In this article, you will learn how to use the Microsoft 365 Attack simulation training tool effectively. By the end of this post, you will know how to launch simulated attacks in your tenant, analyze the results, and take preventive measures. By doing so, you will harden the security of your environment in the long run.

The attack simulation tool mimics real-world phishing and other malicious attacks. It enables you to send emails to your users to ascertain who is vulnerable. The users can then be educated about these attacks via targeted training courses. Training all your end users to identify and report malicious or phishing emails is a sort of utopia imagined by many.

Prerequisites ^

The following permissions are required in the Security & Compliance Center or in Azure Active Directory:

  • You should be a member of Organization Management, a Security Administrator, or have either the Attack Simulator Administrators role or the Attack Simulator Payload Authors role.
  • Your tenant must have a Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 license. You also need at least one E5 license assigned to at least one active user so that the email report generated after a simulation attack is visible.

The different techniques used in Attack simulation training ^

The Attack simulation training tool can be accessed from the new Security portal in Microsoft 365. The Attack simulator is the predecessor of the Attack simulation training. This version is now obsolete and cannot be used to run any new simulations.

Microsoft has provided five different techniques through which you can check the vulnerability of your users. Every technique has its own set of payloads. These attack techniques are based on the MITRE ATT&CK model.

The available techniques are listed below:

Credential Harvest: One of the most common methods used by fraudsters is to send emails to users enticing them to click on a link, which would lead them to a malicious site. There, the user enters their credentials and falls prey to this credentials harvesting attack. Microsoft 365 accounts are frequently targeted, as they provide fraudsters with a legitimate source to then send more malicious emails.

Malware Attachment: In this technique, you can email with an attachment and expect the user to click it. It would then install malware on the user's device and help the attacker to steal information. PDFs, Word files, other documents, etc. may be used for such an attack. Refer to this link for a detailed description and real-world examples of such attacks.

Link in Attachment: This is a combination of the credentials harvest and malware attachment techniques. The attacker will end an email with an attachment, which in turn will contain the URL to a malicious site or execute malignant code.

Drive-by-URL: Here, the attacker inserts a URL in the email. The URL would lead to a site where it might run some code to install hostile software on the user’s devices. The trick used is to clone a well-known site and gain the user's trust.

An admin can select one of the five techniques for simulated attack training. These are the most commonly used traps in real world attacks.

An admin can select one of the five techniques for simulated attack training. These are the most commonly used traps in real world attacks.

So, as seen here, you can choose the type of attack depending on your requirements. These are the commonly used techniques to lure users into sharing credentials or to surreptitiously install malware on machines.

Payloads ^

Payloads are the content of the attack. This term has been borrowed from the aviation sector, where missiles carried by a fighter aircraft are termed "payloads." The simulation attack training techniques described in the previous section would contain items such as attachments and links that would perform the actions—these are the payloads.

Every attack technique has a set of templates. For example, the Credential Harvest technique has the following payloads:

2 Failed Messages—Here, the user is asked to click on a URL to check for two emails that weren't delivered to the mailbox. The user must enter the account credentials.

Black Friday Offer—This will have a link to some 'too good to be true' offers for a sale.

American Express Password reset and phone number verification—Again, users are lured into sharing their credentials to change their bank passwords or to verify phone numbers.

Likewise, there are many other payloads for you to choose from and explore for each technique.

Microsoft provides several types of payloads for each technique. Here you are looking at the ones available for a Credential Harvest attack.

Microsoft provides several types of payloads for each technique. Here you are looking at the ones available for a Credential Harvest attack.

If you select the "2 Failed Messages" template, the targeted users will receive an email, as shown below:

The 2 Failed Messages payload. The user is prompted to check the emails by entering their credentials after clicking the hyperlink.

The 2 Failed Messages payload. The user is prompted to check the emails by entering their credentials after clicking the hyperlink.

Selecting the other techniques, such as "Malware Attachment," would result in a different set of payloads, such as a fax file attachment or sales order data, among others.

As an administrator, you would use the data to gain insight into the types of attacks your tenant is subjected to. You can obtain this information from the Microsoft Threat Protection status report. You must decide the attack simulation training scenario based on your tenant's vulnerabilities and the latest global trends in the security domain.

Microsoft continually updates payloads based on the latest attacks found around the world. An example is the "Coronavirus Stimulus"; however, there are many such payloads.

Here the users are lured to open the attachment and click a URL to share credentials

Here the users are lured to open the attachment and click a URL to share credentials

User training ^

Invariably, you will encounter a situation in which several users fall prey to the traps in such simulated attacks. This is where you can introduce related training courses for those users. Microsoft helps you here by assigning the relevant courses to those users; however, you can also choose the courses to be assigned. Users will also receive reminders to complete the training course, if you want.

Microsoft provides several types of payloads for each technique. Here you are looking at the ones available for a Credential Harvest attack. 1

Microsoft provides several types of payloads for each technique. Here you are looking at the ones available for a Credential Harvest attack. 1

Scope of the simulated attack ^

This will be important in certain scenarios. If you want to run simulation training on specific users, groups, or departments in your organization, you can do so. Also, you can target users who have repeatedly failed simulation tests in the past. You can strengthen the behavior of your users in phases by targeting a set of users and then moving ahead accordingly.

Scheduling the simulation ^

Attack simulation training can be launched immediately or can even be scheduled. It is better to plan the simulations well in advance and then schedule them for specific groups on certain dates.

Here an attack has been scheduled

Here an attack has been scheduled

If your user base is in different time zones, you can utilize the Enable region aware timezone delivery setting so that the simulations are started for the users according to their time zones.

You may refer to this link for more information.

Customized payload creation ^

An interesting feature is the ability to create your own payloads. In the Payloads tab, you can create different types of payloads and classify them under the available attack techniques. Let's create one and see how it behaves.

Access the Payloads section and start the creation process.

New payloads can be created by clicking this option

New payloads can be created by clicking this option

Select the type of payload. We will select Email for this demo.

New payloads can be created by clicking this option 1

New payloads can be created by clicking this option 1

On the next page, you can select one of the attack techniques. We will go with Credential Harvest.

After that, name the payload and write a brief description.

Give the payload a related name and description

Give the payload a related name and description

On the following page, configure the payload. For this demo, we will pose as Microsoft and elicit the user to share their credentials. There are several templates and options here to choose from.

Here you configure the various settings of the payload

Here you configure the various settings of the payload

On the same page, enter the email content and name the link.

You can enter any content in this box. It also includes the hyperlink in this example.

You can enter any content in this box. It also includes the hyperlink in this example.

The final task is to create indicators for your users. Here, you will create warnings and easy-to-detect indicators that will help them to identify such emails in the future. You can highlight some clear red flags, such as spelling or grammar mistakes, lack of company branding, spoofing famous brands, hyperlinks, and others.

Customized payloads would prove handy when you wanted to cover attacks in different languages. You can create those payloads and enter the text in the language of your choice. The FAQs released by Microsoft cover most of the questions around this.

The Automations tab conundrum ^

This is where you get that rough-around-the-edges feeling about this feature. You will notice an automation there by default called Payload Harvesting#1. It's turned off by default. There's not much documentation available on it. In all probability, this automation checks for new types of payloads that Microsoft 365 tenants may encounter globally and then makes those payloads available in your tenant.

The default automation called Payload Harvesting1

The default automation called Payload Harvesting1

Even when you try to create a new automation, the conditions to trigger the automation are provided; however, there aren't any actions associated with them. This may be simply to collect information about payloads in your tenant on the basis of the conditions set. It's not clear at present.

 

An example of conditional automation and the options available there

An example of conditional automation and the options available there

Attack simulation settings ^

This helps you determine the behavior for those users who repeatedly fail the attack simulation training.

The attack simulation training settings are configured here

The attack simulation training settings are configured here

End users failing these tests would have to complete a certain set of trainings. You can also send them automatic reminders via the settings here.

Simulation reports ^

This tab will give you a bird's-eye view of the attack simulation trainings in your tenant. You can view details such as the percentage of users who participated in simulation training, those who completed the training courses, repeat offenders, and all the simulations that have been run in the tenant.

An overview of the attack simulation training activities in the tenant

An overview of the attack simulation training activities in the tenant

Conclusion ^

Admins must utilize attack simulation training with their users. In this day and age, where data security has assumed paramount importance, such training exercises are indispensable.

Subscribe to 4sysops newsletter!

Microsoft should improve the documentation for automations so that admins can clearly understand their purpose and use them efficiently. According to a community forum, this is being looked at by the Microsoft Product Group.

+3
10 Comments
  1. Animesh Banerjee 4 months ago

    Very detailed and descriptive. Nicely documented Vignesh. You bring more insights with each and every blog. 

    +2
    avatar
  2. Amish Kumar 3 months ago

    Nicely described. Is there any new document for payload harvesting?

    0

  3. Viraj Virahsawmy 3 months ago

    Hi Vignesh,

     

    Found your article as I have just received the email below

    "Our server has detected some errors delivering 2 new messages to your inbox due to the synchronization delay.

    Click on View Returned Messages below to retrieve these messages."

     

    Is this a simulation attacked test?

    Regards,

    Viraj

    0

  4. Author

    Hi Viraj,

    There is a possibility of these message being phishing emails. However, to confirm you must analyze the message headers. Check for the "From" and "Return to" addresses. If they are different then its a malicious email. 

    Did the email pass the SPF check? After investigating these aspects you can determine if its a legitimate email or not.

    0

  5. Author

    You must also check the IP used to send the email. Is that IP blacklisted anywhere. This can be checked on https://talosintelligence.com/.

    In the message headers check the IP address reputation of the server from where the email originated. Sometimes, the sender IP listed in the email may be misleading as the attackers generally relay emails from servers with a good reputation.

    0

  6. Rashid 4 weeks ago

    Hi Vignesh,

    Highly useful article, it really helps.

    Would you know WHEN will users receive the email for training?
    Is it after they failed the simulation (i.e. after they clicked the phishing link) OR after the entire simulation has ended? Wondering if we can assign ad-hoc training to users?

    Regards,

    Rashid

    0

  7. Euro 2 weeks ago

    what's the difference between the tenant having the E5 license and a user having it in terms of this functionality?

    0

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account