Announcing the Public Preview of Attack Simulator for Office 365 Threat Intelligence
Published Feb 21 2018 09:32 AM 67.9K Views
Microsoft

Attack Simulator Helps Enable Threat Prevention

 

Security solutions focus on protection, detection, and remediation.  These capabilities are what customers require and value for best in class security.  In this context, one of the most effective forms of protection is achieved through threat prevention.  With this in mind, we are excited to announce the pre-release preview of Attack Simulator for Office 365 Threat Intelligence as part of the Office 365 Universal Preview Program beginning February 21, 2018!

 

The ability to prevent the adverse impact from threats before any security is required is ideal.  Prevention is only possible through training and preparation of end users against the variety of threat scenarios that impact organizations.  Last year we launched Office 365 Threat Intelligence as a tool to help organizations become more proactive with their cybersecurity.  Attack Simulator is the perfect feature to support the goal of greater proactivity for security.  With Attack Simulator, admins can launch simulated attacks on their end users, determine how end users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect the organization from threats.  This preview of Attack Simulator includes three attack scenarios:

 

  • Display Name Spear Phishing Attack: Phishing is the generic term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Spear phishing is a subset of this attack type which is targeted, often aimed at a specific group, individual, or organization.  These attacks are customized and tend to leverage a sender name that generates trust with the recipient.

 

  • Password Spray Attack: To prevent bad actors from constantly guessing the passwords of user accounts, often there are account lockout policies.  For example, an account will lock out after a certain number of bad passwords are guessed for a user.  However, if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts.  The password spray attack leverages commonly used passwords and targets many accounts in an organization with the hope that one of the account holders uses a common password that allows a hacker to enter the account and take control of it.  From this compromised account, a hacker can launch more attacks by assuming the identity of the account holder.
  • Brute Force Password Attack: This type of attack consists of a hacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
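The difference between the last two scenarios matters for detection: a per-account lockout counter reacts to brute force but stays silent during a spray, so the failures have to be grouped by source instead. The following is an added example, not part of the original post or of Attack Simulator; the event tuples, IP addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5            # assumed: failures on one account before lockout
SPRAY_MIN_ACCOUNTS = 10          # assumed: distinct accounts failed from one source
WINDOW = timedelta(minutes=30)   # assumed: look-back window per source

def build_sample_events():
    """Constructed failed sign-ins as (time, source_ip, account) tuples."""
    t0 = datetime(2018, 3, 19, 9, 0, 0)
    events = []
    for i in range(40):          # spray shape: 40 accounts, 2 guesses each
        for guess in range(2):
            events.append((t0 + timedelta(seconds=20 * i + guess),
                           "203.0.113.10", f"user{i:02d}"))
    for j in range(30):          # brute-force shape: 1 account, 30 guesses
        events.append((t0 + timedelta(seconds=5 * j), "198.51.100.7", "user03"))
    for m in (1, 2):             # noise: a user mistyping a password twice
        events.append((t0 + timedelta(minutes=m), "192.0.2.55", "user17"))
    return events

def locked_accounts(events, source):
    """Accounts a per-account failure counter would lock because of `source`."""
    per_account = defaultdict(int)
    for _, ip, account in events:
        if ip == source:
            per_account[account] += 1
    return {a for a, n in per_account.items() if n >= LOCKOUT_THRESHOLD}

def classify_sources(events):
    """Label each source by its failures in WINDOW after its first failure."""
    by_source = defaultdict(list)
    for ts, ip, account in sorted(events):
        by_source[ip].append((ts, account))
    verdicts = {}
    for ip, rows in by_source.items():
        start = rows[0][0]
        counts = defaultdict(int)
        for ts, account in rows:
            if ts - start <= WINDOW:
                counts[account] += 1
        if max(counts.values()) >= LOCKOUT_THRESHOLD:
            verdicts[ip] = "brute_force"      # many guesses at one account
        elif len(counts) >= SPRAY_MIN_ACCOUNTS:
            verdicts[ip] = "password_spray"   # few guesses, many accounts
        else:
            verdicts[ip] = "benign"
    return verdicts

if __name__ == "__main__":
    print(classify_sources(build_sample_events()))
```

On the constructed data the spraying source produces 80 failures without locking a single account, while the brute-force source locks its one target.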

 

The Office 365 team is looking for customers interested in providing feedback on new service offerings before they are released to General Availability. To preview Attack Simulator for Office 365 Threat Intelligence, begin an Office 365 E5 trial starting the week of Mar 19th.  Current users of Office 365 E5 or Office 365 Threat Intelligence will also see the preview of Attack Simulator beginning the week of Mar 19th.  Both current subscribers and those beginning a trial will see the ‘Attack Simulator’ node appear under ‘Threat Explorer’ in the Office 365 Security and Compliance Center (figure 1).  The Universal Preview Program (UPP) was very popular and unfortunately has reached capacity, and many of you have noted that the promo code is no longer active.  Due to the strong demand, we are now enabling the preview of Attack Simulator through the standard Office E5 trial. We apologize to our customers who tried to sign up for the UPP this week and were unable to.

 

Figure 1. Attack Simulator Dashboard

Leverage Microsoft’s Threat Signal to Help Prevent Threats From Impacting Your Organization

 

While there are security testing solutions available, none are offered as part of a broader threat intelligence service such as Attack Simulator.  Using Office 365 Threat Intelligence, an admin can determine which users are being most targeted by cyber threats.  Since Attack Simulator is a feature of Office 365 Threat Intelligence, it is simple to gather information from the Threat Intelligence service and then create customized threats and launch simulated campaigns at your end users to understand how they behave and respond during a cyber attack.  Like the broader Office Threat Intelligence service, Attack Simulator leverages the Microsoft Intelligent Security Graph.  The powerful depth and breadth of Microsoft's threat signal enables Attack Simulator’s simulated threats to have unparalleled authenticity since threats are designed using threat telemetry from the Microsoft Intelligent Security Graph. 

 

Figure 2. Example Spear Phishing Email created with Attack Simulator

For example, Office 365 scans 400 billion emails every month, some of which are malicious spear phishing emails.  Attack Simulator crafts simulated spear phishing emails based on this real data, ensuring end users have the most realistic experience of an attack.  The user response and behavior when under attack is captured and reported to the admin.  This provides invaluable data on how to better secure the organization through updated security policies or services. With Attack Simulator, admins can help train all their end users, and especially those who are most targeted.

 

Figure 3. Example Spear Phishing Simulation Report

It is likely that the greatest risk of a breach to an organization is through users who are most targeted. With Office 365 Threat Intelligence admins gain visibility into the most targeted and potentially most vulnerable users.  Using Attack Simulator, admins can launch simulated threats targeting those very same users. This will provide the most targeted users with additional training and provide admins feedback on how those users behave during an attack, enabling admins to optimally update policies and security protocols.  By potentially reducing the risk from threats to the most targeted users, admins can help reduce the risk to the overall organization.

 

Begin Your Journey Towards Threat Prevention

As we mentioned, for customers who were unable to join the UPP, the public preview for Attack Simulator will be made available the week of Mar 19th through a standard Office 365 E5 trial.  Learn about the details on how to run simulations with Attack Simulator here.  Your feedback is one of the most important drivers of our innovation, so please let us know what you think of Attack Simulator by starting an Office 365 E5 trial.

 

 

 

 

27 Comments
Copper Contributor

I'm getting a 500 error on the CXP Preview Portal when trying to sign up.

 

Iron Contributor

Thanks for sharing @Debraj Ghosh! This looks promising. 

 

Do you know if there will be any APIs available for working with the simulator?

Copper Contributor

Great!

 

I've been looking for a way to test users, this seems like a solid start

Copper Contributor

When will this be available in GCC? Any road map link?

Thanks,

I'm not able to see this in our security compliance center. Please let me know how we can find the option.

Deleted
Not applicable

Hi,

 

The code UPP053 is not working. Any help please?

 

Regards

Copper Contributor

Hello!

 

I am having the same issue with the code not being accepted.  Any advice?

 

Thank you!

all

 

Let us know how we can view this option in security compliance. We don't have an E5 license. Please let us know whether we need an E5 license to view these options.

promo code not working

Microsoft

Hi all,

 

I hope most of you have seen the update to the blog post.  We had a high volume of demand for preview through the UPP and reached capacity this week.  We will be enabling the Attack Simulator for all current subscribers of Office 365 E5 or TI beginning next week.  Also, customers who begin an Office 365 E5 trial will also see Attack Simulator as part of the trial experience beginning next week.  We apologize for the inconvenience on this issue and that we no longer have the UPP promo code available.  Thank you.

Copper Contributor

Hi, still no sign of Attack Simulator in the portal. Will this be a phased rollout? If so, over what time?

Brass Contributor

The Attack Simulator is still not available under Threat Management for all E5 subscription? Mine is missing.

 

@Tobias Zimmergren API is as follows:

For Request Body I think the documentation is going to be prepared.

Microsoft

Hi all,

 

I wanted to provide an update to everyone.  We experienced a code bug last week as we tried to update the Office 365 Security & Compliance Center with  Attack Simulator.   All the fixes are in and we expect the preview of Attack Simulator to be available through an E5 trial beginning next Monday.  We apologize for this delay and appreciate your frustration (I am as frustrated as all of you with the delays).  Hopefully, you will find that the wait was worth it.  Thank you again for your patience.  

I still get an error when I try to perform an attack:
Request: api/SimulateAttacks/CreatePhishingCampaign Status code: 500 Exception: System.Net.Http.HttpRequestException
Exception message: SecureScore API failed. ResultCode: InternalServerError

Bronze Contributor

Hi @Debraj Ghosh,

 

The Attack Simulator is available for us since this week.

I've tried to use our own HTML Code (copy n paste) and placed the two needed variables (${username} and ${loginserverurl}) somewhere in between but get the same error as @Peter Klapwijk

 

Request: api/SimulateAttacks/CreatePhishingCampaign
Status code: 500
Exception: System.Net.Http.HttpRequestException
Exception message: SecureScore API failed. ResultCode: InternalServerError
Diagnostic information: {Version:16.00.2250.002,Environment:WEUPROD,DeploymentId:7deb614ab723416aa8242d781f6fc114,InstanceId:WebRole_IN_1,SID:234e525c-e268-41fa-873c-e1d7a0a0db82,CID:a8ef8718-635d-4739-8be8-ee490e8e7e4f}
Time: 2018-04-03T13:39:46.4083693Z
Brass Contributor

@Ivan Unger and @Peter Klapwijk

 

Last week I wrote a quick overview including some sample tests here http://thuansoldier.net/?p=7556

 

Note that Attack Simulator does not arrive in all Office 365 E5 subscriptions. If you are lucky enough, you can test it now. The subscription I was using in my article was a trial one I registered last week. Also make sure you run Setup first.

Deleted
Not applicable

Hi 

 

We've been testing the Attack Simulator in our partnership. I'm able to construct and run a Spear Phishing campaign but get the same 500 error as Peter and Ivan if I click on 'Attack Details.' So, we can't schedule an attack or look at an attack history. We need to create a new campaign each time and can only see the report of the current campaign.

 

I'm sure that will get ironed out but the odd thing was during my testing I received every message I sent. I created a campaign for me and my Director but only I received the message; he didn't. I did another and we both received it. Finally, doing a campaign to 25 staff, for the first time I didn't receive the message but I know many of the others did. Based on the report I can guess I'm not the only one who didn't receive the email but I have no way to know. The Attack Simulator console doesn't list who was sent the message and Message Tracking in Exchange Online doesn't show the messages.

 

Have you experienced or had reports of missing messages from anyone else?

 

The tool looks great by the way and will no doubt be very useful.

 

Thanks,

 

Tom

Copper Contributor

I'm looking for clarification on the MFA requirement. We have MFA enabled and the account I was using to try to simulate an attack is MFA-enabled. However, we bypass MFA from our corporate IP range. Is that why I'm getting the error? Error details below.

 

Request: api/Reports/GetPagedReports Status code: 500 Exception: System.Exception Exception message: invalid type AdminCenter#/attackdetails?id=SpearPhishing Diagnostic information: {Version:16.00.2265.005,Environment:NCUPROD,DeploymentId:xxxxxxxxxxxxxxxxxxx,InstanceId:WebRole_IN_3,SID:xxxxxxxxxxxxxxxxxxxxxxx} Time: 2018-04-13T15:53:45.7159761Z

Deleted
Not applicable

 Hi Joan

My account is MFA enabled and I'm able to create a campaign but I do get the 500 error you and others have seen if I click on Attack Details.

Are you able to click on Launch Attack and follow the wizard or do you get the error there too?

Tom

Copper Contributor

Trevor,

 

Outside the network with MFA, I can create a campaign but get a 500 error for Attack Details. Inside the network with the bypass, I can't create a campaign and also get the 500 error.

 

Joan

Deleted
Not applicable

Hi @Joan Bennett

 

I am using a cloud only account so Azure Active Directory MFA and don't have an issue with location for creating campaigns. You mention bypass for your corporate IP range so Azure MFA in your case.  

 

Sounds like you could be on to something with MFA being the issue or more specifically the type of MFA. You could see if you use a cloud only account if your experience is like mine. It might not be what you want but would prove your suspicion.

Brass Contributor

Hi @Debraj Ghosh, we got several 500 errors trying to launch an attack. Realized it really doesn't like groups. It also really doesn't like a large amount of emails. We tried ~200 first then cut it back to 125 and it worked. So we split the batches up.

However now we can only see the most recent attack and the attack details page like others said is completely broken.

Really wish we could see the results for the first "Batch" we pushed through..

Brass Contributor

I did a Spear Phishing Attack on 21 May 2018 and had the results shown when opening the Report - it worked for at least 4 days. Now it's telling me that there were 0 successful attempts (I know that there was at least 1 because that's what it previously showed me) and also no more details on who has clicked on the link but then didn't enter details or was blocked.

 

I'm not sure what the date range was when it still worked but now it's saying the simulation took place or the results are based on (not very clear on what the date range means): 2018/05/21 2:35:21 PM to 2018/05/21 2:36:14 PM. If the results are based on that then I'm sure it would be 0 info as it would only be 1 minute.

 

Is this a known issue? How can I get back my results? I've reached out to MS Support but they are clueless and can't help.

 

Note: I've since not run another simulated phishing attack.  

Copper Contributor

Same error here:

 

Request: api/SimulateAttacks/CreatePhishingCampaign
Status code: 500
Exception: System.Net.Http.HttpRequestException
Exception message: SecureScore API failed. ResultCode: InternalServerError

 

I kind of assume by all the comments that it's a general issue, I created a new tenant and configured it with following all the steps regarding the attack simulation page, but no result. I'm going to keep on trying for any new developments.

 

Note (13/06/2018): I tried again the functionality and IT WORKS!! I've tried both default templates successfully.

Microsoft

What are the password dictionary limits?

Copper Contributor

I'm getting the following: Request: api/SimulateAttacks/CreateEwsPasswordAttack Status code: 500

Copper Contributor

Hi all,

 

I have applied the attack for almost 1000 users but it says only 116?


 

Version history
Last update: Mar 12 2018 12:30 PM