Get started using Attack simulation training in Defender for Office 365

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to Microsoft Defender for Office 365 plan 2

If your organization has Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, you can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify vulnerable users before a real attack impacts your bottom line. Read this article to learn more.

Note

Attack simulation training replaces the old Attack Simulator v1 experience that was available in the Security & Compliance Center at Threat management > Attack simulator or https://protection.office.com/attacksimulator.

What do you need to know before you begin?

  • To open the Microsoft 365 Defender portal, go to https://security.microsoft.com. Attack simulation training is available at Email and collaboration > Attack simulation training. To go directly to Attack simulation training, open https://security.microsoft.com/attacksimulator.

  • For more information about the availability of Attack simulation training across different Microsoft 365 subscriptions, see Microsoft Defender for Office 365 service description.

  • You need to be assigned permissions in Azure Active Directory before you can do the procedures in this article. Specifically, you need to be a member of one of the following roles:

    • Organization Management
    • Security Administrator
    • Attack Simulation Administrators*: Create and manage all aspects of attack simulation campaigns.
    • Attack Payload Author*: Create attack payloads that an admin can initiate later.

    * Adding users to this role in the Microsoft 365 Defender portal is currently unsupported.

    For more information, see Permissions in the Microsoft 365 Defender portal or About admin roles.

  • There are no corresponding PowerShell cmdlets for Attack simulation training.

  • Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see Microsoft 365 data locations. Attack simulation is available in the following regions: NAM, APC, EUR, IND, CAN, AUS, FRA, GBR, JPN, KOR, BRA, LAM, CHE, NOR, ZAF, ARE and DEU.

    Note

    NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry will be available in these regions. We are working to enable this and will notify our customers as soon as reported email telemetry becomes available.

  • As of June 15, 2021, Attack simulation training is available in GCC. If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training in the Microsoft 365 Defender portal to run realistic attack scenarios in your organization as described in this article. Attack simulation training is not yet available in GCC High or DoD environments.

Note

Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering.

Simulations

Phishing is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. Phishing is one of a set of techniques that we classify as social engineering.

In Attack simulation training, multiple types of social engineering techniques are available:

  • Credential harvest: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.

  • Malware attachment: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.

  • Link in attachment: This is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a URL inside of an attachment. When the recipient opens the attachment and clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.

  • Link to malware: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the URL, the attachment opens and arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.

  • Drive-by-url: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a watering hole attack.
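
The techniques above differ mainly in where the lure sits in the message. The following Python example is added here for illustration and is not part of the original article or of any Microsoft tooling; it sorts a message into those delivery shapes for triage. The function names, the file-sharing host list and the sample builder are assumptions made for the example, and the returned labels name the message shape only, not a verdict on the content.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumption: suffixes standing in for "well-known file sharing sites"
# (the article names SharePoint Online and Dropbox as examples).
FILE_SHARE_SUFFIXES = ("sharepoint.com", "dropbox.com")

def _urls(part):
    """URLs visible in a part's decoded bytes (plain-text content only)."""
    raw = part.get_payload(decode=True) or b""
    return URL_RE.findall(raw.decode("utf-8", errors="replace"))

def delivery_shape(msg):
    """Name the delivery shape of a message; this is triage, not a verdict."""
    body_urls, attachment_urls, attachments = [], [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments += 1
            attachment_urls += _urls(part)
        elif part.get_content_maintype() == "text":
            body_urls += _urls(part)
    if attachment_urls:
        return "link in attachment"
    if attachments:
        return "malware attachment"
    hosts = [urlparse(u).hostname or "" for u in body_urls]
    if any(h == s or h.endswith("." + s) for h in hosts for s in FILE_SHARE_SUFFIXES):
        return "link to malware"
    # Both remaining techniques are a bare URL in the body; they differ only
    # in what the destination does, which message structure cannot show.
    return "credential harvest or drive-by-url" if body_urls else "no lure found"

def sample(body, attachment=None):
    """Build a constructed test message; attachment may be str or bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content(body)
    if isinstance(attachment, str):
        msg.add_attachment(attachment, filename="notice.txt")
    elif attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="invoice.bin")
    return msg
```

URLs inside compressed document formats are not visible to the plain-text scan in `_urls`, so such attachments are reported under the attachment shape.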

Note

Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. While we work with many URL reputation vendors to always allow these simulation URLs, we don't always have full coverage (for example, Google Safe Browsing). Most vendors provide guidance that allows you to always allow specific URLs (for example, https://support.google.com/chrome/a/answer/7532419).

The URLs that are used by Attack simulation training are described in the following list:

Create a simulation

For step-by-step instructions on how to create and send a new simulation, see Simulate a phishing attack.

Create a payload

For step-by-step instructions on how to create a payload for use within a simulation, see Create a custom payload for Attack simulation training.

Gaining insights

For step-by-step instructions on how to gain insights with reporting, see Gain insights through Attack simulation training.

Note

Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the Do not track user clicks setting in Safe Links policies is turned on.