Attack simulation training
Attack simulation training, sometimes referred to as phishing simulations or phishing campaigns, allows you to send a tracked phishing message to your end users.
This is crucial in helping your users better understand how phishing looks and behaves, since no tool will prevent 100% of phishing attacks from reaching the inbox. Attacks get more sophisticated, configurations can change by accident, and most users also have a personal email account. You are not responsible for a user's personal email, but a user who gets phished in their personal inbox can still be a threat to your environment.
That's why regular attack simulations using different techniques and payloads are increasingly important: train your users!
Setup
There really aren't any prerequisites to get started with attack simulation training. If you are using a third-party tool for simulations, be sure to follow your vendor's guide on how to allow the simulations through Exchange Online; you will likely need to add some entries to the advanced delivery settings.
While there aren't any prerequisites to use attack simulation training, I generally recommend checking a few settings and discussing some things internally:
- Ensure the Microsoft reporting button is available and enabled
- Discuss:
  - Communicate and plan these simulations with leadership. This is not to say you warn people that a simulation is coming on Thursday, but to ensure there is understanding of why these are needed as well as support for the initiative. I have seen end-user push back and frustration when starting campaigns, especially when using custom payloads and assigning training.
  - Communicate with end users on how to properly report a phishing or spam email. It is very common for users to still forward emails to a special inbox or even a ticketing email address. While there can be good reasons for this, it has some drawbacks:
    - If the email goes to the help desk, help desk staff need to be aware of the potentially malicious content in these emails.
    - If advanced delivery is not configured on the receiving mailbox, the chance of the email being filtered and missed is high. Under no circumstances should a help desk email be skipping all mail filtering! That should only be done for a special mailbox your SecOps team uses.
    - Finally, by not using the report button you are missing out on the alerts generated by the submission, Microsoft's evaluation of the email, and possibly Microsoft suggesting remediation or ZAPing (zero-hour auto purge) the emails.
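The two advanced delivery settings mentioned above (allowing a third-party simulation vendor, and a dedicated SecOps mailbox that receives mail unfiltered) can be set from Exchange Online PowerShell. This is an added example, not code from the original page or from Microsoft; the vendor domain, IP range, URL and mailbox values are placeholders to be replaced with the values your vendor publishes, and the cmdlet parameter names should be checked against the current Exchange Online PowerShell reference before use.

```powershell
# Added example: advanced delivery for a third-party phishing simulation vendor
# and for a dedicated SecOps mailbox. Requires the ExchangeOnlineManagement
# module and a role that can manage security policies.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Values published by the simulation vendor (placeholders, not real values).
$vendorDomains  = @('sim.vendor.example')       # vendor's sending domains
$vendorIpRanges = @('203.0.113.0/24')           # vendor's sending IP ranges
$vendorUrls     = @('*.sim.vendor.example/*')   # landing-page URLs in payloads

# --- Third-party phishing simulation override ---
# Only one such policy exists per tenant; create it if it is missing.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy -Enabled $true
}
# The rule requires BOTH the vendor domains and the vendor IP ranges to match,
# so a lookalike sender from elsewhere does not inherit the filtering bypass.
New-PhishSimOverrideRule -Policy PhishSimOverridePolicy `
    -Domains $vendorDomains -SenderIpRanges $vendorIpRanges

# Simulation URLs go in the Tenant Allow/Block List with the AdvancedDelivery
# subtype so Safe Links does not rewrite or block the vendor's landing page.
New-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery `
    -Entries $vendorUrls -NoExpiration

# --- SecOps mailbox override ---
# Unfiltered delivery is scoped to the dedicated SecOps mailbox only; a help
# desk or ticketing address must never be added here.
$secOpsMailbox = 'secops-phish@contoso.example'
if (-not (Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue)) {
    New-SecOpsOverridePolicy -Name SecOpsOverridePolicy `
        -SentTo $secOpsMailbox -Enabled $true
    New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy
}

# Verify what is actually in place before the first campaign runs.
Get-PhishSimOverrideRule | Format-List Domains, SenderIpRanges
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
Get-SecOpsOverridePolicy | Format-List SentTo, Enabled
```

Re-run the three verification commands whenever the vendor changes its published domains or IP ranges, since a stale entry silently lets simulations fall back into normal filtering.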
Note
There are some possible hindrances to attack simulations working flawlessly. Most organizations do not run into them; you can find the possible issues in the Microsoft FAQ here. Generally I would recommend trying the simulation before worrying about these, unless you see a scenario that may apply within your environment.
Techniques
Possible techniques you can use include:
- Credential harvest
  - Payload links to a login page to steal the user's credentials. (Note that the credentials entered are not stored or checked by Microsoft, so an incorrect password still flags as a fail.)
- Malware attachment
  - Payload contains a malicious attachment.
- Link in attachment
  - Payload contains an attachment; within that attachment is a link that attempts a credential harvest.
- Link to malware
  - Payload contains a link to an attachment on a site like Google Drive, Box, etc.
- Drive-by URL
  - Payload contains a link to a website that attempts to run malicious code.
- OAuth consent grant
  - Payload contains an Azure application requesting consent to permissions.
- How-to guide
  - Payload to train users on phishing and how to report it.
In 2024 Microsoft added support for quishing (QR code phishing) as well.
Tips
At this time I am not adding any guidance for setting simulations up; it is very straightforward, and Microsoft has a detailed guide here. I will likely come back and add more detailed notes after I have built out the "base" of my documentation.
For now here are some general tips:
- Be sure not to reuse the same payload too soon; you can see whether a payload was previously run when making a payload selection.
- When targeting a group of users you can use the office location or department; this is great for sending a financial payload to the accounting department, for example.
- You can assign training without using a simulation if desired.
- Automation is also very straightforward for setting up recurring simulations, but note that these unfortunately can't be configured to run quarterly.