Office 365 – You can simulate an attack on your Office 365 (preview)

UPDATE March 10, 2018 – I have been informed the invitation code to join the preview portal is no longer valid

Even if we all know Office 365 is quite secure by design, you may want to evaluate by yourself the security level of your tenant.

While you already have the Secure Score ( functionality available, this will basically just help you to identify best practices to implement.

Today, you will be able to simulate an attack against your Office 365 tenant (in preview)

With Attack Simulator, admins can launch simulated attacks on their end users, determine how end users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect the organization from threats.  This preview of Attack Simulator includes three attack scenarios:

  • Display Name Spear Phishing Attack: Phishing is the generic term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Spear phishing is a subset of this attack type which is targeted, often aimed at a specific group, individual, or organization.  These attacks are customized and tend to leverage a sender name that generates trust with the recipient.
  • Password Spray Attack: To prevent bad actors from constantly guessing the passwords of user accounts, often there are account lockout policies.  For example, an account will lockout after a certain number of bad passwords are guessed for a user.  However, if you were to take a single password and try it against every single account in an organization, it would not trigger any lockouts.  The password spray attack leverages commonly used passwords and targets many accounts in an organization with the hope that one of the account holder uses a common password that allows a hacker to enter the account and take control of it.  From this compromised account, a hacker can launch more attacks by assuming the identity of account holder.
  • Brute Force Password Attack: This type of attack consists of a hacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Before starting, as usual there are some prerequisites:

  • You need to have Office 365 Threat Management
  • You are using Exchange Online to host your mailboxes; at this time, the simulation is not running for on-premises Exchange. Maybe this will come as with now have Threat Management available for on-premises (ATA)
  • You are using Office 365 MFA
  • You need to register to the preview portal ( by using the invitation code (invitation code no longer valid) if you want to provide feedback and influence future features (you will join the Office 365 Universal Preview)

Once all done, you can start Smile

  • Logon to your Office 365 Compliance Center and reach out the Threat Management\Attack simulator section


  • Then choose the attack scenario you want to run; for each you can get some details by using the Attack details link; this link will also gives you attack history


  • To start an attack scenario, just click on the Launch attack button and complete some configuration; the settings depend on the attack scenario


  • Then the reports (is currently, I think this should/will change in the future) are available in the attack details history



Below the phishing email received and the page were users are redirected when you try the Phishing Attack scenario AND your users click on the embedded link


Leave a Comment

Your email address will not be published. Required fields are marked *