Examine Attack simulation in Microsoft Defender XDR


Organizations that have Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 (which includes Threat Investigation and Response capabilities) can use Attack simulation training in the Microsoft Defender portal to run realistic attack scenarios. These simulated attacks can help identify vulnerable users and change their behaviors before a real attack impacts an organization's bottom line.

Attack simulation training in Microsoft Defender for Office 365 lets an organization run benign cyberattack simulations to test its security policies and practices. It's also used to train employees to increase their awareness and reduce their susceptibility to attacks.

To access Attack simulation training, navigate to the Microsoft Defender portal and select Email and collaboration > Attack simulation training.

An organization must meet the following prerequisites to run Attack simulation training:

  • The organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
  • The person running the Attack simulation training must be a Microsoft 365 Global administrator or Security administrator, or be assigned one of the following roles:
    • Attack Simulator Administrators. Create and manage all aspects of attack simulation campaigns.
    • Attack Simulator Payload Authors. Create attack payloads that an admin can start later.
  • The organization's email is hosted in Exchange Online. Attack simulation training isn't available for on-premises email servers.
  • Attack simulation data and training-related data are stored with other customer data for Microsoft 365 services. For more information, see: Where your Microsoft 365 customer data is stored.

Running Attack simulation training

Attack simulation training consists of the following steps, each of which is described in detail in the following sections:

  1. Select a social engineering (simulation) technique.
  2. Select a payload and login page.
  3. Target users.
  4. Assign training.
  5. Select end user notification.
  6. Launch details and review.

Step 1 - Select a social engineering (simulation) technique

Phishing is a generic term for email attacks that try to steal sensitive information using messages that appear to come from legitimate or trusted senders. Phishing is one of a broader set of techniques that Microsoft classifies as social engineering.

In Attack simulation training, you can select from the following social engineering (simulation) techniques:

  • Credential harvest. An attacker sends the recipient a message that contains a URL. When the recipient selects the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. The destination page is themed to represent a well-known website. By displaying what appears to be a well-known website, the goal of the phishing attack is to have the user actually believe they've accessed a real site.
  • Malware attachment. An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) is run on the user's device. This code helps the attacker install more code or further entrench themselves.
  • Link in attachment. This simulation is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a URL within an attachment. When the recipient opens the attachment and selects the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. By displaying what appears to be a well-known website, the goal of the phishing attack is to have the user actually believe they've accessed a real site.
  • Link to malware. An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient selects the URL, the attachment opens, and then arbitrary code, such as a macro, is run on the user's device. This code helps the attacker install more code or further entrench themselves.
  • Drive-by URL. An attacker sends the recipient a message that contains a URL. When the recipient selects the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or is a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to select. This technique is also known as a watering hole attack.
  • OAuth Consent Grant. An attacker sends the recipient a message with a malicious URL that asks the user to grant permissions to data for a malicious Azure Application.

Step 2 - Select a payload and login page

Once you've selected the type of simulation (social engineering technique) that you want to run, select a payload from the pre-existing payload catalog.

Payloads have many data points to help you choose:

  • Click rate. Counts how many people selected this payload.
  • Predicted compromise rate. Predicts the percentage of people that will get compromised by this payload. This calculation is based on historical data for the payload across Microsoft Defender for Office 365 customers.
  • Simulations launched. Counts the number of times this payload was used in other simulations.
  • Complexity. Available through filters, complexity is calculated based on the number of indicators within the payload that clue targets in on it being an attack. More indicators lead to lower complexity.
  • Source. Available through filters, source indicates whether the payload was created on your tenant or is a part of Microsoft's pre-existing payload catalog (global).

Step 3 - Target users

Now it's time to select this simulation's audience. You can choose to include all your users or only specific users and groups. If you choose to include only specific users and groups, you can either:

  • Add users. You can search through your tenant for specific users. You can also use advanced search and filtering capabilities; for example, you can target users who haven't been targeted by a simulation in the last three months.
  • Import from CSV. Enables you to import a predefined set of users for this simulation.
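The payload data points in Step 2 (click rate and compromise rate) and the Step 3 targeting filter ("users who haven't been targeted by a simulation in the last three months") are both simple computations over past simulation results. The following Python is an added example, not code from the Microsoft page or the Defender portal: it works from a constructed in-memory history of past simulations, derives per-payload click and compromise rates for that history only (not Microsoft's cross-customer figures), selects the users not targeted in roughly the last three months, and renders them as a target list. The record shape, the 30-day approximation of a month, and the one-email-per-line CSV layout are all assumptions of this example.

```python
"""Prepare an Attack simulation training run from past results (added example).

Assumptions (not taken from the Microsoft page):
- Past simulation results are available as records holding the user's
  email, the payload name, the launch date, and whether the user clicked
  and was compromised.
- The "Import from CSV" target list is one email address per line.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SimulationEvent:
    """One targeted user in one past simulation (constructed record shape)."""
    email: str
    payload: str
    launched: date
    clicked: bool       # selected the link or opened the attachment
    compromised: bool   # went on to submit credentials or run the payload


# Constructed sample history: two past simulations across four users.
SAMPLE_HISTORY = [
    SimulationEvent("alice@example.com", "Password reset", date(2024, 1, 10), True, True),
    SimulationEvent("bob@example.com",   "Password reset", date(2024, 1, 10), True, False),
    SimulationEvent("carol@example.com", "Password reset", date(2024, 1, 10), False, False),
    SimulationEvent("alice@example.com", "Shared document", date(2024, 4, 2), False, False),
    SimulationEvent("dave@example.com",  "Shared document", date(2024, 4, 2), True, True),
]

# All users in the (constructed) tenant, including one never targeted so far.
SAMPLE_USERS = ["alice@example.com", "bob@example.com", "carol@example.com",
                "dave@example.com", "erin@example.com"]
SAMPLE_TODAY = date(2024, 5, 1)


def payload_rates(history):
    """Click rate and compromise rate per payload, as fractions of targeted users.

    Same idea as the catalog's "Click rate" and "compromise rate", but
    computed from this tenant's own history only.
    """
    totals = {}
    for ev in history:
        t = totals.setdefault(ev.payload, {"targeted": 0, "clicked": 0, "compromised": 0})
        t["targeted"] += 1
        t["clicked"] += int(ev.clicked)
        t["compromised"] += int(ev.compromised)
    return {
        name: {
            "click_rate": t["clicked"] / t["targeted"],
            "compromise_rate": t["compromised"] / t["targeted"],
        }
        for name, t in totals.items()
    }


def not_recently_targeted(all_users, history, today, months=3):
    """Users with no simulation launched in roughly the last `months` months.

    Reproduces the Step 3 filter example; a month is approximated as 30 days.
    """
    cutoff = today - timedelta(days=30 * months)
    recent = {ev.email for ev in history if ev.launched >= cutoff}
    return sorted(u for u in all_users if u not in recent)


def targets_csv(emails):
    """Render the target list as CSV text, one email per line (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for e in emails:
        writer.writerow([e])
    return buf.getvalue()


if __name__ == "__main__":
    for name, r in payload_rates(SAMPLE_HISTORY).items():
        print(f"{name}: click {r['click_rate']:.0%}, compromise {r['compromise_rate']:.0%}")
    due = not_recently_targeted(SAMPLE_USERS, SAMPLE_HISTORY, SAMPLE_TODAY)
    print(targets_csv(due), end="")
```

Running the block prints the two per-payload rates and then the three users (bob, carol, erin) who fall outside the three-month window as of the constructed date; that output is what you would save as the CSV for the Import from CSV option. Because the history here is local, the rates it yields are a measure of your own users' susceptibility to a payload, which is the complement to the cross-customer predicted compromise rate shown in the catalog.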

Step 4 - Assign training

It's recommended that you assign training for each simulation, because employees who go through training are less susceptible to similar attacks. You can either have training assigned automatically for your organization, or select the training courses and modules yourself.

Select the training due date to ensure employees finish their training to meet the organization's goals.

Step 5 - Select end user notification

Once training has been assigned to the simulation, you must configure an end-user notification delivery method.

  • Do not deliver notifications: No notifications are delivered to users.
  • Microsoft default notification (recommended): Select from a list of delivery notifications curated by Microsoft.
  • Customized end user notifications: Customize your own delivery notification to users.

Step 6 - Launch details and review

Now that everything is configured, you can launch the simulation immediately or schedule it for a later date. When launching a simulation, you must choose when to end it; interactions with the simulation are no longer captured after the selected end time.

If you set the region-aware time zone delivery option when launching a simulation, simulated attack messages are delivered to your employees during their working hours, based on their region.

Once you're done, select Next and review the details of your simulation. Select the Edit option on any of the parts to go back and change any details that need changing. Once you're done, select Submit.