Phishing simulations with Microsoft Defender for Office 365: How to strengthen your security strategy through effective “Attack Simulation Training”
Hakan Duran >> 26 December 2024

Phishing emails are still the easiest way to cause damage in companies. A single click can be enough to reveal sensitive data or install malware. The consequences range from data loss to financial damage and loss of reputation. With Microsoft Defender for Office 365, exactly such scenarios can be realistically simulated in order to train employees specifically and strengthen the security culture.
In this article, we show step by step how companies can create, execute and analyze phishing simulations – supplemented by examples and practical tips.
Prerequisites and role requirements
To perform a phishing simulation with Microsoft Defender for Office 365, certain requirements must be met:
• Licenses: A Microsoft Defender for Office 365 Plan 2 or equivalent Microsoft 365 E5 subscription is required.
• Required Roles: Only users with the Global Admin, Security Admin, or Attack Simulation Administrator roles can create and manage simulations. The Attack Payload Author role can create attack payloads that an administrator can later use for simulations.
Step-by-step instructions for setting up a phishing simulation
- Access and configuration via the Microsoft 365 Defender portal
Start by accessing the Microsoft Defender portal. Under the "E-mail & Collaboration" section, you will find "Attack Simulation Training". Here you can centrally manage your simulations, training, reports, and attack payloads.
- Create simulation
Go to the “Simulations” area and start a new simulation. An intuitive user interface will guide you through the configuration of the simulation.
- Choice of attack technique
Microsoft Defender offers numerous attack types to choose from to create realistic scenarios:
- Credential Harvesting: Deceptively real login pages that test user behavior.
- Malware attachments: Distribution of fake attachments to test click behavior and security awareness.
- Drive-by URLs: Links that trigger malicious actions and challenge users' responsiveness.
- Link in Attachment: Links embedded in attachments redirect users to malicious sites.
- Link to Malware: Links that execute malware when clicked test users' ability to recognize potential threats.
- OAuth Consent Grant: This technique simulates attacks in which users grant malicious applications access to their data by accepting supposedly legitimate OAuth authorization requests.
- How-to-Guide: Simulations that guide users through supposedly helpful instructions and lure them into dangerous scenarios.
- Creation and customization of payloads
Payloads are messages or content designed to trick users into taking certain actions, such as clicking on a link or opening an attachment. For a realistic simulation, you can either use Microsoft templates or create your own payloads using custom HTML code. You can also have them created by AI tools like ChatGPT or Copilot. It is important that your phishing emails appear authentic. A thorough test run of the payloads before the actual simulation is crucial.
Example: A deceptively real message pretending to be from IT support:
"Your password expires in 2 days. Please click here to update it."
- Definition of the target group
The added value of a phishing simulation depends largely on the targeted selection of participants. Specific user groups or departments can be selected for individualized simulations. Service accounts should be excluded to ensure meaningful results.
- Allocation of training measures
Employees who fall for phishing emails benefit from tailored training that specifically addresses the weaknesses identified. This increases awareness, promotes learning and improves the security culture in the long term.
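The steps above end with the analysis of results and the assignment of training. The following Python script is an added example, not code from the article or from Microsoft; it shows how the per-user results of two simulations can be evaluated offline: service accounts are filtered out of the target group, click, compromise and report rates are calculated per simulation, repeat offenders across simulations are identified, and the list of users who should receive training is derived. The CSV columns, the `svc-` naming convention for service accounts and the sample data are constructed assumptions; a real export from the "Reports" area of Attack Simulation Training may use different column names.

```python
"""Offline evaluation of phishing simulation results (added example, constructed data)."""
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are an assumption loosely modelled on a
# per-user simulation report; adjust them to match the real export.
# action: none | clicked | credentials_entered     reported: yes | no
SAMPLE_CSV = """simulation,user,action,reported
S1,alice@contoso.example,clicked,no
S1,bob@contoso.example,credentials_entered,no
S1,carol@contoso.example,none,yes
S1,svc-backup@contoso.example,clicked,no
S1,dave@contoso.example,none,no
S2,alice@contoso.example,none,yes
S2,bob@contoso.example,clicked,no
S2,carol@contoso.example,none,yes
S2,svc-backup@contoso.example,credentials_entered,no
S2,dave@contoso.example,clicked,no
"""

# Assumed naming convention used to exclude service accounts from the target group.
SERVICE_ACCOUNT_PREFIXES = ("svc-", "svc_")

FAIL_ACTIONS = {"clicked", "credentials_entered"}   # user interacted with the lure
COMPROMISE_ACTIONS = {"credentials_entered"}        # user handed over credentials


def is_service_account(upn: str) -> bool:
    """True if the local part of the UPN follows the service-account convention."""
    return upn.split("@", 1)[0].lower().startswith(SERVICE_ACCOUNT_PREFIXES)


def load_events(text: str) -> list:
    """Parse the CSV export and drop service accounts so rates reflect real users."""
    rows = csv.DictReader(io.StringIO(text))
    return [row for row in rows if not is_service_account(row["user"])]


def simulation_metrics(events: list) -> dict:
    """Per simulation: counts and rates for clicks, credential compromise and reports."""
    per_sim = defaultdict(lambda: {"targeted": 0, "clicked": 0, "compromised": 0, "reported": 0})
    for e in events:
        m = per_sim[e["simulation"]]
        m["targeted"] += 1
        if e["action"] in FAIL_ACTIONS:
            m["clicked"] += 1
        if e["action"] in COMPROMISE_ACTIONS:
            m["compromised"] += 1
        if e["reported"].strip().lower() == "yes":
            m["reported"] += 1
    for m in per_sim.values():
        total = m["targeted"]
        m["click_rate"] = m["clicked"] / total if total else 0.0
        m["compromise_rate"] = m["compromised"] / total if total else 0.0
        m["report_rate"] = m["reported"] / total if total else 0.0
    return dict(per_sim)


def repeat_offenders(events: list, min_failures: int = 2) -> list:
    """Users who fell for the lure in at least `min_failures` different simulations."""
    failures = defaultdict(set)
    for e in events:
        if e["action"] in FAIL_ACTIONS:
            failures[e["user"]].add(e["simulation"])
    return sorted(u for u, sims in failures.items() if len(sims) >= min_failures)


def training_assignments(events: list, simulation: str) -> list:
    """Users in one simulation who should be assigned follow-up training."""
    return sorted({e["user"] for e in events
                   if e["simulation"] == simulation and e["action"] in FAIL_ACTIONS})


if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    for sim, m in sorted(simulation_metrics(evts).items()):
        print(f"{sim}: targeted={m['targeted']} click_rate={m['click_rate']:.0%} "
              f"compromise_rate={m['compromise_rate']:.0%} report_rate={m['report_rate']:.0%}")
    print("repeat offenders:", repeat_offenders(evts))
    print("training for S2:", training_assignments(evts, "S2"))
```

Comparing the report rate with the click rate across runs is the more useful trend than the click rate alone: a rising share of users who report the message without interacting with it is the behaviour the training is meant to produce.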
Automation and continuous improvement
One-off simulations can be helpful, but only regular and automated simulations ensure a permanently heightened security awareness. Automation enables companies to control the training rhythm and ensure that users are continuously confronted with new threat scenarios. By running the simulations randomly, users are prevented from recognizing patterns, which significantly increases the success of the training.
Best practices and further recommendations
• Complement simulations with continuous review and adaptation of security policies.
• Ensure that all simulations comply with applicable data protection and compliance requirements.
• Educate your employees about the goals and benefits of phishing simulations.