The attack simulation tool mimics real-world phishing and other malicious attacks. It enables you to send emails to your users to ascertain who is vulnerable. The users can then be educated about these attacks via targeted training courses. Training all your end users to identify and report malicious or phishing emails is a sort of utopia imagined by many.
Prerequisites
The following permissions are required in the Security & Compliance Center or in Azure Active Directory:
- You should be a member of Organization Management, a Security Administrator, or have either the Attack Simulator Administrators role or the Attack Simulator Payload Authors role.
- Your tenant must have a Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 license. You also need at least one E5 license assigned to at least one active user so that the email report generated after a simulation attack is visible.
The different techniques used in Attack simulation training
The Attack simulation training tool can be accessed from the new Security portal in Microsoft 365. The Attack simulator is the predecessor of the Attack simulation training. This version is now obsolete and cannot be used to run any new simulations.
Microsoft has provided five different techniques through which you can check the vulnerability of your users. Every technique has its own set of payloads. These attack techniques are based on the MITRE ATT&CK model.
The available techniques are listed below:
- Credential Harvest: One of the most common methods used by fraudsters is to send emails to users enticing them to click on a link, which leads them to a malicious site. There, the user enters their credentials and falls prey to this credential harvesting attack. Microsoft 365 accounts are frequently targeted, as they provide fraudsters with a legitimate source from which to send more malicious emails.
- Malware Attachment: In this technique, you send an email with an attachment and expect the user to open it. It would then install malware on the user's device and help the attacker to steal information. PDFs, Word files, other documents, etc. may be used for such an attack. Refer to this link for a detailed description and real-world examples of such attacks.
- Link in Attachment: This is a combination of the credential harvest and malware attachment techniques. The attacker sends an email with an attachment, which in turn contains the URL of a malicious site or executes malignant code.
- Drive-by-URL: Here, the attacker inserts a URL in the email. The URL leads to a site that might run code to install hostile software on the user's device. The trick used is to clone a well-known site and gain the user's trust.

An admin can select one of the five techniques for simulated attack training. These are the most commonly used traps in real world attacks.
So, as seen here, you can choose the type of attack depending on your requirements. These are the commonly used techniques to lure users into sharing credentials or to surreptitiously install malware on machines.
Payloads
Payloads are the content of the attack. This term has been borrowed from the aviation sector, where missiles carried by a fighter aircraft are termed "payloads." The simulation attack training techniques described in the previous section would contain items such as attachments and links that would perform the actions—these are the payloads.
Every attack technique has a set of templates. For example, the Credential Harvest technique has the following payloads:
- 2 Failed Messages: Here, the user is asked to click on a URL to check for two emails that weren't delivered to the mailbox. The user must enter the account credentials.
- Black Friday Offer: This will have a link to some 'too good to be true' offers for a sale.
- American Express Password reset and phone number verification: Again, users are lured into sharing their credentials to change their bank passwords or to verify phone numbers.
Likewise, there are many other payloads for you to choose from and explore for each technique.

Microsoft provides several types of payloads for each technique. Here you are looking at the ones available for a Credential Harvest attack.
If you select the "2 Failed Messages" template, the targeted users will receive an email, as shown below:

The 2 Failed Messages payload. The user is prompted to check the emails by entering their credentials after clicking the hyperlink.
Selecting the other techniques, such as "Malware Attachment," would result in a different set of payloads, such as a fax file attachment or sales order data, among others.
As an administrator, you would use the data to gain insight into the types of attacks your tenant is subjected to. You can obtain this information from the Microsoft Threat Protection status report. You must decide the attack simulation training scenario based on your tenant's vulnerabilities and the latest global trends in the security domain.
Microsoft continually updates payloads based on the latest attacks found around the world. One example is the "Coronavirus Stimulus" payload; there are many others like it.
User training
Invariably, you will encounter a situation in which several users fall prey to the traps in such simulated attacks. This is where you can assign related training courses to those users. Microsoft helps you here by assigning the relevant courses to those users; however, you can also choose the courses to be assigned. If you enable it, users will also receive reminders to complete the training course.

Scope of the simulated attack
This will be important in certain scenarios. If you want to run simulation training on specific users, groups, or departments in your organization, you can do so. Also, you can target users who have repeatedly failed simulation tests in the past. You can strengthen the behavior of your users in phases by targeting a set of users and then moving ahead accordingly.
Scheduling the simulation
Attack simulation training can be launched immediately or can even be scheduled. It is better to plan the simulations well in advance and then schedule them for specific groups on certain dates.
If your user base is in different time zones, you can utilize the Enable region aware timezone delivery setting so that the simulations are started for the users according to their time zones.
You may refer to this link for more information.
Customized payload creation
An interesting feature is the ability to create your own payloads. In the Payloads tab, you can create different types of payloads and classify them under the available attack techniques. Let's create one and see how it behaves.
Access the Payloads section and start the creation process.
Select the type of payload. We will select Email for this demo.
On the next page, you can select one of the attack techniques. We will go with Credential Harvest.
After that, name the payload and write a brief description.
On the following page, configure the payload. For this demo, we will pose as Microsoft and entice the user to share their credentials. There are several templates and options here to choose from.
On the same page, enter the email content and name the link.
The final task is to create indicators for your users. Here, you will create warnings and easy-to-detect indicators that will help them to identify such emails in the future. You can highlight some clear red flags, such as spelling or grammar mistakes, lack of company branding, spoofing famous brands, hyperlinks, and others.
Customized payloads prove handy when you want to cover attacks in different languages. You can create those payloads and enter the text in the language of your choice. The FAQs released by Microsoft cover most of the questions around this.
The Automations tab conundrum
This is where you get that rough-around-the-edges feeling about this feature. You will notice an automation there by default called Payload Harvesting#1. It's turned off by default. There's not much documentation available on it. In all probability, this automation checks for new types of payloads that Microsoft 365 tenants may encounter globally and then makes those payloads available in your tenant.
Even when you try to create a new automation, the conditions to trigger the automation are provided; however, there aren't any actions associated with them. This may be simply to collect information about payloads in your tenant on the basis of the conditions set. It's not clear at present.
Attack simulation settings
This helps you determine the behavior for those users who repeatedly fail the attack simulation training.
End users failing these tests would have to complete a certain set of trainings. You can also send them automatic reminders via the settings here.
Simulation reports
This tab will give you a bird's-eye view of the attack simulation trainings in your tenant. You can view details such as the percentage of users who participated in simulation training, those who completed the training courses, repeat offenders, and all the simulations that have been run in the tenant.
Conclusion
Admins must utilize attack simulation training with their users. In this day and age, where data security has assumed paramount importance, such training exercises are indispensable.
Microsoft should improve the documentation for automations so that admins can clearly understand their purpose and use them efficiently. According to a community forum, this is being looked at by the Microsoft Product Group.
Very detailed and descriptive. Nicely documented Vignesh. You bring more insights with each and every blog.
Thank you!
Nicely described. Is there any new document for payload harvesting?
Microsoft hasn't updated anything as yet on this.
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/attack-simulation-training-in-microsoft-defender-for-office-365/ba-p/2037291
you can follow this link for the latest on it.
Hi Vignesh,
Found your article as I have just received the email below
"Our server has detected some errors delivering 2 new messages to your inbox due to the synchronization delay.
Click on View Returned Messages below to retrieve these messages."
Is this a simulated attack test?
Regards,
Viraj
It's difficult to comment with the information you have provided. You should check the message header to see who the actual sender is. Does the sender address match the return-to address? What is the SCL value? Did the email pass the SPF/DMARC and DKIM tests?
You should report such messages to your email admin as they would be in a position to analyse it and decide.
Hi Viraj,
There is a possibility of these messages being phishing emails. However, to confirm, you must analyze the message headers. Check the "From" and "Return to" addresses. If they are different, then it's a malicious email.
Did the email pass the SPF check? After investigating these aspects, you can determine whether it's a legitimate email or not.
You must also check the IP used to send the email. Is that IP blacklisted anywhere? This can be checked on https://talosintelligence.com/.
In the message headers check the IP address reputation of the server from where the email originated. Sometimes, the sender IP listed in the email may be misleading as the attackers generally relay emails from servers with a good reputation.
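The header checks the two replies above describe (From versus Return-Path, the SPF/DKIM/DMARC results in Authentication-Results, and the Exchange SCL value), as an added Python example that is not part of the article or the comments; the sample headers, domains and IP address are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample modelled on the "2 new messages" lure quoted above; the
# domains are placeholders and 203.0.113.10 is a documentation address.
SAMPLE_HEADERS = """\
Received: from mail.phish.test (203.0.113.10) by mx.example.test
Return-Path: <bounce-4711@mail.phish.test>
From: "Microsoft 365 Support" <no-reply@microsoft.com>
Subject: 2 new messages could not be delivered
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=mail.phish.test; dkim=none (message not signed) header.d=none;
 dmarc=fail action=oreject header.from=microsoft.com
X-MS-Exchange-Organization-SCL: 7
"""
def domain_of(header_value):
    """Lower-cased domain of an address header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze_headers(raw):
    """Extract the fields the replies above say to look at."""
    msg = message_from_string(raw)
    # Authentication-Results is usually folded over several lines; unfold it.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    auth = auth.replace("\r", " ").replace("\n", " ")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    scl_raw = (msg.get("X-MS-Exchange-Organization-SCL") or "").strip()
    return {
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "spf": results.get("spf", "none").lower(),
        "dkim": results.get("dkim", "none").lower(),
        "dmarc": results.get("dmarc", "none").lower(),
        "scl": int(scl_raw) if re.fullmatch(r"-?\d+", scl_raw) else None,
    }

def red_flags(f):
    """Reasons to escalate to the mail admin, per the advice in the replies."""
    flags = []
    # A bounce domain that differs from the From domain is a warning sign, but
    # legitimate bulk senders do it too; DMARC alignment is the decisive check.
    if f["from_domain"] != f["return_path_domain"]:
        flags.append("Return-Path domain differs from From domain")
    flags += [f"{c}={f[c]}" for c in ("spf", "dkim", "dmarc") if f[c] != "pass"]
    # Exchange Online treats SCL 5-6 as spam and 7-9 as high-confidence spam.
    if f["scl"] is not None and f["scl"] >= 5:
        flags.append(f"SCL {f['scl']}: spam verdict from Exchange Online")
    return flags
```

Run `red_flags(analyze_headers(SAMPLE_HEADERS))` on the constructed message to see every check fire; on a message that passes all three checks with an aligned Return-Path it returns an empty list.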
Hi Vignesh,
Highly useful article, it really helps.
Would you know WHEN will users receive the email for training?
Is it after they failed the simulation (i.e. after they clicked the phishing link) OR after the entire simulation has ended? Wondering if we can assign ad-hoc training to users?
Regards,
Rashid
They should receive the training after they fail the simulation test.
What's the difference between the tenant having the E5 license and a user having it in terms of this functionality?
Does Microsoft Attack Simulator exclude the admin who is setting up the simulation? I have tried to run two simulations and both seem to exclude me from the simulation (i.e., it did not send me an email). We are a small firm, and we need to document training for compliance purposes.
I did notice the same back when I was testing it. However, I haven’t checked it since.
Hi Vignesh,
Can we change the user training for those who click on these links and attachments?
Yes. You can create your own training for end users and also define the frequency.
By mistake I have tried this simulation (Malware Attachment) on my personal laptop directly. I'm worried about how to remove that malicious thing running on my personal laptop. Any idea where that malicious file gets stored? Thanks in advance.
Does MS log or capture user credentials when they are entered during a credential harvesting simulation? If not, what happens to the user credentials when they are entered?
Coronavirus stimulus check? For an internal simulation, anybody that doesn’t understand how dangerous that simulation is should NOT be running phishing simulations. While hackers don’t follow ethical guidelines, an internal phishing awareness program must be very careful in the simulations they choose. This is exactly why these COTS applications end up in the news:
https://www.cbsnews.com/news/tribune-bonus-email-hoax-cybersecurity-test/
For a company like Microsoft to even have this as an option is mind boggling.