Announcing the Public Preview of Attack Simulator for Office 365 Threat Intelligence

Attack Simulator Helps Enable Threat Prevention


Security solutions focus on protection, detection, and remediation.  These capabilities are what customers require and value for best in class security.  In this context, one of the most effective forms of protection is achieved through threat prevention.  With this in mind, we are excited to announce the pre-release preview of Attack Simulator for Office 365 Threat Intelligence as part of the Office 365 Universal Preview Program beginning February 21, 2018!


The ability to prevent the adverse impact from threats before any security is required is ideal.  Prevention is only possible through training and preparation of end users against the variety of threat scenarios that impact organizations.  Last year we launched Office 365 Threat Intelligence as a tool to help organizations become more proactive with their cybersecurity.  Attack Simulator is the perfect feature to support the goal of greater proactivity for security.  With Attack Simulator, admins can launch simulated attacks on their end users, determine how end users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect the organization from threats.  This preview of Attack Simulator includes three attack scenarios:


  • Display Name Spear Phishing Attack: Phishing is the generic term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Spear phishing is a subset of this attack type which is targeted, often aimed at a specific group, individual, or organization.  These attacks are customized and tend to leverage a sender name that generates trust with the recipient.


  • Password Spray Attack: To prevent bad actors from constantly guessing the passwords of user accounts, often there are account lockout policies.  For example, an account will lockout after a certain number of bad passwords are guessed for a user.  However, if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts.  The password spray attack leverages commonly used passwords and targets many accounts in an organization with the hope that one of the account holder uses a common password that allows a hacker to enter the account and take control of it.  From this compromised account, a hacker can launch more attacks by assuming the identity of account holder.
  • Brute Force Password Attack: This type of attack consists of a hacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.


The Office 365 team is looking for customers interested in providing feedback on new service offerings before they are released to General Availability. To preview Attack Simulator for Office 365 Threat Intelligence begin an Office 365 E5 trial starting the week of Mar 19th.  Also, current users of Office 365 E5 or Office 365 Threat Intelligence will also see the preview of Attack Simulator beginning the week of Mar 19th.   Both current subscribers and those beginning a trial will see the ‘Attack Simulator’ node appear under ‘Threat Explorer’ in the Office 365 Security and Compliance Center (figure 1).  The Universal Preview Program (UPP) was very popular and unfortunately has reached capacity and many of you have noted that the promo code is no longer active.  Due to the strong demand, we are now enabling the preview of Attack Simulator through the standard Office E5 trial. We apologize to our customers who tried to sign up for the UPP this week an were unable to.  


Figure 1.  Attack Simulator DashboardFigure 1. Attack Simulator Dashboard

Leverage Microsoft’s Threat Signal to Help Prevent Threats From Impacting Your Organization


While there are security testing solutions available, none are offered as part of a broader threat intelligence service such as Attack Simulator.  Using Office 365 Threat Intelligence, an admin can determine which users are being most targeted by cyber threats.  Since Attack Simulator is a feature of Office 365 Threat Intelligence, it is simple to gather information from the Threat Intelligence service and then create customized threats and launch simulated campaigns at your end users to understand how they behave and respond during a cyber attack.  Like the broader Office Threat Intelligence service, Attack Simulator leverages the Microsoft Intelligent Security Graph.  The powerful depth and breadth of Microsoft's threat signal enables Attack Simulator’s simulated threats to have unparalleled authenticity since threats are designed using threat telemetry from the Microsoft Intelligent Security Graph. 


Figure 2.  Example Spear Phishing Email created with Attack SimulatorFigure 2. Example Spear Phishing Email created with Attack Simulator

For example, Office 365 scans 400 billion emails every month, of which, some are malicious spear phishing emails.  Attack Simulator crafts simulated spear phishing emails based on this real data, ensuring end users have the most realistic experience of an attack.  The user response and behavior when under attack is captured and reported to the admin.  This provides invaluable data on how to better secure the organization through updated security policies or services. With Attack Simulator, admins can help train all their end users, and especially those who are most targeted.  


Figure 3.  Example Spear Phishing Simulation ReportFigure 3. Example Spear Phishing Simulation Report

It is likely that the greatest risk of a breach to an organization is through users who are most targeted. With Office 365 Threat Intelligence admins gain visibility into the most targeted and potentially most vulnerable users.  Using Attack Simulator, admins can launch simulated threats targeting those very same users. This will provide the most targeted users with additional training and provide admins feedback on how those users behave during an attack, enabling admins to optimally update policies and security protocols.  By potentially reducing the risk from threats to the most targeted users, admins can help reduce the risk to the overall organization.


Begin Your Journey Towards Threat Prevention

As we mentioned, for customers who were unable to join the UPP, the public preview for Attack Simulator will be made available the week of Mar 19th through a standard Office 365 E5 trial.  Learn about the details on how to run simulations with Attack Simulator here.  Your feedback is one of the most important drivers of our innovation, so please let us know what you think of Attack Simulator by starting an Office 365 E5 trial.





Senior Member

I'm getting a 500 error on the CXP Preview Portal when trying to sign up.


Thanks for sharing @Debraj Ghosh! This looks promising. 


Do you know if there will be any API's available for working with the simulator?

Occasional Contributor



I've been looking for a way to test users, this seems like a solid start

Regular Visitor

When will this be available in GCC? Any road map link?


im not able to see this in our security compliance center., please let me know how we can find the option

Occasional Contributor



The code UPP053 is not working. Any help please?



Occasional Visitor



I am having the same issue with the code not being accepted.  Any advice?


Thank you!



let us know how we can view this option in security compliance. we don't have E5 license. Please let us know whether we need E5 license to view this options

promo code not working


Hi all,


I hope most of you have seen the update to the blog post.  We had a high volume of demand for preview through the UPP and reach capacity this week.  We will be enabled the Attack Simulator for all current subscribers of Office 365 E5 or TI beginning next week.  Also, customers who begin an Office 365 E5 trial, will also see Attack Simulator as part of the trial experience beginning next week.  We apologize for the inconvenience on this issue and that we no longer have the UPP promo code available.  Thank you.