M365 Attack Simulation Training

What is Attack Simulation Training?

Attack Simulation Training is a feature within Microsoft 365 that allows you to manage simulations and send them to users within the organisation to validate users awareness and behaviour when receiving what could potentially be harmful content and jeopardise the security posture of the organisation.

For example, test phishing emails can be sent that lure users into entering their credentials to non official websites where they haven’t validated the actual sender address, the accuracy of characters within the domain values, certificate values, general suspicious inaccuracies and so on.

The purpose of the simulations isn’t to identify users and punish them, more it is a means to provide a reporting tool to identify which users interact and fall victim to the attack and subsequently provide them with more training and to keep users awareness high by repeating simulations at regular (or irregular) intervals. Where repeat offenders are identified, this will then provide further justification for enhanced training to these individuals or more stringent security features and configuration targeted to them.

By scheduling attack simulations periodically will go some way in ensuring that users remain vigilant and improve their security awareness.

License Requirements

Attack Simulation Training is included with Microsoft Defender for Office 365 Plan 2, or as part of the bundled Microsoft 365 E5 plan.


Credential HarvestA message is sent with a URL contained. The URL resolves to a website that looks to be genuine but is not and contains credential prompt where the unsuspecting user would enter their credentials and ultimately provide these to the attacker.
Malware AttachmentA message is sent with an attachment included. When the attachment is opened, code will run for example from a macro that would provide the attacker means of infiltration.
Link in AttachmentA message is sent that contains an attachment. A malicious URL in the attachment looks to be genuine but is not and contains credential prompt where the unsuspecting user would enter their credentials and ultimately provide these to the attacker.
Link to MalwareA message is sent that contains a link to a shared file storage location that contains a malicious file. When opened, code will run for example from a macro that would provide the attacker means of infiltration.
Drive-by URLA message is sent that contains a URL. The site will attempt to obtain information about the device or run malicious code.


For the example, I will be scheduling a Credential Harvest simulation to all users within the organisation.

  • Open the M365 Security and Compliance centre and select ‘Attack Simulation Training’ from the left hand pane under ‘Email and collaboration’
  • Select ‘Simulation’ from the top ribbon and select ’Launch a simulation’
  • Select ‘Credential Harvest’ and ‘Next’
  • Provide a relevant name and description for the simulation and select ‘Next’
  • Choose 1 of the templated payloads, or create a custom payload. Customisation includes adding themes, sender addresses, industry type, email template and so on. Select the template to see a preview on the right hand side. Once chosen, select ‘Next’
  • Scope the simulation by selecting either specific users and groups or all users in the organisation. Select ‘Next’ to continue
  • In the ‘Assign Training’ section, you can choose whether to let Microsoft automatically send training material post simulation to users, explicitly decide which training users get, or provide no subsequent training. If selected, relevant training material will be distributed to scoped users post simulation to help them better understand the dangers of these types of attack and educate them for better handling future events.

Define a training due date to ensure that users complete training by either 7, 15 or 30 days post simulation. Select ‘Next’ to continue

  • If ‘Select training courses and modules myself’ was selected as per this example, add training materials from the list provided. Preview functionality lets you view a sample of the training material.
  • To ensure that only required users are assigned the training, choose from either ‘All Users’, ‘clicked payload’ or ‘Compromised’ (or a combination). This will allow those users who did not either click the URL/Open the attachment or interacted further with the content to be excluded from training that they are already familiar with. Select ‘Next’ to continue
  • At the ‘Landing Page’ section, make relevant selections for the landing page including layout and logo. Preview the page. Select ‘Next’ to continue
  • Select when to launch the simulation, either immediately or to a schedule and a value for the number of days after simulation initiated to end it (2-30 days)
  • Select ‘Next’ to continue and review the configuration. Send a test if required
  • Click ‘Submit’ to finalise.
  • Returning to the Attack Simulation Training page will detail the simulations; ‘scheduled’, ‘in progress’ and ‘completed’. Other detail and reporting can be easily viewed by drilling deeper into the simulations.
  • Once the simulation has commenced and users start to receive the emails, they will receive an email such as the below
  • If a user does interact with the email, their experience Is as follows –
  • If credentials are submitted, the users are greeted with the landing page and provided with some further information such as detail which was visible that they could have picked up on (email addresses, questionable themes/branding, content advising urgency, hyperlink values and so on). If training was also selected as part of the simulation exercise, it is detailed at the bottom of the landing page
  • An email is received containing the training materials and a due date
  • Back in the Attack Simulation Training area of the security portal further visibility of the simulation can be seen
  • Scheduled automation of simulations can be configured including configuration of randomised payloads that run either to a defined schedule or randomly within defined recurrence periods (weekly/monthly)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: