Forum Discussion
Phishing attack simulator incorrectly emails people the message, "Because you were recently phished"
Hi folks, * I am evaluating Microsoft Phishing Attack Simulator with a 4 user pilot * None of the 4 users were phished in any of the 3 simulations that I actioned * At the end of each simulatio...
You can edit the message under
- Attack Simulation Training > End-user notifications > Tenant Notification
- Choose the notification (e.g. "Microsoft default simulation notification")
- On the Define Content section you can choose the language you want to edit
- Edit the content & Save
I like there's different level of triggering and education. If the email is opened, Microsoft considers that phished. There's also different trainings for a) if the link is clicked and b) if credentials were supplied or file was downloaded.
I hope it helps. I think the tool is still lacking a lot of features still, but for us it's better than nothing. User reporting is weak and I can't find the life of me how to remind users to take the training (if that's even possible).
Thanks Myatkyaw for your constructive reply,
"If the email is opened, Microsoft considers that phished"
* This comment is very interesting
* I remark so because I encourage our users to report phishing emails using the feature to do so in Outlook
* From what you are saying, every person who reports one of the phishing emails in the simulation will be marked by the simulation tool as having been phished?
Regards,
Steve
"If the email is opened, Microsoft considers that phished"
* This comment is very interesting
* I remark so because I encourage our users to report phishing emails using the feature to do so in Outlook
* From what you are saying, every person who reports one of the phishing emails in the simulation will be marked by the simulation tool as having been phished?
Regards,
Steve
- ""If the email is opened, Microsoft considers that phished"... sorry, allow me to elaborate.
I think it is a good feature, but wordings could be better by Microsoft. Opening and reading the email is a level of susceptibility. I think traditional definition of "phished" is credentials were stolen or a malware file was clicked. I think Microsoft considers phished at 3 levels: 1) if an email is opened - i could be wrong on this 2) if an embedded link was clicked 3) if credentials were supplied or file was executed. Depending on susceptibility, customized education would be generated and sent. I hear what you're saying though.... Phished in my vocab before is compromised.- If I recollect correctly only the drive-by URL is instant death; the other payload types only count as full compromise if the recipient completes the chain of actions required by the payload. Note that the credential harvester does not verify that the password given is correct (a service Microsoft are in a unique position to offer).
- Definitely not, Steve. The simulator records if the e-mail was delivered (and it's not a conventional delivery; the simulator stuffs the phish directly into the recipient mailbox), whether the recipient clicked on the phishing link and whether a credential was supplied. It also records whether the phish was reported and whether training was done. It might do more for some of the other payload types, but at the moment I mostly work with drive-bys and harvesters.
Use the View Users link in the simulation report to download a worksheet of the tasty details.- Hi ExMSW4319,
Thanks for your reply 🙂
1) Please pardon me all for focusing very closely on a point of jargon semantics, as this point underpins so much of what I understand and what I am confused about.
If a user opens the phishing email, does Microsoft report this as the user being phished?
2) From the above question, I've looked at how I direct users to respond to phishing emails.
* We are a small humanitarian NGO, so we get free licenses for web M365 (thanks Microsoft 🙂 )
* We have though approx 40 users who need the additional functionality in locally installed M365
* Hence we in IT Support, support M365 delivered to the users via browser and via local install
* I put together an intranet page with instructions for users on how to respond to phishing emails
* There are separate instructions for reporting phishing emails, based on whether using web M365 or locally installed M365
* I now see my instructions on the web are sub-optimal (I am keen to rectify this quickly)
* In both cases, the instructions direct the user to use the Report Phishing feature available after the phishing email is opened
* However, I now see that in web M365, right clicking the unopened message produces a menu that leads to an option to report the phishing email
* Is there a way to report an unopened phishing email using locally installed M365?
3) Point 2. feeds back into point 1. If MS Attack Simulator interprets an opened email as phished, all our users who have locally installed M365 will be interpreted by Attack Simulator as phished if they open a phishing email as a mandatory step as part of the process to report a phishing email. It would be great if there's a way to report a phsihing email without needing to open the phishing email 1st in locally installed M365.
Any help is always appreciated 🙂- Steve, to clarify my earlier answers, the simulator records if a simulated phishing mail is delivered but it does not record if it is opened. It does record an initial click-through of the phishing link in the mail but as far as I know it only records this as being "phished" (full compromise) for payloads of the the drive-by URL type.
As I said in an earlier reply, the simulator is being developed at a pace and is therefore subject to change. If you still have doubts, send a series of test simulations to yourself and see what happens in each case when you just open a simulation, open and click the initial link and in the final case complete the whole sequence of recipient actions.
That will also give you a chance to test landing pages, indicators and all the new groovy reinforcement mails that are being added to the simulator. In my last test, these didn't arrive. 😞
