As information security professionals, we naturally place a heavy emphasis on hardening resources in an effort to defend them against attack. It is equally important to periodically test your defenses to make sure that they are working as intended. Historically, these types of tests have required third-party penetration testing software or complex scripting. Recently, however, Microsoft has given organizations the tools necessary to launch simulated attacks against their Microsoft 365 environments. These attacks send various types of phishing messages to users to see how they respond if one lands in their inbox. Keep in mind that the simulation messages are delivered on purpose: Microsoft allowlists them through its own filtering, and if a third-party mail gateway sits in front of Exchange Online you will have to allowlist the simulation senders yourself, so what is really being measured is user behavior rather than the effectiveness of your filters.
To access the attack simulation tools, log into the Microsoft 365 portal using an account with sufficient privileges (Global Administrator or Security Administrator, or a lesser-privileged account that has been placed in the Attack Simulation Administrators role group). Once you are logged in, go to https://security.microsoft.com/attacksimulator. At one time, the Security Admin Center provided a menu option for accessing this page directly, but that menu option is currently missing. In all likelihood, Microsoft will recreate the menu link at some point. You can see what the Attack Simulation Training page looks like in Figure 1.
This is the Microsoft 365 Attack Simulation Training page.
To launch an attack simulation against your Microsoft 365 environment, click on the Simulations tab, shown near the top of the previous figure. This will take you to a screen that lists all of your attack simulations and their status. (Of course, if this is the first time that you have run an attack simulation, the screen will be empty.)
Click the Launch a Simulation button and you will be taken to the screen shown in Figure 2. As you can see in the figure, there are currently five different attack simulations available. These attack simulations include:
- Credential Harvest – An attacker uses an email message to lure users to a fake sign-in page and trick them into entering their credentials.
- Malware Attachment – An attacker sends an email with a malicious attachment.
- Link in Attachment – A hybrid of the previous two: the email carries an attachment, and the malicious link is inside the attachment rather than in the message body.
- Link to Malware – An attacker uses an email message containing a link to a malicious file (typically hosted on a file-sharing site) to try to trick the recipient into downloading malware.
- Drive-by URL – An attacker includes a fake URL in an email message. Recipients think that they are clicking on a legitimate URL, but are taken to a malicious site instead.
These are the simulated attacks that you can run.
Click Next, and you will be taken to a screen that asks you to provide a name and a description for the simulation that you are about to run. It’s a good idea to use a meaningful name and to make the description as detailed as possible.
Click Next, and you will be taken to a screen that asks you to select the payload that is to be used in the simulation. As you can see in Figure 3, this screen lists common phishing message types. You can select one of the message types that is listed on the screen, but you can also create your own custom payloads if you want the lure to mimic a message your users actually receive.
Choose a message payload.
Click Next, and you will be prompted to choose which users to include in the simulation. You can send the message to every user in your organization, or you can target specific users or groups.
Once you have chosen who will receive the message, the next screen gives you the opportunity to assign training to users who receive the message. You don't have to assign training, but if you do, you will have the option of setting a due date by which the training must be completed. You can also customize the text that appears when a user clicks on the "malicious" link.
Click Next a couple of times, followed by Submit. Figure 4 shows an example of the message that will be sent to your users. As you can see, it looks strikingly similar to a phishing message that a user might receive in the wild.
This is one of the phishing messages that can be sent to users as a part of the simulation.
In this particular case, I set up a credential harvesting attack. If I click on the link in the message, I am taken to a realistic looking Microsoft sign-in page, shown in Figure 5.
The credential harvesting attack takes me to this page.
If a user goes so far as to enter their credentials (the fake sign-in page does not validate them, so even an incorrect password counts), they are taken to a screen like the one shown in Figure 6. As you can see, this screen tells the employee that he or she just fell victim to a phishing attack. It also points out some things within the message that are clues to the fact that the message is fraudulent.
This is what happens if users enter their credentials.
Once the simulation has launched, you can go back to the Attack Simulation Training page to monitor it. It is worth noting, however, that this page is not updated in real time. It may take a while for clicks and credential entries to show up, and you will probably have to refresh the screen a few times.
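If you would rather poll the simulation status and per-user results from a script than keep refreshing the portal, the same data is exposed through the Microsoft Graph attack simulation endpoints. The following PowerShell is an added example and is not part of the original article or of Microsoft's own tooling. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can consent to the AttackSimulation.Read.All delegated permission; the property names used (displayName, attackTechnique, status, launchDateTime, completionDateTime, isCompromised, simulationEvents) follow the Graph v1.0 simulation and userSimulationDetails resource types.

```powershell
# Added example (not from the original article): list Attack Simulation Training
# simulations and their status through Microsoft Graph instead of refreshing the portal.
# Assumes the Microsoft.Graph SDK is installed and the account can consent to
# the AttackSimulation.Read.All delegated permission.

Connect-MgGraph -Scopes "AttackSimulation.Read.All"

function Get-SimulationSummary {
    # Page through /security/attackSimulation/simulations (Graph v1.0) and
    # return one object per simulation. @odata.nextLink is followed until it is null.
    $uri = "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations"
    $results = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($sim in $page.value) {
            $results += [pscustomobject]@{
                Name      = $sim.displayName
                Technique = $sim.attackTechnique   # e.g. credentialHarvesting, driveByUrl
                Status    = $sim.status            # draft, scheduled, running, succeeded, failed, cancelled
                Launched  = $sim.launchDateTime
                Completed = $sim.completionDateTime
                Id        = $sim.id
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

function Get-SimulationUserReport {
    # For one simulation, return who was targeted, whether they were "compromised"
    # (entered credentials on the fake sign-in page) and which events were recorded.
    param([Parameter(Mandatory)][string]$SimulationId)
    $uri = "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations/$SimulationId/report/simulationUsers"
    $rows = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) {
            $rows += [pscustomobject]@{
                User           = $u.simulationUser.email
                IsCompromised  = $u.isCompromised
                CompromisedAt  = $u.compromisedDateTime
                ReportedPhish  = $u.reportedPhishDateTime
                Events         = ($u.simulationEvents | ForEach-Object { $_.eventName }) -join ','
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $rows
}

# Show every simulation, newest first.
$sims = Get-SimulationSummary
$sims | Sort-Object Launched -Descending |
    Format-Table Name, Technique, Status, Launched, Completed -AutoSize

# Drill into the most recently launched simulation that has finished.
$done = $sims | Where-Object Status -eq 'succeeded' | Sort-Object Launched -Descending | Select-Object -First 1
if ($done) {
    $report = Get-SimulationUserReport -SimulationId $done.Id
    "{0}: {1} of {2} targeted users entered credentials" -f $done.Name,
        (@($report | Where-Object IsCompromised).Count), $report.Count
    $report | Where-Object IsCompromised | Format-Table User, CompromisedAt, Events -AutoSize
}
```

Because the report endpoint lags the portal just as the portal lags the actual clicks, a status of `running` with no compromised users yet is expected early on; rerun the script later rather than concluding nobody bit. If `Invoke-MgGraphRequest` returns a 403, the signed-in account has not been granted the AttackSimulation.Read.All scope, which is a separate consent from the portal roles mentioned above.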