Microsoft securitySecurity and complianceIntermediate24 min read

What Is Attack simulation training? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Attack simulation training is a tool in Microsoft 365 that helps organizations test their employees' ability to spot real cyberattacks. IT admins can create fake phishing emails or password attacks and send them to users to see who clicks, enters credentials, or falls for the trick. The results help companies train staff to be more security-aware and reduce real-world risks.

Commonly Confused With

Attack simulation trainingvsAnti-phishing policies

Anti-phishing policies are security controls that automatically block or flag suspicious emails before users see them. Attack simulation training sends fake attacks to test users. Anti-phishing policies protect; attack simulation training tests and trains.

Anti-phishing policy blocks an email from 'support@paypa1.com' (spoofed). Attack simulation training sends a fake email from 'noreply@contoso-verify.com' to see if users click.

Attack simulation trainingvsMicrosoft Defender for Office 365 Safe Links

Safe Links is a protective feature that scans URLs in emails and blocks malicious links in real time. Attack simulation training uses its own links that are safe and controlled. Safe Links is about protection; training is about education.

Safe Links would block a link to a known malware site. A simulation link goes to a Microsoft-hosted training page and is never harmful.

Attack simulation trainingvsUser risk policies in Azure AD Identity Protection

User risk policies automatically respond to real risky user behavior, like leaked credentials. Attack simulation training is a manual, scheduled test that does not affect the user's real risk level. One is automated risk response; the other is planned training.

If a user’s credentials are found on the dark web, Azure AD Identity Protection flags them as high risk. Attack simulation training would not affect that risk score at all.

Must Know for Exams

For the MS-102 exam, attack simulation training is a core topic under the “Implement and manage Microsoft 365 security and threat protection” objective domain. Candidates are expected to know how to configure and launch simulated attacks, how to interpret simulation reports, and how to assign training content. The exam often includes scenario-based questions where you are given a company’s security weaknesses, like a high click-through rate on phishing simulations, and you must recommend the correct training or policy changes. You also need to understand the licensing requirements: attack simulation training is available with Microsoft 365 E3 or E5, but advanced training features and custom payloads may require E5 or Azure AD Premium P2.

In the SC-900 exam, attack simulation training appears in the “Describe the capabilities of Microsoft 365 security solutions” section. Here the focus is broader and less technical. You are expected to know what the tool does, its purpose as a user training and awareness tool, and how it fits into the larger Microsoft security ecosystem. Questions might ask: “Which tool can you use to run phishing simulations in Microsoft 365?” or “Which security solution includes attack simulation training?” The answer is Microsoft 365 Defender. SC-900 does not require deep configuration knowledge, but you must recognize the tool’s name and its primary function.

Both exams may test your understanding of the difference between simulation types. For example, you might be asked: “Which type of attack uses a fake login page to capture credentials?” The answer is credential harvesting. Or, “Which simulation type uses commonly guessed passwords across multiple accounts?” That is a password spray simulation. You should also know that users who fall for a simulation can be automatically enrolled in training, and that the training can be mandatory or optional based on policy. Exam questions often mix these details into a case study, so reading carefully is essential.

Finally, you should be prepared for questions about permissions. Attack simulation training requires the Attack Simulation Administrator role or the Security Administrator role in Azure AD. Global Administrators can also perform these tasks, but the principle of least privilege suggests using a delegated role. Expect a question that presents a scenario where a helpdesk technician needs to run a simulation but cannot, and you must identify the missing role assignment.

Simple Meaning

Think of attack simulation training like a fire drill for your company’s email inboxes and security habits. Imagine you work in an office building. Every month, the fire alarm goes off unexpectedly. You have to drop everything, calmly walk to the exit, and meet outside. The first time it happens, people might panic or take the elevator, which is dangerous. But after a few drills, everyone knows exactly what to do, they don’t even hesitate when a real fire happens. Attack simulation training is the same idea, but for cyberattacks instead of fires.

In this digital fire drill, your IT team sends fake but realistic emails that look scary, maybe they say your account is expired, you won a prize, or someone shared a document with you. If you fall for it by clicking a link, entering your password, or opening a fake attachment, the system records that. You get immediate feedback: “That was a test! Here is what you should look for next time.” Over time, these drills train your brain to pause and think before clicking, just like a fire drill trains you to not use the elevator.

The tool doesn’t just send random phishing emails. It uses actual real-world attack techniques, like credential harvesting (asking for your password), malware attachments (files that install bad software), and link-based attacks (links that lead to fake login pages). You can also run password spray simulations, where an attacker tries common passwords across many accounts, to see how easy it is to break in. The whole point is to help people become human firewalls, not just tech firewalls. It turns every employee into a sensor who can spot and report real attacks before damage happens.

For IT certification learners, especially those studying for MS-102 (Microsoft 365 Administrator) and SC-900 (Microsoft Security, Compliance, and Identity Fundamentals), this tool shows how security is not just about software, it’s about people and processes. Attack simulation training is a key feature in Microsoft 365 Defender and Azure Active Directory Premium P2. It helps administrators measure risk, train users, and create security policies that adapt to real threats.

Full Technical Definition

Attack simulation training is a cloud-based security service integrated into Microsoft 365 Defender that enables tenant administrators to design, deploy, and analyze simulated cyberattack campaigns targeting their organization’s users. It is part of the Microsoft 365 Defender portal’s Attack simulation training module, which is available to organizations with Microsoft 365 E3, E5, or Azure Active Directory Premium P2 licenses. The tool supports multiple attack types, including credential harvesting, malicious attachment, link-based attacks, and brute-force password attacks like password spray.

At its core, the simulation engine uses a pre-built library of attack templates that are regularly updated based on real-world threat intelligence from the Microsoft Intelligent Security Graph. These templates mimic actual phishing campaigns, including email content, sender addresses, domain spoofing, and social engineering tactics. Administrators can also create custom payloads by uploading their own email templates and specifying landing pages. The simulations are delivered via Exchange Online mail flow, where the simulated phishing emails bypass normal anti-phishing and anti-spam filters because they are marked as trusted by the system. This ensures that only targeted users receive the test.

When a user interacts with a simulated attack, such as clicking a link or entering credentials on a fake login page, the action is logged in the simulation’s report. The fake login pages are hosted on Microsoft’s infrastructure and are designed to capture the user’s username and password hash without actually storing or misusing the credentials. For password spray simulations, the service attempts to log in using commonly guessed passwords against a list of target accounts. Failed login attempts are recorded but throttled to avoid locking accounts or triggering Azure AD smart lockout.

The training component kicks in after a user falls for the simulation. Depending on the configuration, the user may be redirected to a training page with a short video, article, or interactive module that teaches how to identify similar threats in the future. Administrators can assign specific training content from the Microsoft training library or link to their own custom training resources. The overall results are aggregated into a dashboard showing the percentage of users who clicked, entered credentials, or reported the email as phishing. Reports can be filtered by department, user group, or geography.

From a compliance and security operations standpoint, attack simulation training supports Zero Trust principles by continuously testing user behavior and driving adaptive policies. For example, an administrator can create a policy that automatically enrolls users who fail a simulation into a conditional access block, requiring them to complete training before regaining access to sensitive resources. IT professionals must understand that while this tool helps improve security posture, it does not replace traditional security controls like multi-factor authentication (MFA), anti-phishing policies, or endpoint detection. It is a complementary layer focused on the human element.

For exams like MS-102 and SC-900, candidates need to know that attack simulation training is configured under the Microsoft 365 Defender portal’s Email & collaboration section. Key configuration options include selecting attack types, targeting specific users or groups, scheduling immediate or phased launches, assigning training content, and reviewing reports in the Simulation dashboard. The service uses RBAC (role-based access control) so that only users with the Attack Simulation Administrator or Security Administrator role can create and manage simulations.

Real-Life Example

Imagine you are the safety manager for a large office building with hundreds of employees. Your boss asks you to run a monthly emergency drill to see how people react when a suspicious package is left in the lobby. You decide to place a fake, harmless package near the main entrance and watch what happens. Some employees walk right past it, ignoring it completely. Others pick it up and bring it to their desk. A few call security immediately. After the drill, you gather everyone together and explain what the package looked like, why it was suspicious, and what the correct procedure is: don’t touch it, call security, and evacuate the area. Over several months, you repeat the drill with different types of fake packages, some look like normal deliveries, others have no return address, some are open with wires showing. Gradually, employees get better at spotting the red flags and following the right protocol.

This is exactly how attack simulation training works, but in the digital world. Instead of a physical package, the IT team sends fake phishing emails that look like real threats. In the first simulation, maybe 30% of users click the link, just like the employees who picked up the package. In the next simulation, you include training for anyone who clicked, and the failure rate drops to 15%. Over time, the training changes behavior. The package, or the phishing email, becomes a teachable moment rather than a disaster. The key difference is that in the physical world, a real bomb would be catastrophic. In the digital world, a real ransomware email could encrypt your entire company’s data. Attack simulation training prevents that catastrophe by giving people practice before the real attack arrives.

The analogy also maps to the reporting aspect. In the building drill, the safety manager records who called security and who handled the package. In attack simulation training, the tool logs who clicked, who reported the email, and who entered their password. The reports show the IT team which departments are most vulnerable, allowing them to tailor extra training to high-risk groups. Just like the safety manager might run additional drills for the mailroom staff, the IT admin can target simulations at the finance team who handle payment requests, a common phishing target.

Why This Term Matters

Attack simulation training matters because people are the most vulnerable part of any security system. You can have the best firewalls, multi-factor authentication, and antivirus software in the world, but if an employee clicks a malicious link and enters their credentials, an attacker can bypass all of that. According to industry reports, over 90% of data breaches start with a phishing email. Attack simulation training directly addresses this by turning every employee into an active defense layer. It doesn’t just test people, it trains them in a safe environment where a mistake doesn’t cause real damage.

For IT professionals managing a Microsoft 365 environment, this tool also provides hard data for security reporting and compliance. You can show auditors and executives that your organization proactively tests its users and measures improvement over time. This is especially important for meeting standards like ISO 27001, SOC 2, or NIST, which require security awareness training and testing. The tool also supports automation: you can schedule monthly simulations, send automated training to users who fail, and generate reports on demand. This reduces the manual work of designing and running phishing tests.

Another critical reason this matters is that real-world attackers are constantly evolving their techniques. Attack simulation training updates its templates based on current threat intelligence from Microsoft, so the simulations stay relevant. For example, during tax season, simulations might mimic fake IRS emails. During a global event, attackers might send fake donation links. The training adapts. Without this kind of testing, organizations have no way of knowing how their users would behave in a real attack. They are flying blind. Finally, attack simulation training is tightly integrated with Microsoft’s security stack. Data from simulations can feed into reports in Microsoft 365 Defender, and administrators can use the results to create conditional access policies that require mandatory training for high-risk users.

How It Appears in Exam Questions

In the MS-102 exam, attack simulation training questions appear primarily as scenario-based multiple-choice or case study items. A typical question might describe an organization that has noticed an increase in real phishing attempts targeting the finance department. The company wants to test employee awareness before a real attack succeeds. The question asks: which Microsoft 365 tool should you use to create and launch a controlled phishing test? The correct answer is Attack simulation training in Microsoft 365 Defender. A distractor might be “Anti-spam policies in Exchange Online Protection” or “Microsoft Defender for Office 365 Safe Links,” both of which are protective, not testing, tools.

Another common question pattern involves interpreting simulation results. You might be shown a report that indicates 45% of users in the sales department clicked a phishing link in a simulation, while only 10% in IT clicked. The question then asks: which policy change would most effectively reduce the risk in the sales department? Options might include: assigning a custom training campaign to the sales users who clicked, increasing the email spam filter sensitivity, or disabling link previews in Outlook. The correct answer is to assign targeted training to the affected users, as the simulation is already indicative of a training gap.

Configuration-based questions are also common. For example: “You need to run a password spray simulation against all users in the marketing department. Which two steps must you take first?” Correct steps would include creating a simulation in the Attack simulation training module and selecting the password spray attack type, as well as choosing the marketing user group as the target. A possible distractor might be “Enable MFA for all marketing users,” which is a security control, not a prerequisite for a simulation.

For SC-900, questions are more conceptual. A typical question: “Which of the following best describes the purpose of attack simulation training in Microsoft 365?” The correct answer would be something like: “A tool that allows organizations to run simulated attacks to test user awareness and provide training.” Distractors might include: “A tool that blocks phishing emails automatically” or “A tool that encrypts emails.” The SC-900 exam also includes matching questions where you have to link security tools to their functions. Attack simulation training would be matched with “User training and awareness.”

Troubleshooting questions are rarer but do appear. For instance, a question might describe an administrator who has created a simulation but it never reaches users. Possible causes: the users are not licensed for the feature, the simulation was scheduled incorrectly, or the attack type is not supported. The correct answer often involves checking the licensing and ensuring users are assigned an appropriate Microsoft 365 license (E3 or E5). Understanding these patterns helps you identify distractors that mix up protective tools with testing tools.

Practise Attack simulation training Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Contoso, Ltd. is a mid-sized accounting firm with 500 employees. The IT security team has noticed that several employees recently reported receiving suspicious emails asking them to verify their Office 365 password. The team wants to proactively test how many employees would actually fall for a similar email. They decide to run attack simulation training.

The security administrator logs into the Microsoft 365 Defender portal and navigates to Attack simulation training. She selects “Create a simulation” and chooses the “Credential harvest” attack type. She uses the pre-built template that mimics a password reset notification. The email looks exactly like a real one from Microsoft, with a link pointing to a fake login page hosted by Microsoft. She targets all users in the finance and accounts payable department, which has 80 people. She schedules the simulation to launch at 10:00 AM Tuesday morning, a busy time when employees are likely to be distracted.

On Tuesday, the emails arrive. By the end of the day, 35 out of 80 employees have clicked the link. Of those, 20 entered their credentials on the fake page. The simulation automatically redirects those 20 users to a mandatory training page with a 5-minute video on spotting phishing emails. The training page explains that the email lacked the user’s full name, had a spoofed sender domain, and the link URL was suspicious. The next month, the admin runs the same simulation again to the same group. This time, only 8 employees click, and 2 enter credentials. The training has clearly improved awareness. The admin then schedules quarterly simulations and sets a policy that any user who fails twice in a row must complete a longer training course before accessing sensitive financial systems.

Common Mistakes

Thinking attack simulation training is the same as anti-phishing policies in Exchange Online Protection.

Anti-phishing policies are protective controls that automatically block or mark suspicious emails. Attack simulation training is a testing tool that deliberately sends fake phishing emails to users to see how they react. One is defensive, the other is diagnostic and educational.

Use anti-phishing policies to block real attacks, and use attack simulation training to test and train users. They work together but are not the same thing.

Believing that running a simulation automatically causes real harm or compromises accounts.

Simulations are fully controlled and safe. The fake landing pages do not actually store credentials. The tool is designed to mimic attacks without any real risk. It is a completely safe environment for mistakes.

Explain to stakeholders that simulations are harmless and designed specifically to train without damaging the organization. All captured data is only used for reporting and training triggers.

Assuming that all users need a special license or role to receive simulations.

Users only need to be licensed for Microsoft 365 E3 or E5 (or a standalone plan with the feature) to be targeted by simulations. They do not need a special role. The roles needed are only for the administrator creating the simulations.

Verify that your target users have the correct base license (E3 or E5). Only the admin needs Attack Simulation Administrator or Security Administrator role.

Configuring a simulation and expecting it to bypass security controls automatically, then being surprised when users don't receive it.

Attack simulation training emails are inherently trusted by the system, so they skip spam filters. However, if you have custom transport rules or connector filtering that strips certain content, it may still interfere. The simulation does not override custom mail flow rules.

Before creating simulations, test that your mail flow rules do not block or modify the simulation emails. Use the simulation preview feature to verify delivery.

Exam Trap — Don't Get Fooled

{"trap":"In an exam question, you are asked which role is required to run attack simulation training. Options include Global Administrator, Security Administrator, Attack Simulation Administrator, and User Administrator. Learners often choose Global Administrator because they think only the top role can perform security tasks."

,"why_learners_choose_it":"Learners assume that security-sensitive operations like sending fake attacks require the highest administrative privilege. They do not realize that Microsoft has delegated a specific role for this exact function to follow the principle of least privilege.","how_to_avoid_it":"Remember that Microsoft has dedicated roles for specific tasks.

Attack simulation training has its own role: Attack Simulation Administrator. If that role is not listed, Security Administrator is also valid. Global Administrator can do it but is not the only role.

Look for the specific role name in the answer options."

Step-by-Step Breakdown

1

Select simulation type

The administrator chooses from credential harvest, malicious attachment, link-based, or password spray. This determines how the faux attack behaves. Credential harvest sends a fake login page; password spray tries common passwords against many accounts.

2

Choose a template or create custom payload

Microsoft provides pre-built templates that mirror real-world attacks. You can also upload your own email HTML and specify a landing page. Templates are updated with current threat intelligence, making simulations realistic.

3

Target users or groups

You can target specific user accounts, groups, or entire departments. This allows you to focus on high-risk groups like finance or new hires who may be more susceptible. You can also exclude security or IT staff.

4

Configure schedule and delivery

Simulations can be launched immediately or scheduled for a future date. You can choose to send all emails at once or stagger them over several days to avoid overwhelming users or notice patterns.

5

Assign training content

For users who fall for the simulation, you can assign mandatory or optional training. Microsoft offers a library of short training videos and articles. You can also link to your own internal training resources.

6

Launch and monitor

The simulation runs based on your schedule. The system tracks who opened, clicked, entered credentials, or reported the email. Results are visible in the Simulation dashboard in real time, allowing for immediate analysis.

7

Review reports and adjust policies

After the simulation, administrators review the click rate, credential harvest rate, and training completion rate. These metrics can drive policy changes, such as creating conditional access rules that require training for repeat offenders.

Practical Mini-Lesson

Attack simulation training is not just about sending fake emails, it is a comprehensive user behavior analytics tool that should be integrated into your organization’s security awareness program. To use it effectively in practice, you must first understand your user base. Start by identifying the most targeted groups in your organization, such as executives, finance, HR, and customer support. These groups are often the primary targets in real-world attacks. Run your first simulation as a baseline, do not provide training beforehand. This gives you an honest measurement of your current risk level. Many organizations find that 30-40% of users click a credential harvest simulation on the first attempt.

After the baseline, assign training to every user who failed. Do not limit training to only those who entered credentials; include those who clicked any link. In the training, highlight the specific red flags of the simulation they fell for, for instance, the sender email domain was slightly misspelled, or the message had a false sense of urgency. Then, schedule a second simulation one month later to the same users. Compare the results. A well-run program will see a significant reduction in failures. However, be aware of “simulation fatigue”, if you run too many simulations, users may become desensitized or frustrated. A good cadence is one simulation per month per target group, with varied attack types.

What can go wrong? First, users might report the simulation email to your security team as a real threat. This is actually a good outcome, as it means they are reporting suspicious emails, but it can cause an unnecessary incident response. To avoid this, clearly communicate to all users that you are running a security awareness program and that they should treat all suspicious emails as real, but if they are ever unsure, they should forward only the headers to the security team for analysis. Second, a poorly configured simulation could accidentally generate real security alerts in other systems. Always run a small pilot simulation to a group of IT staff first. Finally, remember that attack simulation training is not a one-time project. Phishing techniques evolve, so your simulations must evolve too. Use the latest templates from Microsoft and periodically custom-create simulations based on current attack trends visible in your region or industry.

For IT professionals preparing for exams, a practical takeaway is to know how to configure a simulation from start to finish. In the Microsoft 365 Defender portal, navigate to Email & collaboration > Attack simulation training. Click “Create a simulation,” then choose the attack type. In the “Training” step, select “Assign training for specific actions” and choose “Phishing” if the user clicks. In the “Add training” step, you can select from Microsoft’s library or add custom URLs. Finally, in the “Review and launch” step, verify that the users are correctly targeted and that the simulation will bypass your mail flow rules. This entire workflow is fair game for exam scenario questions.

Memory Tip

Attack simulation training: Test before the test (simulate attacks to train users, not just to catch them).

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Do I need any special license to use attack simulation training?

Yes, attack simulation training is included with Microsoft 365 E3 and E5 licenses, as well as Azure Active Directory Premium P2. Some advanced features like custom training or automated enrollment may require E5.

Can attack simulation training harm my users or their accounts?

No, the simulations are completely safe. Fake login pages do not capture real credentials, and links lead only to training content. The tool is designed to train without any real risk.

How often should I run simulations?

Most organizations run one simulation per month per target group. Starting with quarterly simulations and gradually increasing frequency is a best practice. Avoid overwhelming users with too many tests.

What types of attacks can I simulate?

You can simulate credential harvesting, malicious attachments, link-based attacks, and password spray attacks. Each type mimics a different real-world attack technique.

Will users know they are being tested?

Users are not informed in advance, which is intentional to get accurate results. However, you should communicate broadly that a security awareness program exists, so users know to treat all suspicious emails carefully.

Can I use attack simulation training to enforce mandatory training?

Yes, you can configure simulations to automatically enroll users who fail into mandatory training. You can also create policies that block access to certain resources until training is completed.

Summary

Attack simulation training is a powerful, integrated tool in Microsoft 365 that allows organizations to proactively test and improve their users’ security awareness without introducing real risk. By sending realistic phishing and password attack simulations, IT teams can measure vulnerability, assign targeted training, and track improvement over time. It is a critical component of a modern security strategy that complements traditional technical controls like anti-phishing policies and multi-factor authentication.

For IT certification exams, particularly MS-102 and SC-900, candidates must understand that attack simulation training is not a defensive tool but an educational and diagnostic one. It is configured in the Microsoft 365 Defender portal, requires appropriate licensing (E3 or E5), and uses role-based access control (Attack Simulation Administrator or Security Administrator). The tool supports multiple attack types, customizable payloads, and automated training assignments. Exam questions will test your ability to choose the right tool for the scenario, interpret simulation results, and understand the licensing and role requirements.

The key takeaway for learners is this: in cybersecurity, people are both the weakest link and the most powerful defense. Attack simulation training gives you the ability to strengthen that link in a safe, controlled, and repeatable way. Mastery of this concept will not only help you pass your exams but also make you a more effective security professional in the real world.