Attack simulation training in Microsoft Defender for Office 365 now Generally Available

Published 01-06-2021 10:04 AM 19.2K Views

Attack simulation training Generally Available 

We are pleased to announce the General Availability (GA) of Attack simulation training in Microsoft Defender for Office 365. Delivered in partnership with Terranova Security, Attack simulation training is an intelligent social engineering risk management tool that automates the creation and management of phishing simulations to help customers detect, prioritize and remediate phishing risks by using real phish and hyper-targeted training to change employee behaviors. To see a demo of the product tune into the video at Microsoft Ignite 2020.


Emulate real threats with intelligent simulations  

Intelligent simulations automate simulation and payload management, user targeting, schedule and cleanup. In the Microsoft 365 Security Center, administrators can launch a simulation and choose a technique commonly used by attackers and target users.  



Attack simulation training dashboard


Wide variety of Phishing Techniques

Following the simple steps outlined in the workflow, administrators can choose from the top five social engineering techniques and select the phish template from a list of real attacks seen in their tenant. Optionally customers can upload their own template and then select the users to whom the simulation will be sent.  



Phishing Techniques available


Phish Template Library from Real Phish Emails

To maximize accuracy, Attack simulation training pulls its phishing templates from real world phish attackers seen in the customers environment. The security administrator can automate a “payload harvester” that collects and neutralizes phish emails received by the organization.




Payloads Available


Through the real payload harvester, Attack simulation training trains employees to identify and report the kinds of emails real attackers will send them. The security administrator can set up targeted payload harvesting as well, using conditions like technique used, department targeted and frequency.



Payload Harvesting Conditions



Finally, security administrators can add ‘phishing indicators’ like an incorrect domain name, an urgency tip or a misspelled company name to train end users on commonly-seen phishing indicators.



Add indicators to phishing templates


 User targeting and training assignment

User targeting is automated, and the administrator can use any address book properties to filter for a user list and target them. The administrator can also quickly import a list of “repeat offenders” or employees who have failed a simulation in the past and target the simulation to this group.



Target users based on address book filters


The administrator can then assign training tailored to a user’s behavior in the simulation. Microsoft recommends training to assign based on learning pathways and our intelligence into which training is effective for which kinds of behavior. The administrator can also choose to assign training themselves. For example, an administrator may choose to assign 3 trainings to users who were compromised in the simulation but only 2 to those who clicked and 1 to all users. The landing page on which the end user will land to access this training are wholly customizable for the look and voice of your brand. Finally, the administrator has the option to schedule the simulation to launch right away or at a later time, which can be customized by recipient time-zone.  



Assign Training

Customized Role Based Access ensures that administrating the simulation and training is a secure and diversified workflow.


Quantify social engineering risk and prioritize remediation through training

The training effectiveness metric, which plots your organization’s actual compromise rate in a simulation against Microsoft’s predicted compromise rate, measures the effectiveness of the training program. Overlay the dates of training completion and simulations to correlate which trainings caused a drop in compromise rate and evaluate their effectiveness. 



Training Effectiveness Report


Gain visibility over your organization’s training completion and simulation status through completeness and coverage metrics and track your organization’s progress against the baseline predicted compromise rate. Every reporting dashboard can be filtered in different ways and exported for reporting.  Multiple reporting views allowing you to drill down on training efficacy, training completion, repeat offenders and coverage.


Reinforce the human firewall with industry-leading Security Awareness Training

Terranova Security’s huge library of phish training content enables personalized and highly specific training targeting based on the user’s behavior during a simulation.



Training Library

Nanolearningsmicrolearnings, and interactivity

 cater to diverse learning styles and reinforce awareness. Additionally, all trainings are available in 40+ languages and accessible to the highest standards to meet the needs of Microsoft’s global customers.  

Attack simulation training enables organizations to improve their security posture by training their employees effectively and changing risky behavior. Organizations can choose from multiple training options to best fit their needs – using Microsoft’s recommended learning pathways, choosing to assign training manually, or choosing not to add training to a simulation.



Assigning Training


E3 Trial

As we mentioned in our blog announcing the expansion of public preview to E3 license holders, we will continue to offer a subset of Attack simulation training capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select from 2 training experiences ISA Phishing and Mass Market Phishing. The trial offering will not include any other phishing techniques, automated simulation creation and management, conditional payload harvesting, and the complete catalog of Terranova Security trainings.


To get started today, go to Attack simulation training in your M365 Security and Compliance Center or use this link: 

Senior Member

Will other languages be available for the training module? If yes - what is the timeline?




Cool feature, we love that. However, Google Chrome and Mozilla Firefox keep blocking phishing links... If I choose one from the links and insert it's fine but if simulate phishing and send it out to users the link is being blocked by those two browsers. The error says: it's blocked by google safe browsing.


Could you please have a look?





Actually same issue as @gabormicskei. Exactly month ago for example was working but now it does not. is working now  but I'm afraid that will also be reported as deceptive by Chrome & Firefox in near future.
The URLs work if disabling Safe browsing feature but that can generate additional security risk + management overhead to disable it temporarily from user computers and enabling it back after simulation.
Whitelisting the URLs in SafeBrowsing feature have not been working yet as wanted.

And also same as @Ray Borkowski, now we are kind of forced to use english with customers and if end users do not work natively in english, that can be a barrier for not using this. For example the landing page where you can only edit header and body for a small amount of text. Indicator titles and other not customizable texts are in english and can cause confusion and suspicion in users if there are two languages mixed in it. 

New Contributor

does the templates are available in French or plan to be released ?

Occasional Contributor

Is there a way to not include guest accounts in the coverage reports?

Frequent Visitor

Thank you. BTW, 
"To see a demo of the product tune into our announcement video at Microsoft Ignite 2020" - link doesn't work.

Occasional Visitor




Could you provide me with more details on the "payload harvester"?

I am not quite sure what this feature can do.


Is it a feature that creates new payloads based on actual malicious mails recevied by organizations?


Also, is the "payload harvester" the "Automation" tab in attack stimulation screen?

New Contributor

@Shawn225 my understanding is as you have described, however it doesn't seem to matter how many automations i create it doesn't collect any items. Spent an hour on a call with a Tech Lead from Microsoft but no further forward on it really. Zero documentation out there on this. For me if it does as it says on the tin (e.g. Automations are automated flows you can use to collect payloads to launch simulations) then it really takes the attack sim training to the level that we want to use it across our business, the generic stuff is good, however we get a lot of company specific stuff, and it would be good to use that to target our users with. 

New Contributor

Also @Shawn225 , @RukmaSen response here details how automations "should" work...


Re: Attack simulator roadmap - Microsoft Tech Community


i will keep trying to find out if there are any further config requirements to get it to work, if i find any i will let you know.

Occasional Visitor

Is there a way to assign Training after the Simulation was launched and concluded?


I would like to assign some training to the failing users but I don't find how to do it ones the simulation is completed.

Occasional Visitor


Thank you for your addtional information!

I had the same experience,, no matter how many automations I create, it didnt collect anything.


I am looking forward to hearing more from you! 

Occasional Visitor

The landing page for end user training, what they're presented with when they access the training link, is a big deal breaker for me on this service. The experience is not user friendly with several links on the side that users don't need to see. It doesn't look like there are any available controls for customization of the end user experience

Senior Member

I am also a bit perplexed by the Automations tab functionality. It already has 2 automations there and the conditions are to simply detect emails from a sender. But that's already possible in a message trace. I was expecting a bit more like a set template to run something in the future. Not sure what purpose this Automations serves.

New Contributor

@Vig_Mud @Shawn225 


My support request is sat with product support engineers via escalation no news from them yet. When I hear something I will post on here.

Occasional Visitor

While creating a simulation, I'm unable to select the multiple payloads. Is it the expected behaviour?
If it is, then it's not worth it I guess. Any suggestions?

Version history
Last update:
‎May 11 2021 02:06 PM
Updated by: