Microsoft 365 Attack Simulation: A Complete Setup Guide

A complete step-by-step guide to Microsoft 365 Attack Simulation Training, covering setup, phishing payload selection, targeting, training assignments, reporting, and best practices to help organizations strengthen user awareness and reduce phishing risks.
Table of contents
Prerequisites and Requirements (Licensing, Roles & Initial Setup)
• Licensing Requirements
• Admin Roles & Permissions
• Enable Audit Logging
Step-by-Step: Setting Up an Attack Simulation in Microsoft 365
Monitoring the Simulation and Analyzing Results
User Experience: What Happens from the User’s Perspective
• The Phishing Email in Users’ Inboxes
• Reporting a Simulation Email
• Awareness Training Experience
Automating Recurring Simulations
Best Practices for Success
Why Trust Penthara Technologies for Microsoft 365 Attack Simulation Training?
Conclusion & Next Steps
Troubleshooting & FAQs

Most attacks don’t start with advanced malware.
They start with a simple email that looks trustworthy enough to click.

This is why phishing and social engineering remain the easiest ways into an organization. Even with strong defenses, one quick mistake can open the door.

Microsoft 365 Attack Simulation Training helps you test these threats safely. It recreates real attacks so you can see how users respond before a real one occurs.

These simulations matter because:

  • Most breaches come from human error, not system failures.
  • Users often trust emails that look familiar.
  • Real examples work better than theoretical training.

With simulations, you can catch risky behavior early, provide targeted training, and measure your organization’s readiness.

This guide gives you a clear, step-by-step setup process, along with best practices and common pitfalls to avoid - so you can run effective Microsoft 365 attack simulations with confidence.

Phishing Attack Sequence

Prerequisites and Requirements (Licensing, Roles & Initial Setup)

Before you set up attack simulations, it’s important to confirm that your environment has the right license, permissions, and settings enabled. Getting these prerequisites in place ensures that the feature appears in your tenant and that simulation results are captured correctly.

Licensing Requirements

Microsoft 365 Attack Simulation Training requires Microsoft Defender for Office 365 Plan 2.

It is included in:

  • Microsoft 365 E5
  • Office 365 E5
  • Microsoft 365 E5 Security
  • Defender for Office 365 Plan 2 (standalone license)

If your organization uses Microsoft 365 E3 or another plan without Plan 2, the Attack Simulation feature will not appear.

Important Tip: Admins can use the 90-day Defender for Office 365 Plan 2 trial to test all related capabilities if needed.

Licensing & Role Matrix

Admin Roles & Permissions

You also need the correct role to create or run simulations.
The following roles have the required access:

  • Global Administrator – full access
  • Security Administrator – full security access
  • Attack Simulation Administrator – can create and launch simulations
  • Attack Payload Author – can create payloads but cannot run campaigns

Using the dedicated Attack Simulation roles is recommended when you want to follow least-privilege access principles.

Enable Audit Logging

Unified Audit Logging must be turned on for simulation activity to appear in reports.
If audit logging is disabled, user actions - such as opening an email or clicking a link - will not be recorded.

To enable audit logging:

  1. Go to the Microsoft Purview compliance portal
  2. Open Audit
  3. Select Start recording user and admin activity

This ensures all simulation events and user responses are tracked correctly.

Step-by-Step: Setting up an Attack Simulation in Microsoft 365

Simulation Wizard Flow

  1. Access the Attack Simulation Dashboard
    1. Sign in to the Microsoft 365 Defender portal at https://security.microsoft.com.
    2. Go to Email & Collaboration → Attack Simulation Training → Simulations.
Microsoft Defender portal showing the “Simulations” tab highlighted.
    3. In Simulations, click “+ Launch a simulation”.
Attack simulation page with Launch simulation button highlighted

  2. Select a Social Engineering Technique

Choose an attack type:

  • Credential Harvest – Fake login page to capture credentials.
  • Malware Attachment – Email with a malicious file.
  • Link in Attachment – Phishing link inside a file.
  • Link to Malware – Link to a malicious download.
  • Drive-by URL – Redirects to a compromised website.
  • OAuth Consent Grant – Rogue app permission request.
  • How-to Guide – Training-only email.

Most phishing tests start with Credential Harvest.

Create simulation screen with multiple techniques available

  3. Name Your Simulation Campaign

Enter a simple, clear name such as: “CompanyWide Credential Harvest – Nov 2025”

Add a short description if needed.
This helps keep multiple campaigns organized.

Microsoft Defender page for naming a simulation with fields for Simulation Name and Description

  4. Select the Phishing Payload & Login Page

Choose the email template users will receive:

  • Browse Microsoft’s Global payloads
  • Preview templates
  • Send a test email to yourself
  • Create a custom payload if needed

If the technique involves credential entry, pick a matching login page.

Microsoft Defender page to select payload and login page for a simulation, showing a list of phishing templates.

  5. Define Target Users or Groups

Select who should receive the simulation:

  • Specific users
  • Microsoft 365 groups
  • Dynamic groups for role- or department-based targeting
  • Optional exclusions

Guest accounts are excluded automatically.

Microsoft Defender page to choose target users for a simulation, with options to include all users or specific groups.
Exclude users page showing a list of users to exclude from the simulation.

  6. Assign Training for Vulnerable Users (Optional)

Choose what happens if users fall for the simulation:

  • Assign training automatically (recommended)
  • Pick training modules manually
  • Redirect to a custom URL
  • No training

Set a training due date (7, 15, or 30 days).

Assign training page showing options for training content preference and due date.

  7. Customize the Phish Landing Page

Choose what users see after clicking:

  • Default landing page
  • Custom page or custom URL

Optionally enable payload indicators to highlight phishing clues users missed.

Select Phish landing page screen with options to choose landing page from the templates.

  8. Configure End-User Notifications

Decide whether users receive follow-up messages:

  • No notifications
  • Microsoft default notifications (recommended)
  • Custom notifications

You can delay kudos emails until after the campaign ends to avoid tipping off others.

Select end user notification page with options for Microsoft default notifications and delivery preferences highlighted.

  9. Schedule the Simulation Launch

Set:

  • Start time (now or scheduled)
  • Duration (1–30 days)
  • Region-aware delivery if available, so users receive emails during working hours

A 5–7 day window works well for most tests.

Launch details page with options to start the simulation immediately or schedule it later.

  10. Review and Launch

Check your settings, optionally send a test, then select Launch.
Your simulation will start immediately or at the scheduled time.

Review simulation page summarizing simulation details with Send a test option and Submit button highlighted.

Monitoring the Simulation and Analyzing Results

Launching a simulation is only step one.
Monitoring and interpreting the results is where the real value comes from.
Below are short, actionable steps to check progress and extract useful insights.

Real-Time Monitoring During the Campaign

How to view it:

  • Sign in to Microsoft 365 Defender → Attack Simulation Training → Simulations.
Attack simulation training screen displaying the Simulations tab along with a list of previously created simulations.
  • Click your running campaign to open its dashboard.

What you’ll see (updated near real-time):

  • Simulation impact - compromised vs reported counts.
  • All User activity - clicks, credential submissions, reports, deletes.
  • Delivery status - delivered, pending, or failed messages.
Simulation impact report showing compromised users, user activity, delivery status, and training completion metrics.

Tip: If no deliveries appear, pause and check filters/whitelists or scheduling.

Detailed Simulation Results & Reporting

After (or during) the run, open the simulation details and review:

  • Users tab - per-user actions and training status (who clicked, who submitted, who reported).
  • Details/Overview - payload used, start/end times, emails sent, delivery issues.
  • Key metrics to read:
    • Compromise rate - % who fell for it.
    • Report rate - % who reported the email.
    • Delivery issues - excluded or undelivered addresses.
    • Repeat offenders - users who fail multiple exercises.
Users tab of a simulation showing user details, compromise status, training progress, and an export option.

Tip: Export the Users list for follow-up and records.

Aggregated Insights Across Simulations

For ongoing programs, use the overview/reports to track trends:

  • Coverage - % of org tested.
  • Trend - compromise rate over time.
  • Training completion - percent finished after assignment.
  • Repeat offenders - who needs extra attention.
  • Top-level question: Are clicks going down and reports going up?

These aggregated views show whether awareness programs are working or need adjustment.

Interpreting Results & Next Steps

Make the data actionable:

  • High compromise rate: increase frequency of training, run targeted campaigns, and brief managers.
  • Low report rate: teach the reporting workflow and praise reporting champions.
  • Department spikes: run focused training for those teams.
  • Repeat offenders: schedule one-on-one coaching or mandatory training.
  • Celebrate wins: acknowledge improved report rates publicly.
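The metrics above (compromise rate, report rate, delivery issues, department spikes, repeat offenders, and the trend across campaigns) are easy to compute from the exported Users list. The script below is an added example, not part of the original post and not a Microsoft tool: it reads a constructed CSV whose column names (simulation, user, department, delivery_status, compromised, reported) are an assumption about the export's shape, so rename them to match your tenant's file. Rates use delivered messages as the denominator, since a user whose email never arrived had no chance to click or report.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a per-user export across two campaigns. The column
# names are an assumption about the Users-tab CSV; rename them to match the
# columns your tenant actually exports.
SAMPLE_EXPORT = """\
simulation,user,department,delivery_status,compromised,reported
Cred Harvest - Sep,alice@example.com,Finance,Delivered,True,False
Cred Harvest - Sep,bob@example.com,Finance,Delivered,False,True
Cred Harvest - Sep,carol@example.com,HR,Delivered,False,False
Cred Harvest - Sep,dave@example.com,Engineering,Failed,False,False
Cred Harvest - Sep,erin@example.com,Engineering,Delivered,True,False
Malware Attachment - Nov,alice@example.com,Finance,Delivered,True,False
Malware Attachment - Nov,bob@example.com,Finance,Delivered,False,True
Malware Attachment - Nov,carol@example.com,HR,Delivered,False,True
Malware Attachment - Nov,dave@example.com,Engineering,Delivered,False,False
Malware Attachment - Nov,erin@example.com,Engineering,Delivered,True,False
"""


def load_rows(text):
    """Parse the CSV export and turn the True/False columns into booleans."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["compromised"] = row["compromised"].strip().lower() == "true"
        row["reported"] = row["reported"].strip().lower() == "true"
    return rows


def simulation_metrics(rows, simulation):
    """Compromise rate, report rate and delivery issues for one campaign.

    Delivered messages are the denominator: a user whose mail was never
    delivered could not click or report, so counting them would understate
    the real compromise rate.
    """
    campaign = [r for r in rows if r["simulation"] == simulation]
    delivered = [r for r in campaign if r["delivery_status"] == "Delivered"]
    compromised = sum(1 for r in delivered if r["compromised"])
    reported = sum(1 for r in delivered if r["reported"])
    n = len(delivered)
    return {
        "targeted": len(campaign),
        "delivered": n,
        "compromised": compromised,
        "reported": reported,
        "compromise_rate": compromised / n if n else 0.0,
        "report_rate": reported / n if n else 0.0,
        # Addresses to check against allow-lists, licensing and mailbox status.
        "delivery_issues": sorted(
            r["user"] for r in campaign if r["delivery_status"] != "Delivered"
        ),
    }


def department_breakdown(rows, simulation):
    """Compromise rate per department for one campaign, to spot department spikes."""
    delivered = defaultdict(int)
    failed = defaultdict(int)
    for r in rows:
        if r["simulation"] != simulation or r["delivery_status"] != "Delivered":
            continue
        delivered[r["department"]] += 1
        if r["compromised"]:
            failed[r["department"]] += 1
    return {dept: failed[dept] / delivered[dept] for dept in delivered}


def repeat_offenders(rows, threshold=2):
    """Users compromised in at least `threshold` distinct campaigns."""
    fails = defaultdict(set)
    for r in rows:
        if r["compromised"]:
            fails[r["user"]].add(r["simulation"])
    return sorted(u for u, sims in fails.items() if len(sims) >= threshold)


def trend(rows, ordered_simulations):
    """(simulation, compromise_rate, report_rate) in campaign order:
    are clicks going down and reports going up?"""
    result = []
    for sim in ordered_simulations:
        m = simulation_metrics(rows, sim)
        result.append((sim, m["compromise_rate"], m["report_rate"]))
    return result


if __name__ == "__main__":
    data = load_rows(SAMPLE_EXPORT)
    for sim, comp, rep in trend(data, ["Cred Harvest - Sep", "Malware Attachment - Nov"]):
        print(f"{sim}: compromise {comp:.0%}, report {rep:.0%}")
    print("repeat offenders:", repeat_offenders(data, threshold=2))
    print("departments (Nov):", department_breakdown(data, "Malware Attachment - Nov"))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the repeat-offender threshold here mirrors the 2-or-3-failure setting discussed later in the post, and the department breakdown is the quickest way to decide where a focused follow-up campaign belongs.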

User Experience: What Happens from the User’s Perspective

A good phishing simulation isn’t just about admin settings.
It’s also about understanding what employees will see.
This helps you predict questions, support your users, and design simulations that feel realistic.

The video below demonstrates the end-user perspective of our cybersecurity phishing simulation - showing exactly how the simulated email appears, how a user might interact with it, and what happens when a user is marked as compromised during the test.

Video: user experience when opening a phishing training email

The Phishing Email in Users’ Inboxes

Users will receive an email based on the payload you selected.
It will look legitimate and often urgent - for example:

  • “You have 5 messages in quarantine - click to release.”
  • “Unread encrypted messages awaiting your action.”

The sender may look familiar or slightly altered (sometimes using look-alike domains).
When users interact:

  • If they click a link: they’re taken to the fake login page.
  • If they enter credentials: nothing harmful happens - the system simply records their action.
  • If they open a malicious attachment type: it simulates a malware scenario without performing any real action.

After failing the simulation, users are shown the landing page you configured.
This page explains that it was a simulation and teaches what clues they missed.

Important reassurance:
These emails are safe, do not infect devices, and do not capture actual passwords - only the behavior.

Sample Phishing Email

Reporting a Simulation Email

If a user recognizes the phishing attempt and uses the Report Phishing button in Outlook:

  • The system records it as a reported event.
  • They are not marked as compromised.
  • They will not receive training assignments for this campaign.
  • They may receive a “thank you for reporting” email if notifications are enabled.

Reporting is the best possible outcome, and it contributes to your organization’s awareness metrics.

Awareness Training Experience

If a user falls for the simulation and training was assigned:

  1. They receive an email with a link to their training module.
  2. Training usually includes a short video or interactive lesson on phishing awareness.
  3. After completion, their status updates automatically in the dashboard.
  4. If they don’t complete training, they’ll receive reminders based on the schedule you configured.

This training is lightweight but effective - helping users understand what happened and how to avoid similar threats in the future.

Automating Recurring Simulations

Manual simulations are useful, but long-term awareness requires consistency.
Microsoft Defender for Office 365 includes Simulation Automations, which automatically launch phishing simulations on a schedule - monthly, quarterly, or even randomly.

This keeps your program ongoing without constant admin effort.

To set it up:

  • Log in to the Microsoft 365 Defender portal.
  • Go to Email & Collaboration → Attack Simulation Training → Automations.
  • Select + Create automation.
Microsoft Defender page for Attack simulation training with Automations tab highlighted.
  • The remaining steps are the same as those covered earlier when launching a simulation.
  • The steps specific to automations are:
    1. Select the payloads you want to rotate.
Select payloads and login page of Automated Attack Simulation with 2 options: Manually Select and Randomize.
    2. Set up the schedule:
      • Randomized - sends campaigns at unpredictable times
      • Fixed - e.g., first Monday of every month
Simulation schedule window with two options: Randomized and Fixed.
    3. For the final step, select the days of the week on which simulations may start.
Schedule details page showing start date, end date and checkboxes for days of the week under Automation scoping.

Why use it:
Recurring simulations reinforce awareness, reduce predictability, and ensure every user - including new hires - is tested over time.

Using Dynamic Targeting

Automation becomes even more powerful when combined with dynamic groups in Entra ID.

Dynamic Groups

Dynamic groups update automatically as users join teams or the organization.
Examples:

  • New hires - target employees in their first 90 days.
  • Department-based groups - Finance, HR, Engineering, etc.
  • Role-based targeting - staff who regularly handle sensitive data.

Create the dynamic group in Entra ID, then pick it as the target group when building simulations or automations.
This ensures the right people receive the right tests at the right time - with no manual updates.
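As an added example (not code from the original post or from Microsoft), the script below builds the two dynamic membership rules the list above describes (new hires by employeeHireDate, and a department match), wraps one in the JSON body that a POST to the Microsoft Graph /groups endpoint expects for a dynamic security group, and previews against a constructed directory sample which users each rule would pull in. The rule strings follow the Entra dynamic membership rule syntax as I know it; the preview re-implements the same conditions locally in Python rather than evaluating the rule text, and the user records and dates are invented.

```python
from datetime import date, timedelta

# Constructed directory sample; employeeHireDate is a real Entra user
# attribute, but every value here is invented for the example.
SAMPLE_USERS = [
    {"upn": "alice@example.com", "department": "Finance", "employeeHireDate": date(2025, 10, 20)},
    {"upn": "bob@example.com", "department": "Finance", "employeeHireDate": date(2019, 3, 1)},
    {"upn": "carol@example.com", "department": "HR", "employeeHireDate": date(2025, 9, 15)},
    {"upn": "dave@example.com", "department": "Engineering", "employeeHireDate": date(2022, 6, 6)},
]

TODAY = date(2025, 11, 3)  # fixed "now" so the preview is reproducible


def new_hires_rule(days):
    """Entra membership rule for users hired within the last `days` days.

    Uses the system.now / -minus ISO-8601 duration form of the rule syntax;
    confirm it against the Entra dynamic membership rule reference for your
    tenant before relying on it.
    """
    return f"(user.employeeHireDate -ge system.now -minus P{days}D)"


def department_rule(department):
    """Entra membership rule matching one department value exactly."""
    if '"' in department:
        raise ValueError("department names containing quotes are not supported here")
    return f'(user.department -eq "{department}")'


def graph_group_body(display_name, mail_nickname, rule):
    """JSON body for POST https://graph.microsoft.com/v1.0/groups that creates a
    dynamic, mail-disabled security group whose membership is driven by `rule`."""
    return {
        "displayName": display_name,
        "mailEnabled": False,
        "mailNickname": mail_nickname,
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": rule,
        "membershipRuleProcessingState": "On",
    }


def preview_new_hires(users, days, today=TODAY):
    """Local equivalent of new_hires_rule: who would land in the group today."""
    cutoff = today - timedelta(days=days)
    return sorted(u["upn"] for u in users if u["employeeHireDate"] >= cutoff)


def preview_department(users, department):
    """Local equivalent of department_rule."""
    return sorted(u["upn"] for u in users if u["department"] == department)


if __name__ == "__main__":
    rule = new_hires_rule(90)
    print(graph_group_body("Sim - New Hires (90 days)", "sim-new-hires", rule))
    print("would contain:", preview_new_hires(SAMPLE_USERS, 90))
    print(department_rule("Finance"), "->", preview_department(SAMPLE_USERS, "Finance"))
```

Previewing membership before creating the group is worth the extra minute: a rule that is too broad sends a "new hire" test to the whole company, and one that is too narrow silently tests nobody. Once the group exists in Entra ID it appears in the simulation wizard's target-user picker like any other group.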

Focusing on Repeat Offenders

Microsoft 365 can flag repeat offenders - users who fail multiple simulations.

Key points:

  • You can adjust the threshold in Attack Simulation Settings (e.g., 2 or 3 failures).
  • These users can be targeted with:
    • Focused simulations
    • Additional training
    • One-on-one coaching

This helps security teams address risky behavior early and reduce long-term exposure.

Best Practices for Success

  • Start small - run a pilot first, then expand to larger groups.
  • Use realistic scenarios - tailor emails to departments and vary the attack types.
  • Time it right - avoid holidays and peak workload; send during work hours.
  • Promote a positive culture - focus on learning, not punishment; praise reporters.
  • Ensure training completion - follow up on assigned modules and use reminders.
  • Use results to improve - target weak areas, repeat themes users struggle with.
  • Keep simulations ongoing - run regular or automated campaigns for consistency.
  • Stay updated - use new payloads and features as Microsoft releases them.
Best Practices for effective Microsoft 365 Attack Simulations

Why Trust Penthara Technologies for Microsoft 365 Attack Simulation Training?

  • Microsoft Security Specialists
    Deep expertise in Microsoft 365 Defender, phishing simulation frameworks, and user awareness programs.
  • Certified & Experienced Team
    Our consultants hold advanced Microsoft security certifications and have hands-on experience designing realistic, high-impact simulations.
  • Human-Focused, Compliance-Ready Approach
    We help you build a security awareness program that aligns with industry standards and supports compliance needs like HIPAA, GDPR, and SOC 2.
  • End-to-End Implementation Support
    From planning and payload selection to rollout, reporting, and follow-up training, we guide you through every step with minimal disruption.
  • Continuous Improvement & Optimization
    We don’t just help you launch simulations. We help you monitor performance, reduce risk over time, and evolve your entire phishing-resilience strategy.

Ready to strengthen your organization’s phishing defense?
Schedule a free consultation and let our experts build a tailored, effective attack simulation program for your Microsoft 365 environment.

Conclusion & Next Steps

Microsoft 365 Attack Simulation Training gives you a simple, effective way to strengthen user awareness and reduce phishing risk. With the setup steps, monitoring guidance, and best practices covered in this guide, you now have everything you need to run impactful simulations with confidence.

Next steps are straightforward: Start a simulation, review the results, and keep refining your approach.
Make simulations regular, keep training consistent, and stay updated as Microsoft adds new features.

Strong security comes from repetition, awareness, and steady improvement - and these simulations help you build exactly that.

Troubleshooting & FAQs

Q1. Why can’t I see Microsoft 365 Attack Simulation Training in my portal?

You need Microsoft Defender for Office 365 Plan 2. Also ensure you have the Attack Simulation Administrator or Security Administrator role.

Q2. Why are users not receiving my Microsoft 365 phishing simulation emails?

Check delivery status. Filters may block attack simulation domains, or targets may lack Plan 2 licenses. Guest or non-mailbox users are automatically excluded.

Q3. Why did the phishing simulation email go to Junk or appear as External?

Exchange Online flagged it. Add approved attack simulation domains to the allow list or use a Tenant notification internal sender.

Q4. Why do users see browser warnings when clicking the phishing link?

Browsers like Chrome may block simulation URLs. The click still appears in the Microsoft 365 attack simulation report, but the landing page may not load.

Q5. Why does the report show a user was targeted but they never saw the email?

Check Junk, Focused Inbox, and the campaign’s delivery log. This can occur in large Microsoft 365 simulated attack campaigns.

Q6. Why do reports show instant clicks that users deny?

Automated scanners or secure gateways often click URLs before users do. The IP in logs will reveal this.
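Separating scanner clicks from human ones is a small triage job once you have the click timestamp and source IP. The script below is an added example, not part of the original post and not a Microsoft feature: it classifies constructed click records as automated when the click lands within a few seconds of delivery or comes from an address in your gateway's egress ranges. The record layout, the gateway ranges (documentation prefixes, not a real vendor's) and the 10-second threshold are all assumptions to adapt to your own logs.

```python
import ipaddress
from datetime import datetime

# Constructed click records, as you might assemble them from the simulation's
# user-activity view plus the source IP your proxy or gateway logs carry.
# Field names and values are assumptions for this example, not the portal's
# export format.
SAMPLE_CLICKS = [
    {"user": "alice@example.com", "delivered_at": "2025-11-03T09:00:00",
     "clicked_at": "2025-11-03T09:00:02", "source_ip": "203.0.113.10"},
    {"user": "bob@example.com", "delivered_at": "2025-11-03T09:00:00",
     "clicked_at": "2025-11-03T09:00:04", "source_ip": "198.51.100.7"},
    {"user": "carol@example.com", "delivered_at": "2025-11-03T09:00:00",
     "clicked_at": "2025-11-03T09:47:10", "source_ip": "192.0.2.55"},
    {"user": "dave@example.com", "delivered_at": "2025-11-03T09:00:00",
     "clicked_at": "2025-11-03T10:15:00", "source_ip": "203.0.113.20"},
]

# Egress ranges of your mail gateway / URL scanner. Placeholder documentation
# prefix here; replace with the ranges your gateway vendor publishes.
GATEWAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# A person cannot read, open and click a message within a few seconds of
# delivery; a scanner routinely does. The threshold is a tunable assumption.
MIN_HUMAN_SECONDS = 10


def classify_click(event, gateway_ranges=GATEWAY_RANGES, min_seconds=MIN_HUMAN_SECONDS):
    """Return ("automated", reasons) or ("human", []) for one click event."""
    reasons = []
    delivered = datetime.fromisoformat(event["delivered_at"])
    clicked = datetime.fromisoformat(event["clicked_at"])
    delay = (clicked - delivered).total_seconds()
    if delay < min_seconds:
        reasons.append(f"clicked {delay:.0f}s after delivery")
    ip = ipaddress.ip_address(event["source_ip"])
    if any(ip in net for net in gateway_ranges):
        reasons.append(f"source {ip} is a gateway/scanner address")
    return ("automated" if reasons else "human", reasons)


def triage_clicks(events, **kwargs):
    """Split click events into those a person made and those a scanner made."""
    result = {"human": [], "automated": {}}
    for ev in events:
        label, reasons = classify_click(ev, **kwargs)
        if label == "human":
            result["human"].append(ev["user"])
        else:
            result["automated"][ev["user"]] = reasons
    return result


if __name__ == "__main__":
    summary = triage_clicks(SAMPLE_CLICKS)
    print("human clicks:", summary["human"])
    for user, why in summary["automated"].items():
        print(f"{user}: probably automated ({'; '.join(why)})")
```

Use the output to decide whom to follow up with before you brief managers: a user whose only "click" came from the gateway two seconds after delivery did not fail the test, and counting them as compromised both inflates the metric and undermines trust in the program. The same check explains the false clicks from Safe Links rewriting or external proxies mentioned in Q22.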

Q7. Why didn’t some users get training after failing a phishing simulation?

If you selected No Training or the user completed that module recently, training may not trigger. Check Training Campaigns status.

Q8. Do replies or forwards count as failing the Microsoft 365 attack simulation?

No. Only clicks, credential submissions, or opened malicious attachments count as a compromise in a Microsoft 365 phishing simulation.

Q9. How often should we run Microsoft 365 phishing simulations?

Minimum: twice a year. Recommended: quarterly. For strong programs, use Simulation Automations to run monthly.

Q10. How do we handle repeat offenders in Microsoft 365 Attack Simulation Training?

Use the repeat offender threshold, assign deeper training, or provide one-on-one coaching.

Q11. Which license is needed for Microsoft 365 Attack Simulation Training?

Defender for Office 365 Plan 2 or any E5 SKU. E3 users can add Plan 2 or activate a 90-day trial.

Q12. What is Microsoft Attack Simulation Training?

A built-in Microsoft 365 security simulation tool for phishing, malware, and social engineering testing, paired with awareness training.

Q13. Is notification@attacksimulationtraining.com a legit Microsoft sender?

Yes. It is used for official Microsoft 365 attack simulation email notifications.

Q14. Which Microsoft 365 workloads support phishing simulation?

Exchange Online, Defender for Office 365, Entra ID groups, and Microsoft security training modules.

Q15. Does Microsoft offer phishing training?

Yes - through Microsoft Defender Attack Simulation Training with built-in phishing awareness courses.

Q16. What attack types can I use in Microsoft 365 Attack Simulation?

Credential Harvest, Malware Attachment, Link in Attachment, Drive-by URL, OAuth Consent Grant, and training-only “How-to Guide” scenarios.

Q17. What is the best phishing simulation type for beginners?

Credential Harvest - a classic, high-impact phishing test used in most Microsoft 365 attack simulation setup guides.

Q18. Can I customize the phishing payload in Microsoft 365 Attack Simulation?

Yes. You can create custom payloads and login pages to match internal workflows, brands, or departments.

Q19. Can I target only specific departments or groups?

Yes. You can use Entra ID groups, Microsoft 365 groups, or dynamic groups for advanced targeting.

Q20. Does Attack Simulation Training support automated recurring campaigns?

Yes - through Simulation Automations, allowing monthly or randomized phishing tests.

Q21. Can I customize the landing page shown to users who click?

Yes. Use the default Microsoft landing page or upload your own branded phish landing page.

Q22. Can Safe Links or Safe Attachments interfere with simulations?

Sometimes. Safe Links rewriting or external proxies may trigger false clicks. Whitelisting simulation URLs helps.

Q23. Do simulations store real passwords when users enter credentials?

No. Microsoft never stores or uses real passwords - only the action is logged.

Q24. Can I download detailed Microsoft 365 attack simulation reports?

Yes. You can export detailed user actions, click rates, and compromise rates as CSV.

Q25. How do I improve low report rates in phishing simulations?

Enable “Report Phishing” add-ins, run awareness sessions, and reward users who report - key steps in Microsoft Defender attack simulation training best practices.

Jasjit Chopra

CEO at Penthara Technologies

About the Author

Jasjit Chopra is the CEO of Penthara Technologies and a Microsoft Most Valuable Professional (MVP) with over two decades of hands-on experience in Microsoft 365, SharePoint, and Security. He has led 100+ digital transformation projects across six countries, securing 50,000+ users, migrating 250+ TB of data, and automating processes that save organizations thousands of hours each year. A recognized leader at the crossroads of AI, security, and workplace modernization, Jasjit is passionate about simplifying complexity, mentoring technology professionals, and helping businesses build secure, intelligent, and future-ready digital environments.
