Attack Simulation Procedure

This admin procedure provides background information on how to construct a Simulation Campaign for end users, which educates them on the specified attack technique.

This article is intended for employees of organizations that use Sittadel's security. Additionally, there are some actions that can only be accomplished by those with administrative privileges.

Attack Simulations

Phishing is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. Phishing is part of a subset of techniques we classify as social engineering.

These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks.

 

Procedure Scope: Administrators

Required Group Membership: Admin.EmailSecurity

 

Creating an Attack Simulation Campaign

  1. Navigate to Attack Simulation Training – O365 Defender and select Launch a Campaign.
  2. Choose the technique you wish to test end users on. The techniques listed are based on popular social engineering techniques; each choice has an option to view details regarding the goal of the simulated attack, a description of how it will be conducted, and the steps the simulation will carry out against users. Select Next to proceed to campaign description.
  3. Provide the campaign with a name and description that fits the technique that is being leveraged for the attack simulation campaign. Select Next to proceed to payload configuration.
  4. A list of all available email payloads will be generated; you can click into each one and view what will be displayed on end users' machines upon delivery of the email. You can also go through the process of creating your own custom payload that will be delivered to end users upon successful campaign registration. Select Next to proceed to target assignment.
  5. For user assignment, you can choose a specific set of users that the campaign will be leveraged against, or all the users within the organization. A list of all users within the organization will be shown; if a discrepancy in accounts is detected, make sure to remediate the issue before proceeding. Select Next to proceed to user exclusions.
  6. User exclusion should be thought about very carefully and reviewed by other members in management. If it is applicable, select the users or groups you wish to exempt from the campaign. Select Next to proceed to training selection.
  7. When a user interacts with the email, regardless of whether they fall victim to the attack, you can configure a training selection: a Microsoft-recommended training set, a third-party training operation, or no training option. Additionally, for Microsoft recommendations, you can have Microsoft assign training related to the attack simulation itself, or you can browse the catalogue to find material yourself. The last configurable setting in this section is the due date for the assigned training material; this will vary depending on your organizational preference. Select Next to proceed to configuring the user-facing landing page.
  8. The landing page is what will be visible to users who fall victim to the attack simulation. It will indicate to them that they have fallen victim to the phishing technique used, suggest a way to identify this attack method in the future, and notify them that they have training assigned to them by the organization. You can use one of the custom templates provided by Microsoft or provide the URL to a custom page that you have configured or outsourced from a third party. Select Next to proceed to user delivery.
  9. End users can be notified of their simulation feedback through Microsoft Default Notifications, which will send an Outlook message to all users detailing that they have been assigned training by the security team and can access the training through the message. They will be notified about completing the training on either a weekly or bi-weekly basis. Additionally, those who successfully sniff out the attack and report it will receive a customized message, as opposed to the landing page shown to those who fell for the attack. You could create a custom notification set if it fits within your scope. Once notifications are configured, select Next to proceed to scheduling of simulation release.
  10. The simulation can be scheduled for release right away or set for another time; you can also configure an end date that end users will need to abide by. Administration will decide these settings to come up with a timeline for users to complete the training. Select Next to proceed to revisions.
  11. Revisions will list all the simulation settings that were configured. If you detect a discrepancy, select the Edit button located below the section to make the proper remediations. If the settings look good, select Submit to publish the campaign and make it available to the end users. You could try the Send a Test feature to preview what the end users will see and have access to.

You're Finished!

You should have successfully deployed a simulation attack campaign that will educate users on the specified threat technique you outlined. For any other problems or questions, reach out to us!