Microsoft Defender for Office 365 Part 10: Attack Simulation Training
Security controls protect your technology - but what protects your users? Attack Simulation Training turns your workforce from a vulnerability into a line of defense.
This post focuses on Attack Simulation Training in Microsoft Defender for Office 365. If you missed the previous post, catch up with Part 9: Automated Investigation & Response. But if you’re already running MDO and want to understand how to test and train your users against real-world phishing techniques - read on.
📌 TLDR
Attack Simulation Training lets you run realistic phishing simulations against your own users - measuring who clicks, who submits credentials, and who reports the simulation
Simulation results feed directly into targeted training campaigns - users who fail get assigned relevant training automatically
User risk scoring gives security teams a measurable, data-driven view of human risk across the organization over time
Introduction: Your Users Are Both the Target and the Defense
In Part 9, we covered Automated Investigation & Response - how MDO automates the investigative work that no security team has capacity to do manually. Every layer of the MDO protection stack we have covered so far - Anti-Spam, Anti-Malware, Anti-Phishing, Safe Attachments, Safe Links, ZAP, AIR - protects the technical environment.
But there is one attack surface that no technical control fully protects.
Your users.
A perfectly configured MDO environment still has a gap - a user who is socially engineered into voluntarily handing over credentials, approving a fraudulent payment, or bypassing security controls. The most sophisticated phishing attacks are specifically designed to reach users and manipulate them directly.
Attack Simulation Training closes this gap by letting you simulate real-world phishing attacks against your own users - safely, in a controlled environment - so you can measure risk, identify vulnerable individuals, and deliver targeted training before a real attacker does.
In today’s blog, we will cover what Attack Simulation Training is, the simulation techniques available, how to run a simulation, how to measure results, and how to build an effective training program.
What Is Attack Simulation Training
Attack Simulation Training is an MDO Plan 2 feature that allows security teams to launch realistic phishing simulations against their own organization - using the same techniques real attackers use - and automatically assign training to users who fall for the simulation.
It serves three purposes:
Measure - Identify which users are susceptible to phishing and social engineering attacks
Train - Deliver targeted, relevant security awareness training to users based on their simulation behavior
Track - Monitor human risk across the organization over time and measure the impact of training
Access Attack Simulation Training at security.microsoft.com → Email & Collaboration → Attack Simulation Training.
Simulation Techniques
MDO’s Attack Simulation Training supports five attack techniques - each mirroring a real-world phishing method used by threat actors today.
Credential Harvest
The most common phishing technique. The simulation sends a phishing email containing a link to a fake login page - mimicking Microsoft 365, a bank, or another trusted service. The page captures any credentials the user enters.
Real-world equivalent: Account takeover phishing campaigns impersonating Microsoft, Office 365, or corporate VPN portals.
Best used for: Baseline phishing susceptibility testing across the general user population.
Malware Attachment
The simulation sends an email with an attachment that - when opened - simulates the behavior of a malware dropper without causing any actual harm. The attachment may prompt the user to enable macros or execute a script.
Real-world equivalent: Weaponized Office document campaigns delivering ransomware or remote access trojans.
Best used for: Testing user behavior around unexpected email attachments - particularly for finance and operations teams.
Link in Attachment
A hybrid technique. The simulation sends an email with an attachment containing a malicious link. The user must first open the attachment and then click the link inside it - a two-step interaction that bypasses users who have been trained to avoid clicking links directly in emails.
Real-world equivalent: PDF or Word documents containing embedded phishing URLs - used to evade URL scanning in email gateways.
Best used for: Testing users who have received basic phishing awareness training but may not recognize multi-step lure techniques.
Drive-By URL
The simulation sends an email with a link to a webpage that simulates a drive-by download - content that attempts to execute without any user interaction beyond visiting the page.
Real-world equivalent: Malvertising campaigns and compromised legitimate websites that silently drop malware on visitors.
Best used for: Testing users in high-risk roles who regularly browse external websites as part of their work.
OAuth Consent Grant
The simulation sends an email prompting the user to grant permissions to a third-party application - simulating an OAuth phishing attack where the attacker requests access to the user’s Microsoft 365 data through a malicious app.
Real-world equivalent: OAuth consent phishing campaigns targeting Microsoft 365 and Google Workspace environments - increasingly common in BEC and data exfiltration attacks.
Best used for: Testing technically sophisticated users and IT staff who may be more resistant to traditional credential harvest techniques.
Running a Simulation
Step-by-Step Setup
Go to security.microsoft.com → Email & Collaboration → Attack Simulation Training
Select the Simulations tab
Click Launch a simulation
Choose your attack technique
Name the simulation and select a payload (phishing lure template)
Configure target users
Set training assignment rules
Configure landing page - the page users see after clicking
Set end user notifications - whether users are notified after falling for the simulation
Schedule and launch
Choosing a Payload
MDO includes a large library of pre-built phishing payload templates - realistic simulations mimicking common attack lures including Microsoft credential harvest pages, shipping notification phishing, HR policy update lures, and IT helpdesk impersonations.
Each payload in the library includes:
Complexity rating - How sophisticated the lure is
Predicted compromise rate - Based on global simulation data, the percentage of users typically caught by this payload
Language - Payload language for multinational organizations
For more targeted simulations, you can create custom payloads - building a phishing lure that mimics your organization’s own branding, internal communication style, or a specific vendor your users interact with regularly.
Targeting Users
All users - Broadest reach. Use for baseline assessments.
Specific groups - Target a department, role, or security group. Use for role-specific simulations - finance team targeted with invoice fraud lures, IT team targeted with OAuth consent lures.
High-risk users - Target users identified by previous simulation results or user risk scoring as most susceptible. Use for repeat simulation and intensive training campaigns.
Exclude recent simulation targets - Avoid targeting the same users too frequently - more on this in the Best Practices section.
Landing Page and Notifications
Landing page - The page users see immediately after clicking a simulation link or submitting credentials. This is a teachable moment - configure it to explain what just happened, what the real-world consequences would have been, and what to look for next time.
End user notifications - Configure whether users receive a notification after the simulation ends explaining that it was a test and directing them to assigned training.
Measuring Results
Simulation Reports
After a simulation runs, MDO generates a detailed report showing:
Total targeted users - How many users received the simulation email
Compromised users - How many users clicked the link, opened the attachment, or submitted credentials
Reported users - How many users reported the simulation as suspicious using the Report Message add-in
Resilience rate - The percentage of users who neither fell for the simulation nor reported it - a passive but not actively vulnerable response
User Risk Scoring
MDO assigns each user a risk score based on their simulation history - how many simulations they have received, how many they failed, what techniques they fell for, and whether their behavior is improving or worsening over time.
Risk scores are categorized as:
High risk - Users who consistently fall for simulations and represent the greatest human attack surface
Medium risk - Users who occasionally fall for simulations or have limited simulation history
Low risk - Users who consistently resist simulations or actively report them
User risk scores are available at Attack Simulation Training → Users tab.
Comparing Results Over Time
The Training efficacy report tracks simulation results and training completion rates over time - showing whether your security awareness program is actually reducing susceptibility across the organization.
Key metrics to track:
Repeat click rate - Are the same users failing multiple simulations?
Post-training improvement - Are users who completed training less likely to fall for subsequent simulations?
Reporting rate trend - Is the percentage of users actively reporting simulations increasing over time?
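As an added worked example (not code from the post or from Microsoft's product), the report metrics, risk tiers and trend metrics described above computed from a constructed set of per-user simulation records; the risk tier thresholds are assumptions, since MDO's actual scoring formula is not given here.

```python
from collections import defaultdict
# Constructed sample records (not from the page): one per (simulation, user).
# Outcome is "compromised" (clicked/opened/submitted), "reported", or "resisted"
# (neither fell for it nor reported it). SIM_ORDER lists campaigns in run order.
SIM_ORDER = ["baseline", "round-2", "round-3"]
RESULTS = [
    ("baseline", "alice", "compromised"), ("baseline", "bob", "compromised"),
    ("baseline", "carol", "reported"), ("baseline", "dave", "resisted"),
    ("round-2", "alice", "resisted"), ("round-2", "bob", "compromised"),
    ("round-2", "carol", "reported"), ("round-3", "alice", "reported"),
    ("round-3", "bob", "compromised"), ("round-3", "carol", "resisted")]
TRAINING_COMPLETED = {"alice"}  # completed the training assigned after failing

def simulation_report(sim, results=RESULTS):
    """Targeted / compromised / reported counts and resilience rate for one simulation."""
    rows = [o for s, _, o in results if s == sim]
    return {"targeted": len(rows), "compromised": rows.count("compromised"),
            "reported": rows.count("reported"),
            "resilience_rate": round(rows.count("resisted") / max(len(rows), 1), 2)}

def user_history(results=RESULTS):
    hist = defaultdict(dict)  # user -> {simulation: outcome}
    for sim, user, outcome in results:
        hist[user][sim] = outcome
    return hist

def risk_tier(outcomes):
    """Assumed thresholds (MDO's real formula is not on the page): high = failed 2+
    simulations; medium = failed once or under 2 simulations of history; else low."""
    fails = sum(o == "compromised" for o in outcomes)
    if fails >= 2:
        return "high"
    return "medium" if fails == 1 or len(outcomes) < 2 else "low"

def user_risk(results=RESULTS):
    return {u: risk_tier(list(h.values())) for u, h in user_history(results).items()}

def repeat_click_rate(results=RESULTS):
    """Of users who failed at least once, the share that failed more than once."""
    counts = [sum(o == "compromised" for o in h.values()) for h in user_history(results).values()]
    failed = [c for c in counts if c >= 1]
    return round(sum(c > 1 for c in failed) / len(failed), 2) if failed else 0.0

def post_training_improvement(results=RESULTS, trained=TRAINING_COMPLETED):
    """Of users who failed the baseline and completed training, share that stayed clean after."""
    hist = user_history(results)
    cohort = [u for u in trained if hist[u].get(SIM_ORDER[0]) == "compromised"]
    improved = [u for u in cohort
                if not any(hist[u].get(s) == "compromised" for s in SIM_ORDER[1:])]
    return round(len(improved) / len(cohort), 2) if cohort else 0.0
```

Feeding the same functions with results exported per campaign lets you chart the resilience rate, repeat click rate and post-training improvement across rounds rather than reading each report in isolation.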
Training Campaigns
Assigning Training to Users Who Failed
The most powerful aspect of Attack Simulation Training is the ability to automatically assign targeted training to users based on their simulation behavior - immediately after they fall for a simulation.
Training assignment can be configured during simulation setup:
Assign training automatically - Users who fail the simulation are immediately enrolled in relevant training modules
Training due date - Set a deadline for training completion
Training selection - Choose specific modules or let MDO recommend relevant training based on the attack technique used
Built-In Training Content
MDO includes a library of built-in training modules covering:
Phishing awareness and recognition
Credential security and password hygiene
Safe browsing practices
Reporting suspicious activity
Social engineering awareness
BEC and executive impersonation awareness
Each module includes completion tracking and assessment scoring.
Custom Training Content
For organizations with existing security awareness training content, MDO supports custom training modules - allowing you to upload your own content and assign it through the same Attack Simulation Training workflow.
Tracking Completion
Training completion is tracked per user and per simulation campaign. Administrators can view:
Which users have completed assigned training
Which users have not started training
Training completion rates by department or group
Overall program completion rate
Administrators can also send reminder notifications to users who have not completed assigned training within the configured due date window.
Best Practices
Start With a Baseline Simulation
Before hardening your security awareness program, run a baseline simulation using a moderate-complexity payload against your entire user population. This establishes your starting point - the organization’s current susceptibility rate - and gives you a benchmark to measure improvement against.
Do Not Over-Simulate
User fatigue is a real risk. Users who receive too many simulations in a short period become desensitized - they start clicking everything just to get through the simulation rather than genuinely engaging with the lure. A good cadence for most organizations is one simulation per user per month - enough to maintain awareness without causing fatigue.
Target High-Risk Users and Executives Separately
Run separate simulation campaigns for high-risk users and executives:
High-risk users need more frequent simulations with progressively more sophisticated techniques to break persistent susceptibility patterns
Executives need simulations using whaling and BEC-specific techniques - the attacks most likely to target them in the real world
Increase Complexity Gradually
Start with lower-complexity payloads for baseline simulations. As the organization’s resilience rate improves, introduce more sophisticated techniques - link in attachment, OAuth consent grant, custom payloads mimicking internal communications. This progressive difficulty mirrors how real attackers evolve their techniques.
Treat Reporters as Champions
Users who actively report simulations as suspicious are demonstrating exactly the behavior you want to reinforce. Recognize and reward them - publicly in team communications or through your security awareness program. This creates positive social pressure that encourages reporting behavior across the organization.
Integrate With Your Security Awareness Program
Attack Simulation Training is most effective when it is part of a broader security awareness program - not a standalone activity. Combine simulation results with:
Regular security awareness communications
Phishing trend briefings for leadership
Department-specific training for high-risk teams
Metrics reporting to demonstrate program ROI to management
Conclusion
Technical controls protect your environment - but Attack Simulation Training protects your people. By running realistic simulations, measuring susceptibility, delivering targeted training, and tracking improvement over time, security teams can systematically reduce the human attack surface that no MDO policy can fully eliminate.
The goal is not to catch users out - it is to build a workforce that recognizes attacks, reports them, and makes life harder for threat actors targeting your organization through social engineering.
In our next post, we go deep on SecOps Guide - Incident Response with MDO - how security operations teams use MDO’s full capability stack for day-to-day alert triage, incident investigation, and escalation workflows.
Subscribe to CyberBoo to continue your MDO journey. How does your organization use attack simulations to measure and reduce human risk? Share your experiences in the comments.