microsoft 365 defender
498 Topics

Create targeted attack simulation training campaigns with dynamic groups
When it comes to email security, even the most reliable employees can sometimes be unpredictable. Our days are filled with clicks, taps, likes, swipes, pings, texts, and more, leaving us open to acting fast without always being thorough and cautious. That's why simulation training should be a key component in every organization's email security strategy. It plays a critical role in educating and empowering employees to recognize common phishing and social engineering tactics, adopt a security-first culture, and protect their organizations from associated security risks. Attack simulation training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization.

We're excited to announce dynamic targeting for Attack simulation training in Defender for Office 365. You can now use the Microsoft 365 group – dynamic membership type created in Microsoft Entra admin center to define the recipients of your simulations and training campaigns. It provides a more efficient and effective way to manage target users for simulations and trainings, allowing you to assign foundational security training to new hires, send simulation campaigns to users in departments or locations with high turnover, and more such use cases, without having to manually manage groups.

With this, the list of supported group types in Attack simulation training is as follows:

- Microsoft 365 group (both static and dynamic)
- Distribution group (static only)
- Mail-enabled security group (static only)

What are dynamic groups?

Dynamic group membership is defined by one or more rules that check for certain attributes in user accounts. These groups are automatically updated as user attributes change, ensuring that the group membership is always up to date. This is particularly useful for large organizations where manually managing group memberships can be time-consuming and error prone.
Use the Microsoft 365 group dynamic membership type in Microsoft Entra ID to tailor your simulation and training campaigns to specific user groups, making the training more relevant and effective.

Some use cases of dynamic groups in Attack simulation training:

- Target users more effectively based on specific criteria such as department, role, or location. Example: For sending a simulation email to users in Sales or Marketing departments, the dynamic membership rule can be written as:
    (user.department -eq "Sales") -or (user.department -eq "Marketing")
- Target users based on different hiring timeframes using the attribute "employee hire date". A few examples are shared below:
  - To send a simulation email or a training campaign to those hired after a particular date, such as June 30, 2024, the dynamic membership rule can be written as:
      (user.employeeHireDate -ge 2024-06-30)
  - To automate simulation emails for users who will be hired within the next 30 days, the dynamic membership rule can be written as:
      (user.employeeHireDate -le system.now -plus P30D) -and (user.employeeHireDate -ge system.now)

How to create and use dynamic groups in simulations:

To create and use dynamic groups, follow these steps:

1. Sign in to Azure Portal as at least a Groups Administrator and select Microsoft Entra ID, followed by Groups.
2. Create a new group and choose Microsoft 365 as the group type. Enter a name, email address, and description for the group.
3. Select Dynamic user as the membership type and select Add dynamic query.
4. Define the rules for the dynamic query based on the user properties that you want to use. You can add multiple rules and combine them with AND/OR operators. Validate the rule. Select Save and then select Create.
5. Go to the Defender portal and select Attack simulation training.
6. Select the Simulations tab and create a new simulation or edit/copy an existing one.
7. On the Target users page, select Add users, search for and select the dynamic group that you created, and select Add user(s).
8. Complete the rest of the simulation settings and Create or Save the simulation.

How to use dynamic groups in training campaigns:

1. Repeat steps 1-5 shared above.
2. Select the Training campaign tab and create a new campaign.
3. On the Target users page, select Add users, search for and select the dynamic group that you created, and select Add user(s).
4. Complete the rest of the campaign settings and Create or Save the campaign.

How to use dynamic groups in simulation automations:

1. Repeat steps 1-5 shared above.
2. Select the Simulation Automations tab and create a new automation.
3. On the Target users page, select Add users, search for and select the dynamic group that you created, and select Add user(s).
4. Complete the rest of the automation settings and Create or Save the automation.

Note for automated simulations:

- If a user is removed from a dynamic group after taking part in a simulation, this user will still appear in simulation reports and continue with assigned trainings.
- If a user is added to a dynamic group after the last simulation in an automation has run, the user won't be simulated because this automation is considered complete.
- At the start of an automation, users are divided across different simulations. If new users are added after some simulations have run, these users will be distributed across the remaining simulations.

More information:

- Learn more about the different types of Microsoft 365 groups
- Create or edit a dynamic group
- Manage rules for dynamic groups
- Learn about nested group properties in dynamic groups

Modify groups based on your requirements.

Security Admin Center Tenant Allow/Block List Not Able to Block IPv4?
While using the Security Admin Center Tenant Allow/Block List we have been able to block specific email addresses and IPv6 IP addresses but are unable to block IPv4 IP addresses. We have tried both using the console and the CLI but have turned up unsuccessful both times when it comes to IPv4. A large majority of the phishing attempts that we encounter come from IPv4 addresses but we have been unable to block any of these. Will there ever be functionality for IPv4 within the Tenant Allow/Block list or is the only option to use conditional access policies? Also why is this enterprise tool only functional with IPv6 and without documentation stating that it does not work for IPv4?

Anti-malware policy doesn't block files
Hello Microsoft Community,

We have recently found that Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with a cmd/exe/jse/rdp and other files inside of the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

MDE Platform stuck in Version 4.18.24080.9
We currently have Microsoft Defender for Endpoint for our Windows 11 Devices. Upon checking the devices in security portal most of them have "NOT UP TO DATE" PLATFORM. We tried the following to update the MDE on the clients:

- Get-WindowsUpdate -Install -KBArticleID KB4052623 -> Restart
- Update-MpSignature -> Restart
- Manual update by going to Virus & Threat Protection Settings -> Restart

But we only see update on Security Intelligence. For MDE Platform it is stuck on Version 4.18.24080.9. What are we missing?

Microsoft Defender multi Tenant management
I work for an MSP that is going to switch out our current Antivirus Platform (Carbon Black) for another product. We are thinking about using MS defender as a reseller...either as an independent product or also going full O365 and migrating our clients from on Premise Exchange to 365 Exchange. However, I can't find anyone who manages MS defender (or Exchange for that matter) as a multi-tenant client. Each of our customers I understand would have their own instance and tenant ID, but I don't see any MSP managing these clients through a single interface. I have heard of Lighthouse and read about the API integration for MS defender, but I have yet to come across any companies using it in this fashion. Has anyone heard of managing a large client base for MS defender (or any MS cloud product) successfully through Lighthouse or any other means?

Automating User Tags
When we create a custom user tag we can select a group and have all the users in the group tagged. However if a user is removed or added to that group at a later stage the tag is not removed/added. Is there a way to automate this? Only thing I found is that this was before on the roadmap but seems to have been removed?

https://m365admin.handsontek.net/microsoft-defender-for-office-365-tagging-support-for-groups/
https://learn.microsoft.com/en-us/defender-office-365/user-tags-about

If you assign a group to a user tag, members of the group at the time of tag creation are assigned tag. Users later added to the group aren't automatically assigned the user tag.

Emails being accepted by large organisation
Hi

I have to interact regularly with a large UK public sector organisation. Unfortunately, a number of my emails (and those of my colleagues that have the same domain name) end up in spam folders or spam quarantines and it is very frustrating. I have requested that our email addresses are "whitelisted" but this has been refused on the grounds of security even though there is no history of the domain being used insecurely. I am told it is because of the "hopping" of my emails. My emails have the SPF on them. I have also never received a blocked senders notice from Microsoft. Is there anything that can be done?

Learn more about Microsoft Security Communities.
In the last five years, Microsoft has increased the emphasis on community programs – specifically within the security, compliance, and management space. These communities fall into two categories: Public and Private (or NDA only). In this blog, we will share a breakdown of each community and how to join.