Announcing Attack Simulation Training in Microsoft Defender for Office 365
Published Sep 23 2020 11:50 AM 25.5K Views
Microsoft

We are excited to announce that Attack Simulation Training in Microsoft Defender for Office 365 enters public preview today, empowering our customers to detect, quantify and reduce social engineering risk across their users. To watch the announcement and see the product in action, tune into our session at Ignite 2020.


Users falling prey to phishing is still one of the most common, impactful risks facing our customers today. Good technology stops most phishing attacks before they ever reach inboxes, but no technology can stop 100% of phishing attacks. Your employees are a crucial line of defense.  

Attack Simulation Training in Microsoft Defender for Office 365 is an intelligent social engineering risk management tool that empowers all your employees to be defenders. Using real phish to emulate the attacks your employees are most likely to see, it delivers security training tailored to each employee’s behavior in simulations. It automates the design and deployment of your security training program, saving resource-strapped security teams time and resources. Innovative metrics like predicted compromise rate and training effectiveness quantify social engineering risk across the organization and enable strategic remediations. Engaging and context-aware security training, delivered through our partnership with Terranova Security, reduces risky behavior.

 


Today we are launching three capabilities in public preview: intelligent simulations, actionable insights, and impactful security training.  

 

Emulate real threats with intelligent simulations  

Intelligent simulations automate simulation and payload management, user targeting, scheduling and cleanup. The security admin can launch a simulation with a click of a button in the Attack Simulation Training tab in Microsoft 365 Security Center.

 


Following the simple steps outlined in the workflow, the admin can pick from 4 different social engineering techniques and select the phish template from a list of real phish templates seen in their tenant. Optionally, if the admin prefers, they can upload their own template as well, and then select the users to whom the simulation will be sent.  

 


 

 

The admin can then assign training tailored to a user’s behavior in the simulation. Microsoft recommends which training to assign based on learning pathways and our intelligence into which training is effective for which kinds of behavior. The admin can also choose to assign training themselves. For example, an admin may choose to assign 3 trainings to users who were compromised in the simulation but only 2 to those who clicked and 1 to all users. The landing page on which the end user will land to access this training is wholly customizable for the look and voice of your brand. Finally, the admin has the option to schedule the simulation to launch right away or at a later time, which can be customized by recipient time zone.


 

 

Reinforce your human firewall with impactful training  

Terranova Security’s huge library of phish training content enables personalized and highly specific training targeting based on susceptibility score or simulation performance. Nanolearnings, microlearnings, and interactivity cater to diverse learning styles and reinforce awareness. Additionally, all trainings are available in 12+ languages and accessible to the highest standards to meet the needs of Microsoft’s global customers.


 

When an employee clicks on the phishing link in a simulation, or gives up their credentials, they will be directed to the landing page set up by the administrator. The landing page walks through the indicators of phishing that the employee missed and assigns them training, which can be completed right then within the product or scheduled for later in Outlook calendar. Regular reminders will prompt employees to complete assigned training until it is due.

 

Analyse social engineering risk across employees with actionable insights

The impact of training can be measured by the training effectiveness metric, which plots your organization’s actual compromise rate in a simulation against Microsoft’s predicted compromise rate. Overlay the dates of training completion and simulations to correlate which trainings caused a drop in compromise rate and evaluate their effectiveness. Gain visibility over your organization’s training completion and simulation status through completeness and coverage metrics, and track your organization’s progress against the baseline predicted compromise rate. Every reporting dashboard can be filtered in different ways and exported for reporting.


 

Attack Simulation Training helps you empower your people to identify and report social engineering attacks. Enable Attack Simulation Training in Private Preview now. To learn more, watch our Microsoft Ignite 2020 session.

 

21 Comments
Copper Contributor

Will there be a way to export the reports via an API?

Copper Contributor

Okay, let me get this right...

 

This feature is now for Microsoft Defender for Office 365, which used to be called Office 365 ATP, which is part of M365 Business Premium.

Assuming this refers to Plan 1 and not Plan 2 (who knows what the difference is), why am I being told I need an MDATP licence to access the URL in the demo above?

 

Has anyone ever told you your product set is way too complicated?

Brass Contributor

How often are training reminders sent? Is it logged anywhere that these reminders are sent?

Microsoft

@Fahad Shaikh  Not just yet, but we know this is an important requirement and will be releasing this very soon. Stay Tuned! 

Brass Contributor

Few important questions:
- are payloads available in different languages? I see them in English (and I love the amount available <3) and I see there are none available in Polish.

- if other languages are there - how can we choose them? In the old attack sim the payload language was determined by the admin who was launching the simulation - which was terrible (I can only send simulations to users using the same language). Is there / will there be an option to choose payload language? Or maybe it would be determined based on user selected language?

- I see you can create your own payloads with SMS or Teams message as attack surface - however I cannot choose those. Is this unavailable at the moment but coming sometime in the future?

- I know the trainings are in 12+ languages - are any other coming as well?

Copper Contributor

Same question as @KubaBorkowski, we have the need to provide phishing training in multiple languages but I do not see how I can select payloads in other languages and I am having difficulty finding training to do so.  And are the other languages only available for the payloads, or are the trainings also available in other languages?

Copper Contributor

Hi any update on language option? 

Copper Contributor

I also got the same question as others around payload languages, I cannot seem to get anything other than French :smile:

Copper Contributor

@KubaBorkowski @rajubabu @Sigmund Brandstaetter 

 

I just wanted to get in and let everyone who has been asking about languages know what I've just found out with a meeting with Microsoft.

 

According to them, the trainings will automatically translate into one of the 33 languages that they supported.  This automatic translation is based on the user's language setting in Microsoft 365.  If the user's language setting is not one of the 33 supported languages I believe it automatically defaults to English.

 

For the payloads, they do not currently automatically translate them.  They tried machine translating, it did not accurately translate the emails, so they are working on having people translate them one at a time.  There is no timeline on when this will be done.

 

Also for payloads, some payloads are in different languages and they didn't originally have a way to filter them by language, but they are just about to push an update that will allow you to filter a phishing payload by language.  They don't have phishing payloads in all 33 languages however, because the payloads are actual phishes that have been recycled, and 80% of all phishes are in English.

 

Just wanted to let others in on this knowledge, hopefully it helps everyone! :)

Copper Contributor

@AndreaBohn Thanks, however, in my case the payload email text is in French - all my system settings are US English. I don't have a problem reading French since I learned it in school, but I am based in the Philippines, French isn't really a thing here :lol:


Still trying to see if there is anything I can modify here. I found that not all are in French so I can work around this for the time being or just probably use custom text.

Brass Contributor

@AndreaBohn Thanks! Seems like Polish isn't included in the 33 languages :(

As for the payloads - I don't think this is a big issue, you can always make a copy of an existing one and translate it yourself :)

Copper Contributor

@RukmaSen great work. When will the Teams and SMS options become available? As @KubaBorkowski mentioned previously, they appear but cannot be selected.

Brass Contributor

@RukmaSen When a user reports a message from a phishing campaign is there a way to display a message saying "You have passed" or "Congratulations" ?

 

I've heard others mention this but not sure if it was a third-party tool.

Copper Contributor

Hi, is this available for GCC? We get an error of "Service Unavailable on you tenant"

Copper Contributor

Is it possible to send the training reminder mail in different languages?

Brass Contributor

I have raised a support case with Microsoft (Case #:26254527). The case was closed and resolved as a bug thus why I'm posting this here.

 

To summarize, we have users who have completed all their assigned training but still constantly get the email notification from trainingassignment@microsoft.com saying they have not completed the training.

 

Any help to fix this issue would be greatly appreciated.

Brass Contributor

Does Microsoft Attack Simulator exclude the admin who is setting up the simulation? I have tried to run two simulations and both seem to exclude me from the simulation (i.e., it did not send me an email). We are a small firm, and we need to document training for compliance purposes.

Brass Contributor

How can I send a manual reminder to complete the training assigned? Doesn't seem to be any way to do this from the Simulation Interface. I can see who was compromised in a test, see that training was assigned and not complete - but no way to send them a reminder. If they don't do it straight away, or set themselves a reminder - how can I get them back to the Training page they need to complete?

Copper Contributor

@Dread73 You can set this when you initially create the Simulation, you can choose between weekly or twice a week reminders. There is no manual way to send it ad hoc.

 


 

Brass Contributor

Thanks for that. I did set it - but 2 end users (so far) are claiming they haven't seen any reminders or links (as usual) and I have no way of manually sending them anything so they can get to the training page they need to complete.

Copper Contributor

You can check via Message trace to show that they have received it :) 

 

It is sent from

 

[image]

 

 

and the subject would be 

 

[image]

 

it will contain the links to the assigned training

 

[image]

 

 

Last update: May 11 2021 03:44 PM