Announcing Updates to the M365 Attack Simulator

Published Dec 13 2019 01:58 PM


The Microsoft 365 Attack Simulation team is pleased to announce the release of several new features in our phish simulation tool. This includes:

  • an attachment-based phishing attack
  • the ability to filter your simulation user targets by directory metadata like title, city, and department
  • the inclusion of IP addresses and client data in the simulation detail report
  • the inclusion of simulation phish messages in your user phish submission reports

Attachment Attack

We know that phishing attacks that use attachments are very popular and are an effective way for attackers to get malicious code to run on your endpoints. Teaching your users to be wary of attachments can reduce your overall risk. To help you educate your users about this risk, we've added a new type of simulation attack called Spear Phishing (Attachment) to the catalog.


To launch an attachment attack, navigate to the home page of the Attack simulator:




Then, click Launch Attack and walk through the wizard:


First, give the attachment attack campaign a relevant, distinctive name.



Second, select users from your directory that you wish to target with the attachment attack.



Third, configure the attack with the sender, the name and type of the attachment, and the subject line of the email.



Fourth, enter a custom email template, or use one from the existing library. Remember that the point of the attachment attack is to get the user to open the attachment, so don't necessarily include a credential harvesting link, but do reference the attachment in the body of the email.



Lastly, confirm that you are ready to send the simulation off.



Within minutes, your users will receive the phishing email and will be able to see the attachment. This attachment does NOT contain any malicious content or executable code. Instead, it relies on a hidden image file which makes a call back to Microsoft's servers to indicate that the user has opened the file.



Here, you see the user has opened the file, which contains similar content to what you would see on the final page of a credential harvesting simulation. The user's name is populated, along with some educational messaging about the dangers of phishing.



If you have enabled the Outlook Reporting add-in for your organization, note that the user should go ahead and report this message as phishing.



Once they select report phishing, the user will be asked to confirm the report. Note below that we're including these reported messages in your report phish message pipeline via the Outlook reporting add-in so you can now track which of your users correctly reported this message as part of the simulation.



After the users have performed their actions, the simulation administrator can then review the final output of the campaign in the Attack Simulator portal.




Directory Filtering

Another quality-of-life feature we have added is the ability to perform a filtered search of your directory based on metadata like Title, Department, and City. This allows the simulation administrator to refine target groups based on existing directory data instead of having to manually select those users, leverage CSVs, or create custom directory groups. We encourage organizations to target high-risk segments of their user population with more frequent simulations to further reduce their risk of getting phished.



Advanced Reporting Updates

The final feature we've made available is the inclusion of detailed client information in the detail report of any given campaign, including username, action performed, datetime stamp, IP address, and client type information. This will allow you to better understand where your users are performing the risky actions.
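One way to turn those detail-report fields into a "where are the risky actions happening" summary, shown as an added example that is not part of the original post or the product. The CSV layout, the action labels (`AttachmentOpened`, `ReportedPhish`), the sample rows and the corporate IP range are all assumptions; map them to whatever your exported report actually contains.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample rows. Column names and action labels are assumed,
# not the portal's real export schema.
SAMPLE_REPORT = """\
username,action,timestamp,ip_address,client_type
alice@example.com,AttachmentOpened,2019-12-13T14:05:11Z,10.20.1.15,Windows/Outlook
bob@example.com,AttachmentOpened,2019-12-13T14:07:42Z,203.0.113.40,Android/Mobile
bob@example.com,AttachmentOpened,2019-12-13T14:09:03Z,203.0.113.40,Android/Mobile
carol@example.com,ReportedPhish,2019-12-13T14:10:30Z,10.20.1.77,Windows/Outlook
dave@example.com,AttachmentOpened,2019-12-13T15:01:00Z,198.51.100.9,macOS/Browser
dave@example.com,ReportedPhish,2019-12-13T15:03:10Z,198.51.100.9,macOS/Browser
"""

# Assumed corporate address space; replace with your own ranges.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
RISKY_ACTIONS = {"AttachmentOpened"}
REPORT_ACTION = "ReportedPhish"


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def summarize(report_csv: str) -> dict:
    """Per-user outcome plus risky-action counts by network location and client."""
    actions = defaultdict(set)
    by_location, by_client = Counter(), Counter()
    seen = set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, action = row["username"].lower(), row["action"]
        actions[user].add(action)
        # Count a user once per (action, IP, client) so repeat opens don't inflate totals.
        key = (user, action, row["ip_address"], row["client_type"])
        if action in RISKY_ACTIONS and key not in seen:
            seen.add(key)
            where = "corporate" if is_corporate(row["ip_address"]) else "off-network"
            by_location[where] += 1
            by_client[row["client_type"]] += 1
    outcome = {}
    for user, acts in actions.items():
        risky, reported = bool(acts & RISKY_ACTIONS), REPORT_ACTION in acts
        outcome[user] = ("opened_and_reported" if risky and reported
                         else "opened" if risky
                         else "reported" if reported else "other")
    return {"outcome": outcome, "by_location": dict(by_location), "by_client": dict(by_client)}
```

Users who land in `opened` without a matching report are the ones to prioritize for follow-up training, and a high `off-network` count suggests the risky behaviour is happening on unmanaged or mobile clients.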



Outlook Reporting Add-In Integration

We're also including simulation phish messages in the normal reporting pipeline so that you can now track which of your users have correctly reported phish messages as part of the simulation exercise. This can be found by navigating to Threat Management > Explorer > View Submissions > User Submissions.


Wrapping it up

So, there you have it – a whirlwind tour through the new updates to Office 365 ATP’s Attack Simulator. We’d like to encourage you to start taking advantage of the new functionality by following the link, and we look forward to your feedback! More information on Attack Simulator can be found in the Attack Simulator documentation on Microsoft Docs.

New Contributor

Nice, helpful, thank you for Attack simulator.
I hope to support Japanese


New Contributor

Does this update fix the issue where you can't send to more than 100-ish people per attack without experiencing size errors on the backend request? Also, can you embed images in the messages now? Previously, the images had to be external, so Outlook would properly block them. Thanks!

Respected Contributor

Can we use these simulated attacks to initiate the Automated investigation and response (AIR) in Microsoft Threat Protection?


Thanks for the comments, folks!

- Support for Japanese, as well as other languages, is planned for our V2 of Attack Sim.

- The fix for the sometimes 100-user limit was deployed in late December, 2019.

- We plan to allow simulations to be triggered FROM AIR in V2 for phishing. In the future, we do intend to map authentic simulations to automated response playbooks for testing/validation/education!


The Attack Sim and Training Team

Regular Visitor

Can you confirm which 365 licences are required for this solution?


@GFord2304 Attack Simulator is part of O365 ATP Plan 2 which is available as a standalone licence or it's included in Office 365 E5, Office 365 A5, and Microsoft 365 E5. 

Frequent Visitor

Is there a way to change the pdf document that is sent out?

We would like to customize this for our end-users when we send it out and not use the canned wording.

Occasional Visitor

Any news regarding @bradgasser 's request?


We'd also be looking for a way to customize the content of the attachment.

Occasional Visitor

@Brandon Koeller We are a third party providing these services to our corporate clients (who have 365 contracts with MS). I am wondering how we can offer these services to clients without requiring elevated privileges on the client servers. How can we position ourselves in this kind of setup, which helps the clients in terms of convenience and us in terms of technical access?

Last update: May 11 2021 03:46 PM