Test your security awareness

Posted by

Even IT people will fall for a phishing attack. But what about your Office 365 users?

Some time ago

Several years ago I was working for a company in Diemen (near Amsterdam). One of the perks of that location was the coffee machine. It’s said that IT people work on good coffee, and this machine delivered. Nice cappuccino, expresso, you name it.

photography of espresso maker filling cups

But then, the location was to relocate to another location. The coffee machine would not be relocated and was to be given away. So all employees received an e-mail for the raffle. A link to the raffle was included. Anyone who knew this machine wanted to take part. And even though our web browsers warned us about the unsafe nature of the link, none of us took this warning to heart. We wanted that machine!

Alas…..the link behind the raffle directed us to a security webpage. We’d been dubbed and lured to this webpage. Our security colleagues had tricked us. And nearly all of us fell for it. The machine (by the way) was moved. To the head-office of the firm……

Present day – Office 365 attack simulator

I can still remember that day and the disappointed faces of my colleagues. But the point was made: even hardcore IT people can be receptive to a phishing campaign. If you ever want to test this out on your Office 365 users, then now you can 🙂

But rest-assured, this is in a controlled environment.

Attack simulator

The Office 365 attack simulator is part of Office 365 Threat Intelligence. And just to be sure: this is only available in Office 365 Enterprise E5 (or as an add-on to your existing subscription).

The simulator lets to use three fake attacks and report on the results. The three options are:

  • Spear Phishing – using a URL to attempt to obtain user names and passwords;
  • Brute Force Password Attack – an automated attack against a user’s password;
  • Password Spray Attack – an attempt to try commonly used passwords.

In order to use any of these attacks, please take note of the pre-requisites. In order to use any of the attacks, you will need:

  • To use Exchange Online for e-mail;
  • To be an Office 365 global administrator in the Security & Compliance Center;
  • To use multi-factor authentication.

These are hard pre-requisites. Without them you won’t be able to launch an attack.


Let’s take a look at the attack simulator. And for this I will focus on one simulated attack: the spear phishing attack. This attack will send e-mails with a malicious link to unsuspected users. Nice 🙂

You’ll find the attack simulator in the Office 365 security & compliance center, in the Threat management section.

Attack simulator dashboard

Let’s start the attack, by selecting Launch Attack. This enables us to start the attack and also to see any history of previous attacks.

Spear phishing attack

This type of attack is the only one which allows the use of templates. These templates are used to reuse previous settings, so you can re-run the attack again. Or you can start an attack based on a template, and modify the settings.

Phishing templates

The first thing to do, is to select your “victims”. These are the users which will receive the e-mail. You can add up to 500 e-mail recipients. Next it to create the e-mail details. In this example, I’ll be using the payroll template. This template tries to lure people to a malicious website based on an e-mail from HR.  When you select the template, most of the information is filled-in. But one tip: give any attack a different name.

Attach_Sim_3All of this information can be changed. The login server url can only be selected from a range of url’s. When your user(s) have clicked on the link and logged in, you can present them with a custom landing page.

Next, you can customize the e-mail. This can be done using the GUI or you can use the html-source of the e-mail. When done, click next en confirm the settings.

E-mail body configuration

Run the attack

Let’s roll! Let’s just see what this attack does, shall we? First of all, it will send out the phishing e-mail. When the victim clicks on the link, it will redirect to the phishing website.

Phishing mail received

Nothing to worry about – this is a website hosted and run by Microsoft. But as it is a phishing website, your browser should notify the victim that this is unsafe. If he/she disregards this notification, then the login-screen is shown.

Username/password capture

This screen only asks for a username/password and there’s no multifactor authentication or other additional protection. Quick note: there’s no need to enter a genuine userid/password here. But most users/victims will enter their credentials they commonly use.

After entering the credentials, you are either redirected to the custom webpage (Unmask mole – below) or the Microsoft default webpage (the figure below that).

Custom webpage
Microsoft default webpage

After the attack

The attack will run until all users have responded or after the time has run-out. Although I haven’t found any information yet on that latter option.

The attack details page gives you information on the attacks which have run. You’ll also see if these have been successful, or not….

Attack detail page

In the end

The attack simulator is a great piece of work. It’s very simple to use and to test the awareness of your users. The other two tests are very useful as-well. For instance, to test if your organisation’s standard password (P@ssw0rd 🙂 ) is still being used.

But it’s no toy, so use it wisely.

More information?

This Microsoft article explains this function in more detail. Do note; I haven’t found much information on the duration of an attack. Another note: any e-mails sent using the simulator will bypass the Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) – as e-mails are send internally.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s