Lab4 Microsoft Defender For Office 365 - Attack Simulator
During Microsoft Ignite 2020 we announced Microsoft Defender for Office 365, the new name for
Office 365 Advanced Threat Protection. Read more about this and other updates here.
In this lab you will experience the Attack Simulator in the Microsoft 365 Security Center. You will run
realistic attack scenarios in the demo tenant you have created. These simulated attacks can help you
identify and find vulnerable users before a real attack impacts a customer and their business.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator?view=o365-worldwide
Lab Parts
This lab contains three activities, as shown below:
• Pre-requisites
• Part 1 – Create Attack Simulations
• Part 2 – User Experience
• Part 3 – Review Simulation Dashboard
Pre-requisites
Step 1 – Create Demo Tenant
Before you start you should have completed the “Getting started with Labs” guide. If you have not
completed this, you will not be able to do this lab. The guide can be downloaded from
https://aka.ms/secpractice-labs.
Each tenant can take up to 24 hours to provision so it’s important that you complete this prior to when
the labs are to be run.
NB – If you already created your demo tenant as part of the Identity Labs you DO NOT need to do this
again.
In this task, you will create a Microsoft 365 user account for yourself, and assign your account the
Microsoft 365 Global Administrator role, which gives you the ability to perform all administrative
functions within Microsoft 365.
Important: As a best practice in your real-world deployments, you should always write down the
first global admin account’s credentials (in this lab, the MOD Administrator) and store it away for
security reasons. This account is a non-personalized identity that owns the highest privileges possible
in a tenant. It is not MFA activated (because it is not personalized) and the password for this account
is typically shared among several users. Therefore, this first global admin is a perfect target for attacks,
so it is recommended to create personalized service admins and keep as few global admins as possible.
For those global admins that you do create, they should each be mapped to a single identity, and they
should each have MFA enforced.
IMPORTANT: To the right of the Username field is the domain field. Select
the M365xZZZZZZ.onmicrosoft.com cloud domain.
Please note, at the time of writing the new Attack Simulator is in Preview and therefore you may
experience some bugs as we embark on this journey. Thank you for your understanding.
Part 1 – Create Attack Simulations
on your machine.
2. Navigate to https://security.microsoft.com/homepage
3. Sign in with the Global Admin account that you created in the Pre-requisites.
4. From the security center homepage, navigate to Attack Simulator in the left-hand menu.
5. You will arrive at the Overview page – from here you can view details of any recent
simulations and recommendations.
8. Click Next. Provide a Simulation Name, e.g. Lab1 Attack. Click Next.
9. On the Select payload screen you have some pre-prepared payloads to choose from;
alternatively, you can create custom payloads which can be added to the list. The ability to
create custom payloads creates a good opportunity to work with customers, providing an
offering that builds custom simulation payloads to help educate their users.
10. Select Real estate title settlement and notice the Predicted Compromise Rate shown for each option.
From here you can also see a count of previous simulations launched for each payload type.
Click Next.
11. For this lab we will target all users – select Include all users in my organisation. You will see
that this has also picked up the Conf Room accounts – we can remove these quickly by
typing Conf in the search box to filter the list, then deleting the Conf Room user accounts
from the list.
12. Click Next at the bottom of the page to continue.
13. The next screen allows you to assign training courses and modules based on users'
previous simulation and training results.
14. Select Assign training for me (recommended) and click Next.
15. On the next screen you can review what the user will see if they are caught by the
simulation.
16. You can customise the Header and Body content if you wish or leave them as default. Click Next.
17. Click on the Preview Page to preview the Training Landing Page.
18. Click Next when done.
19. On the Launch Details page – leave as default and click Next.
20. On the Review Simulation page click Submit to begin the Simulation. The simulation is now
submitted and takes a few minutes to process.
Part 2 – User Experience
1. Close any previous InPrivate or Incognito browser windows left open from the previous part,
to avoid any authentication issues.
on your machine.
3. Navigate to the Office Portal.
4. Sign in as [email protected] – replace XXXXXX with your tenant id.
5. Use the password provided when you created the tenant.
6. If you have lost this password, log in to AAD as Global Administrator and reset the
password, or use SSPR if you completed the previous Identity labs.
7. Close any popups that present themselves and arrive at the Office 365 Portal landing page.
9. Outlook will now open in a new tab – close any Welcome popups if they present themselves.
10. In the inbox you will see two new recent emails – these are our two simulated payloads.
11. The first to arrive was the malicious attachment from Leah Stephens – open this now.
12. Proceed to open the document attached to the email to trigger the attack.
13. Once you open the document you will be shown the Training Landing page we created,
which advises the user that they have just been phished!
14. Close the email and proceed to open the other email.
15. If you cannot read French, click on the ellipsis (…) within the email and navigate to
View -> Translate.
16. Now that you can read the email, proceed to open the Docusign link within the body of the
email to trigger the attack simulation.
17. The link will trigger a file download – once complete, open the downloaded document.
18. Just as before you will arrive at the Training landing page advising that you have been
phished again.
Please take the time to review the payload contents and think about their authenticity and the
likelihood of end users being phished in this way in real-world scenarios.
In the simulation portal it advised that the two example payloads we used here had a 40%
chance of successfully compromising the end user – do you agree?
Part 2 – Complete.
Part 3 – Review Simulation Dashboard
1. Close any previous InPrivate or Incognito browser windows left open from the previous part,
to avoid any authentication issues.
on your machine.
3. Navigate to https://security.microsoft.com/homepage
4. Sign in with the Global Admin account that you created in the Pre-requisites.
5. From the security center homepage, navigate to Attack Simulator in the left-hand menu.
6. You will arrive at the Overview page – from here you can view details of any recent
simulations and recommendations.
7. On the overview page you will see some information based on what has run so far.
8. Click on View all simulations to see a summary of your two simulations.
9. Click on a simulation to view more detailed information about the attack. There may be
a time delay (up to 10 mins) before Megan Bowen appears as clicked in the report.
10. From here you can see the number of users that were compromised, i.e. how many clicked
the link and how many actually opened the attachment. You can click on View users to
see which users received the email and which were compromised.
11. We also provide recommended Improvement Actions connected to Secure Score.
12. From the user coverage page, you can review users that have been compromised by
simulated attacks.
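The dashboard figures reviewed in this part (delivered, clicked, attachment opened, compromised, and the predicted 40% compromise rate from Part 1) can be recomputed from an export of the per-user simulation events, which is useful when comparing many simulations or feeding the results into a training plan. The script below is an added example written for this lab, not Microsoft's code: the CSV layout, the event names (delivered, link_clicked, attachment_opened) and the user and simulation names other than Megan Bowen's account are constructed for illustration, so a real portal or Graph export must be mapped onto these columns first. It also reproduces the ingestion lag the lab mentions by letting you ask "what did the report show as of a given time".

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: one row per (simulation, user, event). The column
# and event names are this example's own conventions, not the portal's export
# schema; map a genuine export onto them before loading it.
SAMPLE_EXPORT = """\
simulation,user,event,timestamp
Lab1 Attack,MeganB,delivered,2020-10-05T09:00:00Z
Lab1 Attack,MeganB,attachment_opened,2020-10-05T09:12:00Z
Lab1 Attack,UserA,delivered,2020-10-05T09:00:00Z
Lab1 Attack,UserB,delivered,2020-10-05T09:00:00Z
Lab1 Attack,UserB,attachment_opened,2020-10-05T09:20:00Z
Lab1 Attack,UserC,delivered,2020-10-05T09:00:00Z
Lab1 Attack,UserD,delivered,2020-10-05T09:00:00Z
Lab2 Attack,MeganB,delivered,2020-10-05T09:05:00Z
Lab2 Attack,MeganB,link_clicked,2020-10-05T09:14:00Z
Lab2 Attack,MeganB,attachment_opened,2020-10-05T09:15:00Z
Lab2 Attack,UserA,delivered,2020-10-05T09:05:00Z
Lab2 Attack,UserB,delivered,2020-10-05T09:05:00Z
Lab2 Attack,UserB,link_clicked,2020-10-05T09:40:00Z
Lab2 Attack,UserC,delivered,2020-10-05T09:05:00Z
Lab2 Attack,UserC,link_clicked,2020-10-05T09:50:00Z
Lab2 Attack,UserD,delivered,2020-10-05T09:05:00Z
"""

# Clicking the link or opening the attachment both count as a compromise,
# matching how the lab's landing page is triggered for either payload.
COMPROMISING_EVENTS = {"link_clicked", "attachment_opened"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text, as_of=None):
    """Return {simulation: {user: set(events)}}.

    Events later than `as_of` are ignored, which mimics the dashboard lag the
    lab describes: a click that has happened but not yet been ingested is
    simply absent from the report you are looking at.
    """
    cutoff = parse_ts(as_of) if as_of else None
    by_sim = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        if cutoff is not None and parse_ts(row["timestamp"]) > cutoff:
            continue
        by_sim[row["simulation"]][row["user"]].add(row["event"])
    return by_sim


def summarise(by_sim, predicted_rate):
    """Compute the per-simulation counts the dashboard shows and compare the
    observed compromise rate with the payload's predicted rate (0.40 in the lab)."""
    summary = {}
    for sim, users in by_sim.items():
        delivered = {u for u, ev in users.items() if "delivered" in ev}
        clicked = {u for u, ev in users.items() if "link_clicked" in ev}
        opened = {u for u, ev in users.items() if "attachment_opened" in ev}
        compromised = {u for u, ev in users.items() if ev & COMPROMISING_EVENTS}
        rate = len(compromised) / len(delivered) if delivered else 0.0
        summary[sim] = {
            "delivered": len(delivered),
            "clicked": len(clicked),
            "opened": len(opened),
            "compromised": sorted(compromised),
            "compromise_rate": round(rate, 3),
            "above_predicted": rate > predicted_rate,
        }
    return summary


def repeat_offenders(by_sim):
    """Users compromised in more than one simulation: the first candidates for
    the training assignment step in Part 1."""
    hits = defaultdict(int)
    for users in by_sim.values():
        for user, events in users.items():
            if events & COMPROMISING_EVENTS:
                hits[user] += 1
    return sorted(user for user, count in hits.items() if count > 1)


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for sim, stats in summarise(events, predicted_rate=0.40).items():
        print(sim, stats)
    print("repeat offenders:", repeat_offenders(events))
    # The same report viewed ten minutes after launch shows no compromises yet.
    early = load_events(SAMPLE_EXPORT, as_of="2020-10-05T09:10:00Z")
    print("as of 09:10:", summarise(early, 0.40)["Lab1 Attack"]["compromised"])
```

With the constructed data both simulations deliver to five users; Lab1 Attack compromises two of them (exactly the predicted 40%), Lab2 Attack three (60%, above prediction), and Megan Bowen and UserB fall for both payloads, which is the list you would hand to the training step rather than the whole tenant.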
This completes the lab on Microsoft Defender for Office 365 Attack Simulator.
If you have more time, please explore the dashboard further or create further attacks using different
payload types.
Part 3 – Complete.
End lab
Thank you for taking the time to complete this lab, we hope you enjoyed it.