What is Spear Phishing?
Spear phishing is similar to “traditional” phishing, with the primary difference being that the attack is tailored to you or your organization using information the attacker has gathered beforehand. The attacker first spends time researching you or your organization (through public web sites and social media, or with information obtained from an earlier compromise), then builds a spear phishing email campaign aimed at specific individuals or small groups within the organization. These emails are crafted to look as legitimate and unremarkable as possible, tempting users to hand over corporate credentials, account information, payments, and so on.
How can we protect against spear phishing attacks?
- Training and knowledge can be a great first line of defense. Train the organization on what to look for in an email before clicking links or providing private information. Common items to look for are:
- Spelling and grammar errors in emails
- Greetings that are broad or generic
- Emails that ask for personal information such as credentials, payment or account information, etc.
- Mismatched URLs (the visible link text does not match the actual destination) or links to external domains
- Conduct “test” spear phishing campaigns within the organization to assess user behavior. Test campaigns provide insight into how well the organization handles these types of attacks, as well as who may have dropped their guard (or not).
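The indicators in the list above can also be checked mechanically, which is useful both for triaging reported mail and for sanity-checking your own test campaign before it goes out. The script below is an added example written for this article; it is not part of Attack Simulator or of the original page. It uses only the Python standard library, assumes a hypothetical organization domain of contoso.com, and runs over two constructed sample messages (one phishing, one benign). Spelling and grammar checking is left out because it needs a dictionary; the other indicators (generic greeting, requests for sensitive information, external sender, and mismatched or external links) are flagged.

```python
# Added example (not part of the original article or of Attack Simulator).
# Standard library only; ORG_DOMAIN and the sample messages are constructed.
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "contoso.com"           # assumption: the organization's own mail domain
ORG_NAME = ORG_DOMAIN.split(".")[0]  # "contoso", used to spot display-name impersonation
GENERIC_GREETINGS = ("dear customer", "dear user", "dear employee", "dear sir/madam")
SENSITIVE_REQUESTS = ("password", "credentials", "verify your account", "account number",
                      "wire transfer", "payment details")
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-case host of a URL or bare domain; '' if the value is not URL-like."""
    value = value.strip()
    if not _URL_LIKE.match(value):
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _is_external(host):
    return bool(host) and host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN)

def phishing_indicators(raw_message):
    """Return the indicators found in one RFC 822 message, as readable strings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    # External sender, possibly with a display name that claims to be internal.
    display_name, address = email.utils.parseaddr(msg.get("From", ""))
    sender_host = address.rpartition("@")[2].lower()
    if _is_external(sender_host):
        found.append(f"external sender domain: {sender_host}")
        if ORG_NAME in display_name.lower():
            found.append(f"display name '{display_name}' impersonates {ORG_NAME}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # Crude tag strip, good enough for keyword checks.
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip().lower()
    # Greeting that is broad or generic.
    for greeting in GENERIC_GREETINGS:
        if text.startswith(greeting):
            found.append(f"generic greeting: '{greeting}'")
            break
    # Requests for credentials, payment or account information.
    asks = [term for term in SENSITIVE_REQUESTS if term in text]
    if asks:
        found.append("asks for sensitive information: " + ", ".join(asks))
    # Links whose visible text does not match the real target, or that leave the org.
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target, shown = _host(href), _host(visible)
        if shown and target and shown != target:
            found.append(f"link text shows {shown} but points to {target}")
        if _is_external(target):
            found.append(f"link to external domain: {target}")
    return found

# Constructed sample messages, not real mail.
SAMPLE_PHISH = """From: "Contoso IT Helpdesk" <helpdesk@contoso-support.net>
Subject: Action required: password expiring
Content-Type: text/html; charset=utf-8

<html><body><p>Dear user,</p><p>Your password expires today. Please visit
<a href="http://portal.contoso.com.login-verify.net/auth">https://portal.contoso.com</a>
to verify your account.</p></body></html>
"""
SAMPLE_LEGIT = """From: Alice Adams <alice@contoso.com>
Subject: Cafe menu
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Bob,</p><p>This week's menu is on the
<a href="https://intranet.contoso.com/cafe">intranet</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The link check is the one worth keeping even if you drop the rest: a visible URL whose host differs from the href host is the classic spear phishing tell, and it is exactly what the Attack Simulator's “Phishing Login Server URL” setting exercises when you run a test campaign.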
One way to accomplish “test” spear phishing campaigns is with the Office 365 Spear Phishing Attack Simulator. This article will cover several aspects of Office 365 Spear Phishing Attack Simulator. Attack Simulator is part of Office 365 Threat Intelligence, which is included with Office 365 E5 Licensing. Office 365 Threat Intelligence / Attack Simulators can provide additional awareness and information, allowing the organization to understand its potential phishing vulnerabilities and address them proactively.
Enabling Technologies can assist you in this arena with its various offerings, from technical implementation assistance for configuring and conducting campaigns to end-user communications or training for your organization. Contact Enabling Technologies for more information.
Using the Office 365 Spear Phishing Attack Simulator
In order to utilize Office 365 Spear Phishing Attack Simulator, ensure the following:
- Office 365 Threat Intelligence is enabled for your organization.
- Your organization’s email is hosted in Exchange Online (on-premises email servers are not supported with Attack Simulator).
- The person administering Attack Simulator is an Office 365 Global Administrator.
- Multi-factor authentication (MFA) is enabled for that administrator account.
Spear Phishing Attack Simulator can be accessed via https://protection.office.com/#/attacksimulator, or from protection.office.com under Threat Management -> Attack Simulator.
You can create an Attack by using a template or configure one-time use parameters.
Spear Phishing Attack Template
- Create a Spear Phishing attack template:
- Under Spear Phishing, click on “Attack Details”.
- Scroll down to “Phishing Templates” and click on “New Template”.
- Give the template a “Name”.
- Configure the “Email Details”: From Name and Email Address, Phishing Login Server URL, and Email Subject.
- Compose the email and confirm.
- Create a Spear Phishing attack using the template:
- From the Attack Simulator main page, under Spear Phishing, click on “Attack Details”.
- Select “Launch Attack”.
- Complete all required sections and start the campaign.
Spear Phishing One-time Attack
- You can create a “one-time” campaign by filling in all required parameters, or you can use a template created previously. The example below shows how to create a one-time campaign.
- Start: name the campaign.
- Template: if desired, select a template from the list of previously created templates.
- Target Recipients: add the email addresses or distribution lists of the employees who should receive the phishing email. NOTE: if you choose a large group, only the first 500 members will receive a phishing email.
- Provide the email details: From Name and Email Address, Phishing Login Server URL, and Subject.
- Configure the email body. If using a template, the preconfigured email is displayed; you can update it if necessary using the Email or Source tabs.
- Or, create your own email…
- Confirm: finish the attack.
View Results of Attack Simulator
- Once the attack is complete, you can view the results of the simulation from the Attack Simulator main page:
- Click on “View Report” under Spear Phishing.
- Or, under “Attack Details” -> “Attack History”, specify a date range if you do not see your report listed, then click the desired report to see the attack simulation details. Reports can be exported by selecting “Export”.