Attack simulation training – part 1

Welcome to part 1

In my introduction to this series, I stressed the importance of training and testing users.  I was planning to start the series with Zero Trust strategy and build on that, but since I wrote about training and testing last time, I decided to start with attack simulation training.  I also wanted to start with something that I think is fun. 

“Attack simulation training enables Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations to measure and manage social engineering risk by allowing the creation and management of phishing simulations that are powered by real-world, de-weaponized phishing payloads. Hyper-targeted training, delivered in partnership with Terranova Security, helps improve knowledge and change employee behavior.”

We will be sending an email to a user as a test. The email is from a fictitious, malicious actor. The target is Mr. Malware Link (ML). The email will contain a link that the actor is hoping ML will click on. If ML clicks the link, it will open an attachment from a file sharing site such as Dropbox or SharePoint. The attachment contains malicious code that will be installed on ML’s machine.

You must be assigned one of the following roles:

  • Global Administrator
  • Security Administrator
  • Attack Simulation Administrators: Create and manage all aspects of attack simulation campaigns.
  • Attack Payload Author: Create attack payloads that an admin can initiate later.

Go to the Microsoft 365 Defender home page and launch “Attack simulation training”.

Click “Launch a simulation”.

Techniques: Credential Harvest | Malware Attachment | Link in Attachment | Link to Malware | Drive-By URL

Name Simulation
Type a name and description.

Click next.

Select Payload
Search for and select “You filled out and signed a document”. Confirm that the language is correct.

Click next.

Target Users
You can include all users in the organization or specific groups.

Click next.

Assign Training
Select the training content preference dropdown and choose “Microsoft training experience (Recommended)”.
Select a training due date from the dropdown. I chose 7 days.

Click next.

Landing Page
Landing page preference: Choose “Use Microsoft default landing page”.
Landing page layout: Choose “Microsoft Landing Page Template 2”. Click “Open preview panel” to see the email to be sent.
Add a logo.
(I always check “Add payload indicators” if it is available).

Click next.

Select end user notification
Select “Microsoft default notification (recommended)”.
Select your default language.
Choose “Deliver during campaign” for this, but you may want to deliver when your campaign is over so users don’t alert each other. Get your help desk ready to field some calls.

Click next.

Launch Details
Choose “Launch this simulation as soon as I’m done”.
Configure the number of days after which the simulation ends (2-30).
Check “Enable region aware timezone delivery”.

Click next, review and click submit.
You can check status on the Microsoft 365 Defender homepage.

Mr. Malware Link received an email! Let’s see what happens in part 2. Stay tuned.