NINJIO Platform FAQ

General FAQs

Emails are not deleting after I report with the XML based phish reporter button.

We recently pushed an update with the XML button whereby users were only seeing a pop-up when they reported an email without the email actually being processed. If you are observing the issue only occur on Outlook desktop, users may need to clear their cache by deleting all the files in this path:

%LOCALAPPDATA%\Microsoft\Office\16.0\Wef

How do I login?

Navigate to https://admin.goninjio.com/ to access your admin account. Your email is your username, please use the "forgot password" function on first access.

What does "Lured" mean within the reports?

"Lured" is a general term used to describe user engagement on the platform. When looking at the status of a campaign, this metric includes users who opened the email. In the phishing reports, you can alter the meaning of this metric by clicking the "Lured event types" drop down list and selecting  different forms of engagement. 

What does each lured event type mean? 

Email interaction - The user opened the email. Note: If you are on Outlook, you may need to download images for this to track. Attachment opened - The user downloaded the attachment on the email. Note: They may need to enable content within the document for this to track. Web page interaction - The user clicked the link within the email. Form interaction - The user submitted credentials on the landing page. QR interaction - The user has scanned a QR code on the email.  

Do I have to allowlist? 

Yes – allowlisting the IPs ensures training/phishing emails will be delivered. When sending out sample simulated phish campaigns, we will simply need to ensure that the approved domains are allowlisted alongside the IPs.   

Emails are going to junk.

If you're in M365, perform a message trace and see what sender IP is showing up for the email. If you're seeing the NINJIO IP, please confirm that you have created a Bypass Spam rule in M365. You can find instructions for this process in Part A of our allowlisting guide. If you are seeing a different IP (likely from an email gateway), please confirm that you have created an email connector rule within M365. You can find more information here. You may need to adjust any custom policies in your network to follow a similar process. If you have any questions, please email support@ninjio.com.  

Emails are going to Quarantine.

Please ensure that the platforms IP/domains have been added to the advanced delivery policy within M365 Defender (allowlisting guide). If you do not have the platform IP/domains or have any other questions, please email support@ninjio.com.  

Why Are my campaigns stuck in "scheduled"? 

Edit your campaign's schedule and confirm that the time range is large enough for emails to go out in a full batch. The Time end should not be the same as the Time begin.  If I choose to sign up as a client, may I customize my content release schedule? 

Yes – the PRO subscription allows for content release customization.   

Can I sync my users in my NINJIO portal using my Active directory?

Yes – NINJIO has the capability to integrate with the following platforms (you can click on the link next to the platform name to get more details on the integration process):  Azure AD - AZURE AD | NINJIO  Okta - Okta | NINJIO   

What is the difference between Pass/Fail vs Completed? 

An End user can officially complete a training just by viewing the content and taking the quiz.  Pass/Fail involves the scoring of the concluding True or False Quiz summarizing the teachable moments. The scoring is as follows:  1. If you answer the quiz correctly on the first try, you get 100% for 3 points  2. If you answer the quiz correctly on the second try, you get 75% for 2 points.  3. If you answer the quiz correctly on the third try, you get 50% for 1 point.   4. After the third try, no points will be awarded, but you still must answer the quiz correctly to receive your completion credit. 50% is still considered a Pass   

Why didn’t I get a certificate for my PCI training? 

The end users do not receive certificates of completion from PCI Trainings because those quizzes are not graded.    What subscription level of NINJIO do we need for uploading SCORM?   NINJIO PRO  

How do we configure SSL notes? 

Two CNAME records must be created.  The first record points to NINJIO.  The second record validates ownership of the domain.  NINJIO is on AWS which can publish a public certificate.  For more information, click here.   

Is the certificate coming from a public CA? 

Yes, we use AWS root certificate authority.   

Why are emails going into the Microsoft 365 quarantine?  Please ensure that the allowlisting process was followed.  

Is User management the same on the New NINJIO Platform?

The short answer is it is not the same. Here’s why:

- Unique Users- Users are managed differently on the New Platform. Unlike the DOJO platform, Users have unique IDs and profiles. They can exist within/without a group.

- Deprovisioning Users - Users are deleted using the trash can icon, their training history will be permanently deleted.

We recommend un-assigning users from the group if you need to disable them but also keep their training history intact for compliance reasons. You can also create an “Inactive group” to filter these users into if needed. If you’re using SCIM, when users are deprovisioned it will automatically orphan them from the SCIM group.

Hence these users will remain on the platform but group-less.

- Group Deletion – Deleting a group will only remove the group from the platform and not the users.   Are domains case sensitive on the New NINJIO Platform?

Yes, domains are case sensitive on the New Platform. Domains need to be matched for User Management to be successful. We recommend you provide the NINJIO support team with a list of domains that need to be authorized prior to the user provisioning process.  

What formats can I download campaign reports in? 

We can currently export reports to either .DOCX or .CSV format depending on which report you are downloading.  

Does NINJIO have any integration capabilities?  Yes! We offer different integrations within the NINJIO platform. For more information, click here. API integrations are coming soon!  

I am unable to launch content to certain email addresses. 

The NINJIO platform is programmed to only launch content to authorized email domains for security purposes. If you would like to update your restrict email list, please reach out to support@ninjio.com.    Emails will not show up in my inbox.  Make sure you follow our essential allowlisting guides prior to onboarding. Click here to see our most up-to-date list of IPs and domains.   

How does NINJIO deliver emails?  NINJIO uses dedicated SMTP servers on SendGrid and Mailgun. SendGrid and Mailgun do not share these IPs with anyone else. All IP addresses belong to the platform and can only be used by authorized users in the platform by way of credentials and IP allowlisting. Please have a look at  SendGrid’s dedicated IP documentation and Mailgun’s dedicated IP documentation for more information on our dedicated IPs. Further, companies are only authorized to send phishing/training emails to their own permitted domains that NINJIO authorizes on behalf of each client during the onboarding process.  

How to Add/Remove Target Users & Groups Manually

You can follow our instructions on how to add/remove users on the platform here.  

I'm getting an error when importing a user spreadsheet.

Errors may occur if the spreadsheet isn't formatted properly. Avoid using special characters like ï, ö, ß, é, ü, č, ć, ú, or ä. If you're still seeing errors, make sure the phone numbers column is blank then try again. If you're still having trouble, please reach out to support@ninjio.com.   

SCIM

The 5 Basic Troubleshooting Steps for SCIM Integration   

Is this a new SCIM integration? (Knowing this can reveal what the potential problems are) 

A. If yes, this could indicate there was something that went wrong with the initial setup. 

B. If not, then there is another underlying issue.   

Confirm the connection between their Active Directory (Azure) and the platform.  (Confirm provisioning service is running, test the bearer token is valid) 

A. If there is no connection, or the bearer token test fails: provide the SCIM token again, and make sure the tenant URL is correct. This is the same regardless of the tenant. (https://scim.goninjio.com/scim/v2)    Are the users assigned to the enterprise application? 

A. They MUST be assigned to the application before they are provisioned to the platform. It is best practice to assign a group (or groups) of non-nested users for automation. Users can also be assigned individually. Azure clients can use scoping filters to automate user assignment if groups are not available.  Are all the necessary fields entered for the users that are being provisioned to the platform? 

A. At least First, Last Name, and email address must be entered in the user’s account. 

B. If that info is not in the correct field, then it must be remapped to point to the correct field. 

C. Users must also be licensed/active in the IdP.   

Is the provisioning service turned on? 

In Azure: If it is not on, Provisioning > Edit Provisioning > Status: On. If it is on Stop and Restart the service.   

AWARE

How To Add/Remove Users & Groups?  

You can find instructions on adding/removing users here.  

Why can’t I add certain users to the platform?    

Admins are prohibited from adding users to the platform unless the domain has been allowlisted. Make sure the user's email address has an authorized domain.  

Why is my training link not working? 

If you’re experiencing any issues with your training link, we encourage you to try these basic troubleshooting steps: 

1. Clear your web browser's cache 

2. Troubleshoot on another web browser/device 

3. Confirm that you have an active network connection 

4. Restart your device

5. Confirm that your browser is up-to-date If you have followed these steps and the issue persists, please get in touch with support@ninjio.com for further assistance.   

How to download/schedule reports in Dashboard? 

You can configure a scheduled report by going to Reporting & Insights > Training Reporting > Reports Article.  You can find a step by step guide here.  

How does our gamification work? 

Our point system is based on how quickly users engage in the training and how well they do on the exam. Here is a breakdown of our points system:  Engagement Breakdown:  View course within 24 hours= 2 points   View course within 72 hours= 1 point   View course after 72 hours= 0 points   Exam Breakdown:  Complete quiz within the 1st attempt with 100%= 3 points   Complete quiz within the 2nd attempt with 75%= 2 points   Complete quiz within the 3rd attempt with 50%= 1 points   Any attempt after will result in 0 points and a “Failed” course.    

Why are users showing up in the reports even after they have been removed from the target group?

The Dashboard reflects the all-time training history for users who have existed in the tenant. To remove a user’s history permanently, you will need to delete them from the Users submodule by going to Users & Groups > Users. Here is an article to show how this is performed.  

PHISH3D

How do I Launch a phishing campaign? Launching a phishing campaign is really simple! The video below will walk you through the process of administering the phishing simulator on the New NINJIO Platform.

 How do I launch remedial training to users who failed a phishing simulation?

7. Now you can go to Campaign Management - Training to launch the training. 8. Follow our instructions on launching training to the users but this time you'll need to select Dynamic Groups to find the new group you created.  

Why are my emails going to junk? Confirm you’ve completed the allowlisting process. Here are some more extra steps that you can take to help prevent false positives: Verify the user's Outlook Junk Email Filter settings: - Verify the Outlook Junk Email Filter is disabled: When the Outlook Junk Email Filter is set to the default value No automatic filtering, Outlook doesn’t attempt to classify messages as spam. When it’s set to Low or High, the Outlook Junk Email Filter uses its own SmartScreen filter technology to identify and move spam to the Junk Email folder, which may result in false positives. Note that Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook in November of 2016. The existing SmartScreen spam definitions were left in place, but their effectiveness will likely degrade over time. - Verify the Outlook ‘Safe Lists Only’ setting is disabled: When this setting is enabled, only messages from senders in the user’s Safe Senders list or Safe Recipients list are delivered to the Inbox; email from everyone else is automatically moved to the Junk Email folder. - Use the available safe sender lists: For information, click here. - Verify that users are within the sending and receiving limits as described here. For more details on configuring anti-spam policies in Microsoft 365/Exchange, click Receiving and sending limits in the Exchange Online service description.  

What security does NINJIO use for SMTP servers?

We use MailGun as our SMTP server solution.  

How often should I launch a campaign?

The industry standard is once a month, although you can launch them at your convenience.  

How do I target repeat offenders?

You can create dynamic groups to target users who failed a simulation.  

What if the user claims they didn’t click? We encourage admins to run a regulated test in real-time with the user. Try and simulate the same environment as much as possible to observe the reports' behavior.  

Why are the simulated phishing emails going to junk? 

Simulated phishing emails will go to junk if the IPs aren't allowlisted properly.

If you have an email gateway like Barracuda or Proofpoint, the IPs in the email header might be rewritten by the gateways.

Check the header of the email going to junk and see if the sender IP is one of the NINJIO IPs.

How frequently should I run campaigns? 

It is common for clients to run campaigns once a month or quarterly at least.   

Do phishing campaigns store/collect passwords? 

NINJIO does not collect sensitive data like passwords or documents as part of the phishing campaigns.    

I want something specific that is not in your template library. 

We are always open to suggestions! Send your feedback to support@ninjio.com and we will do our best to incorporate your ideas into our templates!   

If a user responds to a phish email, where does it go?  The response will be sent to the from address of the email template.  

My phish campaigns will not launch. 

Please confirm that the end user’s email address is not from outside the organization. Reach out to support@ninjio.com so we can authenticate the domains before launching campaigns to them.   

Why are there false positives? 

The New NINJIO Platform utilizes an Udger database system that filters out known IPs and agents from the reports. If you still believe that the false positives are legitimate, please confirm that the sender IPs and domains have been allowlisted on all security layers within your organization. This includes email gateways like Barracuda, Mimecast, Proofpoint, etc. If emails are not allowlisted properly, false positives may occur after a user reports a simulated phishing email. We also encourage you to run a test campaign to see if you receive any false positives. If you have any questions, please reach out to support@ninjio.com.   

Can the phish reporter button deploy to a shared inbox? 

No, the PHISH Alert button is not currently compatible with Shared mailboxes. The new NINJIO platform uses the button to notate which users reported a simulated phishing email.  

DKIM

The new NINJIO platform features a more robust security policy. This includes requiring DKIM signatures for any platform emails sent using your domain as the mail sender. DKIM prevents spoofing of your domain from the platform and tells your mail server that platform mail server is allowed to send messages from your domain. The authentication happens behind the scenes, between receiving mail servers and your public DNS records. To enable DKIM for your domain, please refer to your document for the CNAME records to publish on your DNS. Once you have published these records, please let us know so that we can validate and finalize the DKIM authentication. If you no longer wish to use your domain as the sender, or you have any questions related to DKIM, please reach out to support@ninjio.com. We will gladly reset your portal to our default mail sender no-reply@goninjio.com.  

How do I launch remedial training?

There are two ways to enroll failed users into remedial training. The first, and easiest way to enroll users into remedial training is by selecting an episode during the campaign creation process. When you reach the "Teachable Template" step of the campaign creation process, select the episode you would like the failed user to be redirected to. We generally recommend a NINJIO SENSE episode with the corresponding emotion. If you are launching a simulation and not a smart campaign, you'll need to remove the silent page from the simulation workflow. With this, users who fail the simulation will be redirected to the episode immediately after they fail. While this method is not recommended, it is the simplest way to enroll users into remedial training. The second way involves the creation of a dynamic group. You can find our instructions on launching via dynamic group here: https://demo.ninjio.com/share/wuaufdgom2df If you'd like users to be enrolled automatically after the campaign is created, You'll need to follow the steps below:

1. Create your PHISH3D campaign.

2. Create a dynamic group and select your PHISH3D campaign. And save your changes. You should not see any users in your new dynamic group.

3. After you created your dynamic group, go ahead and create a smart training campaign, select your episode of choice, select yourself yourself (the admin), and proceed with the campaign creation.

4. Once the campaign is created, edit your training simulation and change the users from the admin to the new dynamic group that was just created. You might want to change the body of the training to have the users know they were enrolled into this training for failing a phish campaign. 5. Launch the training.

6. Failed users will now receive training emails from the auto-enrollment process. If you have any questions, please reach out to support@ninjio.com.