Forum Discussion
ItsUnknown, Copper Contributor
Jul 18, 2024
MDO Attack Simulation and false "positives."
In our last 3 attack simulations (MDO) we've sent out to employees, we've had increasingly more and more employees who are saying they didn't open the attachment and/or didn't click on the link. (They received the training email and asked "why" they received it...)
Is there a way to prove/disprove they did or did not?
I've checked the settings on our simulations and they have been configured correctly. I don't want to point "blame" on any of our "compromised" users as now I'm uncertain as to whether or not they were truly compromised. Is there something I'm missing here? Thanks everyone
3 Replies
- MarPas Brass Contributor
Hi @ItsUnknown
To verify why some users are receiving the training, follow these steps:
- Go to the campaign report.
- In the Users tab, filter by Training status.
- Check the Other actions column.
- ExMSW4319 Iron Contributor
Return to your simulation in security.microsoft.com, pick your simulation, click the Users tab and Export the result. This will give you a CSV with the when, the IP and even the device details of each clicking user. You may find that you have third party client agents effectively clicking on links even though your users have not intentionally clicked them. The CSV also tells you if they are performing any remedial training you are assigning. You do not have to wait for the end of the campaign, though there may be some latency in the data in the export.
- cammurray
Microsoft
This here is the best answer. When there is an event like a click, we will record the IP address and the user agent string. You can then relatively easily figure out what this was.
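The triage that ExMSW4319 and cammurray describe, as an added example that is not part of the original thread and is not Microsoft tooling: it reads the exported Users CSV and flags recorded clicks whose timing, IP or user agent string suggest an automated agent rather than the user. The column names, the egress range, the user agent markers and the 30-second threshold are all assumptions; map them to the headers in your own export and to your own network.

```python
import csv, io, ipaddress
from datetime import datetime

# Assumptions (not from the thread): column names, egress range, markers, threshold.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder corporate range
AUTOMATION_MARKERS = ("headless", "python-requests", "curl", "bot", "scanner")
MIN_HUMAN_DELAY_S = 30  # a click this soon after delivery is unlikely to be a person

# Constructed sample rows standing in for the Users-tab export.
SAMPLE_CSV = """User,DeliveredTime,ClickTime,ClickIP,UserAgent
alice@example.com,2024-07-10T09:00:00,2024-07-10T09:00:04,198.51.100.7,Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0
bob@example.com,2024-07-10T09:00:00,2024-07-10T10:12:31,203.0.113.45,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36
carol@example.com,2024-07-10T09:00:00,2024-07-10T09:00:09,203.0.113.80,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36
"""

def review_click(row):
    """Return the list of reasons a recorded click looks automated."""
    reasons = []
    delay = (datetime.fromisoformat(row["ClickTime"])
             - datetime.fromisoformat(row["DeliveredTime"])).total_seconds()
    if delay < MIN_HUMAN_DELAY_S:
        reasons.append(f"clicked {delay:.0f}s after delivery")
    ip = ipaddress.ip_address(row["ClickIP"])
    if not any(ip in net for net in KNOWN_EGRESS):
        reasons.append(f"IP {ip} outside known egress ranges")
    ua = row["UserAgent"].lower()
    hits = [m for m in AUTOMATION_MARKERS if m in ua]
    if hits:
        reasons.append("user agent contains " + ", ".join(hits))
    return reasons

def triage(csv_text):
    """Map each user to (verdict, reasons); two or more signals => likely automated."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = review_click(row)
        verdict = ("likely automated" if len(reasons) >= 2
                   else "needs review" if reasons else "consistent with user click")
        out[row["User"]] = (verdict, reasons)
    return out

if __name__ == "__main__":
    for user, (verdict, reasons) in triage(SAMPLE_CSV).items():
        print(f"{user}: {verdict}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

A single signal is only marked "needs review" because a remote or mobile user legitimately clicks from outside the corporate range; requiring two signals keeps that case from being written off as a scanner.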