When it comes to email security, even the most reliable employees can sometimes be unpredictable. Our days are filled with clicks, taps, likes, swipes, pings, texts, and more, leaving us open to acting fast without always being thorough and cautious. That’s why simulation training should be a key component in every organization’s email security strategy. It plays a critical role in educating and empowering employees to recognize common phishing and social engineering tactics, adopt a security-first culture, and protect their organizations from associated security risks.
Attack simulation training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization.
We’re excited to announce dynamic targeting for Attack simulation training in Defender for Office 365. You can now use the Microsoft 365 group – dynamic membership type created in Microsoft Entra admin center to define the recipients of your simulations and training campaigns. It provides a more efficient and effective way to manage target users for simulations and trainings, allowing you to assign foundational security training to new hires, send simulation campaigns to users in departments or locations with high turnover, and more such use cases—without having to manually manage groups.
With this, the list of supported group types in Attack simulation training is as follows:
- Microsoft 365 group (both static and dynamic)
- Distribution group (static only)
- Mail-enabled security group (static only)
What are dynamic groups?
Dynamic group membership is defined by one or more rules that check for certain attributes in user accounts. These groups are automatically updated as user attributes change, ensuring that the group membership is always up to date. This is particularly useful for large organizations where manually managing group memberships can be time-consuming and error-prone.
Use the Microsoft 365 group dynamic membership type in Microsoft Entra ID to tailor your simulation and training campaigns to specific user groups, making the training more relevant and effective.
Some use cases of dynamic groups in Attack simulation training:
Target users more effectively based on specific criteria such as department, role, or location. Example: For sending a simulation email to users in Sales or Marketing departments, the dynamic membership rule can be written as: (user.department -eq "Sales") -or (user.department -eq "Marketing")
Target users based on different hiring timeframes using the attribute "employee hire date". A few examples are shared below:
- To send a simulation email or a training campaign to those hired after a particular date, such as June 30, 2024, the dynamic membership rule can be written as: (user.employeeHireDate -ge 2024-06-30)
- To automate simulation emails for users who will be hired within the next 30 days, the dynamic membership rule can be written as:
(user.employeeHireDate -le system.now -plus P30D) -and (user.employeeHireDate -ge system.now)
How to create and use dynamic groups in simulations:
To create and use dynamic groups, follow these steps:
1. Sign in to the Azure portal as at least a Groups Administrator and select Microsoft Entra ID, followed by Groups.
2. Create a new group and choose Microsoft 365 as the group type. Enter a name, email address, and description for the group. Select Dynamic user as the membership type and select Add dynamic query.
3. Define the rules for the dynamic query based on the user properties that you want to use. You can add multiple rules and combine them with AND/OR operators.
4. Validate the rule. Select Save and then select Create.
5. Go to the Defender portal and select Attack simulation training.
6. Select the Simulations tab and create a new simulation or edit/copy an existing one.
7. On the Target users page, select Add users, search for and select the dynamic group that you created, and then select Add user(s).
8. Complete the rest of the simulation settings and Create or Save the simulation.
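The group-creation part of the procedure above can also be scripted. The following is an added example, not part of the original announcement: it uses the Microsoft Graph PowerShell SDK to create a Microsoft 365 group with dynamic membership using the Sales/Marketing rule shown earlier, then reads back the rule state and current members so the target list can be reviewed before the group is selected in a simulation. The display name, mail nickname and description are placeholder values.

```powershell
# Added example: create the dynamic Microsoft 365 group from script instead of the portal.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# account holds a role that can create groups (for example, Groups Administrator).
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Rule taken from the Sales/Marketing use case on this page.
$rule = '(user.department -eq "Sales") -or (user.department -eq "Marketing")'

$params = @{
    DisplayName                   = 'AST - Sales and Marketing'   # placeholder name
    MailNickname                  = 'ast-sales-marketing'         # placeholder alias
    Description                   = 'Dynamic target group for Attack simulation training'
    MailEnabled                   = $true
    SecurityEnabled               = $false
    # "Unified" makes it a Microsoft 365 group; "DynamicMembership" makes it rule-driven.
    GroupTypes                    = @('Unified', 'DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params

# Read the group back and confirm the stored rule is the intended one and is active.
$check = Get-MgGroup -GroupId $group.Id `
    -Property 'id,displayName,membershipRule,membershipRuleProcessingState'
if ($check.MembershipRule -ne $rule -or $check.MembershipRuleProcessingState -ne 'On') {
    throw "Group '$($check.DisplayName)' was created but its rule is not active as expected."
}

# Membership is evaluated asynchronously, so an empty list right after creation
# only means processing has not finished yet. Re-run this part later and review
# the names before selecting the group on the Target users page.
$members = @(Get-MgGroupMember -GroupId $group.Id -All)
$members |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Sort-Object
'{0} member(s) currently in "{1}"' -f $members.Count, $check.DisplayName
```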
How to use dynamic groups in training campaigns:
Repeat steps 1-5 shared above.
- Select the Training campaign tab and create a new campaign.
- On the Target users page, select Add users, search for and select the dynamic group that you created, and then select Add user(s).
- Complete the rest of the campaign settings and Create or Save the campaign.
How to use dynamic groups in simulation automations:
Repeat steps 1-5 shared above.
- Select the Simulation Automations tab and create a new automation.
- On the Target users page, select Add users, search for and select the dynamic group that you created, and then select Add user(s).
- Complete the rest of the automation settings and Create or Save the automation.
Note for automated simulations:
- If a user is removed from a dynamic group after taking part in a simulation, this user will still appear in simulation reports and continue with assigned trainings.
- If a user is added to a dynamic group after the last simulation in an automation has run, the user won’t be simulated because this automation is considered complete.
- At the start of an automation, users are divided across different simulations. If new users are added after some simulations have run, these users will be distributed across the remaining simulations.
More information:
- Learn more about the different types of Microsoft 365 groups
- Create or edit a dynamic group
- Manage rules for dynamic groups
- Learn about nested group properties in dynamic groups
- Modify groups based on your requirements.