Running your first Simulated Office 365 Attack: Spear Phishing

By now you have probably heard about the Attack Simulator that is now available in Office 365. It was released a while back in preview and is now generally available. To use it, your tenant needs to be licensed for Office 365 Threat Intelligence: Attack Simulator is included in an E5 subscription, or the add-on can be purchased separately as needed.

To begin your first simulated attack, navigate to the Security and Compliance Center, expand Threat Management and then select Attack Simulator.

When you first access the service, a yellow notification bar with a Setup Now link is displayed. Click that link first, then wait a few hours for the setup to complete before trying to run any of the simulated attacks.

For this example, we will focus on the first attack method, Spear Phishing. A spear-phishing attack is a targeted attempt to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trusted entity. This simulated attack uses a link to a fake login page to try to harvest usernames and passwords. To learn more about the specific attack, click the link labeled Attack Details. This displays a page that explains the attack in more detail, together with a view of previously run simulations.

From either the previous screen or the detail page, click the Launch Attack button or link to start building an attack.

Attack simulations are called campaigns, and they can be saved and run again later. When launching an attack, a name is required first; it can be anything. There is also an option to start from an existing template: clicking Use Template displays the two available options, Prize Giveaway and Payroll Update.

The templates give you a starting point for the attack. You do not need to use them; you can craft your own campaigns from scratch. For this campaign, I named it Spear-phishing Demo Campaign and did not choose a template. Next, select the users you wish to target with the crafted emails, then press Next. You can now set all the properties of the crafted email:

These fields are free text, so you need to know what you want the message to say. The most important setting here is the Phishing Login Server URL, the fake login page that the link in the email will point to; you select it from a list of predetermined URLs provided by the service.

If you selected one of the templates, such as Payroll Update, this screen is pre-populated for you.

Once you have either selected a template or completed the details yourself, you can craft the email body as needed.

This shows you what the email will look like when it is sent to the user or users you selected during the setup of the campaign. Once you are happy with it, press Next, then Finish. When the campaign has been created, you are redirected to the details page, where you may need to use the refresh button to update the history section. Once it refreshes, it shows the campaign history so far.

The email will have been sent and will now be sitting in the recipient's mailbox, ready for them to click.

The final email is displayed to the recipient exactly as in the preview you saw while configuring the campaign.

To simulate the full attack, we now click the Update Your Account Details button as the end user. Depending on the browser, the user is either taken to the fake login page or stopped by the browser's built-in phishing protection. For example, performing this attack in Chrome displayed a very visible warning that the site may be deceptive.

Testing it with Edge, Internet Explorer and Firefox, they all returned the same type of warning. However, Internet Explorer initially loaded the sign-in page and only then redirected to the warning, before I could type anything.

If the browser does not show a warning, the end user is taken to a copy of the Office 365 login screen. Notice that in Edge the only clue is the address bar: the URL is not the real Office 365 sign-in address, and the indicator is small enough that an end user could easily miss it. The page itself looks just like the normal Office 365 login screen, so in reality few users would question whether the site is genuine.
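The only reliable tell in the scenario above is where the link actually lands, not what the page looks like. As an added example (not part of the original post, and not Microsoft's or the author's code), the script below extracts the links from an HTML message body and classifies each target host the way a trained user should: is it one of the hosts where Office 365 sign-in legitimately happens, or a lookalike? The allowlist of sign-in hosts, the brand tokens and the sample email body are constructed assumptions for illustration; the simulator's own predetermined phishing URLs are not reproduced here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts where Microsoft / Office 365 sign-in legitimately happens.
# Extend this with your own federation endpoint (for example your ADFS host).
LEGIT_SIGNIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand names that a credential-harvesting page is likely to borrow.
BRAND_TOKENS = ("microsoft", "office365")


def classify_signin_url(url: str) -> str:
    """Classify a link target as a place where it is safe to type O365 credentials."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if scheme not in ("http", "https") or not host:
        return "invalid"
    # http://login.microsoftonline.com@203.0.113.5/ : the real host is after the @
    if parts.username is not None:
        return "suspicious: credentials in URL"
    if scheme != "https":
        return "suspicious: not https"
    if host in LEGIT_SIGNIN_HOSTS:
        return "legitimate"
    # login.microsoftonline.com.payroll-update.example : legit name used as a subdomain
    for legit in LEGIT_SIGNIN_HOSTS:
        if host.startswith(legit + "."):
            return "suspicious: lookalike of " + legit
    # Internationalised domain names are a common vehicle for homoglyph lookalikes
    if "xn--" in host:
        return "suspicious: punycode host"
    if any(token in host.replace("-", "") for token in BRAND_TOKENS):
        return "suspicious: brand lookalike"
    return "unknown host"


class _LinkExtractor(HTMLParser):
    """Collect (link text, href) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def audit_email_links(html_body: str) -> list[tuple[str, str, str]]:
    """Return (link text, href, verdict) for every link in the message body."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    return [(text, href, classify_signin_url(href)) for text, href in parser.links]


# Constructed sample body in the style of the Payroll Update template (not the real one).
SAMPLE_EMAIL = """
<p>Your payroll details need to be confirmed before the next pay run.</p>
<p><a href="https://login.microsoftonline.com.payroll-update.example/auth">Update Your
Account Details</a></p>
<p>Questions? See <a href="https://www.example.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for text, href, verdict in audit_email_links(SAMPLE_EMAIL):
        print(f"{verdict:45} {text!r} -> {href}")
```

The checks run in the order a user is most often fooled: a username before an `@` in the URL, a plain-http page, then the real sign-in hostname used as a subdomain of someone else's domain, which is precisely what makes the simulated page look right at a glance. A verdict of "unknown host" is not an endorsement; it only means the link does not impersonate the sign-in brand.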

The end user then types in the credentials they use for Office 365. Once submitted, they are sent to a page that explains what just happened and that they should complete some training to help them avoid doing it again. This landing page can be a custom link that displays specific guidance provided by your Security and IT teams.

Navigating back to the attack simulation details page shows the result: the user clicked the link and submitted credentials.

This is a great tool, and the emails can be customized to seem even more realistic, with the added benefit that the whole exercise is controlled from your own tenant. If you have these services, I would recommend testing your end users regularly. This helps train them and, of course, improves security within your organization.

Liam Cleary

I began my career as a Trainer of all things computer related. However, I very quickly realized that programming, breaking, and hacking were a lot more fun. I then spent the next few years working on core infrastructure and security services, until I found SharePoint. I am now the founder and owner of SharePlicity, a consulting company that focuses on all areas of Technology. My role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes and of course security controls and protection. I am also an eleven-time Microsoft MVP focusing on Architecture but also cross the boundary into Development. My specialty over the past few years has been security in SharePoint and its surrounding platforms. I can also be found at user groups or conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet or building Lego robots.