IT Blog

Identity & Access Management

Attack Simulator for Office 365

Attack Simulator for Office 365

Microsoft has released Attack Simulator (currently in Preview) to allow Office 365 Global Administrators to simulate phishing campaigns and other attack simulations.


·       Your organization’s email is hosted in Exchange Online (Attack simulator is not available for on-premises email servers)

·       You have an E5 license or have signed up for an E5 trial license (here)

·       You have the security administrator role or Global Administrator role assigned to you

·       You have multi-factor authentication enabled (make sure to first read the MFA prerequisites here, such as enabling oAuth via Powershell)

Getting Started

To access Attack Simulator, in the Security & Compliance Center, choose Threat management > Attack simulator. If you don’t see it yet, you can browse to it directly here:

There are currently three attackers offered by Attack Simulator:

1.     Display name spear-phishing attack

2.     Brute Force password attack

3.     Password spray attack

Display name spear-phishing attack

One of the more common and successful phishing methods is to spoof the Display Name field in Outlook. This is very effective because the Sender Policy Framework (SPF)only protects the RFC 5321. Mail From field, and does not protect against spoofing of the Display Name. Only Domain-based Message Authentication, Reporting & Conformance (“DMARC” – RFC 7489) protects against the Display Name field (RFC 5322.From Field). However, since very few organizations have implemented DMARC, then this simulated phishing attack is very effective.

Carrying out the phishing simulation is a straight-forward wizard in the documentation found (here). Basically you enter the email address that you want to spoof and the targeted users that you want to send the fake email to. You can pick from a few pre-built templates, then you can do some customization of the email that would be sent out. After running the campaign, you can monitor to see which users clicked on the link, and which users went a step further and gave away their credentials.

Leave a Reply

Your email address will not be published. Required fields are marked *