A few weeks ago, we released a public preview for Attack Simulator for Office 365 Threat Intelligence. Today, we’re excited to announce that Attack Simulator is now generally available. Attack Simulator for Office 365 Threat Intelligence is available to all Office 365 E5 or Office 365 Threat Intelligence customers.


With Attack Simulator, customers can launch simulated attacks on their end users, determine how end users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect the organization from threats.  The GA of Attack Simulator adds a new HTML editor so realistic looking HTML emails can be sent in simulations of spear-phishing.  Also, two spear-phishing templates are available for immediate use in the spear phishing simulation.



Attack_Simulator_html_editor.pngFigure 1. Email template for spear phish simulation using a fake email from an organization’s payroll department.


Attack Simulator includes the three attack scenarios from our public preview.


  • Display Name Spear Phishing Attack: Phishing is the generic term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Spear phishing is a subset of this phishing and is more targeted, often aimed at a specific group, individual, or organization.  These attacks are customized and tend to leverage a sender name that generates trust with the recipient.


  • Password Spray Attack: To prevent bad actors from constantly guessing the passwords of user accounts, often there are account lockout policies.  For example, an account will lockout after a certain number of bad passwords are guessed for a user.  However, if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts.  The password spray attack leverages commonly used passwords and targets many accounts in an organization with the hope that one of the account holder uses a common password that allows a hacker to enter the account and take control of it.  From this compromised account, a hacker can launch more attacks by assuming the identity of account holder.


  • Brute Force Password Attack: This type of attack consists of a hacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.


This video demonstrates how Attack Simulator can help organizations educate users to become more secure from cyber threats.  With Attack Simulator, admins can train all their end users, and especially those who are attacked most often.  This proactive training is a powerful way to ensure that your organization can prevent the impact from advanced threats.  Over the coming months, more threat simulations will be added to Attack Simulator so organizations can simulate the most prevalent threat types from the modern threat landscape.



Begin Educating your End Users Today

            Experience the benefits of Attack Simulator for Office 365 Threat Intelligence by beginning an Office 365 E5 trial or Office 365 Threat Intelligence Trial today.   Also, learn more about how Microsoft leverages threat intelligence and the value of threat intelligence. Your feedback is one of the most important drivers of our innovation, so please let us know what you think. 


**bleep**, my article on Attack Simulator is scheduled for tomorrow, now I have to change it :) Congrats on GA! One of the coolest tools we've gotten in the last few months.

Occasional Contributor

We use ADFS and don't syncronise AD passwords to Azure AD, so passwords shouldn't be stored in the cloud, not even hashes.


Yet this tool reports that an account password is cracked when I input the known password to the list used for the brute force.


So my question is where is Microsoft obtaining the account password from to undertake a brute force attack? We were told ADFS means the password never leaves our on-premise environment.


Also, IMHO the most useful addition to Attack simulator would be for MSFT to run hashed passwords against the hashes of known passwords and report where a user has a password that is already known to be broken


Even though it's GA, I still can't use a password file to perform a brute force attack.   I'm using a txt file with one password per line and there are no blancs in the file.  Is there a limit in how many passwords can be tested?  I first tested with 1.1 million passwords, now with 300K passwords, etc...


Despite the efforts I keep getting the following error for the past days.


Request: api/SimulateAttacks/CreateEwsPasswordAttack Status code: 500 Exception: System.Net.Http.HttpRequestException Exception message: SecureScore API failed. ResultCode: BadRequest Diagnostic information: {Version:16.00.2312.004,Environment:EUSPROD,DeploymentId:b9d1eaec988246bd97ea05edb88f7c8e,InstanceId:WebRole_IN_1,SID:c10c32c0-adb1-48ef-9727-d7945e227a96,CID:7023c8f2-cf75-449a-a218-af702b05e8db} Time: 2018-05-01T08:45:54.1042981Z

What a cool feature. Good to train users!

Occasional Contributor

Love this feature. It scared me a bit to see how many people use a default password or even keep the password we gave as a temporary one. We changed some policies based on the information we got from the Attack simulator. The Phishing mail functionality is also something I really like, even the IT engineers fell for it. Amazing!

Frequent Visitor

Looks interesting but for a small business, the price to add the threat licensing is almost as much as a business premium license. If the price was reasonable we could sell this to many customers by doing a trial to show the benefits and using the test results to get them to commit to buying it. But I'd value this at more like $2-4

Frequent Visitor

It doesn't work for me, i've got a call open and now closed.  I get error 500's when running "SecureScore API failed. etc"  Is this the same for everyone or just isolated?  We are on Western Europe (London/Cardiff/Amsterdam I guess?)



Hey John


We're in the European region when testing this feature.  I have the same error, so far .. no solution ..   It looked promising, but if it doesn't work …



Occasional Visitor

I got the same error repeatedly. First I thought it was because I was entering email addresses directly and not allowing them to resolve. After entering all my 100 test users individually by name and letting O365 resolve with Active Directory, it still failed. So I deleted about 1/2 the names in my group and the test went through with a total of 65 names on it. If I had to guess, the size of testable population is related to the level of Office 365 associated with your account. I know there are some features that have restrictions based on this and I have a mid-level license because I haven't needed a higher one.


Hi John


We tested the features with M365 E5 present for all users ..  so it's not a license restriction.  


Anyway …  very little feedback from Microsoft …  Threat Intelligence is not cheap …   sounds like a hard bargain to engage your customers …

Dear Team,


We have customer was trying to ran some phishing attach simulator. However, on the result the User targeted does not tally the number of mailbox entered during the test. Customer was sending it to the several group with more than 500 Total members but on the report it only says 300+. Was this a glitch?