Dynamics Community Forum Thread Details

Creating triggers in Dynamics 365 using trigger tracker

I would like to understand the risk in using dynamics trigger which expose the ingestion key in popular CMS like Wordpress.

Ideally I would like to identify the leads using email address, however security wise I was told it was a bad idea since it is published at the front-end, isn't it similar to other marketing automation platform like Hubspot, Active Campaign.

Why doesn't marketing automation is simpler for trigger based on unique lead identifying in dynamics anybody else was able to use them in CMS like Wordpress.

Is the security highlight that Microsoft details valid:

Some integration of custom triggers can present security implications. The code snippet that is provided with the trigger contains an ingestion key that uniquely identifies the Customer Insights - Journeys instance. An attacker with access to the ingestion key could possibly send spurious triggers that can trigger unintended customer journeys. It's a good practice to:

Protect the ingestion key wherever possible.
Limit the use of attributes in custom triggers, especially when those attributes can be used to personalize content and act as potential attack vectors such as cross-site scripting.

Categories:

Dynamics 365 Customer Insights - Journeys

Dynamics Customer Insights – Journeys custom triggers were originally designed for server-side systems, not for front-end CMS environments like WordPress, where code is visible to everyone.

Why exposing the ingestion key in WordPress is a security risk
The ingestion key in CI-Journeys is not just an “account identifier” like HubSpot’s portal ID.
It is an authentication key that allows anyone who has it to POST events into your environment.
If an attacker gets it (via View Source, browser DevTools, scraping the JS file, etc.) they could:
Send fake triggers
(e.g., “LeadSubmitted”, “FormCompleted”, “TrialStarted”)
Flood your system with thousands of bogus entries
→ causing runaway journeys, emails, or SMS sends
→ damaging sender reputation, burning through Twilio credits, or creating compliance violations
Inject harmful attribute values
If your journey uses those attributes to personalize email/SMS, an attacker could insert:

Script tags
Spam links
HTML payloads

(especially dangerous if any internal preview tool renders HTML)
This is why Microsoft warns explicitly about attributes becoming attack vectors.
The ingestion key is effectively a write permission to your CI–Journeys instance.
That is different from HubSpot or ActiveCampaign.

Quick Links