Phishing is still the most common attack used to compromise individuals, primarily because it is the easiest and cheapest tactic. The average user is still very susceptible to the advanced email social engineering that bad actors are capable of crafting. There are many technical controls for combating phishing, but the best defense is a well-educated user. We need to provide constant training and education to users regarding the latest tactics in use, and the understanding that they are being targeted, even if they feel their account has no significant value that would cause a financial loss. Every user account, from receptionist to CEO, is a target.
Microsoft Attack Simulator has been around for a few years with four key tactics to simulate attacks against internal users. I wrote about Attack Simulator and its capabilities last year. However, since then Microsoft has released into General Availability a significant update to Attack Simulator, now called Attack Simulation Training, that includes several additional scenarios, full featured reporting, and, best of all, interactive training. This feature is included with Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 licenses, which was the same license requirement for Attack Simulator.
This new experience is available in the new Microsoft 365 Security Center (https://security.microsoft.com). The following are the new features available with the updated solution.
Microsoft provides five techniques to choose from when creating a simulation. These are based on the MITRE ATT&CK® framework. The first technique, Credential Harvest, is similar to Attack Simulator. The additional techniques are to provide a variety of scenarios to simulate different styles of attacks. You can anticipate additional techniques to be developed for this solution in the future. Here are the five selections:
Payload is now the term for the templates you create and configure to launch your simulations. Microsoft provides dozens of templates covering some of the most common attack scenarios. These payloads can be copied and then customized to meet your requirements.
You can also create a custom payload. Currently, only email payloads are available, but Microsoft plans to create Webpage, SMS, and Teams based payloads to broaden your attack scenarios.
The creation of the payload for email is similar to the former Attack Simulator. You can still enter Sender details, choose your phishing link, and configure an email using code or rich text editor. However, Microsoft has provided a new list of Phishing URLs as well as two new options. These include categorization of the attack as well as an ability to import an email, if you prefer to draft your email outside of the payload creation wizard.
Indicators are an additional configuration option for payloads that help users identify what was wrong with the email if they clicked on it. They will see this information on the compromised splash page. Specific items of the email can be flagged and given a pop-up tip that explains to the user why that item should have been a sign of a phishing attempt.
You can assign indicators to DisplayName, Subject, or anything in the Message Body of the email configured. These are configured with custom payloads. Pre-built payloads have these defined and cannot be altered.
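The indicator concept described above, as an added illustration that is not code from the page or from Microsoft's product: a constructed sample email is matched against hypothetical indicator definitions on the same three fields (DisplayName, Subject, Message Body), plus one derived check that a practitioner usually wants on the landing page, a link whose visible text points to a different host than its real target. All names, patterns and sample values are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample simulation email (not a real payload; hostnames use the
# reserved .test TLD so nothing here resolves).
SAMPLE_EMAIL = {
    "display_name": "IT Helpdesk",
    "from_address": "helpdesk@mail-support.test",
    "subject": "URGENT: your password expires today",
    "body_html": (
        "Your mailbox will be locked in 24 hours. "
        '<a href="https://login.mail-support.test/reset">https://portal.example.com/reset</a>'
    ),
}

# Hypothetical indicator definitions: one regex per field, each with the tip the
# user would see on the compromised landing page.
INDICATORS = [
    {"field": "display_name", "pattern": r"helpdesk|it support",
     "tip": "Generic sender name; check the actual sending address."},
    {"field": "subject", "pattern": r"urgent|expire",
     "tip": "Urgency in the subject line is a classic lure."},
    {"field": "body_html", "pattern": r"locked in \d+ hours",
     "tip": "A deadline threat pushes you to act before thinking."},
]


def match_indicators(email, indicators=INDICATORS):
    """Return (field, matched_text, tip) for every configured indicator that fires."""
    hits = []
    for ind in indicators:
        m = re.search(ind["pattern"], email.get(ind["field"], ""), re.IGNORECASE)
        if m:
            hits.append((ind["field"], m.group(0), ind["tip"]))
    return hits


def link_mismatches(body_html):
    """Find anchors whose visible text is a URL on a different host than the href."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body_html, re.IGNORECASE):
        shown = text.strip()
        if "://" in shown and urlparse(href).hostname != urlparse(shown).hostname:
            out.append((shown, href))
    return out


def landing_page_tips(email):
    """Combine configured indicators and the derived link check into landing-page tips."""
    tips = [f"{fld}: '{text}' -> {tip}" for fld, text, tip in match_indicators(email)]
    for shown, actual in link_mismatches(email["body_html"]):
        tips.append(f"link: text shows {shown} but points to {actual}")
    return tips


if __name__ == "__main__":
    for tip in landing_page_tips(SAMPLE_EMAIL):
        print(tip)
```

The derived link check is not something the page says the product configures for you; it is included because a mismatch between anchor text and target is the indicator users most often miss, and a custom body indicator cannot express it with a plain pattern.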
Training is largely what is new with Attack Simulation. With this addition, Microsoft’s solution can generally compete with other phishing simulation solutions on the market.
Currently, there is no option to create custom training. You are limited to what Microsoft provides. However, the options available are very well done and concise. It is recommended that training be assigned to every simulation, but you do have the option not to assign training.
If you do assign training, you can let Microsoft dynamically assign the training or you can manually assign training. A due date can also be assigned, however, currently it is not actually enforceable. It would be nice to see this integrated with Azure AD Conditional Access to block access to those that haven’t completed their training.
When manually assigning training, there are roughly 25 available training courses ranging from 1 to 7 minutes in length. Once selected, you can then also determine whether to assign the training to all targeted users, or just those that clicked or were compromised.
Finally, you can configure a few items on the landing page if a user was compromised. This includes a Header and Body message. You can then preview the page syntax. The landing page will include any configured indicators as well as links to the training and the ability to add it to your calendar.
Training - User Experience
If a user is compromised, they will first be directed to the training landing page. They can take the assigned training from there, but they will also receive an email.
Users can either click on the link in the email or go directly to https://security.microsoft.com/trainingassignments. Here they will see a list of assigned training. Each training is done directly in the web browser. The courses are interactive, voice-enabled slides that require the user to participate rather than just read some material.
Attack Simulation Training provides full reporting details of all simulations and trainings done within the environment, and also informs you of the overall coverage of who has been targeted. There are four environmental reports for the solution:
- Training Efficacy: Displays compromised statistics for each simulation run
- User Coverage: Displays list of users that were part of a simulation as well as a count of users that have not been attacked.
- Training Completion: Report of users and their training status
- Repeat Offenders: Users that were susceptible across multiple simulations
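The four environmental reports listed above, together with the earlier choice of assigning training to all targeted users or only to those who clicked or were compromised, as an added worked example that is not code from the page or from Microsoft's product. It computes each report from a constructed set of per-user simulation records; the record layout, status names and sample users are assumptions made for this example, not the product's export format.

```python
from collections import defaultdict

# Constructed sample data: one record per targeted user per simulation.
# status: "delivered" (no action), "clicked", or "compromised".
# training_done: True/False when training was assigned, None when it was not.
RESULTS = [
    {"sim": "Q1-credential-harvest", "user": "alice@example.com", "status": "compromised", "training_done": True},
    {"sim": "Q1-credential-harvest", "user": "bob@example.com",   "status": "clicked",     "training_done": False},
    {"sim": "Q1-credential-harvest", "user": "carol@example.com", "status": "delivered",   "training_done": None},
    {"sim": "Q2-link-in-body",       "user": "alice@example.com", "status": "compromised", "training_done": False},
    {"sim": "Q2-link-in-body",       "user": "bob@example.com",   "status": "delivered",   "training_done": None},
    {"sim": "Q2-link-in-body",       "user": "dave@example.com",  "status": "clicked",     "training_done": True},
]
# Constructed directory of all mailboxes in the tenant (erin has never been targeted).
ALL_USERS = {"alice@example.com", "bob@example.com", "carol@example.com",
             "dave@example.com", "erin@example.com"}

SUSCEPTIBLE = {"clicked", "compromised"}


def training_efficacy(results):
    """Compromise rate per simulation: compromised users / targeted users."""
    targeted, compromised = defaultdict(int), defaultdict(int)
    for r in results:
        targeted[r["sim"]] += 1
        if r["status"] == "compromised":
            compromised[r["sim"]] += 1
    return {sim: compromised[sim] / targeted[sim] for sim in targeted}


def user_coverage(results, all_users):
    """Who has been part of a simulation, and who has never been targeted."""
    targeted = {r["user"] for r in results}
    return {"targeted": sorted(targeted), "never_targeted": sorted(all_users - targeted)}


def training_completion(results):
    """Counts of assigned, completed and outstanding training assignments."""
    assigned = [r for r in results if r["training_done"] is not None]
    done = sum(1 for r in assigned if r["training_done"])
    return {"assigned": len(assigned), "completed": done, "outstanding": len(assigned) - done}


def repeat_offenders(results, min_sims=2):
    """Users who clicked or were compromised in at least min_sims distinct simulations."""
    per_user = defaultdict(set)
    for r in results:
        if r["status"] in SUSCEPTIBLE:
            per_user[r["user"]].add(r["sim"])
    return sorted(u for u, sims in per_user.items() if len(sims) >= min_sims)


def training_targets(results, sim, only_susceptible=True):
    """Users to assign training for one simulation: everyone targeted, or only clicked/compromised."""
    return sorted({r["user"] for r in results
                   if r["sim"] == sim and (not only_susceptible or r["status"] in SUSCEPTIBLE)})


if __name__ == "__main__":
    print("efficacy:", training_efficacy(RESULTS))
    print("coverage:", user_coverage(RESULTS, ALL_USERS))
    print("completion:", training_completion(RESULTS))
    print("repeat offenders:", repeat_offenders(RESULTS))
    print("Q1 training targets:", training_targets(RESULTS, "Q1-credential-harvest"))
```

Repeat offenders are counted on distinct simulations rather than raw records, so a user who clicked twice in one campaign is not counted twice; that is the metric most useful for deciding who gets the longer training modules.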
Additional reporting metrics are provided for each simulation run. These include specifics on who and how a user was compromised, training completion, and recommended actions.
With the addition of training, Microsoft Attack Simulation Training is now a full-featured phishing education solution. IT administrators should take full advantage of it to phish their own users before someone else does. This is not to trick or embarrass anyone. It is to provide education and awareness of the tactics used in the real world. There should be no guilt or hesitation when deciding whom to phish; everyone is a valid target.
Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.