Microsoft Teams in Attack simulation training
Important
Microsoft Teams' Attack simulation training is currently in Private Preview, and the intake for this preview is now closed. The information in this article is subject to change.
In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can now use Attack simulation training to deliver simulated phishing messages in Microsoft Teams. For more information about attack simulation training, see Get started using Attack simulation training in Defender for Office 365.
The addition of Teams in Attack simulation training affects the following features:
Payload automations, end-user notifications, login pages, and landing pages aren't affected by Teams in Attack simulation training.
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Teams simulation configuration
Note
Currently, the steps in this section apply only if your organization is enrolled in the Private Preview of Attack simulation training for Teams.
In addition to having user reporting for Teams messages turned on as described in User reported message settings in Microsoft Teams, you also need to configure the Teams accounts that can be used as sources for simulation messages in Attack simulation training. To configure the accounts, do the following steps:
Identify or create a user who's a member of the Global Administrator*, Security Administrator, or Attack Simulation Administrator roles in Microsoft Entra ID. Assign a Microsoft 365, Office 365, Microsoft Teams Essentials, Microsoft 365 Business Basic, or a Microsoft 365 Business Standard license for Microsoft Teams. You need to know the password.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Using the account from Step 1, open the Microsoft Defender portal at https://security.microsoft.com and go to Email & collaboration > Attack simulation training > Settings tab. Or, to go directly to the Settings tab, use https://security.microsoft.com/attacksimulator?viewid=setting.
On the Settings tab, select Manager user accounts in the Teams simulation configuration section.
In the Teams simulation configuration flyout that opens, select Generate token. Read the information in the confirmation dialog, and then select I agree.
Back on the Settings tab, select Manager user accounts in the Teams simulation configuration section again to reopen the Teams simulation configuration flyout. The user account that you were logged in as now appears in the User accounts available for Teams phishing section.
To remove a user from the list, select the check box next to the display name value without clicking anywhere else in the row. Select the Delete action that appears, and then select Delete in the confirmation dialog.
To prevent the account from being used in Teams simulations but keep the linked simulations history for the account, select the check box next to the display name value without clicking anywhere else in the row. Select the Deactivate action that appears.
Changes in simulations for Microsoft Teams
Teams introduces the following changes to viewing and creating simulations as described in Simulate a phishing attack with Attack simulation training in Defender for Office 365:
On the Simulations tab at https://security.microsoft.com/attacksimulator?viewid=simulations, the Platform column shows the value Teams for simulations that use Teams messages.
If you select Launch a simulation on the Simulations tab to create a simulation, the first page of the new simulation wizard is Select delivery platform where you can select Microsoft Teams. Selecting Microsoft Teams introduces the following changes to the rest of the new simulation wizard:
On the Select technique page, the following social engineering techniques aren't available:
- Malware Attachment
- Link in Attachment
- How-to Guide
On the Name simulation page, a Select sender's Microsoft Teams account section and Select user account link are present. Select Select user account to find and select the account to use as the source for the Teams message.
The list of users comes from the Teams simulation configuration section on the Settings tab of Attack simulation training at https://security.microsoft.com/attacksimulator?viewid=setting. Configuring accounts is described in the Teams simulation configuration section earlier in this article.
On the Select payload and login page, no payloads are listed by default because there are no built-in payloads for Teams. You need to create a payload for the combination of Teams and the social engineering technique that you selected.
The differences in creating payloads for Teams are described in the Changes in payloads for Microsoft Teams section in this article.
On the Target users page, the following settings are different for Teams:
- As noted on the page, guest users in Teams are excluded from simulations.
Other settings related to simulations are the same for Teams messages as described in the existing content for email messages.
Changes in payloads for Microsoft Teams
Whether you create a payload on the Payloads page of the Content library tab or on the Select payload and login page page in the new simulation wizard, Teams introduces the following changes to viewing and creating payloads as described in Payloads in Attack simulation training in Defender for Office 365:
On the Global payloads and Tenant payloads tabs on Payloads page of the Content library tab at https://security.microsoft.com/attacksimulator?viewid=contentlibrary, the Platform column shows the value Teams for payloads that use Teams messages.
If you select Filter to filter the list of existing payloads, a Platform section is available where you can select Email and Teams.
As previously described, there are no built-in payloads for Teams, so if you filter by Status > Teams on the Global payloads tab, the list will be empty.
If you select Create a payload on the Tenant payload tab to create a payload, the first page of the new payload wizard is Select type where you can select Teams. Selecting Teams introduces the following changes to the rest of the new payload wizard:
On the Select technique page, the Malware Attachment and Link in Attachment social engineering techniques aren't available for Teams.
The Configure payload page has the following changes for Teams:
- Sender details section: The only available setting for Teams is Chat topic where you enter a tile for the Teams message.
- The last section isn't named Email message, but it functions the same way for Teams messages as it does for email messages:
- There's an Import Teams message button to import an existing plain text message file to use as a starting point.
- The Dynamic tag and Phishing link controls are available on the Text tab, and Code tab is available as with email messages.
Other settings related to payloads are the same for Teams messages as described in the existing content for email messages.
Changes in simulation automations for Microsoft Teams
Teams introduces the following changes to viewing and creating simulation automations as described in Simulation automations for Attack simulation training:
On the Simulation automations page of the Automations tab at https://security.microsoft.com/attacksimulator?viewid=automations, the following columns are also available:
- Type: Currently, this value is always Social engineering.
- Platform: Shows the value Teams for payload automations that use Teams messages or Email for payload automations that use email messages.
If you select Create automation on the Simulation automations page to create a simulation automation, the first page of the new simulation automation wizard is Select delivery platform where you can select Teams. Selecting Teams introduces the following changes to the rest of the new simulation automation wizard:
On the Automation name page, the following settings are available for Teams in the Select method for choosing sender accounts section:
- Manually select: This value is selected by default. In the Select sender's Microsoft Teams account section, select the Select user account to find and select the account to use as the source for the Teams message.
- Randomize: Randomly select from the available accounts to use as the source for the Teams message.
On the Select social engineering techniques page, the Malware Attachment and Link in Attachment social engineering techniques aren't available for Teams.
On the Select payloads and login page page, no payloads are listed by default because there are no built-in payloads for Teams. You might need to create a payload for the combination of Teams and the social engineering techniques that you selected.
The differences in creating payloads for Teams are described in the Changes in payloads for Microsoft Teams section in this article.
On the Target users page, the following settings are different for Teams:
- As noted on the page, simulation automations that use Teams can target a maximum of 1000 users.
- if you select Include only specific users and groups, City isn't an available filter in the Filter users by category section.
Other settings related to simulation automations are the same for Teams messages as described in the existing content for email messages.