Microsoft Tech Community
Announcing Updates to the M365 Attack Simulator
Published Dec 13 2019 01:58 PM 42.2K Views
Microsoft

Overview

The Microsoft 365 Attack Simulation team is pleased to announce the release of several new features in our phish simulation tool. This includes:

  • an attachment-based phishing attack
  • the ability to filter your simulation user targets by directory metadata like title, city, and department
  • the inclusion of IP addresses and client data in the simulation detail report
  • the inclusion of simulation phish messages in your user phish submission reports

Attachment Attack

We know that phishing attacks that use attachments are very popular and an effective way for attackers to get malicious code to run on your endpoints. Teaching your users to be wary of attachments can reduce your overall risk. To help you educate your users about this risk, we've added a new type of simulation attack called Spear Phishing (Attachment) to the catalog.

 

To launch an attachment attack, navigate to the home page of the Attack simulator:

 


 

Then, click Launch Attack and walk through the wizard:

 

First, give the attachment attack campaign a relevant, distinctive name.


 

Second, select users from your directory that you wish to target with the attachment attack.


 

Third, configure the attack with the sender, the name and type of the attachment, and the subject line of the email.


 

Fourth, enter a custom email template, or use one from the existing library. Remember that the point of the attachment attack is to get the user to open the attachment, so don't necessarily include a credential harvesting link, but do reference the attachment in the body of the email.


 

Lastly, confirm that you are ready to send the simulation off.


 

Within minutes, your users will receive the phishing email and will be able to see the attachment. This attachment does NOT contain any malicious content or executable code. Instead, it relies on a hidden image file which makes a call back to Microsoft's servers to indicate that the user has opened the file.


 

Here, you see the user has opened the file, which contains similar content to what you would see on the final page of a credential harvesting simulation. The user's name is populated, along with some educational messaging about the dangers of phishing.


 

If you have enabled the Outlook Reporting add-in for your organization, note that the user should go ahead and report this message as phishing.


 

Once they select report phishing, the user will be asked to confirm the report. Note below that we're including these reported messages in your report phish message pipeline via the Outlook reporting add-in so you can now track which of your users correctly reported this message as part of the simulation.


 

After the users have performed their actions, the simulation administrator can then review the final output of the campaign in the Attack Simulator portal.

 


 

Directory Filtering

Another quality-of-life feature we have added is the ability to perform a filtered search of your directory based on metadata like Title, Department, and City. This allows the simulation administrator to refine target groups based on existing directory data instead of having to manually select those users, leverage CSVs, or create custom directory groups. We encourage organizations to target high-risk segments of their user population with more frequent simulations to further reduce the risk of getting phished.


 

Advanced Reporting Updates

The final feature we've made available is the inclusion of detailed client information in the detail report of any given campaign, including username, action performed, datetime stamp, IP address, and client type information. This will allow you to better understand where your users are performing the risky actions.


 

Outlook Reporting Add-In Integration

We're also including simulation phish messages in the normal reporting pipeline so that you can now track which of your users have correctly reported phish messages as part of the simulation exercise. This can be found by navigating to Threat Management > Explorer > View Submissions > User Submissions.
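The detail report and the user submissions view can be combined to see, per targeted user, who opened the attachment and who reported the message. The following is an added example, not part of the original post or of Microsoft's tooling; the CSV column names, the `AttachmentOpened` action label, and all sample rows are constructed assumptions rather than the portal's actual export schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample exports. Column names and the "AttachmentOpened" label
# are assumptions for this example, not the portal's actual schema.
DETAIL_REPORT = """user,action,timestamp,ip,client
alice@contoso.example,AttachmentOpened,2019-12-13T09:02:11,203.0.113.10,Windows/Outlook
bob@contoso.example,AttachmentOpened,2019-12-13T09:05:40,198.51.100.7,iOS/Mail
bob@contoso.example,AttachmentOpened,2019-12-13T09:06:02,198.51.100.7,iOS/Mail
"""
USER_SUBMISSIONS = """user,reported_at
alice@contoso.example,2019-12-13T09:04:11
carol@contoso.example,2019-12-13T09:01:00
"""
TARGETS = ["alice@contoso.example", "bob@contoso.example",
           "carol@contoso.example", "dave@contoso.example"]


def first_opens(detail_csv):
    """Earliest attachment-open event per user: {user: (time, ip, client)}."""
    opens = {}
    for row in csv.DictReader(io.StringIO(detail_csv)):
        if row["action"] != "AttachmentOpened":
            continue
        user, ts = row["user"].lower(), datetime.fromisoformat(row["timestamp"])
        if user not in opens or ts < opens[user][0]:
            opens[user] = (ts, row["ip"], row["client"])
    return opens


def classify(detail_csv, submissions_csv, targets):
    """Label every targeted user by what they did with the simulated message."""
    opens = first_opens(detail_csv)
    reports = {r["user"].lower(): datetime.fromisoformat(r["reported_at"])
               for r in csv.DictReader(io.StringIO(submissions_csv))}
    labels = {(True, True): "opened_and_reported", (True, False): "opened_not_reported",
              (False, True): "reported_only", (False, False): "no_action"}
    return {u: labels[(u in opens, u in reports)] for u in targets}


def opens_by_client(detail_csv):
    """Count users (not events) who opened the attachment, per client type."""
    return Counter(client for _, _, client in first_opens(detail_csv).values())


if __name__ == "__main__":
    for user, label in classify(DETAIL_REPORT, USER_SUBMISSIONS, TARGETS).items():
        print(f"{user:28} {label}")
    print(dict(opens_by_client(DETAIL_REPORT)))
```

Users labelled `opened_not_reported` are the group to prioritize for follow-up training; repeated open events from the same user are collapsed so that counts reflect people rather than clicks.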


Wrapping it up

So, there you have it – a whirlwind tour through the new updates to Office 365 ATP’s Attack Simulator. We’d like to encourage you to start taking advantage of the new functionality by following the link (https://protection.office.com/attacksimulator) and we look forward to your feedback! More information on Attack Simulator can be found in the Attack Simulator documentation on Microsoft Docs.

10 Comments
Brass Contributor

Nice, helpful, thank you for Attack simulator.
I hope to support Japanese

 

Copper Contributor

Does this update fix the issue where you can't send to more than 100-ish people per attack without experiencing size errors on the backend request? Also, can you embed images in the messages now? Previously, the images had to be external, so Outlook would properly block them. Thanks!

Silver Contributor

Can we use these simulated attacks to initiate the Automated investigation and response (AIR) in Microsoft Threat Protection?

Microsoft

Thanks for the comments, folks!

-Support for Japanese, as well as other languages is planned for our V2 of Attack Sim.

-The fix for the sometimes 100-user limit was deployed in late December, 2019.

-We plan to allow simulations to be triggered FROM AIR in V2 for phishing. In the future, we do intend to map authentic simulations to automated response playbooks for testing/validation/education!

Thanks,

The Attack Sim and Training Team

Copper Contributor

Can you confirm which 365 licences are required for this solution?

Iron Contributor

@GFord2304 Attack Simulator is part of O365 ATP Plan 2 which is available as a standalone licence or it's included in Office 365 E5, Office 365 A5, and Microsoft 365 E5.

 

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp 

Copper Contributor

Is there a way to change the pdf document that is sent out?

We would like to customize this for our end-users when we send it out and not use the canned wording.

Copper Contributor

Any news regarding @bradgasser's request?

 

We'd also be looking for a way to customize the content of the attachment.

Copper Contributor

@Brandon Koeller We are a third party providing these services to our corporate clients (who have 365 contracts with MS). I am wondering how we can offer these services to clients without requiring elevated privileges on the client servers. How can we position ourselves in this kind of a setup which helps the clients in terms of convenience and us in terms of technical access?

Copper Contributor

Do we have a mapping with NIST Phish Scale User Guide and M365 Attack Simulation Templates?

Last update:
‎May 11 2021 03:46 PM