Chris Stegh / Categories: Security

Security’s Softer Side: Best Practices for Simulating Phishing Attacks

Email is the number one vector for account compromise. Users are the key to defending against this vector, but human firewalls aren’t set to ‘deny all’ by default. They’re click-happy and will fall victim to zero-day attacks, leaving IT pros to scramble.


Knowing this, organizations have been using phishing simulations to help catch, and then coach, employees who fall for the bait. Phishing simulator testing tools from KnowBe4, SecurityIQ, and even SANS are popular.


Microsoft will soon release its own capability to launch simulated phishing attacks from within an organization’s Exchange Online service. It’s going to be called “Attack simulator” and its ETA is January 2018. They’re preparing to launch with 3 different attacks, one being spear phishing, and plan to have 15 attacks over time. End users licensed with the Office 365 E5 or Microsoft 365 M5 license will be able to receive simulated phishing attacks and have the results tracked.


As you consider tools and techniques, some best practices to apply no matter which tool is used include:


  • Send messages from believable senders, such as internal colleagues from whom emails are often received
  • Send messages at realistic times of the day/week
  • Make it relevant
    • Some examples are sign-ups for employee purchase programs or for after-work functions, email inbox size limit warnings, or a direct message from an executive.
  • Track and immediately follow up with the user. If your anti-phishing program is sophisticated enough, collate the video/follow-up training with the type of message that was just sent/clicked.
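The last practice, tracking results and matching follow-up training to the kind of lure that was clicked, is easy to automate once the simulator exports per-user events. The script below is an added illustration, not code from this post or from Microsoft’s Attack simulator: it scores a constructed set of simulation events per template (click rate, credential-submission rate, report rate) and assigns each user who clicked a training module keyed to the lure category. The event records, template names, categories and training module names are all made up for the example; reporting is treated as the desired behaviour and earns no training assignment.

```python
"""Score simulated-phishing results and assign category-specific follow-up training.

Added example: the events, template names, categories and training modules
below are constructed for illustration and are not from any real program.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical mapping from lure category to the coaching module shown to a
# user who fell for that kind of message.
FOLLOW_UP_TRAINING = {
    "employee_purchase": "module-deals-and-signups",
    "mailbox_quota": "module-it-notifications",
    "executive_request": "module-executive-impersonation",
}
DEFAULT_TRAINING = "module-general-phishing"

# Constructed simulation events: (user, template, category, event).
# "delivered" is recorded once per recipient; "clicked", "submitted" (entered
# credentials on the landing page) and "reported" (used the report button)
# follow as the user acts.
EVENTS = [
    ("alice", "tpl-purchase-01", "employee_purchase", "delivered"),
    ("alice", "tpl-purchase-01", "employee_purchase", "reported"),
    ("bob", "tpl-purchase-01", "employee_purchase", "delivered"),
    ("bob", "tpl-purchase-01", "employee_purchase", "clicked"),
    ("bob", "tpl-purchase-01", "employee_purchase", "submitted"),
    ("carol", "tpl-quota-02", "mailbox_quota", "delivered"),
    ("carol", "tpl-quota-02", "mailbox_quota", "clicked"),
    ("dave", "tpl-quota-02", "mailbox_quota", "delivered"),
    ("erin", "tpl-exec-03", "executive_request", "delivered"),
    ("erin", "tpl-exec-03", "executive_request", "reported"),
]

VALID_EVENTS = {"delivered", "clicked", "submitted", "reported"}


@dataclass
class TemplateStats:
    delivered: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def _rate(self, n: int) -> float:
        return n / self.delivered if self.delivered else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def submit_rate(self) -> float:
        return self._rate(self.submitted)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)


def summarize_by_template(events):
    """Count delivered/clicked/submitted/reported per template."""
    stats = defaultdict(TemplateStats)
    for _user, template, _category, event in events:
        if event not in VALID_EVENTS:
            raise ValueError(f"unknown event type: {event!r}")
        setattr(stats[template], event, getattr(stats[template], event) + 1)
    return dict(stats)


def overall_rates(events):
    """Program-wide click and report rates across every delivery."""
    totals = TemplateStats()
    for s in summarize_by_template(events).values():
        totals.delivered += s.delivered
        totals.clicked += s.clicked
        totals.submitted += s.submitted
        totals.reported += s.reported
    return totals


def assign_follow_up(events, training=FOLLOW_UP_TRAINING):
    """Map each user who clicked or submitted to the training for that lure category.

    Users who only reported the message get no assignment; that is the behaviour
    the program wants to reinforce, not correct.
    """
    assignments = defaultdict(set)
    for user, _template, category, event in events:
        if event in ("clicked", "submitted"):
            assignments[user].add(training.get(category, DEFAULT_TRAINING))
    return {user: sorted(modules) for user, modules in assignments.items()}


def reporters(events):
    """Users who reported the simulated message without ever clicking it."""
    clicked = {u for u, _, _, e in events if e in ("clicked", "submitted")}
    reported = {u for u, _, _, e in events if e == "reported"}
    return sorted(reported - clicked)


if __name__ == "__main__":
    for name, s in summarize_by_template(EVENTS).items():
        print(f"{name}: click {s.click_rate:.0%}, submit {s.submit_rate:.0%}, report {s.report_rate:.0%}")
    print("follow-up:", assign_follow_up(EVENTS))
    print("reported without clicking:", reporters(EVENTS))
```

Feed the script the simulator's export instead of the constructed list and the per-template report rate becomes the most useful number to watch over time: a program is working when the report rate climbs and the click rate falls for each lure category, not just in aggregate.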


And finally, a few notable screenshots of MSFT’s upcoming capability.


The administrator experience is shown first, accessible via the Security and Compliance Center in the O365 admin portal.


A user experience (an example phish) is shown below, with a few callouts showing how the SMTP sender and URLs can be changed using the tool, just as an attacker would do.


Stay tuned to this blog for updates as this service is released and tested by our security engineers.


Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Tags: Security