Forum Discussion
Phishing attack simulator incorrectly emails people the message, "Because you were recently phished"
Hi folks, * I am evaluating Microsoft Phishing Attack Simulator with a 4 user pilot * None of the 4 users were phished in any of the 3 simulations that I actioned * At the end of each simulatio...
Hi ExMSW4319,
Thanks for your reply 🙂
1) Please pardon me all for focusing very closely on a point of jargon semantics, as this point underpins so much of what I understand and what I am confused about.
If a user opens the phishing email, does Microsoft report this as the user being phished?
2) From the above question, I've looked at how I direct users to respond to phishing emails.
* We are a small humanitarian NGO, so we get free licenses for web M365 (thanks Microsoft 🙂 )
* We have though approx 40 users who need the additional functionality in locally installed M365
* Hence we in IT Support, support M365 delivered to the users via browser and via local install
* I put together an intranet page with instructions for users on how to respond to phishing emails
* There are separate instructions for reporting phishing emails, based on whether using web M365 or locally installed M365
* I now see my instructions on the web are sub-optimal (I am keen to rectify this quickly)
* In both cases, the instructions direct the user to use the Report Phishing feature available after the phishing email is opened
* However, I now see that in web M365, right clicking the unopened message produces a menu that leads to an option to report the phishing email
* Is there a way to report an unopened phishing email using locally installed M365?
3) Point 2. feeds back into point 1. If MS Attack Simulator interprets an opened email as phished, all our users who have locally installed M365 will be interpreted by Attack Simulator as phished if they open a phishing email as a mandatory step as part of the process to report a phishing email. It would be great if there's a way to report a phsihing email without needing to open the phishing email 1st in locally installed M365.
Any help is always appreciated 🙂
Thanks for your reply 🙂
1) Please pardon me all for focusing very closely on a point of jargon semantics, as this point underpins so much of what I understand and what I am confused about.
If a user opens the phishing email, does Microsoft report this as the user being phished?
2) From the above question, I've looked at how I direct users to respond to phishing emails.
* We are a small humanitarian NGO, so we get free licenses for web M365 (thanks Microsoft 🙂 )
* We have though approx 40 users who need the additional functionality in locally installed M365
* Hence we in IT Support, support M365 delivered to the users via browser and via local install
* I put together an intranet page with instructions for users on how to respond to phishing emails
* There are separate instructions for reporting phishing emails, based on whether using web M365 or locally installed M365
* I now see my instructions on the web are sub-optimal (I am keen to rectify this quickly)
* In both cases, the instructions direct the user to use the Report Phishing feature available after the phishing email is opened
* However, I now see that in web M365, right clicking the unopened message produces a menu that leads to an option to report the phishing email
* Is there a way to report an unopened phishing email using locally installed M365?
3) Point 2. feeds back into point 1. If MS Attack Simulator interprets an opened email as phished, all our users who have locally installed M365 will be interpreted by Attack Simulator as phished if they open a phishing email as a mandatory step as part of the process to report a phishing email. It would be great if there's a way to report a phsihing email without needing to open the phishing email 1st in locally installed M365.
Any help is always appreciated 🙂
Steve, to clarify my earlier answers, the simulator records if a simulated phishing mail is delivered but it does not record if it is opened. It does record an initial click-through of the phishing link in the mail but as far as I know it only records this as being "phished" (full compromise) for payloads of the the drive-by URL type.
As I said in an earlier reply, the simulator is being developed at a pace and is therefore subject to change. If you still have doubts, send a series of test simulations to yourself and see what happens in each case when you just open a simulation, open and click the initial link and in the final case complete the whole sequence of recipient actions.
That will also give you a chance to test landing pages, indicators and all the new groovy reinforcement mails that are being added to the simulator. In my last test, these didn't arrive. 😞
As I said in an earlier reply, the simulator is being developed at a pace and is therefore subject to change. If you still have doubts, send a series of test simulations to yourself and see what happens in each case when you just open a simulation, open and click the initial link and in the final case complete the whole sequence of recipient actions.
That will also give you a chance to test landing pages, indicators and all the new groovy reinforcement mails that are being added to the simulator. In my last test, these didn't arrive. 😞
- Hi ExMSW4319,
Thanks for your reply 🙂
* Reasons I sought clarification are:
1) "the simulator records if a simulated phishing mail is delivered but it does not record if it is opened."
This is different to the reply myatkyaw was kind enough to offer
2) I'm in a situation at the moment where I am struggling to trust the reports in the Simulator tool
* I logged a separate post for this particular issue
https://answers.microsoft.com/en-us/msoffice/forum/all/microsoft-phishing-attack-simulation-not-reporting/dd63c19b-9666-4ab6-bebc-8b7efd6832ff?messageId=3b4516c4-2ced-40a3-97a8-fd94d0144fa4
I'm hoping Microsoft will give me some help on that.
Regards,
Steve
