Forum Discussion
Phishing attack simulator incorrectly emails people the message, "Because you were recently phished"
Hi folks,
* I am evaluating Microsoft Phishing Attack Simulator with a 4 user pilot
* None of the 4 users were phished in any of the 3 simulations that I actioned
* At the end of each simulation, users are correctly being emailed a message with a link to phishing traning
* However, the email with the link to the phishing training contains this wording:
"Because you were recently phished, we require you to take training(s) to recognize phishing attacks in future."
* The wording I quote is troublesome since it:
a) Is inaccurate; none of the users were phished
b) Presents me (and potentially my colleagues in IT Support), negatively, since it makes us look like we aren't in control of the simulation technology (ie it looks like we don't understand the reality of how each user responded in the simulations)
c) Risks alienating us from our users
My questions thus are:
1) Is anyone else impacted with this issue?
2) Is there a way for the wording I refer to, to be constructively edited?
Any help is always appreciated.
Regards,
Steve
19 Replies
To take your points in order:
(a) in your pilot test, did you specify training for all recipients, those who clicked the payload or those who were fully compromised? What notification option did you choose? One problem with the simulator (as I last used it in December) is that a lot of the minor settings are not recorded in the simulation list. If for example you want a record of what training you have assigned, you are going to have to keep a manual record.
(b) is a danger. You have to recognise that the MS phishing simulator is a product being continuously improved, and if all of the changes are being announced in the O365 message center then I'm missing some of them. I use the simulator quarterly, and every time last year there were some new changes to take into account. I have even seen changes arrive in mid-simulation. Your only option is to test in advance, and once more just before you launch. Unless your security stack is MS from top to bottom, you need to do that anyway in case another security vendor has suddenly decided your chosen phishing URL is malicious.
(c) is a danger with any attack simulator. Weeks before you launch, you might consider sending out a general mail reminding recipients of the dangers of phishing and that regretfully the organisation has no choice but to conduct simulated tests for all staff. Explain that this is something all proactive organisations are adopting, and that the object is to train rather than catch people out. They will face the same dangers with their personal addresses. Be constructive and helpful; I use payloads of varying "difficulty" so no-one feels bad about falling for the trickier ones.- In answering myatkaw, I have just seen the End-user notifications tab on the same portal. It seems that it is now possible to edit a copy of the offending Microsoft default simulation notice, but in starting a test simulation I only saw the option to choose a variant positive reinforcement notice.
- I have discovered this exact annoyance myself. You can create a custom Simulation Notification to remove the troublesome wording of 'You have been Phished' but then there is no way of setting that as your simulation notification in the attack.
You can edit the message under
- Attack Simulation Training > End-user notifications > Tenant Notification
- Choose the notification (e.g. "Microsoft default simulation notification")
- On the Define Content section you can choose the language you want to edit
- Edit the content & Save
I like there's different level of triggering and education. If the email is opened, Microsoft considers that phished. There's also different trainings for a) if the link is clicked and b) if credentials were supplied or file was downloaded.
I hope it helps. I think the tool is still lacking a lot of features still, but for us it's better than nothing. User reporting is weak and I can't find the life of me how to remind users to take the training (if that's even possible).
Hi myatkyaw
* I have endeavoured to follow you proposed steps to edit the wording in the email that gets sent to users re training
"
- Attack Simulation Training > End-user notifications > Tenant Notification "
* After I go to 'Attack Simulation Training', there doesn't appear to be an 'End-user notifications' option
* Text search on 'end-' and 'notifications' doesn't find anything
* Any further suggestions please?
* Any help finding a way forward from anyone is appreciated 🙂
- Thanks Myatkyaw for your constructive reply,
"If the email is opened, Microsoft considers that phished"
* This comment is very interesting
* I remark so because I encourage our users to report phishing emails using the feature to do so in Outlook
* From what you are saying, every person who reports one of the phishing emails in the simulation will be marked by the simulation tool as having been phished?
Regards,
Steve- ""If the email is opened, Microsoft considers that phished"... sorry, allow me to elaborate.
I think it is a good feature, but wordings could be better by Microsoft. Opening and reading the email is a level of susceptibility. I think traditional definition of "phished" is credentials were stolen or a malware file was clicked. I think Microsoft considers phished at 3 levels: 1) if an email is opened - i could be wrong on this 2) if an embedded link was clicked 3) if credentials were supplied or file was executed. Depending on susceptibility, customized education would be generated and sent. I hear what you're saying though.... Phished in my vocab before is compromised.
Check the Settings tab on the Attack Simulator page of the Security portal. The default setting for reminders is Off.
- Will try. Thanks you!
