jhumphries
Nov 10, 2022, Copper Contributor
Attack simulation training - unique email to each user
G'day, I'm currently trialling the attack simulation system provided by Microsoft 365 Defender. I have used other, similar services in the past that had pretty much the same features - However, on...
Brandon Koeller
Nov 15, 2022, Microsoft
Hey Jhumphries! Thanks for reaching out. The payload randomization chooses different payloads for each 'batch' of targeted users. It's not necessarily unique per user, but if you create a simulation automation with 100 users, spread out over a month, and the automation ends up targeting 25 users per batch, you'll get four different payloads for each batch. We think this more or less matches attacker behavior. That being said, we are working on a series of improvements to the simulation automation capability, and we'll look at unique payloads per user as part of that work!
Thanks, AST Team.
- jhumphries, Nov 15, 2022, Copper Contributor
Thanks Brandon, you might be right with regards to matching real phishing behaviour. Attackers definitely would send in batches just to save time for themselves. However, in my experience that isn't how real phishing attacks usually reach us. In the scenarios I've personally dealt with, it's been an individual user receiving a unique email that they've clicked on without speaking to anyone else. This is the main reason I am keen to get this functionality!
It's especially important when you consider that most people have multiple different email accounts - all users will need to ascertain the legitimacy of a real phishing email (whether it's work related or personal) on their own at some point in their lives (probably lots of times.)
Thanks a lot for your response, I'm glad you guys are keeping an eye on the forums 🙂