Mar 01 2022 08:28 PM
* I am evaluating Microsoft Phishing Attack Simulator with a 4 user pilot
* None of the 4 users were phished in any of the 3 simulations that I actioned
* At the end of each simulation, users are correctly being emailed a message with a link to phishing training
* However, the email with the link to the phishing training contains this wording:
"Because you were recently phished, we require you to take training(s) to recognize phishing attacks in future."
* The wording I quote is troublesome since it:
a) Is inaccurate; none of the users were phished
b) Presents me (and potentially my colleagues in IT Support) negatively, since it makes us look like we aren't in control of the simulation technology (i.e. it looks like we don't understand the reality of how each user responded in the simulations)
c) Risks alienating us from our users
My questions thus are:
1) Is anyone else impacted with this issue?
2) Is there a way for the wording I refer to, to be constructively edited?
Any help is always appreciated.
Mar 02 2022 01:27 PM
You can edit the message under
I like that there are different levels of triggering and education. If the email is opened, Microsoft considers that phished. There are also different trainings for a) if the link is clicked and b) if credentials were supplied or a file was downloaded.
I hope it helps. I think the tool is still lacking a lot of features, but for us it's better than nothing. User reporting is weak and I can't for the life of me find how to remind users to take the training (if that's even possible).
Mar 02 2022 11:48 PM - edited Mar 02 2022 11:52 PM
To take your points in order:
(a) in your pilot test, did you specify training for all recipients, those who clicked the payload or those who were fully compromised? What notification option did you choose? One problem with the simulator (as I last used it in December) is that a lot of the minor settings are not recorded in the simulation list. If for example you want a record of what training you have assigned, you are going to have to keep a manual record.
(b) is a danger. You have to recognise that the MS phishing simulator is a product being continuously improved, and if all of the changes are being announced in the O365 message center then I'm missing some of them. I use the simulator quarterly, and every time last year there were some new changes to take into account. I have even seen changes arrive in mid-simulation. Your only option is to test in advance, and once more just before you launch. Unless your security stack is MS from top to bottom, you need to do that anyway in case another security vendor has suddenly decided your chosen phishing URL is malicious.
(c) is a danger with any attack simulator. Weeks before you launch, you might consider sending out a general mail reminding recipients of the dangers of phishing and that regretfully the organisation has no choice but to conduct simulated tests for all staff. Explain that this is something all proactive organisations are adopting, and that the object is to train rather than catch people out. They will face the same dangers with their personal addresses. Be constructive and helpful; I use payloads of varying "difficulty" so no-one feels bad about falling for the trickier ones.
Mar 02 2022 11:50 PM - edited Mar 02 2022 11:53 PM
Check the Settings tab on the Attack Simulator page of the Security portal. The default setting for reminders is Off.
Mar 12 2022 03:13 AM
* I have endeavoured to follow your proposed steps to edit the wording in the email that gets sent to users re training
* After I go to 'Attack Simulation Training', there doesn't appear to be an 'End-user notifications' option
* Text search on 'end-' and 'notifications' doesn't find anything
* Any further suggestions please?
* Any help finding a way forward from anyone is appreciated :)
Mar 13 2022 01:52 AM
@SteveCRF - you might want to check your roles in that case. Here's what I see, and I am not a global admin either: