News

Microsoft Adds Attachment Support to Office 365 Attack Simulator

• By Kurt Mackie
• 12/16/2019

Microsoft's Office 365 Attack Simulator tool now has the ability to include message attachments in targeted campaigns.

End users that click on these message attachments, which don't actually contain malware, will get a personalized message. The message tells them that they'll need to get "follow up training on security best practices" from their administrators -- the very people that sent the simulated attack, according to a Friday Microsoft announcement.

Another improvement in the Attack Simulator tool is the ability sort out phishing targets by "directory metadata," such as an employee's "title, city, and department." This improvement can be used to check on high-risk employees, such as people in the finance or HR departments.

"We encourage organizations to target high risk segments of their user population with more frequent simulations to further reduce your risk of getting phished," Microsoft's announcement advised.

The phish reports for IT pros, available after an attack campaign is carried out, also have enhancements. IT pros can now see "IP addresses and client data" in the reports and the actual phish message that was used in a campaign is now shown.

Attack Simulator in Office 365 was launched last year. It's accessed in the Office 365 Security and Compliance Center and requires having Office 365 Advanced Threat Protection Plan 2 licensing. The tool lets IT pros with Office 365 global administrator or security administrator credentials conduct simulated phishing attacks. The aim is to find end users that are prone to clicking on unsafe links in messages. Now their predilections for clicking on unsafe attachments can be tested, too.

The tool supports three kinds of simulated attacks at present, according to Microsoft's documentation:

• Display name spear-phishing attack
• Password-spray attack
• Brute-force password attack

In a Dec. 2 post, Microsoft cybersecurity officials described the effectiveness of so-called "spear phishing" attacks, which typically use the name of person high up in an organization to get recipients to take certain actions. Such attacks can effectively target human resources personnel involved with hiring as they typically interact with unknown outside parties responding to job ads, they noted. Attackers also try to pose using the name of an organization's CEO, or a high official, to get a response.

"Because these attacks are so focused, even tech-savvy executives and other senior managers have been duped into handing over money and sensitive files by a well-targeted email," they wrote.