Attack Simulator in Office 365

Summary

If you are an Office 365 global administrator and your organization has Office 365 Threat Intelligence, you can use Attack Simulator to run realistic attack scenarios in your organization. This can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.

The Attacks

Currently, three kinds of attack simulations are available:

  • Display name spear-phishing attack

  • Password-spray attack

  • Brute-force password attack

For an attack to be successfully launched, you must use multi-factor authentication on the account you are using to run simulated attacks. In addition, you must be an Office 365 global administrator.

Note

Support for Conditional Access is coming soon.

To access Attack Simulator, in the Security & Compliance Center, choose Threat management > Attack simulator.

Before you begin...

Make sure that you and your organization meet the following requirements for Attack Simulator:

  • Your organization's email is hosted in Exchange Online. (Attack Simulator is not available for on-premises email servers.)

  • You are an Office 365 global administrator

  • Your organization is using Multi-factor authentication for Office 365 users

  • Your organization has Office 365 Threat Intelligence, with Attack Simulator visible in the Security & Compliance Center (go to Threat management > Attack simulator)
    [Screenshot: Threat management > Attack simulator]

Display name spear-phishing attack

Phishing is a generic term for a broad suite of attacks classed as social engineering attacks. This attack is focused on spear phishing, a more targeted attack that is aimed at a specific group of individuals or an organization. It is typically a customized attack, with some reconnaissance performed, that uses a display name designed to generate trust in the recipient, such as an email message that looks like it came from an executive within your organization.

This attack focuses on letting you manipulate who the message appears to have originated from by changing the display name and source address. When spear-phishing attacks are successful, cybercriminals gain access to users' credentials.

To simulate a spear-phishing attack

  1. In the Security & Compliance Center, choose Threat management > Attack simulator.

  2. Specify a meaningful campaign name for the attack or select a template.
    [Screenshot: Phishing Start Page]

  3. Specify the target recipients. This can be individuals or groups in your organization. Each targeted recipient must have an Exchange Online Mailbox in order for the attack to be successful.
    [Screenshot: Recipient Selection]

  4. Configure the Phishing email details.
    [Screenshot: Configure email details]
    The HTML formatting can be as complex or basic as your campaign needs. As the email format is HTML, you can insert images and text to enhance believability. You have control over what the received message will look like in the receiving email client.

  5. Specify text for the From (Name) field. This is the field that shows as the Display Name in the receiving email client.

  6. Specify text for the From field. This is the field that shows as the email address of the sender in the receiving email client.
    You can enter an existing email namespace within your organization (doing this will make the email address actually resolve in the receiving client, facilitating a very high trust model), or you can enter an external email address. The email address that you specify does not have to actually exist, but it does need to follow the format of a valid SMTP address, such as user@domainname.extension.

  7. Using the drop-down selector, select a Phishing Login server URL that reflects the type of content you will have within your attack. Several themed URLs are provided for you to choose from, such as document delivery, technical, payroll, etc. This is effectively the URL that targeted users are asked to click.

  8. Specify a custom landing page URL. Using this will redirect users to a URL you specify at the end of a successful attack. If you have internal awareness training, for example, you can specify that here.

  9. Specify text for the Subject field. This is the field that shows as the Subject in the receiving email client.

  10. Compose the Email body that the target will receive. You can work in the rich HTML editor directly in the Email body field, or edit the HTML source. There are two important fields for inclusion in the HTML:
    ${username} inserts the target's name into the Email body.
    ${loginserverurl} inserts the URL we want target users to click.

  11. Choose Next, then Finish to launch the attack. The spear phishing email message is delivered to your target recipients' mailboxes.

Password-spray attack

A password spray attack against an organization is typically used after a bad actor has successfully acquired a list of valid users from the tenant. The bad actor knows about common passwords that people use. This is a widely used attack, as it is a cheap attack to run, and harder to detect than brute force approaches.

This attack focuses on letting you specify a common password against a large target base of users.

To simulate a password-spray attack

  1. In the Security & Compliance Center, choose Threat management > Attack simulator.

  2. Specify a meaningful campaign name for the attack.

  3. Specify the target recipients. This can be individuals or groups in your organization. A targeted recipient must have an Exchange Online Mailbox in order for the attack to be successful.

  4. Specify a password to use for the attack. For example, one common, relevant password you could try is Fall2017. Another might be Spring2018, or Password1.

  5. Choose Finish to launch the attack.

Brute-force password attack

A brute-force password attack against an organization is typically used after a bad actor has successfully acquired a list of key users from the tenant. This attack focuses on trying a set of passwords on a single user's account.
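The two attack patterns described above (password spray and brute force) leave different footprints in sign-in failures. The following is an added example, not part of the Office 365 documentation, that classifies a constructed set of failed sign-in events into those two patterns so you can check what your monitoring would see after running a simulation; the event format, thresholds and sample data are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): failed sign-ins as
# (ISO timestamp, user, source IP). One source touches six accounts once
# each (spray shape); another hammers a single account (brute-force shape).
SAMPLE_EVENTS = (
    [(f"2024-01-01T09:0{i}:00", f"user{i}@contoso.example", "198.51.100.7") for i in range(6)]
    + [(f"2024-01-01T10:{i:02d}:00", "bob@contoso.example", "203.0.113.9") for i in range(12)]
    + [("2024-01-01T11:00:00", "carol@contoso.example", "192.0.2.5")]  # ordinary typo
)
WINDOW = timedelta(hours=1)  # assumed correlation window


def _group_by(events, key):
    """Parse timestamps and bucket events by the given key function."""
    groups = defaultdict(list)
    for ts, user, ip in events:
        row = (datetime.fromisoformat(ts), user, ip)
        groups[key(row)].append(row)
    return groups


def _windows(rows, window):
    """For each event, yield the events that fall within `window` after it."""
    rows = sorted(rows)
    for i, (start, *_rest) in enumerate(rows):
        yield [r for r in rows[i:] if r[0] - start <= window]


def detect_password_spray(events, min_users=5, max_per_user=2, window=WINDOW):
    """Source IPs that failed against many distinct accounts, a few tries each.
    Low per-account counts are why spray is harder to spot than brute force."""
    hits = set()
    for ip, rows in _group_by(events, lambda r: r[2]).items():
        for win in _windows(rows, window):
            per_user = Counter(r[1] for r in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits.add(ip)
                break
    return hits


def detect_brute_force(events, min_attempts=10, window=WINDOW):
    """Accounts that accumulated many failures inside one window, regardless
    of source IP, since a brute-force attacker may rotate addresses."""
    hits = set()
    for user, rows in _group_by(events, lambda r: r[1]).items():
        if any(len(win) >= min_attempts for win in _windows(rows, window)):
            hits.add(user)
    return hits
```

Tune the thresholds to your tenant's normal failure rate before alerting on them; a large organization sees many single failures per source that are not a spray.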

To simulate a brute-force password attack

  1. In the Security & Compliance Center, choose Threat management > Attack simulator.

  2. Specify a meaningful campaign name for the attack.

  3. Specify the target recipient. A targeted recipient must have an Exchange Online Mailbox in order for the attack to be successful.

  4. Specify a set of passwords to use for the attack. You can use a text (.txt) file for your list of passwords. The text file cannot exceed 10 MB in file size. Use one password per line, and make sure to include a hard return after the last password in your list.

  5. Choose Finish to launch the attack.

New features in Attack Simulator

New features are being added to Attack Simulator. These include:

  • Advanced reporting capabilities. You'll be able to see data such as the fastest (or slowest) time to open an attack simulation email message, the fastest (or slowest) time to click a link in the message, and more.
  • Email template editor. You can create a custom, reusable email template that you can use for future attack simulations.

Visit the Microsoft 365 Roadmap to see what's in development, what's rolling out, and what's already launched.