Announcing the Public Preview of Attack Simulator for Office 365 Threat Intelligence
Published Feb 21 2018 09:32 AM 68.3K Views

Attack Simulator Helps Enable Threat Prevention


Security solutions focus on protection, detection, and remediation.  These capabilities are what customers require and value for best in class security.  In this context, one of the most effective forms of protection is achieved through threat prevention.  With this in mind, we are excited to announce the pre-release preview of Attack Simulator for Office 365 Threat Intelligence as part of the Office 365 Universal Preview Program beginning February 21, 2018!


The ability to prevent the adverse impact from threats before any security is required is ideal.  Prevention is only possible through training and preparation of end users against the variety of threat scenarios that impact organizations.  Last year we launched Office 365 Threat Intelligence as a tool to help organizations become more proactive with their cybersecurity.  Attack Simulator is the perfect feature to support the goal of greater proactivity for security.  With Attack Simulator, admins can launch simulated attacks on their end users, determine how end users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect the organization from threats.  This preview of Attack Simulator includes three attack scenarios:


  • Display Name Spear Phishing Attack: Phishing is the generic term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Spear phishing is a subset of this attack type which is targeted, often aimed at a specific group, individual, or organization.  These attacks are customized and tend to leverage a sender name that generates trust with the recipient.


  • Password Spray Attack: To prevent bad actors from constantly guessing the passwords of user accounts, often there are account lockout policies.  For example, an account will lockout after a certain number of bad passwords are guessed for a user.  However, if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts.  The password spray attack leverages commonly used passwords and targets many accounts in an organization with the hope that one of the account holder uses a common password that allows a hacker to enter the account and take control of it.  From this compromised account, a hacker can launch more attacks by assuming the identity of account holder.
  • Brute Force Password Attack: This type of attack consists of a hacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.


The Office 365 team is looking for customers interested in providing feedback on new service offerings before they are released to General Availability. To preview Attack Simulator for Office 365 Threat Intelligence begin an Office 365 E5 trial starting the week of Mar 19th.  Also, current users of Office 365 E5 or Office 365 Threat Intelligence will also see the preview of Attack Simulator beginning the week of Mar 19th.   Both current subscribers and those beginning a trial will see the ‘Attack Simulator’ node appear under ‘Threat Explorer’ in the Office 365 Security and Compliance Center (figure 1).  The Universal Preview Program (UPP) was very popular and unfortunately has reached capacity and many of you have noted that the promo code is no longer active.  Due to the strong demand, we are now enabling the preview of Attack Simulator through the standard Office E5 trial. We apologize to our customers who tried to sign up for the UPP this week an were unable to.  


Figure 1.  Attack Simulator DashboardFigure 1. Attack Simulator Dashboard

Leverage Microsoft’s Threat Signal to Help Prevent Threats From Impacting Your Organization


While there are security testing solutions available, none are offered as part of a broader threat intelligence service such as Attack Simulator.  Using Office 365 Threat Intelligence, an admin can determine which users are being most targeted by cyber threats.  Since Attack Simulator is a feature of Office 365 Threat Intelligence, it is simple to gather information from the Threat Intelligence service and then create customized threats and launch simulated campaigns at your end users to understand how they behave and respond during a cyber attack.  Like the broader Office Threat Intelligence service, Attack Simulator leverages the Microsoft Intelligent Security Graph.  The powerful depth and breadth of Microsoft's threat signal enables Attack Simulator’s simulated threats to have unparalleled authenticity since threats are designed using threat telemetry from the Microsoft Intelligent Security Graph. 


Figure 2.  Example Spear Phishing Email created with Attack SimulatorFigure 2. Example Spear Phishing Email created with Attack Simulator

For example, Office 365 scans 400 billion emails every month, of which, some are malicious spear phishing emails.  Attack Simulator crafts simulated spear phishing emails based on this real data, ensuring end users have the most realistic experience of an attack.  The user response and behavior when under attack is captured and reported to the admin.  This provides invaluable data on how to better secure the organization through updated security policies or services. With Attack Simulator, admins can help train all their end users, and especially those who are most targeted.  


Figure 3.  Example Spear Phishing Simulation ReportFigure 3. Example Spear Phishing Simulation Report

It is likely that the greatest risk of a breach to an organization is through users who are most targeted. With Office 365 Threat Intelligence admins gain visibility into the most targeted and potentially most vulnerable users.  Using Attack Simulator, admins can launch simulated threats targeting those very same users. This will provide the most targeted users with additional training and provide admins feedback on how those users behave during an attack, enabling admins to optimally update policies and security protocols.  By potentially reducing the risk from threats to the most targeted users, admins can help reduce the risk to the overall organization.


Begin Your Journey Towards Threat Prevention

As we mentioned, for customers who were unable to join the UPP, the public preview for Attack Simulator will be made available the week of Mar 19th through a standard Office 365 E5 trial.  Learn about the details on how to run simulations with Attack Simulator here.  Your feedback is one of the most important drivers of our innovation, so please let us know what you think of Attack Simulator by starting an Office 365 E5 trial.





Version history
Last update:
‎Mar 12 2018 12:30 PM
Updated by: