Posey's Tips & Tricks
Strategies for Using Microsoft's Attack Simulation Training
Make sure your organizational phishing test doesn't fail before getting in the hands of end users.
End users represent the single biggest threat to your organization's IT resources. No matter how much you might harden your systems, a security incident is never more than a single click away when end users constantly receive phishing messages trying to trick them.
One of the best tools for preventing users from falling for email-based phishing attacks is Microsoft's Phishing Attack Simulator, which is included with Microsoft 365 E5 subscriptions. For those who might be unfamiliar with this tool, it allows you to send realistic-looking but harmless phishing messages to your end users. That way, you can train your users not to click on links or attachments that are embedded in sketchy email messages.
Although the Attack Simulation tool is relatively intuitive, its overall effectiveness largely stems from how you use it. That being the case, I wanted to share with you some of my recommended best practices for working with this tool.
Make Sure that Users Will Actually Receive the Messages
Depending on what mail filtering tools your organization is using, it is entirely possible that the fake phishing messages that you generate will never actually reach your users. As such, it's worth your time to do a bit of testing prior to launching an attack simulation campaign. The Attack Simulation Training tool's Overview tab contains an option to launch an instant simulation. By doing so, you can send fake phishing messages to yourself or to a small group of people who can help you to test the tool to make sure that it is working properly.
When testing to make sure that a simulated attack is working properly, there are three main things that you need to be on the lookout for. First, make sure that the fake phishing messages are actually being delivered to the recipient's Inbox and that none of your filtering mechanisms are blocking the messages. Second, it's important to verify that the fake phishing messages are being displayed properly when opened. It doesn't happen often, but I have heard some unconfirmed stories of certain mail clients not rendering the messages properly. Finally, make sure that when you click on a link within the fake phishing message, the link isn't being blocked by your security mechanisms.
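The first of those three checks (was the test message delivered, or did a filter catch it?) can be verified from the Exchange Online message trace rather than by asking each tester to look in their mailbox. The following PowerShell function is an added example and not part of the column or of Microsoft's tool; it assumes the ExchangeOnlineManagement module is installed, that you have already run Connect-ExchangeOnline, and that the recipient addresses and subject line are placeholders for your own instant simulation.

```powershell
# Added example: after launching an instant simulation, look up each test
# recipient in the Exchange Online message trace and report whether the
# simulated phish was Delivered or was caught by a filter.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline
# already run with an account that can read message traces.
function Test-SimulationDelivery {
    param(
        [Parameter(Mandatory)] [string[]] $Recipients,   # testers who received the instant simulation
        [Parameter(Mandatory)] [string]   $Subject,      # exact subject line of the simulation payload
        [int] $LookbackHours = 2                         # how far back to search the trace
    )
    $end   = Get-Date
    $start = $end.AddHours(-$LookbackHours)

    foreach ($rcpt in $Recipients) {
        # One trace row per recipient/message pair; Status is Delivered,
        # FilteredAsSpam, Quarantined, Failed, Pending, etc.
        $trace = Get-MessageTrace -RecipientAddress $rcpt -StartDate $start -EndDate $end -PageSize 1000 |
                 Where-Object { $_.Subject -eq $Subject } |
                 Sort-Object Received -Descending |
                 Select-Object -First 1

        if (-not $trace) {
            [pscustomobject]@{ Recipient = $rcpt; Status = 'NotFound'
                               Note = 'No trace entry: message never reached Exchange Online (check connectors / upstream gateway)' }
            continue
        }
        $note = switch ($trace.Status) {
            # Delivered means accepted into the mailbox; it can still land in Junk,
            # so the tester should confirm it is in the Inbox.
            'Delivered'      { 'Accepted by mailbox; confirm it is in the Inbox, not Junk' }
            'FilteredAsSpam' { 'Caught by anti-spam filtering; review your spam / advanced delivery settings' }
            'Quarantined'    { 'Held by a threat policy; review the quarantine' }
            'Pending'        { 'Still in transit; re-run shortly' }
            default          { "Unexpected status; run Get-MessageTraceDetail -MessageTraceId $($trace.MessageTraceId) -RecipientAddress $rcpt" }
        }
        [pscustomobject]@{ Recipient = $rcpt; Status = $trace.Status; Note = $note }
    }
}

# Usage: placeholder testers and subject; anything other than Delivered needs attention.
Test-SimulationDelivery -Recipients 'tester1@contoso.example','tester2@contoso.example' `
                        -Subject 'Action required: password expiry' | Format-Table -AutoSize
```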
Consider Who Should Receive the Fake Phishing Messages
Another thing that is worth considering is who you will send the fake phishing messages to. A phishing campaign can only be directed to up to 40,000 users. This means that in larger organizations, directing an attack simulation at the entire company won't be an option. Your other options are to direct an attack at specific users, direct an attack at a list of users (the list must be in CSV format) or to direct the attack against a specific Azure AD group.
Make Your Attacks Varied, Frequent, and Consequential
Once you have verified that the Attack Simulation tool is working properly and you have decided where you want to direct a simulated attack, your next consideration should be the attack frequency. Remember, your goal is not to see who clicks on a potentially malicious link, but rather to train users not to click suspicious links. Training requires repetition, so an attack simulation is not one of those things that you should do just once. It's best to launch simulated attacks several times a week, if not even more frequently.
It's equally important to vary the attack. If you use the same simulated phishing message every time, then your users will learn to just ignore that one message. Your simulated phishing attacks will be most effective if users never know what to expect.
Likewise, there must be consequences for a user who clicks on a link within a simulated phishing message. I'm not talking about hauling the user off to HR for termination or disciplinary action, but rather automatically enrolling the user in mandatory training (which is provided by the tool). If a user knows that they are going to have to sit through a boring training session every time they get caught clicking something that they shouldn't, then the user is going to be a lot more careful about what they click on.
One More Thing
Microsoft 365 provides numerous fake phishing messages that you can use in your simulated attacks. However, I recommend that you also create some of your own. Most of the fake phishing messages that Microsoft provides contain telltale signs of a fake message such as misspellings, poor grammar or implausible requests. Those messages accurately mimic the types of messages that users might encounter in the real world. However, that is changing. Generative AI technologies such as ChatGPT and others are making it easy for attackers to compose phishing messages that seem far more legitimate. As such, you may need to create some more authentic-looking phishing messages of your own as a way of preparing your users for AI-generated, next-level phishing attacks.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.