Phishing, malware, and social engineering remain among the most common entry points for cyberattacks. While technical safeguards play a crucial role in strengthening overall security, the human factor often remains a critical vulnerability. Attack simulation training, a feature of Microsoft Defender for Office 365, offers a practical way to enhance user security awareness and build a more resilient organizational security posture.
Microsoft Defender Attack Simulation Training provides a secure way to simulate realistic attack scenarios without compromising actual security. By mimicking phishing attacks, it allows organizations to evaluate user behavior and deliver targeted security awareness training.
This article demonstrates how Microsoft Defender for Office 365 Attack Simulation Training can be used, from prerequisites and licensing to simulation setup and result analysis. The goal is to strengthen organizational security and raise user awareness of cybersecurity threats.
Prerequisites and Licensing
Licensing
To use Microsoft Defender for Office 365 Attack Simulation Training, one of the following license plans is required:
- Microsoft Defender for Office 365 Plan 2
- Microsoft 365 E5 Security
- Microsoft 365 E5
An overview of Microsoft licensing plans and their features is available at https://m365maps.com/.
Roles
Microsoft Defender for Office 365 Attack Simulation Training requires the following roles assigned according to the principle of least privilege:
| Role | Description |
| --- | --- |
| Security Administrator or Attack Simulation Administrator | Setup and configuration of attack simulation training, management of attack simulations |
| Attack Payload Author | Create attack scenarios that can later be launched by an administrator |
Microsoft Exchange Online Mailboxes
Microsoft Exchange Online provides the necessary email infrastructure for attack simulation training. No additional configuration is required for Microsoft Exchange Online.
Microsoft Defender Attack Simulation Training: Configuration
A simulation is a controlled exercise that replicates realistic attack scenarios to test how users respond to potential security threats. The objective is to identify weaknesses in the organization’s security posture and to strengthen overall security awareness.
Simulations are created in the Microsoft Defender portal.
Sign in to the Microsoft Defender portal (https://security.microsoft.com/) > Email & collaboration > Attack simulation training > Simulations > Launch a simulation

Next, the method to be used for the simulation is selected. In this example, Credential Harvest is chosen.
The available options are based on the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques derived from real-world observations.
Credential Harvest
An email contains a link to a spoofed website. The goal is to trick the target into entering their login credentials, which are then captured by the attacker.
Malware Attachment
The message contains a file that, when opened, can execute malicious code, such as a macro or an embedded script.
Link in Attachment
A hybrid scenario in which the link is not directly included in the email body but embedded in an attached file. When the attachment is opened, the link becomes visible and can be clicked.
Link to Malware
The actual malware is not attached to the email but hosted on an external filesharing platform (e.g., SharePoint or Dropbox). The email only contains a link to that file.
Drive-by URL
A link directs the user to a compromised website that attempts to automatically execute malicious code on the target system in the background upon visit.
OAuth Consent Grant
An attacker uses a legitimate OAuth request to grant excessive permissions to an application. The target is tricked into authorizing the app to access sensitive data.
How-to Guide
This method is not intended to compromise an account but serves an educational purpose within a phishing simulation. The simulated message contains specific instructions designed to prompt the recipient to take a defined security action, such as correctly reporting a suspicious email.

Assign a name to the simulation, for example M365_Link_Phishing_CredSteal.

Select the phishing content, that is, which simulated email will be sent and with what message. Examples include a fake voicemail or a delivery notification. In the example shown, a message claiming the recipient’s mailbox is full was selected.

In the section Tenant payloads > Create a payload, custom content can be defined within Microsoft Attack Simulation Training.
The creation of custom payloads is not covered in this guide.

Select the recipients; this can include all users, specific users, or user groups.

If needed, specific users can be excluded from the simulation.

Select user awareness training to be assigned when users interact with simulated malicious content during the simulation, such as clicking a link or opening an attachment.
- Microsoft training experience (Recommended)
  - Assign training for me (Recommended)
    Microsoft selects appropriate training content from the built-in catalog based on the simulation results.
  - Select training courses and modules myself
    Manually choose specific training modules from the Microsoft catalog.
  - Redirect to a custom URL
    Include external learning resources via a custom URL.
  - No training
    Disable training entirely.
- Specify the number of days users have to complete the training after the simulation ends
  Options are 7 days, 15 days, or 30 days.

Select the landing page that will be displayed to users when they interact with the simulated email during the simulation. This page serves as a learning opportunity and can be customized as needed.
- Select landing page
  Choose to use a standard page from the Microsoft library or specify a custom URL, for example, from an external training platform.
- Show payload indicators to users
  Display indicators that help users identify phishing emails.
- Select landing page template
  Choose from various layouts for the notification page.
- Edit layout
  Optionally, a custom logo can be uploaded. In addition, the default language for displaying the page can be specified.
Tip: Clicking on the name opens a preview of the notification page.

In the section Tenant landing pages > Create new, a custom notification page can be defined. The creation of such a page is not covered in this guide.

Actively notify users about their simulation results and any pending awareness training (1). Customize the delivery time (2) of the notification. View a preview of the message (3).

The simulation can be launched either immediately or scheduled (1). A simulation runs for a duration between 2 and 30 days (2).

To finalize the setup, the attack simulation settings can be reviewed one last time. Optionally, a test message can be sent to the currently signed-in user. Click Submit to start the simulation.

The attack simulation training has been successfully scheduled. Exit the wizard by selecting Done.

The Microsoft Defender for Office 365 Attack Simulation Training appears in the overview and is now in progress.

Microsoft Defender Attack Simulation Training: Results and Reporting
Microsoft Defender for Office 365 Attack Simulation Training provides comprehensive reporting capabilities. Reports are available not only after the simulation ends but immediately after it begins. Throughout the simulation period, the data is continuously updated, offering real-time insights into user behavior and threat response.
Reports can be accessed directly in the Microsoft Defender portal (https://security.microsoft.com/). To do so, navigate to Email & collaboration > Attack simulation training > Simulations and select the desired simulation.

Under Report (1), the results of the ongoing attack simulation are displayed. The view includes details such as the delivery status of the phishing email (2), overall user behavior, for example, link clicks or credential submissions (3), and the current status of assigned awareness training (4).
In the simulation impact section (5), it becomes clear how many users were compromised and whether any suspicious activity was reported.

Under Users (1), all participants of the attack simulation training are listed along with their current status. The overview shows whether a user was compromised (2), reported the message (3), and the status of their awareness training (4).
Additional details provide insights into delivery issues (5) related to the email.
In the other actions section (6), all interactions with the message are recorded, for example, whether the user clicked a link, deleted the message, or reported it.
This allows for a quick and clear understanding of which users engaged with the simulation and whether awareness training is required.
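The Users view described above is usually read by eye, but the same outcome logic is easy to apply to an exported user list when a simulation covers hundreds of recipients. The following Python script is an added example, not part of the original article and not Microsoft's own tooling: it classifies each user by the most severe action observed (compromised takes precedence over a plain click, which takes precedence over a report), computes compromise and report rates over delivered messages only, and lists who still needs awareness training. The records and their field names (user, delivered, clicked, compromised, reported, training) are constructed to mirror the columns of the Users view and are an assumption, not an export format.

```python
"""Summarise per-user outcomes of an attack simulation.

Added example; not from the original article or from Microsoft's tooling.
The sample records are constructed, and their field names are an assumption
modelled on the Users view (compromised, reported, training status,
delivery issues, other actions).
"""
from collections import Counter

# Constructed sample data with the same information as the Users view.
SAMPLE_USERS = [
    {"user": "alice@contoso.example", "delivered": True, "clicked": True,
     "compromised": True, "reported": False, "training": "assigned"},
    {"user": "bob@contoso.example", "delivered": True, "clicked": True,
     "compromised": False, "reported": False, "training": "assigned"},
    {"user": "carol@contoso.example", "delivered": True, "clicked": False,
     "compromised": False, "reported": True, "training": "not assigned"},
    {"user": "dave@contoso.example", "delivered": False, "clicked": False,
     "compromised": False, "reported": False, "training": "not assigned"},
    # Entered credentials and reported afterwards: still counts as compromised.
    {"user": "erin@contoso.example", "delivered": True, "clicked": True,
     "compromised": True, "reported": True, "training": "completed"},
]


def classify(record):
    """Return one outcome label per user, most severe action first."""
    if not record["delivered"]:
        return "not_delivered"
    if record["compromised"]:
        return "compromised"
    if record["clicked"]:
        return "clicked_only"
    if record["reported"]:
        return "reported"
    return "no_interaction"


def summarise(records):
    """Aggregate outcomes; rates are computed over delivered messages only,
    so delivery failures do not dilute the compromise rate."""
    outcomes = Counter(classify(r) for r in records)
    delivered = [r for r in records if r["delivered"]]
    compromised = sum(1 for r in delivered if r["compromised"])
    reported = sum(1 for r in delivered if r["reported"])
    n = len(delivered)
    return {
        "total": len(records),
        "delivered": n,
        "outcomes": dict(outcomes),
        "compromise_rate": compromised / n if n else 0.0,
        "report_rate": reported / n if n else 0.0,
    }


def users_needing_training(records):
    """Users who interacted with the payload and have not finished training."""
    return sorted(
        r["user"] for r in records
        if r["delivered"]
        and (r["clicked"] or r["compromised"])
        and r["training"] != "completed"
    )


def delivery_issues(records):
    """Users whose simulated message never arrived; investigate mail flow."""
    return sorted(r["user"] for r in records if not r["delivered"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_USERS)
    print(f"Delivered {summary['delivered']}/{summary['total']}")
    print(f"Compromise rate: {summary['compromise_rate']:.0%}")
    print(f"Report rate: {summary['report_rate']:.0%}")
    print("Outcomes:", summary["outcomes"])
    print("Training still open:", users_needing_training(SAMPLE_USERS))
    print("Delivery issues:", delivery_issues(SAMPLE_USERS))
```

Keeping "compromised" as the top-priority label matters: a user who submits credentials and then reports the message has still exposed a password, so that user belongs in the compromised count even though the report itself is the desired behaviour.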

Phishing Simulation from the User’s Perspective
Example of a Phishing Email in the Inbox
As part of Microsoft Defender for Office 365 Attack Simulation Training, users receive a highly convincing phishing email directly in their inbox.
The message is designed to closely mimic real-world phishing attempts in terms of structure, language, and sender details.
The goal is to provide realistic, hands-on training for recognizing threats in everyday work scenarios, without prior warning and under authentic conditions.
In this example, the message is a notification about a supposedly full mailbox.

If the user clicks the Storage Limits link and signs in with their username and password, a notification page appears, informing them about the ongoing attack simulation.

The user receives an email assigning the corresponding awareness training.

Report Email as Phishing
If the suspicious message is recognized by the user, it can be reported as phishing directly via the built-in button in the email client. This feature is available by default in Microsoft Outlook.
Reporting phishing emails is not only part of the training, but also a critical step in strengthening the organization’s overall security culture.
Report > Report phishing

In the reporting section of Microsoft Defender for Office 365 Attack Simulation Training, a user’s action to report a phishing email is recorded. No further steps are required from the user, and no additional email with awareness training will be sent.

Accessing Awareness Training
As soon as a user clicks the awareness training link, the training center opens automatically.
Here, users are presented with interactive content that clearly explains how to identify and avoid real-world threats. The training is intentionally brief yet effectively covers all essential security fundamentals in a practical and engaging way.

The awareness training begins with a click on Start.
