The attack simulation tool mimics real-world phishing and other malicious attacks. It enables you to send emails to your users to ascertain who is vulnerable. The users can then be educated about these attacks via targeted training courses. Training all your end users to identify and report malicious or phishing emails is a sort of utopia imagined by many.
The following permissions are required in the Security & Compliance Center or in Azure Active Directory:
- You should be a member of Organization Management, a Security Administrator, or have either the Attack Simulator Administrators role or the Attack Simulator Payload Authors role.
- Your tenant must have a Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 license. You also need at least one E5 license assigned to at least one active user so that the email report generated after a simulation attack is visible.
The different techniques used in Attack simulation training
The Attack simulation training tool can be accessed from the new Security portal in Microsoft 365. The Attack simulator is the predecessor of the Attack simulation training. This version is now obsolete and cannot be used to run any new simulations.
Microsoft has provided five different techniques through which you can check the vulnerability of your users. Every technique has its own set of payloads. These attack techniques are based on the MITRE ATT&CK model.
The available techniques are listed below:
Credential Harvest: One of the most common methods used by fraudsters is to send emails to users enticing them to click on a link, which would lead them to a malicious site. There, the user enters their credentials and falls prey to this credentials harvesting attack. Microsoft 365 accounts are frequently targeted, as they provide fraudsters with a legitimate source to then send more malicious emails.
Malware Attachment: In this technique, you send an email with an attachment and expect the user to open it. Opening it would install malware on the user's device and help the attacker steal information. PDFs, Word files, and other documents may be used for such an attack. Refer to this link for a detailed description and real-world examples of such attacks.
Link in Attachment: This is a combination of the credential harvest and malware attachment techniques. The attacker sends an email with an attachment, which in turn contains the URL to a malicious site or executes malicious code.
Drive-by-URL: Here, the attacker inserts a URL in the email. The URL would lead to a site where it might run some code to install hostile software on the user’s devices. The trick used is to clone a well-known site and gain the user's trust.
So, as seen here, you can choose the type of attack depending on your requirements. These are the commonly used techniques to lure users into sharing credentials or to surreptitiously install malware on machines.
Payloads are the content of the attack. This term has been borrowed from the aviation sector, where missiles carried by a fighter aircraft are termed "payloads." The simulation attack training techniques described in the previous section would contain items such as attachments and links that would perform the actions—these are the payloads.
Every attack technique has a set of templates. For example, the Credential Harvest technique has the following payloads:
2 Failed Messages—Here, the user is asked to click on a URL to check for two emails that weren't delivered to the mailbox. The user must enter the account credentials.
Black Friday Offer—This will have a link to some 'too good to be true' offers for a sale.
American Express Password reset and phone number verification—Again, users are lured into sharing their credentials to change their bank passwords or to verify phone numbers.
Likewise, there are many other payloads for you to choose from and explore for each technique.
If you select the "2 Failed Messages" template, the targeted users will receive an email, as shown below:
Selecting the other techniques, such as "Malware Attachment," would result in a different set of payloads, such as a fax file attachment or sales order data, among others.
As an administrator, you would use the data to gain insight into the types of attacks your tenant is subjected to. You can obtain this information from the Microsoft Threat Protection status report. You must decide the attack simulation training scenario based on your tenant's vulnerabilities and the latest global trends in the security domain.
Microsoft continually updates payloads based on the latest attacks found around the world. An example is the "Coronavirus Stimulus"; however, there are many such payloads.
Invariably, you will encounter a situation in which several users fall prey to the traps in such simulated attacks. This is where you can introduce related training courses for those users. Microsoft helps you here by assigning the relevant courses to those users; however, you can also choose the courses to be assigned. Users will also receive reminders to complete the training course, if you want.
Scope of the simulated attack
This will be important in certain scenarios. If you want to run simulation training on specific users, groups, or departments in your organization, you can do so. Also, you can target users who have repeatedly failed simulation tests in the past. You can strengthen the behavior of your users in phases by targeting a set of users and then moving ahead accordingly.
Scheduling the simulation
Attack simulation training can be launched immediately or can even be scheduled. It is better to plan the simulations well in advance and then schedule them for specific groups on certain dates.
If your user base is in different time zones, you can utilize the Enable region aware timezone delivery setting so that the simulations are started for the users according to their time zones.
You may refer to this link for more information.
Customized payload creation
An interesting feature is the ability to create your own payloads. In the Payloads tab, you can create different types of payloads and classify them under the available attack techniques. Let's create one and see how it behaves.
Access the Payloads section and start the creation process.
Select the type of payload. We will select Email for this demo.
On the next page, you can select one of the attack techniques. We will go with Credential Harvest.
After that, name the payload and write a brief description.
On the following page, configure the payload. For this demo, we will pose as Microsoft and elicit the user to share their credentials. There are several templates and options here to choose from.
On the same page, enter the email content and name the link.
The final task is to create indicators for your users. Here, you will create warnings and easy-to-detect indicators that will help them to identify such emails in the future. You can highlight some clear red flags, such as spelling or grammar mistakes, lack of company branding, spoofing famous brands, hyperlinks, and others.
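The indicators above (a spoofed brand in the display name, a lookalike domain, link text that does not match the real destination, urgency wording, spelling mistakes) can also be checked mechanically, which is useful when reviewing a custom payload before it goes out or when building awareness material. The following is an added example written for this article, not code from Microsoft or from Attack simulation training; the brand list, the homoglyph map, the urgency words, the misspelling list and both sample messages are constructed assumptions.

```python
"""Flag the red-flag indicators named above in a raw e-mail message (added example)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand list: a host belongs to a brand only if it is one of these domains
# or a subdomain of one; any other host that spells the brand name is a lookalike.
KNOWN_BRANDS = {"microsoft": ("microsoft.com", "office.com", "live.com")}
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")
COMMON_MISSPELLINGS = re.compile(r"\b(recieve|adress|verifiy|occured)\b")
_HOMOGLYPHS = str.maketrans("015", "ols")  # digits attackers swap for letters


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_domain):
    """Lower-cased host name of a URL or bare domain."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _belongs(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _spells_brand(host, brand):
    return brand in host.translate(_HOMOGLYPHS)


def find_indicators(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    addresses = msg["From"].addresses if msg["From"] else ()
    display = addresses[0].display_name.lower() if addresses else ""
    sender = addresses[0].domain.lower() if addresses else ""
    for brand, real in KNOWN_BRANDS.items():
        if brand in display and not _belongs(sender, real):
            found.append(f"display name claims {brand} but sender domain is {sender}")
        if _spells_brand(sender, brand) and not _belongs(sender, real):
            found.append(f"lookalike sender domain {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        host = _host(href)
        # Visible text that looks like a URL or domain must match the real target.
        if " " not in text and "." in text and _host(text) != host:
            found.append(f"link text '{text}' hides destination {host}")
        for brand, real in KNOWN_BRANDS.items():
            if _spells_brand(host, brand) and not _belongs(host, real):
                found.append(f"lookalike link domain {host}")
    lowered = content.lower()
    found.extend(f"urgency cue: '{w}'" for w in URGENCY_WORDS if w in lowered)
    if COMMON_MISSPELLINGS.search(lowered):
        found.append("common misspelling in body")
    return found


# Constructed sample messages; not taken from any real simulation or tenant.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <support@micros0ft-login.example>
To: user@contoso.example
Subject: 2 Failed Messages
Content-Type: text/html; charset=utf-8

<html><body>
<p>Two messages could not be delivered. Verifiy your account immediately
to recieve them.</p>
<p><a href="http://micros0ft-login.example/auth">https://outlook.office.com/mail</a></p>
</body></html>
"""

SAMPLE_CLEAN = """\
From: "Microsoft" <noreply@microsoft.com>
To: user@contoso.example
Subject: Your statement
Content-Type: text/html; charset=utf-8

<html><body><p>Your monthly statement is ready.</p>
<p><a href="https://account.microsoft.com/">account.microsoft.com</a></p></body></html>
"""

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_PHISH):
        print("-", line)
```

The constructed phishing sample trips six indicators (spoofed display name, lookalike sender and link domains, link text hiding its destination, an urgency cue and misspellings) while the clean sample trips none; the same list of flags is what you would put in front of users as the "easy-to-detect indicators" of a custom payload.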
Customized payloads prove handy when you want to cover attacks in different languages. You can create those payloads and enter the text in the language of your choice. The FAQs released by Microsoft cover most of the questions around this.
The Automations tab conundrum
This is where you get that rough-around-the-edges feeling about this feature. You will notice an automation there by default called Payload Harvesting#1. It's turned off by default. There's not much documentation available on it. In all probability, this automation checks for new types of payloads that Microsoft 365 tenants may encounter globally and then makes those payloads available in your tenant.
Even when you try to create a new automation, the conditions to trigger the automation are provided; however, there aren't any actions associated with them. This may be simply to collect information about payloads in your tenant on the basis of the conditions set. It's not clear at present.
Attack simulation settings
This helps you determine the behavior for those users who repeatedly fail the attack simulation training.
End users failing these tests would have to complete a certain set of trainings. You can also send them automatic reminders via the settings here.
This tab will give you a bird's-eye view of the attack simulation trainings in your tenant. You can view details such as the percentage of users who participated in simulation training, those who completed the training courses, repeat offenders, and all the simulations that have been run in the tenant.
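The three views this article relies on, per-simulation click and compromise rates (the overview), repeat offenders to scope the next phase, and which training each user needs based on the technique they fell for, are simple aggregations over simulation results. The block below is an added example written for this article, not an export format or API of Attack simulation training; the `Outcome` record and the sample results are constructed, and the "compromised" flag stands in for whatever counts as a failure for the technique (entering credentials for credential harvest, running the attachment for malware).

```python
"""Aggregate constructed simulation outcomes into the views an admin acts on (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    simulation: str
    technique: str
    user: str
    clicked: bool      # followed the link / opened the attachment
    compromised: bool  # went further: entered credentials or ran the payload


# Constructed sample results; not exported from any real tenant.
RESULTS = [
    Outcome("Q1 2 Failed Messages", "Credential Harvest", "alice", True, True),
    Outcome("Q1 2 Failed Messages", "Credential Harvest", "bob", False, False),
    Outcome("Q1 2 Failed Messages", "Credential Harvest", "carol", False, False),
    Outcome("Q1 2 Failed Messages", "Credential Harvest", "dave", True, False),
    Outcome("Q2 Fax Attachment", "Malware Attachment", "alice", True, True),
    Outcome("Q2 Fax Attachment", "Malware Attachment", "bob", True, True),
    Outcome("Q2 Fax Attachment", "Malware Attachment", "carol", False, False),
    Outcome("Q2 Fax Attachment", "Malware Attachment", "dave", False, False),
    Outcome("Q3 Black Friday Offer", "Credential Harvest", "alice", True, True),
    Outcome("Q3 Black Friday Offer", "Credential Harvest", "bob", False, False),
    Outcome("Q3 Black Friday Offer", "Credential Harvest", "carol", False, False),
    Outcome("Q3 Black Friday Offer", "Credential Harvest", "dave", True, True),
]


def simulation_summary(results):
    """Per-simulation number targeted, click rate and compromise rate."""
    targeted, clicked, compromised = Counter(), Counter(), Counter()
    for r in results:
        targeted[r.simulation] += 1
        clicked[r.simulation] += r.clicked
        compromised[r.simulation] += r.compromised
    return {
        sim: {
            "targeted": targeted[sim],
            "click_rate": clicked[sim] / targeted[sim],
            "compromise_rate": compromised[sim] / targeted[sim],
        }
        for sim in targeted
    }


def repeat_offenders(results, min_failures=2):
    """Users compromised in at least min_failures distinct simulations, worst first."""
    failed = defaultdict(set)
    for r in results:
        if r.compromised:
            failed[r.user].add(r.simulation)
    return sorted(
        ((user, len(sims)) for user, sims in failed.items() if len(sims) >= min_failures),
        key=lambda pair: (-pair[1], pair[0]),
    )


def training_plan(results):
    """Map each compromised user to the techniques they fell for, to pick courses."""
    plan = defaultdict(set)
    for r in results:
        if r.compromised:
            plan[r.user].add(r.technique)
    return {user: sorted(techniques) for user, techniques in sorted(plan.items())}


def next_waves(results, min_failures=2):
    """Phased scope: repeat offenders first, then one-time failures, then everyone else."""
    everyone = sorted({r.user for r in results})
    repeats = {user for user, _ in repeat_offenders(results, min_failures)}
    once = set(training_plan(results)) - repeats
    rest = [user for user in everyone if user not in repeats and user not in once]
    return [sorted(repeats), sorted(once), rest]


if __name__ == "__main__":
    for sim, stats in simulation_summary(RESULTS).items():
        print(sim, stats)
    print("repeat offenders:", repeat_offenders(RESULTS))
    print("training:", training_plan(RESULTS))
    print("waves:", next_waves(RESULTS))
```

On the sample data, alice fails all three simulations and is the only repeat offender at the default threshold, bob and dave each fail once, and carol never clicks; the training plan pairs alice with both techniques and bob and dave with the one they fell for, which is the mapping you would use when choosing courses rather than accepting the default assignment.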
Admins must utilize attack simulation training with their users. In this day and age, where data security has assumed paramount importance, such training exercises are indispensable.
Microsoft should improve the documentation for automations so that admins can clearly understand their purpose and use them efficiently. According to a community forum, this is being looked at by the Microsoft Product Group.