web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Customer experience | Sales, Customer Insights,... / Creating triggers in D...
Customer experience | Sales, Customer Insights,...
Suggested Answer

Creating triggers in Dynamics 365 using trigger tracker

(1) ShareShare
ReportReport
Posted on by PM-15111454-0 2
I would like to understand the risk in using dynamics trigger which expose the ingestion key in popular CMS like Wordpress.
 
Ideally I would like to identify the leads using email address, however security wise I was told it was a bad idea since it is published at the front-end, isn't it similar to other marketing automation platform like Hubspot, Active Campaign.
 
Why doesn't marketing automation is simpler for trigger based on unique lead identifying in dynamics anybody else was able to use them in CMS like Wordpress.
 
Is the security highlight that Microsoft details valid:
 

Some integration of custom triggers can present security implications. The code snippet that is provided with the trigger contains an ingestion key that uniquely identifies the Customer Insights - Journeys instance. An attacker with access to the ingestion key could possibly send spurious triggers that can trigger unintended customer journeys. It's a good practice to:

  • Protect the ingestion key wherever possible.
  • Limit the use of attributes in custom triggers, especially when those attributes can be used to personalize content and act as potential attack vectors such as cross-site scripting.
Categories:
Dynamics 365 Customer Insights - Journeys
I have the same question (0)
  • Suggested answer
    Daniyal Khaleel Profile Picture
    Daniyal Khaleel 764 Most Valuable Professional on at
    Dynamics Customer Insights – Journeys custom triggers were originally designed for server-side systems, not for front-end CMS environments like WordPress, where code is visible to everyone.
    Why exposing the ingestion key in WordPress is a security risk
    The ingestion key in CI-Journeys is not just an “account identifier” like HubSpot’s portal ID.
    It is an authentication key that allows anyone who has it to POST events into your environment.
    If an attacker gets it (via View Source, browser DevTools, scraping the JS file, etc.) they could:
    Send fake triggers
    (e.g., “LeadSubmitted”, “FormCompleted”, “TrialStarted”)
    Flood your system with thousands of bogus entries
    → causing runaway journeys, emails, or SMS sends
    → damaging sender reputation, burning through Twilio credits, or creating compliance violations
    Inject harmful attribute values
    If your journey uses those attributes to personalize email/SMS, an attacker could insert:
    • Script tags
    • Spam links
    • HTML payloads
    (especially dangerous if any internal preview tool renders HTML)
    This is why Microsoft warns explicitly about attributes becoming attack vectors.
    The ingestion key is effectively a write permission to your CI–Journeys instance.
    That is different from HubSpot or ActiveCampaign.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Stars!

Congratulations to our 2025 Community Spotlights

Thanks to all of our 2025 Community Spotlight stars!

Congratulations to the February Top 10 Community Leaders

These are the community rock stars!

Leaderboard > Customer experience | Sales, Customer Insights, CRM

#1
ManoVerse Profile Picture

ManoVerse 180 Super User 2026 Season 1

#2
11manish Profile Picture

11manish 123

#3
CU11031447-0 Profile Picture

CU11031447-0 100

Last 30 days Overall leaderboard

Featured topics

Hide selecting Contact for potential customer when creating quote

Product updates

Dynamics 365 release plans