Attack simulation training - unique email to each user

Occasional Contributor

G'day, I'm currently trialling the attack simulation system provided by Microsoft 365 Defender. I have used other, similar services in the past that had pretty much the same features -

However, one essential feature I need is the option to send a different phishing email to each individual user. Have I just missed this somewhere or is this feature not available?


Once I have achieved a unique payload to each user, it'd be great if I could also randomise the time each user receives their email. My previous system could do this and it made the simulations a lot more realistic.


There is an option to randomise the payload, but this doesn't randomise the email to each user. Instead it just lets the simulator randomise the payload it chooses to send to all users.


Without doing this, users will tell each other about the dodgy email they received which tips off people who haven't yet seen the email. I want them to pass the test at an individual level.

2 Replies
best response confirmed by jhumphries (Occasional Contributor)
Hey Jhumphries! Thanks for reaching out. The payload randomization chooses different payloads for each 'batch' of targeted users. It's not necessarily unique per user, but if you create a simulation automation with 100 users, spread out over a month, and the automation ends up targeting 25 users per batch, you'll get four different payloads for each batch. We think this more or less matches attacker behavior. That being said, we are working on a series of improvements to the simulation automation capability, and we'll look at unique payloads per user as part of that work!
Thanks, AST Team.
Thanks Brandon, you might be right with regards to matching real phishing behaviour. Attackers definitely would send in batches just to save time for themselves. However, in my experience that isn't how real phishing attacks usually reach us. In the scenarios I've personally dealt with, it's been an individual user receiving a unique email that they've clicked on without speaking to anyone else. This is the main reason I am keen to get this functionality!

It's especially important when you consider that most people have multiple different email accounts - all users will need to ascertain the legitimacy of a real phishing email (whether it's work related or personal) on their own at some point in their lives (probably lots of times.)

Thanks a lot for your response, I'm glad you guys are keeping an eye on the forums :)