Simulating attacks with Microsoft 365

Phishing attacks are one of the most common ways an organization is attacked. According to the FBI, there were 241,342 phishing complaints, with adjusted losses of over $54 million, in 2020 alone. So the question is: is your organization ready?

What’s a phishing attack?

Phishing attacks are a type of social engineering attack used to steal data, typically credit card details or login credentials. In short, the attacker sends an email pretending to be from someone else and asks the victim either to go to a website and enter their credentials, or to send a credit card number or a money transfer. For the victim, whether that is your organization or the individual user, the attack can be devastating. You can lose money, or the attacker may use the stolen credentials to send malicious emails to your partners and the rest of the world, discrediting you and your business.

Phishing attack techniques

There are several techniques used in phishing attacks, and the number continues to grow, but for now we’ll focus on 5 different phishing attack techniques.

Credential harvest

In credential harvesting attacks the attacker is trying to obtain your users’ credentials. The attacker will typically send an email with a URL to a bogus site to trick your users into entering their credentials there.

Malware attachment

In malware attachment attacks, an attacker sends an email to your users with a malicious attachment. The attachment often looks like an ordinary Word or Excel document, but it has malicious code baked into it.

Link in attachment

Link in attachment attacks use the credential harvest technique; the only difference is that the attacker puts the link inside an attachment rather than in the body of the email.

Link to malware

In link to malware attacks, the attacker sends your users an email with a link to a website where the user is expected to download the malicious file. As with the malware attachment technique, the file contains code that runs on the user’s computer. Often the attacker hosts the malicious file on common sharing sites such as Dropbox, SharePoint, or Google Drive.

Drive-by URL

Drive-by URL, also known as the watering hole technique, is an attack sequence in which the attacker sends an email with a URL inside. The URL points to a website running malicious code that collects information from your users. Typically the website is a legitimate site that has been compromised, or a clone of a legitimate site, so the user doesn’t even realize what is happening.

How to stop phishing attacks?

One of the best ways to prevent phishing attacks is user training. Training your users to detect malicious emails can save your organization from losing money or credibility. In short, we’ll set up a simulated phishing email and send it to your users. Then we’ll track who opened the links, and you can work with those specific users to help them learn to avoid being tricked again.

What’s an attack simulation?

An attack simulation is a way for you to send your users an email that is a fake phishing attack. In short, Microsoft has created several sample emails that you can send to your users. The sample emails direct the user to a fake malicious site or a fake malicious attachment. When the user opens the site or attachment they are informed that this was a simulation. Microsoft’s attack simulation will also report on who opened the malicious URLs or attachments so you can provide them with more training.

What licenses are required?

To use the attack simulation training built into Microsoft 365 you’ll need Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 licenses.

What roles are required?

You need to be a member of one of the following roles to set up attack simulation training:

  • Organization Management
  • Security Administrator
  • Attack Simulation Administrators can create and manage all aspects of attack simulation campaigns.
  • Attack Payload Author can create attack payloads that an admin can initiate later.

How to configure an attack simulation

1. Go to the Microsoft Defender portal > Attack simulation training > Simulations. Click Launch a simulation.

Launch a phishing attack simulation

2. Select the technique you want to use. In this scenario, we’ll leave Credential Harvest checked and click Next.

Select a Technique

3. Enter the simulation name of Test Simulation in the space provided. Click Next.

Name your simulation then click Next

4. Select the 2 Failed Messages payload. Click Next.

Select the 2 failed messages payload. Then click Next

5. On the Target Users page you can either select the users you want to test the deployment with or click Include all users in my organization. Set up the users you want to send the attack simulation training to and click Next.

Select the users to target. Then click Next

6. On the Assign Training page leave the defaults and click Next.

7. On the landing page window leave the defaults and click Next.

8. On the select end-user notification page click Microsoft default notification (recommended). Then click Delivery preferences > Deliver during campaign. Click Next.

Select end user notifications

9. On the Launch details page click Next.

10. Click Submit. Click Done.

What will users experience?

Fake phishing email

Each user you selected to receive the phishing simulation will receive the same email. The email contains a link to a website that appears to be from Microsoft. When the user enters their credentials they’ll see a page informing them that they were duped. On that page, Microsoft explains a couple of things to check in order to tell whether an email is a phishing scam. Under the quick guide is a link to training the user can take to learn more.

Fake phishing landing page

How to view the report on who clicked the link?

So now we have some data. We’ve sent the email to some users in our organization, but how do we check who clicked the link or completed the training? It’s easy!

1. Go to the Microsoft Defender portal > Attack simulation training > Simulations. Click Test Simulation.

View phishing simulation

From this page, you have a quick overview of the simulation: how many users reported the email as phishing, how many clicked the link, and how many entered their credentials.

2. Click View users to see where your users landed in the simulation.

Simulation overview view users circled

From this page, you can see which users were compromised and which users completed the training.
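The overview and View users pages above boil down to a simple funnel: targeted, reported, clicked, entered credentials, completed training. The script below is an added example (not part of the original article, the portal, or any Microsoft export format) that rebuilds that funnel from constructed per-user records and lists the users the article says to work with directly, those who entered credentials but have not completed the training. The record layout and the example.com addresses are assumptions for the demonstration.

```python
"""Aggregate per-user phishing simulation results into the funnel shown on
the Attack simulation training overview page and pick out users who still
need follow-up. Record layout below is constructed for this example; it is
not the portal export format or the Microsoft Graph schema."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UserResult:
    email: str
    reported: bool             # user reported the message as phishing
    clicked: bool              # user opened the link in the simulation email
    entered_credentials: bool  # user submitted credentials on the fake page
    training_completed: bool   # user finished the assigned training


# Constructed sample results (example.com addresses are placeholders).
SAMPLE_RESULTS = [
    UserResult("alice@example.com", True,  False, False, False),
    UserResult("bob@example.com",   False, True,  True,  False),
    UserResult("carol@example.com", True,  True,  False, True),
    UserResult("dave@example.com",  False, True,  True,  True),
    UserResult("erin@example.com",  False, False, False, False),
]


def funnel(results):
    """Count each stage the way the overview page does. Reporting the email
    does not undo a credential entry, and a credential entry without a click
    is an inconsistent record, so it is rejected rather than silently counted."""
    counts = Counter(targeted=0, reported=0, clicked=0, compromised=0)
    for r in results:
        if r.entered_credentials and not r.clicked:
            raise ValueError(f"{r.email}: credentials entered without a click")
        counts["targeted"] += 1
        counts["reported"] += r.reported
        counts["clicked"] += r.clicked
        counts["compromised"] += r.entered_credentials
    return dict(counts)


def needs_follow_up(results):
    """Users who entered credentials and have not yet completed training."""
    return sorted(r.email for r in results
                  if r.entered_credentials and not r.training_completed)


if __name__ == "__main__":
    print(funnel(SAMPLE_RESULTS))
    print(needs_follow_up(SAMPLE_RESULTS))
```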

How do we automatically schedule simulations?

So now you’ve evaluated the simulation and maybe even sent it to some of your end users. The next question is, how do we make the simulations recur automatically? Let’s take a look.

1. Go to Microsoft 365 Defender Portal > Attack simulation training > Simulation automations. Click Create automation.

Create phishing simulation automation

2. Set the name to Simulation Automation. Click Next.

Name your automation. Click next

3. Click Credential Harvest. Click Next.

Select social engineering technique

4. Click Randomize. Click Next.

Set payloads to randomize. Click Next

5. Select the users you want to be tested. As a start, you may want to select a couple of users. Then later you may want to come back and click Include all users in my organization. Click Next.

Select the target users.

6. On the assign training page, click Next.

7. On the Landing page window, click Next.

8. On the Select end user notification page click Microsoft default notification (recommended). Set Delivery preferences to Deliver during campaign. Click Next.

Select end user notifications

9. On the Simulation schedule page click Next.

10. Set the simulation recurrence. Then click Next.

Schedule details

11. On the launch details page click Next.

12. Click Submit. Click Done.