Simulate a phishing attack with Attack simulation training in Defender for Office 365

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to Microsoft Defender for Office 365 plan 2

Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 lets you run benign cyberattack simulations in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using Attack simulation training.

For getting started information about Attack simulation training, see Get started using Attack simulation training.

To launch a simulated phishing attack, do the following steps:

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Attack simulation training > Simulations tab.

    To go directly to the Simulations tab, use https://security.microsoft.com/attacksimulator?viewid=simulations.

  2. On the Simulations tab, select Launch a simulation icon. Launch a simulation.

    The Launch a simulation button on the Simulations tab in Attack simulation training in the Microsoft 365 Defender portal

  3. The simulation creation wizard opens. The rest of this article describes the pages and the settings they contain.

Note

At any point during the simulation creation wizard, you can click Save and close to save your progress and continue configuring the simulation later. The incomplete simulation has the Status value Draft on the Simulations tab. You can pick up where you left off by selecting the simulation and clicking Edit simulation icon. Edit simulation.

Select a social engineering technique

On the Select technique page, select an available social engineering technique, which was curated from the MITRE ATT&CK® framework. Different payloads are available for different techniques. The following social engineering techniques are available:

  • Credential harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
  • Malware attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that will help the attacker compromise the target's device.
  • Link in attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
  • Link to malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user will contain a link to this malicious file. Opening the file will help the attacker compromise the target's device.
  • Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.

If you click the View details link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.

The Details flyout for the credential harvest technique on the Select technique page

When you're finished, click Next.

Name and describe the simulation

On the Name simulation page, configure the following settings:

  • Name: Enter a unique, descriptive name for the simulation.
  • Description: Enter an optional detailed description for the simulation.

When you're finished, click Next.

Select a payload

On the Select payload page, you need to select an existing payload from the list, or create a new payload.

The following details are displayed in the list of payloads to help you choose:

  • Payload name
  • Language: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 10+ languages which can also be filtered.
  • Click rate: How many people have clicked on this payload.
  • Predicted compromise rate: Historical data for the payload across Microsoft 365 that predicts the percentage of people who will get compromised by this payload.
  • Simulations launched counts the number of times this payload was used in other simulations.

In the Search icon. Search box, you can type part of the payload name and press Enter to filter the results.

If you click Filter, the following filters are available:

  • Source: Indicates whether the payload was created in your organization or is a part of Microsoft's pre-existing payload catalog. Valid values are:

    • Global (built-in)
    • Tenant (custom)
    • All
  • Complexity: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are:

    • Low
    • Medium
    • High
  • Language: The available values are: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Dutch.

  • Add tag(s)

  • Filter by theme: The available values are: Account activation, Account verification, Billing, Clean up mail, Document received, Expense, Fax, Finance report, Incoming messages, Invoice, Items received, Login alert, Mail received, Password, Payment, Payroll, Personalized offer, Quarantine, Remote work, Review message, Security update, Service suspended, Signature required, Upgrade mailbox storage Verify mailbox, Voicemail, and Other.

  • Filter by brand: The available values are: American Express, Capital One, DHL, DocuSign, Dropbox, Facebook, First American, Microsoft, Netflix, Scotiabank, SendGrid, Stewart Title, Tesco, Wells Fargo, Syrinx Cloud, and Other.

  • Filter by industry: The available values are: Banking, Business services, Consumer services, Education, Energy, Construction, Consulting, Financial services, Government, Hospitality, Insurance, Legal, Courier services, IT, Healthcare, Manufacturing, Retail, Telecom, Real estate, and Other.

  • Current event: The available values are Yes or No.

  • Controversial: The available values are Yes or No.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

The Select payload page in Attack simulation training in the Microsoft 365 Defender portal

If you select a payload from the list, details about the payload are shown in a flyout:

  • The Overview tab contains an example and other details about the payload.
  • The Simulations launched tab contains the Simulation name, Click rate, Compromised rate, and Action.

The Payload details flyout in Attack simulation training in the Microsoft 365 Defender portal

If you select a payload from the list by clicking on the name, a Send a test payload icon. Send a test button appears on the main page where you can send a copy of the payload email to yourself (the currently logged in user) for inspection.

To create your own payload, click Create a payload icon. Create a payload. For more information, see Create custom payloads for Attack simulation training.

When you're finished, click Next.

Target users

On the Target users page, select who will receive the simulation. Configure one of the following settings:

  • Include all users in your organization: The affected users are show in lists of 10. You can use the Next and Previous buttons directly below the list of users to scroll through the list. You can also use the Search icon. Search icon on the page to find affected users.

  • Include only specific users and groups: Choose one of the following options:

    • Add users icon. Add users: In the Add users flyout that appears, you can find users and groups based on the following criteria:

      • Search for users or groups: In box, you can type part of the Name or Email address of the user or group and then press Enter. You can select some or all of the results. When you're finished, click Add x users.

        Note

        Clicking the Add filters button to return to the Filter users by categories options will clear any users or groups that you selected in the search results.

      • Filter users by categories: Select from none, some, or all of the following options:

        • Suggested user groups: Select from the following values:

          • All suggested user groups
          • Users not targeted by a simulation in the last three months
          • Repeat offenders
        • User tags: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see User tags in Microsoft Defender for Office 365.

          Use the following options:

          • Search: In Search by user tags icon. Search by user tags, you can type part of the user tag and then press Enter. You can select some or all of the results.
          • Select All user tags
          • Select existing user tags.
        • Department: Use the following options:

          • Search: In Search by Department icon. Search by Department, you can type part the Department value and then press Enter. You can select some or all of the results.
          • Select All Department
          • Select existing Department values.
        • Title: Use the following options:

          • Search: In Search by Title icon. Search by Title, you can type part of the Title value and then press Enter. You can select some or all of the results.
          • Select All Title
          • Select existing Title values.

        The User filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal

        After you identify your criteria, the affected users are shown in the User list section that appears, where you can select some or all of the discovered recipients.

        When you're finished, click Apply(x), and then click Add x users.

    Back on the main Target users page, you can use the Search icon. Search box to find affected users. You can also click Delete users icon. Delete to remove specific users.

  • Import icon. Import: In the dialog that opens, specify a CSV file that contains one email address per line.

    After you find a select the CSV file, the list of users are imported and shown on the Targeted users page. You can use the Search icon. Search box to find affected users. You can also click Delete targeted users icon. Delete to remove specific users.

When you're finished, click Next.

Assign training

On the Assign training page, you can assign trainings for the simulation. We recommend that you assign training for each simulation, as employees who go through training are less susceptible to similar attacks. The following settings are available:

  • Select training content preference: Choose one of the following options:
    • Microsoft training experience: This is the default value that has the following associated options to configure:
      • Select one of the following options:
        • Assign training for me: This is the default and recommended value. We assign training based on a user's previous simulation and training results, and you can review the selections in the next steps of the wizard.
        • Select training courses and modules myself: If you select this value, you'll still be able to see the recommended content as well as all available courses and modules in the next step of the wizard.
      • Due date: Choose one of the following values:
        • 30 days after simulation ends: This is the default value.
        • 15 days after simulation ends
        • 7 days after simulation ends
    • Redirect to a custom URL: This value has the following associated options to configure:
      • Custom training URL (required)
      • Custom training name (required)
      • Custom training description
      • Custom training duration (in minutes): The default value is 0, which means there is no specified duration for the training.
      • Due date: Choose one of the following values:
        • 30 days after simulation ends: This is the default value.
        • 15 days after simulation ends
        • 7 days after simulation ends
    • No training: If you select this value, the only option on the page is the Next button that takes you to the Landing page page.

The option to add the recommended training on the Training assignment page in Attack simulation training in the Microsoft 365 Defender portal

Training assignment

Note

The Training assignment page is available only if you selected Microsoft training experience > Select training courses and modules myself on the previous page.

On the Training assignment page, select the trainings that you want to add to the simulation by clicking Add trainings icon. Add trainings.

On the Add training flyout that appears, you can select the trainings to use on the following tabs that are available:

  • Recommended tab: Shows the recommended built-in trainings based on the simulation configuration. These are the same trainings that would have been assigned if you selected Assign training for me on the previous page.

  • All trainings tab: Shows all built-in trainings that are available.

    The following information is shown for each training:

    • Training name
    • Source: The value is Global.
    • Duration (mins)
    • Preview: Click the Preview button to see the training.

    In the Search icon. Search box, you can type part of the training name and press Enter to filter the results on the current tab.

    Select all trainings that you want to include from the current tab, and then click Add.

Back on the main Training assignment page, the trainings that you selected are shown. The following information is shown for each training:

  • Training name
  • Source
  • Duration (mins)

For each training in the list, you need to select who gets the training by selecting values in the Assign to column:

  • All users

    or one or both of the following values:

  • Clicked payload

  • Compromised

If you don't want to use a training that's shown, click Delete training icon. Delete.

The Training assignment page in Attack simulation training in the Microsoft 365 Defender portal

When you're finished, click Next.

Landing page

On the Landing page page, you configure the web page that user are taken to if they open the payload in the simulation.

Microsoft-curated landing pages are available in 12 languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Dutch.

  • Select landing page preference: The available values are:
    • Use Microsoft default landing page: This is the default value that has the following associated options to configure:

      • Select landing page layout: Select one of the available templates.
      • Add logo: Click Browse to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, click Remove.
      • Add payload indicators to email: This setting is not available if you previously selected Malware attachment or Link to malware on the Select technique page.

      You can preview the results by clicking the Open preview panel button at the bottom of the page.

    • Use a custom URL: This setting is not available if you previously selected Malware attachment or Link to malware on the Select technique page.

      If you select Use a custom URL, you need to add the URL in the Enter the custom landing page URL box that appears. No other options are available on the page.

    • Create your own landing page: This value has the following associated options to configure:

      • Add payload indicators to email: This setting is available to select only if both of the following conditions are true:

        • You previously selected Credential harvest, Link in attachment, or Drive-by URL on the Select technique page.
        • After you add the Dynamic tag named Insert email content into the page content.
      • Page content: Two tabs are available:

        • Text: A rich text editor is available to create your landing page. In addition to the typical font and formatting settings, the following settings are available:
          • Dynamic tag: Select from the following tags:
            • Insert name
            • Insert sender name
            • Insert sender email
            • Insert email subject
            • Insert email content
            • Insert date
          • Use from default: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click Reset to default.
      • Code: You can view and modify the HTML code directly.

      You can preview the results by clicking the Open preview panel button in the middle of the page.

When you're finished, click Next.

Note

Certain trademarks, logos, symbols, insignias and other source identifiers receive heightened protection under local, state and federal statutes and laws. Unauthorized use of such indicators can subject the users to penalties, including criminal fines. Though not an extensive list, this includes the Presidential, Vice Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond these categories of trademarks, use and modification of any third-party trademark carries an inherent amount of risk. Using your own trademarks and logos in a payload would be less risky, particularly where your organization permits the use. If you have any further questions about what is or is not appropriate to use when creating or configuring a payload, you should consult with your legal advisors.

Select end user notification

On the Select end user notification page, select from the following notification options:

  • Do not deliver notifications: Click Proceed in the alert dialog that appears. If you select this option, you're taken to the Launch details page when you click Next.

  • Microsoft default notification (recommended): The following additional settings are available on the page:

    • Select default language: The available values are: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Dutch.

    • By default, the following notifications are included:

      • Microsoft positive reinforcement notification
      • Microsoft default training assignment notification
      • Microsoft default training reminder notification

      For each notification, the following information is available:

      • Notifications: The name of the notification.
      • Language: If the notification contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, +10).
      • Type: One of the following values:
        • Positive reinforcement notification
        • Training assignment notification
        • Training reminder notification
      • Delivery preferences: For Positive reinforcement notification and Training reminder notification types, the following values are available
        • Do not deliver
        • Deliver after campaign ends
        • Deliver during campaign
      • Actions: If you click on the View icon. View icon, the Review notification page appears with the following information:
        • Preview tab: View the notification message as users will see it.

          • To view the message in different languages, use the Select language box.
          • Use the Select payload to preview box to select the notification message for simulations that contain multiple payloads.
        • Details tab: View details about the notification:

          • Notification description
          • Source: For built-in notifications, the value is Global. For custom notifications, the value is Tenant.
          • Notification type: One of the following types base on the notification you originally selected:
            • Positive reinforcement notification
            • Training assignment notification
            • Training reminder notification
          • Modified by
          • Last modified

          When you're finished, click Close.

    You're taken to the Launch details page when you click Next.

  • Customized end user notifications: When you click Next, you're taken to the Training assignment notification page as described in the next sections.

Training assignment notification

The Training assignment notification page is available only if you selected Customized end user notifications on the Select end user notification page.

This page shows the following notifications and their configured languages:

You can select an existing training assignment notification or create a new notification to use:

  • To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

  • To search for an existing notification, use the Search icon. Search box to search for the name.

    Select the notification that you want to use, and then click Next.

  • To create and use a new notification, click Create new icon. Create new.

Create new training assignment notification wizard

If you clicked Create new icon. Create new on the Training assignment notification page, a notification creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Training assignment notification for Select notification type.

When you're finished, you're taken back to the Training assignment notification page where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Training reminder notification

The Training reminder notification page is available only if you selected Customized end user notifications on the Select end user notification page.

  • Set frequency for reminder notification: Select Weekly (default) or Twice a week.

  • Select a reminder notification: This section shows the following notifications and their configured languages:

    You can select an existing training reminder notification or create a new notification to use:

    • To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

    • To search for an existing notification, use the Search icon. Search box to search for the name.

      Select the notification that you want to use, and then click Next.

    • To create and use a new notification, click Create new icon. Create new.

Create new training reminder notification wizard

If you clicked Create new icon. Create new on the Training reminder notification page, a notification creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Training reminder notification for Select notification type.

When you're finished, you're taken back to the Training reminder notification page where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Positive reinforcement notification

The Positive reinforcement notification page is available only if you selected Customized end user notifications on the Select end user notification page.

  • Delivery preferences: Select one of the following values:

    • Do not deliver: If you select this option, you're taken to the Launch details page when you click Next.

    • Deliver after the user reports a phish and campaign ends or Deliver immediately after the user reports a phish: These sections show the following notifications and their configured languages in the Select a positive reinforcement notification section that appears:

    • Microsoft default positive reinforcement notification

    • Any custom positive reinforcement notifications that you previously created.

      These notifications are also available in End user notifications on the Simulation content library tab in Attack simulation training at https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary. Microsoft default positive reinforcement notification is available on the Global notifications tab. Custom positive reinforcement notifications are available on the Tenant notifications tab. For more information, see End-user notifications for Attack simulation training.

    You can select an existing positive reinforcement notification or create a new notification to use:

    • To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

    • To search for an existing notification, use the Search icon. Search box to search for the name.

      Select the notification that you want to use, and then click Next.

    • To create and use a new notification, click Create new icon. Create new.

Create new positive reinforcement notification wizard

If you clicked Create new icon. Create new on the Positive reinforcement notification page, a notification creation wizard opens.

The creation steps are identical as described in Create end-user notifications.

Note

On the Define details page, be sure to select the value Positive reinforcement notification for Select notification type.

When you're finished, you're taken back to the Positive reinforcement notification page where the notification that you just created now appears in the list.

Select the notification that you want to use, and then click Next.

Launch details

On the Launch details page, you choose when to launch the simulation and when to end the simulation. We'll stop capturing interaction with this simulation after the end date you specify.

The following settings are available:

  • Choose one of the following values:
    • Launch this simulation as soon as I'm done
    • Schedule this simulation to be launched later: This value has the following associated options to configure:
      • Select launch date
      • Select launch time
  • Configure number of days to end simulation after: The default value is 2.
  • Enable region aware time zone delivery: Deliver simulated attack messages to your employees during their working hours based on their region.
  • Display the drive-by technique interstitial data gathered page: You can show the overlay that comes up for the drive-bu URL technique attacks. To hide the overlay and go directly to the landing page, de-select this option.

When you're finished, click Next.

Review simulation

On the Review simulation page, you can review the details of your simulation.

Click the Send a test icon. Send a test button to send a copy of the payload email to yourself (the currently logged in user) for inspection.

You can select Edit in each section to modify the settings within the section. Or you can click Back or select the specific page in the wizard.

When you're finished, click Submit.

The Review simulation page in Attack simulation training in the Microsoft 365 Defender portal