
Attack Simulation Training - Microsoft Defender for Office 365 (MDO)

A Practical Walkthrough of Simulated Phishing and Behavioural Training in Microsoft Defender for Office 365 (MDO).


Overview.

Attack Simulation Training is a feature of Microsoft Defender for Office 365 (available with a Defender for Office Plan 2 license) that.


Launching An Attack Simulation.

Prerequisites.

  • Microsoft Defender for Office 365 (MDO) Plan 2 license.

To launch a simulated phishing attack, perform the following steps:

  1. Navigate to the Microsoft Defender portal → Email & collaboration → Attack simulation training → Simulations.

  2. Select Launch a simulation.

  3. Choose the technique you’d like to use.

The available options are:

  • Credential harvest.

  • Malware Attachment.

  • Link in Attachment.

  • Link to Malware.

  • Drive-by URL.

  • OAuth Consent Grant.

  • How-to Guide.

In this example, I am going to use the technique Malware Attachment. With this technique, a malicious actor sends a message with an attachment added to it. When the target opens the attachment, code such as a macro typically executes, helping the attacker install additional code on the target's device or entrench themselves further.

MITRE Reference: Phishing: Spearphishing Attachment, Sub-technique T1566.001 - Enterprise | MITRE ATT&CK®

Once you have chosen the technique you’d like to use:

  1. Enter a simulation name. In this example, I will name it AST_AllUsers_MalwareAttachment.

  2. Enter a description (optional).

  3. Select Next.

  4. Choose the payload name. I will use DocuSign Shared Document, which has a compromise rate of 27.23%, but it’s recommended that you choose a payload that you believe will have the highest compromise rate.

  5. Send a test email (recommended). Selecting this option saves the simulation and sends the selected payload to the currently logged-in user so that you can validate its formatting. The test message is not included in any simulation reporting and does not work as part of an end-to-end simulation scenario.

  6. Select Next.

  7. On the “Target users” blade, add existing users and groups or import a list of email addresses. In this example, I will only select my own user object.

  8. Select Next.

  9. Choose whether you’d like to exclude users or groups from this campaign, and select Next.

  10. Select training preferences, assignment, and customise a landing page for this simulation. In this example, I will use Assign training for me (Recommended), and 30 days after Simulation ends as the training due date.

  11. Select Next.

  12. Choose a Phish landing page. A landing page provides a learning moment to the user after they have been phished. In this example, I will use Microsoft Landing Page Template 4, which looks like the following:

  13. Choose Next.

  14. Select end user notification preferences for this campaign. I will use Microsoft default notifications (recommended), but you may wish to either not deliver notifications or use custom end user notifications. In this example, I will set the delivery preference to Deliver during simulation; however, it may be more appropriate to deliver this notification after the simulation has completed, as doing so reduces the likelihood of users alerting one another while it is in progress. I will also set the training reminder notification to Twice a week.

  15. Select Next.

  16. On the “Launch details” blade, specify when the simulation should start and whether the payloads should be removed from user inboxes. You can schedule the launch up to a maximum of 14 days in advance, and set the simulation to end after any period between 2 and 30 days. In this example, I will Launch this simulation as soon as I’m done, and configure the simulation to end after 21 days.

  17. Specify whether you’d like to enable Region aware timezone delivery.

Region aware delivery uses the mailbox time zone of each targeted user to decide when the message should be delivered. Delivery can vary by about one hour either side depending on the user’s time zone.

For example:

At 07:00 GMT, an administrator creates and schedules a campaign to start at 09:00 GMT on the same day.
User A’s mailbox is set to UTC+3.
User B’s mailbox is set to GMT (UTC+0).

At 09:00 GMT, the simulation message is delivered to User B. With region aware delivery enabled, the message is not sent to User A at this time, because 09:00 GMT is 12:00 in User A’s time zone. Instead, the message is sent to User A at 09:00 in their own time zone on the following day.

This means the campaign may initially look as if it has only delivered to users in one region. As time progresses and users in other time zones reach the scheduled delivery time, the number of users to whom the message has been delivered increases.

If region aware delivery is disabled, the campaign follows the organiser’s time zone and all users receive the message at the same GMT time.

  18. Select Next.

  19. Finally, review your simulation information before you launch it. If you followed along with me, your simulation review should look like the below:

Delivery Platform
Email

Technique
Malware Attachment

Name
AST_AllUsers_MalwareAttachment

Payloads
DocuSign Shared Document

Target Users
1 targeted users or groups
0 users or groups excluded

  20. Select Submit.

  21. Next, go to Attack simulation training overview, or View all payloads.
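The region aware delivery behaviour described in the steps above, modelled as an added Python example (this is not code from the page or from Microsoft). The rule that a user whose local start time has already passed receives the message on the following day is inferred from the User A / User B example in the text, the roughly one-hour variance is ignored, and the date, user names and the extra UTC-5 user are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed scenario from the text: the administrator works in GMT and schedules
# the campaign to start at 09:00 GMT. The date and the user names are assumed.
SCHEDULED_START = datetime(2025, 12, 1, 9, 0, tzinfo=timezone.utc)
MAILBOX_TZ = {
    "UserA": timezone(timedelta(hours=3)),   # UTC+3, as in the text
    "UserB": timezone.utc,                   # GMT (UTC+0), as in the text
    "UserC": timezone(timedelta(hours=-5)),  # UTC-5, added to show the other direction
}


def region_aware_delivery(scheduled: datetime, mailbox_tz: timezone) -> datetime:
    """UTC instant at which one user receives the message with region aware delivery on.

    Model (inferred from the example in the text, not Microsoft's published algorithm):
    the scheduled wall-clock time is kept but applied in the user's mailbox time zone;
    if that local moment has already passed when the campaign starts, delivery moves to
    the same local time on the following day. The ~1 hour variance is ignored.
    """
    if scheduled.tzinfo is None:
        raise ValueError("scheduled must be timezone-aware (the organiser's zone)")
    local = scheduled.replace(tzinfo=mailbox_tz)  # same wall clock, user's zone
    if local < scheduled:                         # e.g. 09:00 UTC+3 is 06:00 GMT: already gone
        local += timedelta(days=1)
    return local.astimezone(timezone.utc)


def delivery_schedule(scheduled: datetime, mailboxes: dict, region_aware: bool = True) -> dict:
    """Per-user UTC delivery time. With region aware delivery off, everyone gets the organiser's time."""
    if not region_aware:
        return {user: scheduled.astimezone(timezone.utc) for user in mailboxes}
    return {user: region_aware_delivery(scheduled, tz) for user, tz in mailboxes.items()}


def delivered_by(schedule: dict, at: datetime) -> list:
    """Users whose message has already gone out at `at`: this is why the campaign
    first looks as if it only reached one region."""
    return sorted(user for user, when in schedule.items() if when <= at)


if __name__ == "__main__":
    plan = delivery_schedule(SCHEDULED_START, MAILBOX_TZ)
    for user, when in plan.items():
        local = when.astimezone(MAILBOX_TZ[user]).strftime("%d/%m %H:%M")
        print(f"{user}: {when.isoformat()} (local {local})")
    one_hour_in = SCHEDULED_START + timedelta(hours=1)
    print("delivered one hour after start:", delivered_by(plan, one_hour_in))
```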

Note: this simulation launched almost instantly. I scheduled the simulation at 18:33:34 and received the email in my inbox at 18:35:00, from the sender notificationsrelyadmin@bankmenia.org (DocuSign Info).

The Result:


Attack Simulation Training.

Attack Simulation Training helps you assess phishing risk, train users, and evaluate their progress through an intelligent phishing risk reduction tool.

Security training modules are best-in-class content made available by Microsoft to train your staff on the security and compliance requirements of your organisation, and to improve how they behave when faced with common attacks and the rules they are expected to follow.

Training campaigns can be run to train your employees on topics including security, compliance, privacy, or social engineering risks.

To create a training campaign:

  1. Navigate to the Microsoft Defender portal → Email & collaboration → Attack simulation training → Training.

  2. Select Create new.

  3. Enter a training name. In this example, I will name it AST_AllUsers_AllTraining.

  4. Enter a description (optional).

  5. Select Next.

  6. Add existing users and groups or import a list of email addresses.

  7. Select Next.

  8. Choose users or groups to be excluded from this campaign.

  9. Select Next.

  10. Select training modules.

Below is the list of all available training modules that you can use in a training campaign or a simulation:

Social Engineering and Phishing.

  • Social engineering via email

  • Insider Threats

  • Identity theft – Example of an attack

  • Real or not real? How deep is the fake?

  • Computer Compromise

  • C-Level email impersonation

  • AI: Helpful tool or threat?

  • Credential Theft

  • Browser-in-the-browser attack

  • Application account compromise

  • Unintentional Insider Threat

  • Sharing an organisation’s computer

  • Risky USB

  • Phishing by Phone

  • Handling Unidentified Individuals

  • Friend or Foe?

  • Working Remotely

  • Travelling Securely

  • The Clean Desk Principle

  • Mobile Devices

  • Secure sharing of sensitive information

  • Spear Phishing

  • Mass-marketing phishing

  • Business Email Compromise (BEC)

  • Phishing websites

  • How to report suspicious messages

  • Spoofing: how to avoid falling victim

Malware, Ransomware and Technical Threats.

  • Ransomware

  • Malicious Software

  • Cyber Fraud

  • Cyber Attack Detection

  • Malicious digital QR codes

  • Malicious printed QR codes

  • Risks associated with file transfer

Data Protection, Privacy and Compliance.

  • Privacy Awareness

  • GDPR Essentials

  • CCPA Essentials

  • Personally Identifiable Information (PII)

  • Protected Health Information (PHI)

  • HIPAA/HITECH

  • Protecting your information from Wi-Fi security risks

  • Protecting Sensitive Information – Information Handling

  • Preventing Security Breaches

  • Countering Misinformation

  • Identity Theft

  • Financial Data Exposure

  • Employee Data Breach

  • Importance of Security Culture in the Organisation

  • Personal Information Protection and Electronic Documents Act

  • PCI DSS for Call Centres

  • PCI DSS for Retailers

  • PCI DSS Awareness

  • AI risks and best practices

  • Access Control (Control de acceso)

  • Understanding app consent requests

  • OAuth Consent Grant

Physical Security and Behavioural Security.

  • How to be security aware

  • Applying the Clean Desk Principle

  • Access Control

  • Responsible Use of the Internet

  • Protecting Payment Card Data

  • Physical Security

  • Smartphones

  • Intellectual Property

  • Information Lifecycle

  • Information Classification

  • Incident Reporting

Cloud, Internet and IT Usage.

  • Cloud Services

  • Cloud Computing

  • Bring Your Own Device (BYOD)

  • Open Wi-Fi Risks

  • Open Web Application Security Project (OWASP) Top 10

Other Awareness Topics.

  • Privacy

  • Passwords

  11. Select Next.

  12. Select end user notification preferences for this campaign. This can be either Microsoft curated end-user notifications (recommended) or customised end-user notifications. In this example, I will choose Microsoft default notification (recommended), and I will also set the delivery preference of the Microsoft default training only campaign-training reminder notification to Twice a week.

  13. Select Next.

  14. Select the launch and end date and time for your training campaign. You can schedule it up to 14 days in advance, and the end date can be set up to 30 days after the launch date. In this example, I will launch the training as soon as I’m done, and end the campaign 30 days later.

  15. Select Next.

  16. Review your training campaign information before you launch it.

For example:

Name
AST_AllUsers_AllTraining

Description

Selected users
1 users selected

Training Campaign Content
108 trainings
910 mins 0 sec total duration

Introduction to Information Security
Business Email Compromise
Email
Identity Theft
Malware
Phishing
Ransomware
Social Engineering
Anatomy of a Spear Phishing Attack
Phishing websites
Ransomware
...

Schedule campaign
Scheduled to launch after submission
Scheduled to end on 15/12/2025, 20:00:00

  17. Select Submit.

End users can select Go to training from within the email to start their training.


Third Party Phishing Simulations.

Phishing simulations are attacks orchestrated by your security team and used for training and learning. Simulations can help identify vulnerable users and lessen the impact of malicious attacks on your organisation.

Third-party phishing simulations require at least one Sending domain entry [source domain or DKIM] AND at least one Sending IP entry to ensure message delivery. URLs present in the email message body will also be automatically allowed at time of click as a part of this phishing simulation system allow.

Note: The Simulation URLs to allow field is optional and available for non-email based phishing simulation campaign scenarios. Specifying URLs in this field ensures that these URLs aren't blocked at time of click for phishing simulation scenarios that use Microsoft Teams and Office apps (Word, Excel, etc).

To configure the advanced delivery of IP addresses, sender domains and URLs that are used as part of your third-party phishing simulation:

  • Navigate to the Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Advanced delivery → Phishing simulation.

Final Thoughts On Attack Simulation Training Within Microsoft Defender for Office 365 (MDO).

The training component within Microsoft Defender for Office 365 is one of the strongest elements of the platform. The content is clear, structured and delivered at an appropriate pace, which makes it suitable for a broad range of end users.

The videos are concise, focused on real behaviours, and avoid unnecessary detail while still offering technically accurate guidance. They reinforce the essential principles of identifying suspicious messages, reporting them correctly and understanding how common attack techniques work in practice.

End users cannot skip ahead or jump past sections they have not viewed. They may pause and rewind, but they can only return to points they have already watched.

For organisations seeking measurable improvements in user behaviour, this structured delivery model aligns well with security awareness best practice recommended by Microsoft and the National Cyber Security Centre.

Overall, the training within MDO complements attack simulations effectively. It reinforces learning rather than relying solely on pass or fail outcomes, and it encourages users to understand the reasoning behind safe email handling rather than memorising steps. When used consistently, it provides a measurable uplift in user readiness and reduces the likelihood of successful social engineering attacks.

If your organisation uses Microsoft 365 heavily and has Defender for Office 365 Plan 2 available, I would highly recommend giving Attack Simulation Training a try!


References.

Simulate a phishing attack with Attack simulation training - Microsoft Defender for Office 365 | Microsoft Learn

Landing pages in Attack simulation training - Microsoft Defender for Office 365 | Microsoft Learn

Attack Simulation Training With Microsoft | YouTube

Training campaigns in Attack simulation training - Microsoft Defender for Office 365 | Microsoft Learn
Refer to this if you’d like to assign training to users without putting them through a simulation.

Get started using Attack simulation training - Microsoft Defender for Office 365 | Microsoft Learn
Refer to this for creating training campaigns.

Configure the advanced delivery policy for non-Microsoft phishing simulations and email delivery to SecOps mailboxes - Microsoft Defender for Office 365 | Microsoft Learn