Get started using Attack simulation training
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), you can use Attack simulation training in the Microsoft Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line.
This article explains the basics of Attack simulation training.
Watch this short video to learn more about Attack simulation training.
Note
Attack simulation training replaces the old Attack Simulator v1 experience that was available in the Security & Compliance Center at Threat management > Attack simulator or https://protection.office.com/attacksimulator.
What do you need to know before you begin?
Attack simulation training requires a Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 license. For more information about licensing requirements, see Licensing terms.
Attack simulation training supports on-premises mailboxes, but with reduced reporting functionality. For more information, see Reporting issues with on-premises mailboxes.
To open the Microsoft Defender portal, go to https://security.microsoft.com. Attack simulation training is available at Email and collaboration > Attack simulation training. To go directly to Attack simulation training, use https://security.microsoft.com/attacksimulator.
For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see Microsoft Defender for Office 365 service description.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Entra permissions: You need membership in one of the following roles:
- Global Administrator¹
- Security Administrator
- Attack Simulation Administrators²: Create and manage all aspects of attack simulation campaigns.
- Attack Payload Author²: Create attack payloads that an admin can initiate later.
Important
¹ Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
² Adding users to this role group in Email & collaboration permissions in the Microsoft Defender portal is currently unsupported.
Currently, Microsoft Defender XDR Unified role based access control (RBAC) isn't supported.
There are no corresponding PowerShell cmdlets for Attack simulation training.
Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see Microsoft 365 data locations. Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, ESP, FRA, GBR, IND, ISR, ITA, JPN, KOR, LAM, MEX, NOR, NZL, POL, QAT, SGP, SWE, TWN and ZAF.
Note
NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry are available in these regions. We're working to enable the features and we'll notify customers as soon as reported email telemetry becomes available.
Attack simulation training is available in Microsoft 365 GCC, GCC High and DoD environments, but certain advanced features aren't available in GCC High and DoD (for example, payload automation, recommended payloads, the predicted compromised rate). If your organization has Microsoft 365 G5, Office 365 G5 or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article.
Note
Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.
Simulations
A simulation in Attack simulation training is the overall campaign that delivers realistic but harmless phishing messages to users. The basic elements of a simulation are:
- Who gets the simulated phishing message and on what schedule.
- Training that users get based on their action or lack of action (for both correct and incorrect actions) on the simulated phishing message.
- The payload that's used in the simulated phishing message (a link or an attachment), and the composition of the phishing message (for example, package delivered, problem with your account, or you won a prize).
- The social engineering technique that's used. The payload and social engineering technique are closely related.
In Attack simulation training, multiple types of social engineering techniques are available. Except for How-to Guide, these techniques were curated from the MITRE ATT&CK® framework. Different payloads are available for different techniques.
The following social engineering techniques are available:
Credential Harvest: An attacker sends the recipient a message that contains a link*. When the recipient clicks on the link, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
Malware Attachment: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) runs on the user's device to help the attacker install additional code or further entrench themselves.
Link in Attachment: This technique is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a link inside of an attachment. When the recipient opens the attachment and clicks on the link, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
Link to Malware*: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the link, the attachment opens, and arbitrary code (for example, a macro) runs on the user's device to help the attacker install additional code or further entrench themselves.
Drive-by-url*: An attacker sends the recipient a message that contains a link. When the recipient clicks on the link, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a watering hole attack.
OAuth Consent Grant*: An attacker creates a malicious Azure Application that seeks to gain access to data. The application sends an email request that contains a link. When the recipient clicks on the link, the consent grant mechanism of the application asks for access to the data (for example, the user's Inbox).
How-to Guide: A teaching guide that contains instructions for users (for example, how to report phishing messages).
* The link can be a URL or a QR code.
The URLs that are used by Attack simulation training are listed in the following table:
Note
Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. For more information, see Phishing simulation URLs blocked by Google Safe Browsing.
Create simulations
For instructions on how to create and launch simulations, see Simulate a phishing attack.
The landing page in the simulation is where users go when they open the payload. When you create a simulation, you select the landing page to use. You can select from built-in landing pages, custom landing pages that you already created, or you can create a new landing page to use during the creation of the simulation. To create landing pages, see Landing pages in Attack simulation training.
End user notifications in the simulation send periodic reminders to users (for example, training assignment and reminder notifications). You can select from built-in notifications, custom notifications that you already created, or you can create new notifications to use during the creation of the simulation. To create notifications, see End-user notifications for Attack simulation training.
Tip
Simulation automations provide the following improvements over traditional simulations:
- Simulation automations can include multiple social engineering techniques and related payloads (simulations contain only one).
- Simulation automations support automated scheduling options (more than just the start date and end date in simulations).
For more information, see Simulation automations for Attack simulation training.
Payloads
Although Attack simulation training contains many built-in payloads for the available social engineering techniques, you can create custom payloads to better suit your business needs, including copying and customizing an existing payload. You can create payloads at any time before you create the simulation or during the creation of the simulation. To create payloads, see Create a custom payload for Attack simulation training.
In simulations that use Credential Harvest or Link in Attachment social engineering techniques, login pages are part of the payload that you select. The login page is the web page where users enter their credentials. Each applicable payload uses a default login page, but you can change the login page that's used. You can select from built-in login pages, custom login pages that you already created, or you can create a new login page to use during the creation of the simulation or the payload. To create login pages, see Login pages in Attack simulation training.
The best training experience for simulated phishing messages is to make them as close as possible to real phishing attacks that your organization might experience. What if you could capture and use harmless versions of real-world phishing messages that were detected in Microsoft 365 and use them in simulated phishing campaigns? You can, with payload automations (also known as payload harvesting). To create payload automations, see Payload automations for Attack simulation training.
Attack simulation training also supports using QR codes in payloads. You can choose from the list of built-in QR code payloads, or you can create custom QR code payloads. For more information, see QR code payloads in Attack simulation training.
Reports and insights
After you create and launch the simulation, you need to see how it's going. For example:
- Did everyone receive it?
- Who did what to the simulated phishing message and the payload within it (delete, report, open the payload, enter credentials, etc.).
- Who completed the assigned training.
The available reports and insights for Attack simulation training are described in Insights and reports for Attack simulation training.
Predicted compromise rate
You often need to tailor a simulated phishing campaign for specific audiences. If the phishing message is too close to perfect, almost everyone will be fooled by it. If it's too suspicious, no will be fooled by it. And, the phishing messages that some users consider difficult to identify are considered easy to identify by other users. So how do you strike a balance?
The predicted compromise rate (PCR) indicates the potential effectiveness when the payload is used in a simulation. PCR uses intelligent historical data across Microsoft 365 to predict the percentage of people who will be compromised by the payload. For example:
- Payload content.
- Aggregated and anonymized compromise rates from other simulations.
- Payload metadata.
PCR allows you to compare the predicted vs. actual click through rates for your phishing simulations. You can also use this data to see how your organization performs compared to predicted outcomes.
PCR information for a payload is available wherever you view and select payloads, and in the following reports and insights:
Tip
Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the Track user clicks setting in Safe Links policies is turned off.
Training without tricks
Traditional phishing simulations present users with suspicious messages and the following goals:
- Get users to report the message as suspicious.
- Provide training after users click on or launch the simulated malicious payload and give up their credentials.
But, sometimes you don't want to wait for users to take correct or incorrect actions before you give them training. Attack simulation training provides the following features to skip the wait and go straight to training:
Training campaigns: A Training campaign is a training-only assignment for the targeted users. You can directly assign training without putting users through the test of a simulation. Training campaigns make it easy to conduct learning sessions like monthly cybersecurity awareness training. For more information, see Training campaigns in Attack simulation training.
Tip
Training modules are used in Training campaigns, but you can also use Training modules when you assign training in regular simulations.
How-to Guides in simulations: Simulations based on the How-to Guide social engineering technique don't attempt to test users. A How-to guide is a lightweight learning experience that users can view directly in their Inbox. For example, the following built-in How-to Guide payloads are available, and you can create your own (including copying and customizing an existing payload):
- Teaching guide: How to report phishing messages
- Teaching Guide: How to recognize and report QR phishing messages
Tip
Attack simulation training provides the following built-in training options for QR code-based attacks:
- Training modules:
- Malicious digital QR codes
- Malicious printed QR codes
- How-to Guides in simulations: Teaching Guide: How to recognize and report QR phishing messages