Your people are your perimeter. It is crucial to empower your employees to protect themselves from phishing attacks with intelligent simulations and targeted training. As part of Microsoft 365 Defender, an attack simulation training is available. In this blog, I’d like to introduce you to this “hidden” and more often “forgotten” gem.
Tim Struik – Consultant
Phishing remains the most common form of cybercrime with an estimated 3.4 billion spam messages per day. The number of phishing attacks also increased sharply last year by as much as 61%, increasing the likelihood that one of us could be the next target or worse – victim.
Preventing phishing attacks by mere technical means is impossible. Therefore, it is important to build awareness and help your employees recognise and report suspected phishing attempts. This protects both themselves and your company.
You can use Microsoft’s Attack Simulation Training within your organisation to automatically check and increase your employees’ digital resilience, and create awareness. As the name suggests, you do this by launching a fictitious ‘attack’ on your organisation. This blog will explain how to get started and add value when conducting an Attack Simulation Training in the Microsoft 365 Defender Portal.
Preparation – The Key To Success
The Attack Simulation Training is part of the Microsoft 365 E5 and Defender for Office 365 Plan 2 licenses. If you have the Attack Simulation Training available to you through one of these licenses, it is a wasted opportunity to leave this tool unused. It is worth noting that the simulation will be most effective if you involve as few colleagues as possible in the preparation.
To prepare an Attack Simulation Training programme, you start by creating a campaign in which you work through and prepare the various components listed in the campaign wizard (shown to the left). Some of these components are optional, but most are required.
Within Attack Simulation Training, you create campaigns in which you accurately prepare a simulated attack targeting your own organisation. In the setup of this simulated attack, you can use predefined attack techniques, including the following:
- Credential Harvest
- Malware Attachment
- Link to Malware
For this blog we will focus on the “Credential Harvest” technique to fully illustrate the Attack Simulation Training.
The Core Of The Attack
The first component to configure is the so-called “payload”. This is the core of the attack: the composition of the email (or Teams message) presented to end users. The image above highlights the dozens of predefined Microsoft payloads available to you.
As an example, the image to the right shows what the predefined payload “Account disconnection” looks like to an end user.
In addition to predefined payloads, it is also possible to create your own. This gives you the chance to send more realistic attack emails. Before composing your own payload, the entire Attack Simulation Training must be designed and thought through.
When you create your own payload, you need to supply the following components:
- From name – Sender
- From email – Sending address
- Email subject – Subject line
- Phishing link – the link the email points to
- Email message
Payload Email Example
Part of creating a payload is specifying so-called “indicators”: signals in the email that you mark so that an end user can learn to pick them up as phishing cues. Examples include spelling errors, an incorrect or unusual salutation, a different signature, etc. To the left is a payload preview showing an indicator; “Volgende” translates to Next and “Vorige” translates to Previous.
The hyperlink in the email above points to a Microsoft-like login page. Noteworthy here is that each end user receives a unique URL in their phishing email, so the simulation can attribute every visit to a specific user. This means that, for detection purposes, it does not technically matter what the end user enters on this login page: anything the end user submits here is recorded by the Attack Simulation Training as “credentials supplied”. After creating a payload, you can send it to yourself (shown in the image below) for testing, to gauge what the end user will ultimately receive.
Important Elements To Consider
Importantly, prior to putting together the entire Attack Simulation Training and when configuring a payload, it is strongly recommended to have the following in mind:
- To whom the Attack Simulation Training is sent
- From whose name it will be sent
- When it will be sent (weekend or weekday)
- What time the Attack will be sent out
- What devices will the email be expected to be read on
When composing the payload, you can also take the following into consideration. If the attack email is sent during the day and an entire department is in a meeting, you run the risk that the attack email will be recognised as malicious. In principle, it is fine to send out the attack email, but there may be one colleague who recognises the phishing attempt and shares it with colleagues. In addition, an attack email may be slightly harder to recognise on mobile devices, as fewer details are shown on smaller screens. Finally, when using MTD (Mobile Threat Defense) solutions such as Lookout, you should test that the MTD solution does not intercept the attack email. More tips and aspects to consider are highlighted by Microsoft here.
When assigning the users to be involved in this attack, you can choose to include all users or only specific users or groups. Generally it is best to include all users; our logic is: why make any exceptions? If you still want to assign specific users, you can do so per:
- Distribution list
- Mail-enabled security group
- All users (guest users excluded)
Back To School
The next component of the Attack Simulation Training is to assign a training when a user clicks the link and fails their phishing test. This step is optional, and you are presented with a choice between: a) Microsoft automatically assigning a training, based on how the attack simulation went for the user and scored against previous trainings; b) allowing users to choose their own training option.
Finally, define a deadline for when the training must be completed by the user with the options being 7, 15, or 30 days after the Attack Simulation Training ends.
Oops, Clicked It. Now What?
After an end user clicks on the phishing link, they come to a Microsoft-like login page. At this stage, if someone assumes the email and login page are legitimate and also provides a username and password, this user will be taken to a landing page.
This landing page can be branded with your company logo for recognition. Microsoft provides predefined landing pages that you can use, or you can create one yourself, or reference the URL of your own landing page. An example of a predefined landing page is highlighted below. Underneath this notification is the option to display the phishing email with the previously flagged indicators. This gives the end user a chance to see what they should have recognised as a phishing email. Hereafter, the end user can immediately start taking awareness training.
You’ve Got Mail!
Furthermore, you can define notifications that an end user receives in the following circumstances:
- User recognises and reports the phishing mail (positive reinforcement)
- There is training ready for the user
- Reminder for a training that is ready and not yet completed
With these notifications there is some flexibility to specify what times or intervals the end user receives them. An example of the positive reinforcement notification is shown below and there is also the option to create your own notifications here in addition to predefined ones.
Ready For Takeoff
Defining the launch details is one of the last steps before actually firing an Attack Simulation Training at your end users. There are two ways to move forward here:
- Immediately start the Attack Simulation Training and put end users to the test
- Schedule the Attack Simulation Training, e.g. on a Sunday night, without having to be at the controls yourself at the time.
Regardless of the situation, you should always indicate how long the Attack Simulation Training will last; in other words, for how long end users can click on the phishing link in the email. This is illustrated in the image on the right. It is important to keep in mind that you can only plan this a few weeks in advance.
It’s All In The Details
Finally, when putting together an Attack Simulation Training, you get a summary of your campaign. Here you can also send another test email to see (almost completely) what the end user will see.
Gut Feeling Is Good, Data Is Better
Given each end user receives a unique URL in the phishing email, it is also possible to accurately see how the Attack Simulation Training is going. For example, the dashboard shows the following:
At a glance, the above shows how the end users acted and scored in the Attack Simulation Training. It is even possible to see on an individual level who reacted to the phishing mail and how. However, the data may become somewhat polluted after a few days. Experience shows that when the first group of end users fail the test, colleagues are quickly notified that the email is a deliberate test phishing email. Users may then deliberately start clicking on the link to see what happens next, whereas without a warning from colleagues they might have acted differently.
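To make the “polluted data” effect measurable, the following added example (not code from the blog or from Microsoft) takes per-user outcomes of the kind the dashboard reports (clicked, credentials supplied, reported) and splits clicks at the moment of the first report, the point after which colleague warnings start to skew behaviour. The records and field names are constructed for this illustration and are not the Defender portal’s export format.

```python
from datetime import datetime

# Constructed sample (not real data): one row per end user with the time of
# the first occurrence of each outcome, or None if it never happened.
# Field names are assumptions, not the Defender portal's export format.
RESULTS = [
    {"user": "alice", "clicked": "2024-03-11T08:02", "creds": "2024-03-11T08:03", "reported": None},
    {"user": "bob",   "clicked": "2024-03-11T08:10", "creds": None,               "reported": "2024-03-11T08:12"},
    {"user": "carol", "clicked": None,               "creds": None,               "reported": "2024-03-11T08:20"},
    {"user": "dave",  "clicked": "2024-03-11T09:30", "creds": "2024-03-11T09:31", "reported": None},
    {"user": "erin",  "clicked": None,               "creds": None,               "reported": None},
    {"user": "frank", "clicked": "2024-03-11T10:05", "creds": None,               "reported": None},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def classify(row):
    """Outcome for one user; supplying credentials outranks everything else."""
    if row["creds"]:
        return "credentials supplied"
    if row["clicked"] and row["reported"]:
        return "clicked then reported"
    if row["reported"]:
        return "reported"
    if row["clicked"]:
        return "clicked"
    return "no action"

def summarise(rows):
    """Campaign-level counts and rates, as the dashboard shows them."""
    n = len(rows)
    clicked = sum(1 for r in rows if r["clicked"])
    creds = sum(1 for r in rows if r["creds"])
    reported = sum(1 for r in rows if r["reported"])
    return {"delivered": n, "clicked": clicked, "credentials_supplied": creds,
            "reported": reported, "click_rate": round(clicked / n, 2),
            "report_rate": round(reported / n, 2)}

def clicks_around_first_report(rows):
    """Split clicks at the first report: once one colleague has recognised the
    mail, later clicks may be curiosity clicks rather than genuine failures."""
    reports = [_ts(r["reported"]) for r in rows if r["reported"]]
    if not reports:
        return {"first_report": None, "before": summarise(rows)["clicked"], "after": 0}
    first = min(reports)
    before = sum(1 for r in rows if r["clicked"] and _ts(r["clicked"]) < first)
    after = sum(1 for r in rows if r["clicked"] and _ts(r["clicked"]) >= first)
    return {"first_report": first.isoformat(), "before": before, "after": after}
```

Clicks in the "after" bucket are worth reviewing individually before treating them as training failures; a wave of clicks shortly after the first report is the signature of the word-of-mouth effect described above.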
With the above, I hope to have illustrated the possibilities of an Attack Simulation Training and its value for your organisation. If you are interested in this topic or would like support with setting up an Attack Simulation Training, let us know.
Author: Tim Struik
Reach out to us if you would like any more detail regarding this blog.