog
When the dialog appears, the Authorize recipient domains dialog lists the domain(s) you're about to approve and states:
By authorizing these domains, you certify that your organization owns or is authorized to use them, and you approve their use for delivering phishing simulations.
Read it, then click Authorize domains to confirm, or Cancel to back out. Hook records who accepted the terms, when, and from what IP address as an audit trail.
Only authorize domains you control
Authorizing a domain certifies your organization owns or is permitted to use it for simulated phishing. Don't approve a domain you don't have authority over.
Wait for the result
Hook calls PhishingBox to authorize the domain, then refreshes the pane.
- On success the row flips to Authorized, and Hook starts a sweep that makes the waiting users on that domain eligible for simulations. A toast confirms the outcome and names how many users are syncing — for example, @example.com authorized — syncing 8 users. If no users were waiting, the toast simply reads @example.com authorized.
- If PhishingBox rejects the domain (for example, an unsupported TLD or a domain on PhishingBox's own blocklist), the row moves to Unauthorized and a toast explains it couldn't be authorized. Any users that were waiting are moved to an "unauthorized" state.

Domains you can't authorize
Blocked domains
Consumer and disposable mail providers (Gmail, Outlook.com, Yahoo, Proton,
Mailinator, and similar) and Microsoft tenant defaults (anything ending in
.onmicrosoft.com, including B2B guest addresses) are on a permanent
blocklist. These render as Blocked with a subline that names the reason —
Consumer / disposable provider or Microsoft tenant recipient domain.
There's no Authorize button, and no amount of retrying will change the state.
Hook never sends simulations to blocked domains, so users whose only address
is on one of these can't be tested.
The retry cap
If you authorize an Unauthorized domain and PhishingBox rejects it again, each attempt is counted. After 3 failed attempts, the Authorize domain button is disabled and the callout reads something like 8 users blocked — 3 attempts failed. Contact support. At that point, reach out to Hook support rather than continuing to retry.
Common pitfalls
- Authorizing doesn't help blocked domains. If a chunk of your directory
is on consumer or
.onmicrosoft.comaddresses, those users can't be tested no matter what. They need a real, owned company domain to receive simulations. - "Another sync is in progress." If you click Authorize domain while a directory sync is already running on this connection, Hook asks you to try again once it finishes — only one sync runs per connection at a time.
- A transient PhishingBox hiccup leaves the row unchanged. If the authorization call hits a network or service error (as opposed to an outright rejection), the row's status doesn't change and the button stays enabled so you can simply try again.
- You don't have to wait for the workspace pane. New domains also surface during the first-sync preview, when Hook detects domains it hasn't seen before. You can authorize them right there as part of confirming the sync, using the same certification dialog.
Related
Sync users from Microsoft Entra
Connect Hook to Entra, pick groups, preview members, and confirm — the source of the domains this pane detects.
Manage directory connections
See, refresh, and troubleshoot the directory connections that feed your synced user list.
Safelist Hook sending domains and IPs
Make sure your mail gateway lets Hook's simulations through to authorized recipients.