Microsoft Attack Simulation Training.

Your people are your perimeter. It is crucial to empower your employees to protect themselves from phishing attacks with intelligent simulations and targeted training. As part of Microsoft 365 Defender, an attack simulation training is available. In this blog, I’d like to introduce you to this “hidden” and more often “forgotten” gem.

Tim Struik – Consultant

Phishing remains the most common form of cybercrime with an estimated 3.4 billion spam messages per day. The number of phishing attacks also increased sharply last year by as much as 61%, increasing the likelihood that one of us could be the next target or worse – victim.

Preventing phishing attacks by mere technical means is impossible. Therefore, it is important to build awareness and help your employees recognise and report suspected phishing attempts. This protects both themselves and your company.

You can use Microsoft’s Attack Simulation Training within your organisation to automatically check and increase your employees’ digital resilience, and create awareness. As the name suggests, you do this by launching a fictitious ‘attack’ on your organisation. This blog will explain how to get started and add value when conducting an Attack Simulation Training in the Microsoft 365 Defender Portal.

Preparation – The Key To Success

Campaign components to prepare in the Microsoft Attack Simulation Training.

The Attack Simulation Training is part of the Microsoft 365 E5 and Defender for Office 365 Plan 2 licenses. If you have the Attack Simulation Training available to you through one of these licenses, it is a wasted opportunity to leave this tool unused. Note that the simulation will be most effective if you manage to involve as few colleagues as possible in the preparation.

To prepare an Attack Simulation Training programme, you start by creating a campaign in which you work through and prepare various components. These are the components listed to the left; some of them are optional, but most are necessary.

Attack Techniques

Within Attack Simulation Training, you create campaigns in which you accurately prepare a simulated attack targeting your own organisation. In the setup of this simulated attack, you can use predefined attack techniques, including the following:

  • Credential Harvest
  • Malware Attachment
  • Link to Malware

For this blog we will focus on the “Credential Harvest” technique to fully illustrate the Attack Simulation Training.

The Core Of The Attack

Page preview on payload and login page for the Attack Simulation Training

The first content component to configure is a so-called “payload”. This is the core of the attack: the composition of the mail (or Teams message) presented to end users. The image above highlights the dozens of predefined Microsoft payloads ready for you.

As an example, the image to the right shows what the predefined payload “Account disconnection” email looks like to an end user.

In addition to predefined payloads, it is also possible to create your own. This gives you the chance to send more realistic attack emails. Before composing your own payload, the entire Attack Simulation Training must be designed and thought through.

Predefined Microsoft Simulation Training payload email.

Therefore, when you create your own payload you need to add the following components:

  • From name – Sender
  • From email – Sending address
  • Email subject – Subject line
  • Phishing link – The link in the email that leads to the simulated login page
  • Email message

Payload Email Example

Payload preview indicator example in Microsoft Attack Simulation Training.

Part of creating a payload is marking so-called “indicators”: signals that you specify for an end user to pick up on as phishing cues. Examples include spelling errors, an incorrect or unusual salutation, a different signature, etc. To the left is a payload preview example of an indicator; “Volgende” translates to Next and “Vorige” translates to Previous.

The hyperlink in the email above points to a Microsoft-like login page. Noteworthy here is that each end user receives a unique URL in their phishing email. This means that, for detection purposes, it does not technically matter what the end user enters on this login page: everything the end user enters here is recorded by the Attack Simulation Training as “credentials supplied”. After creating a payload, you can send it to yourself (shown in the image below) for testing, to gauge what the end user will ultimately receive.

"Send a Test" payload email option in Microsoft Attack Simulation Training portal.

Important Elements To Consider

Importantly, prior to putting together the entire Attack Simulation Training and when configuring a payload, it is strongly recommended to have the following in mind:

  • To whom the Attack Simulation Training is sent
  • From whose name it will be sent
  • When it will be sent (weekend or weekday)
  • What time the Attack will be sent out
  • What devices will the email be expected to be read on

When composing the payload you can also take the following into consideration. If the attack email is sent during the day and an entire department is in a meeting, you run the risk that the attack email will be recognised as malicious. In principle, it is fine to send out the attack email, but there may be one colleague who recognises the phishing attempt and shares it with colleagues. In addition, an attack email may be slightly harder to recognise on mobile devices, as fewer details are shown on smaller screens. Finally, when using MTD solutions such as Lookout, you should test that the MTD solution does not intercept the attack email. More tips and aspects to consider are highlighted by Microsoft here.

Assign Users

When assigning the users to be involved in this attack, you can choose to include all users or only specific users or groups. Our advice is to include all users: why make any exceptions? If you still want to assign specific users, you can do so per:

  • User
  • Distribution list
  • Mail-enabled security group
  • All users (guest users excluded)

Back To School

The next component of the Attack Simulation Training is to assign a training when a user clicks the link and fails their phishing test. This step is optional, and you are presented with a choice between: a) Microsoft automatically assigning a training, based on how the attack simulation went for the user and their scores in previous trainings; b) allowing users to choose their own training option.

Finally, define a deadline for when the training must be completed by the user with the options being 7, 15, or 30 days after the Attack Simulation Training ends.

Oops, Clicked It. Now What?

After an end user clicks on the phishing link, they come to a Microsoft-like login page. At this stage, if someone assumes the email and login page are legitimate and also provides a username and password, this user will be taken to a landing page.

This landing page can be branded with your company logo for recognition. Predefined landing pages from Microsoft are provided and can be used, or it is possible to create one yourself with a reference URL to your own landing page. An example of a predefined landing page is highlighted below. Underneath this notification is the option to display the phishing email with the previously flagged indicators. This gives the end user a chance to see what they should have recognised as a phishing email. Hereafter, the end user can immediately start taking awareness training.

Example of landing page the end user can be referred to after clicking the Attack Simulation Training link.

You’ve Got Mail!

Furthermore, you can define notifications that an end user receives in the following circumstances:

  • User recognises and reports the phishing mail (positive reinforcement)
  • There is training ready for the user
  • Reminder for a training that is ready and not yet completed

With these notifications there is some flexibility to specify what times or intervals the end user receives them. An example of the positive reinforcement notification is shown below and there is also the option to create your own notifications here in addition to predefined ones.

Positive reinforcement notification of end user reporting the attack email.

Ready For Takeoff

Defining the launch details is one of the last parts of actually firing an Attack Simulation Training at your end users. There are two ways to move forward here:

  • Immediately start the Attack Simulation Training and put end users to the test
  • Schedule the Attack Simulation Training.
    E.g. you can schedule it for a Sunday night without having to be at the controls yourself at the time.

Regardless of the situation, you should always indicate how long the Attack Simulation Training will last, in other words, for how long end users can click on the phishing link in the email. This is illustrated in the image on the right. Keep in mind that you can only plan this a few weeks in advance.

It’s All In The Details

Finally, when putting together an Attack Simulation Training, you get a summary of your campaign. Here you can also send another test email to see (almost completely) what the end user will see.

Gut Feeling Is Good, Data Is Better

Given that each end user receives a unique URL in the phishing email, it is also possible to see accurately how the Attack Simulation Training is going. For example, the dashboard shows the following:

At a glance, the dashboard shows how the end users acted and scored in the Attack Simulation Training. It is even possible to see at an individual level who reacted and how they acted on the phishing mail. However, the data may become somewhat polluted after a few days. Experience shows that when the first group of end users fail the test, colleagues are quickly notified that the email is a deliberate test phishing email. Users may then deliberately start clicking on the link to see what happens next, whereas without notifications from colleagues they might have acted differently.

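To make the pollution effect described above measurable, the following added example (not part of the original post or of Microsoft's tooling) computes the usual campaign rates from per-user results and flags clicks that happened after the first colleague reported the mail plus a grace period. The result format and the sample data are constructed assumptions; map your own export onto the `UserResult` fields.

```python
"""Analyse per-user results of a phishing simulation and flag likely 'polluted' clicks."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class UserResult:
    """One recipient's timeline; None means the event did not happen. Field names are assumed."""
    user: str
    delivered: datetime
    clicked: Optional[datetime] = None
    credentials_supplied: Optional[datetime] = None
    reported: Optional[datetime] = None


def summarise(results: List[UserResult], grace: timedelta = timedelta(minutes=30)) -> dict:
    """Return click/compromise/report rates plus the users who clicked after the
    first report (plus `grace`), i.e. clicks that may be curiosity after a colleague's warning."""
    total = len(results)
    clicked = [r for r in results if r.clicked]
    supplied = [r for r in results if r.credentials_supplied]
    reported = [r for r in results if r.reported]
    first_report = min((r.reported for r in reported), default=None)
    suspect: List[str] = []
    if first_report is not None:
        cutoff = first_report + grace
        suspect = [r.user for r in clicked if r.clicked > cutoff]
    rate = lambda n: round(n / total, 3) if total else 0.0
    return {
        "users": total,
        "click_rate": rate(len(clicked)),
        "compromise_rate": rate(len(supplied)),
        "report_rate": rate(len(reported)),
        "first_report": first_report,
        "clicks_after_first_report": suspect,
    }


# Constructed sample (not real data): campaign scheduled Sunday 21:00, mail read Monday morning.
T0 = datetime(2023, 5, 21, 21, 0)
SAMPLE = [
    UserResult("alice", T0, clicked=T0 + timedelta(hours=11),
               credentials_supplied=T0 + timedelta(hours=11, minutes=2)),
    UserResult("bob", T0, reported=T0 + timedelta(hours=11, minutes=10)),   # first reporter
    UserResult("carol", T0),                                                 # ignored the mail
    UserResult("dave", T0, clicked=T0 + timedelta(hours=13)),                # well after bob's report
    UserResult("erin", T0, clicked=T0 + timedelta(hours=11, minutes=20)),    # inside the grace window
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Clicks listed under `clicks_after_first_report` are worth reviewing separately before drawing conclusions about individual users.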
With the above, I hope to have illustrated the possibilities of an Attack Simulation Training and its value for your organisation. If you are interested in this topic or would like support with setting up an Attack Simulation Training, let us know.

Author: Tim Struik

Reach out to us if you would like any more detail regarding this blog.
