Deep dive into MDO: Attack Simulation Training (AST)

As the world becomes more digital, cyber-attacks are becoming increasingly common. Phishing attacks are a major concern for organizations. Based on studies, Phishing is the most common attack in many continents and stolen credentials are the most common cause of data breaches. To make matters even worse, phishing attempts are the most expensive breach cause and can cost an organization $47 million. In fact, there were 323,972 users that fell victim to phishing attacks globally in 2021 and there are 3.4 billion spam emails sent every day.

So, how can organizations protect their employees from phishing attacks? One strategy is to implement the classic security features and another one is to test the awareness and educate employees about the dangers of phishing emails. Organizations can lower their vulnerability to this form of attack by up to 70% due to researchers. By doing so, you can also prevent related expenses that come with phishing attacks.

Phishing training customized for your needs using “Microsoft Defender for Office 365: Attack Simulation Training” is a useful tool for training and educating employees on how to identify and report phishing emails. This training can be customized to suit the individual requirements of each company and by using intelligent simulations that can be based on real-world phishing attacks. It has several features that are intended to make the training process as efficient as possible.

About Attack Simulation Trainings features

The scheduling and automation features enable businesses to plan when to execute the phishing simulation and training. This is a useful tool for arranging regular activities, as simulations and awareness training are constantly required to train the company against phishing.
​
Another important aspect is the ability to track results. Organizations can see how effective training is by tracking simulation and training results and customizing future training properly. It can also recognize repeated offenders and individuals who are more susceptible to phishing. 

With this solution your organization can train the awareness of these risky users with integrated nano or microlearning and interactive training courses. But you can also add your organizations own training content.

​Microsoft provides analysis and reporting based on the results of simulations and training courses. This information keeps you aware of the evolution progress of your users risk awareness as well as getting a hint of the next actions to better make them ready for real attacks.

​Another crucial feature is the ability to import or customize genuine phishing emails and Microsoft Teams phishing chats for the payloads. This allows employees to obtain training with an authentic look of phishing emails or chats used in the real world or discovered in their organization.

How to use Attack Simulation Training?

​First and foremost, it is crucial to inform all necessary departments within the organization that a phishing simulation will be taking place. This includes the Security Operations Center (SOC), support department, and any other relevant teams. This allows these departments to prepare themselves and avoid unnecessary panic or confusion during the simulation.

Payload

There is some widely used terms in AST that we will cover here. We start with the term "payload" refers to the link or attachment in a simulated phishing email that is presented to users. While the feature provides pre-built payloads that use various social engineering techniques, it is possible to create customized payloads that are better suited to your organization's unique requirements. 

This is how to create a payload in the MDO Attack Simulation Training:
Click on the Create a payload icon to start the new payload wizard, select payload type and choose the appropriate technique for your payload.

​On the Configure payload page, customize the settings based on the technique you choose. This includes the sender details, attachment details (if applicable), phishing link, and common settings for all techniques such as suitable customized theme and type that fits your organization. You build the payload theme and type with html and css code. You can see a default payload example brought by AST itself on the next image. Because the default payloads tend to be of poor quality, creating your own customized payload is highly recommended.

Landing page

Landing pages are the web pages users see when they click the payload in a simulation. Landing pages are available in the Content Library, the Global tab has built-in landing page templates, while the Tenant tab has custom landing pages created by users.
​
When creating a landing page you can build it with html and css using a code editor and there is implemented dynamic tags that allow you to insert user and payload details in the landing page but also provide information about the simulation and end-user training. See the green mark in the image below for a dynamic tag example. This dynamic tag will show the payload that is used in the simulation.

End-user notifications

​The different end-user notifications that can be used is Simulation notifications that are a type of notification that informs the user that they were participating in a phishing simulation. Positive reinforcement notifications are intended to inform and reward users for successfully reporting a phishing email. These notifications, which can take the form of badges or congratulatory messages and are aimed at motivating users to keep engaging in the simulations. There is also Training assignment and Training reminder notifications that are two types of end-user notifications used to encourage and remind users to participate in the training courses.

​Start the Create new end-user notification wizard. On the Define details page, you can configure the Select notification type, Name, and Description settings. When creating the notification, it’s the same way as with payload and landing page, you use html and css. 

In conclusion, Attack simulation training is a crucial component of any organization's security solutions. It enables organizations to identify risky users and potential flaws in their processes, while also educating employees on how to recognize and respond to real-life attacks. Ultimately, investing in Attack simulation training can save organizations both time and money in the long run, while also ensuring the safety and security of their valuable data and assets.