This chapter covers Attack Simulation Training in Microsoft Defender for Office 365, a key tool for assessing and improving user resilience against phishing attacks. For the MS-102 exam, this topic falls under Security Threats (Objective 3.2) and typically appears in 5–8% of questions, often in scenario-based items where you must recommend the correct simulation type or interpret results. Mastering this chapter will help you configure, launch, and analyze simulations, as well as understand how they integrate with other Defender features like Safe Links and Safe Attachments.
Attack simulation training is like running a fire drill in a large office building. In a real fire drill, you don't actually set the building on fire — you simulate the conditions: you pull the alarm, fill hallways with non-toxic smoke, and have employees practice evacuating. The goal is to test how people react, identify bottlenecks (like someone blocking an exit), and train them so that in a real fire they know exactly what to do. Similarly, attack simulation training sends simulated phishing emails (the 'smoke') to employees. These emails mimic real attacker techniques — they may contain malicious links or attachments, but they are safe because clicks do not cause actual harm. The system tracks who clicks, who reports the email, and who enters credentials on a fake login page. Just as a fire drill reveals who panics and who follows procedure, attack simulation reveals which employees are vulnerable to social engineering. The training then automatically enrolls those users in targeted educational modules to improve their security awareness. In both cases, the simulation is controlled, measured, and used to improve real-world response. Without drills, you only learn your weaknesses during an actual crisis — which is too late.
What Is Attack Simulation Training?
Attack Simulation Training (AST) is a cloud-based capability within Microsoft Defender for Office 365 that allows security administrators to create and launch realistic phishing simulations against their own users. Its primary purpose is to identify users who are susceptible to social engineering, measure the effectiveness of security awareness training, and reduce risk by enrolling users who fall for a simulation in targeted education. AST ships with Defender for Office 365 Plan 2, which is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Office 365 E5, and can be bought as a standalone add-on. It is accessed via the Microsoft Defender portal (security.microsoft.com, formerly called the Microsoft 365 Defender portal) under Email & Collaboration > Attack simulation training.
How It Works Internally
Attack Simulation Training operates through a combination of pre-built templates, payloads, and a simulation engine that mimics real attacker behavior. When you create a simulation, you choose a technique (e.g., credential harvest, malware attachment, link in attachment, or link to malware), a payload (the actual email content), and a target audience. The simulation engine sends the emails from Microsoft's own infrastructure; because the service knows which messages are simulations, Exchange Online Protection and Defender for Office 365 deliver them rather than filtering them, so no mail flow or spam policy changes are needed (third-party simulation tools, by contrast, need the advanced delivery policy). The system tracks user interactions through per-user tracking URLs: if a user clicks a link, the request goes to Microsoft's simulation service, which records the click and then either shows a fake login page (for credential harvest) or a landing page explaining that the message was a simulation. The entire process is logged in the simulation results, which include metrics like click rate, credential compromise rate, and report rate.
Key Components, Values, Defaults, and Timers
Simulation Techniques: This chapter focuses on four techniques: Credential Harvest, Malware Attachment (often called Malicious Attachment in study material), Link in Attachment, and Link to Malware. Note that the current product also offers Drive-by URL, OAuth Consent Grant, and How-to Guide, so the list in the portal is longer than four. Credential Harvest simulates a phishing page that asks for username and password. Malware Attachment sends an email with a simulated malware file (e.g., a .docm with macros) that is harmless when opened. Link in Attachment places a simulated malicious URL inside an attachment (e.g., a PDF with a link). Link to Malware provides a link that leads to a page hosting a simulated payload.
Payloads: Pre-defined or custom email content. Microsoft provides a library of real-world payloads used in actual attacks. You can also create custom payloads with your own branding and language. Payloads include the subject line, sender name, and email body.
Target Users: You can target specific users, groups, or the entire organization. You can also exclude users who have already completed training or who are in certain security groups.
Training Assignment: After a user interacts with the simulation, training is assigned according to the rules you set (for example, a module for users who clicked and a longer one for users who entered credentials). You can choose from Microsoft's curated training modules or add custom training that points to your own content. Training is delivered through the training experience built into the service, and users receive a training assignment notification with a due date.
Simulation Schedule: Simulations can be launched immediately or scheduled for a future date/time. There is no default timer; you set the start and end dates. A simulation runs once. For recurring campaigns, use Simulation automations (the Automations tab in the portal), which let you schedule repeated launches with randomized payloads; the same capability is exposed through the Microsoft Graph simulationAutomations resource.
Phish Landing Page: When a user clicks a simulated link, they are redirected to a landing page. For credential harvest, this page mimics a login screen. The default landing page is Microsoft-branded, but you can customize it with your company logo. The page is served from Microsoft's infrastructure.
End User Notification: Two different things tell the user about the exercise. The landing page is shown in the browser the moment a user clicks a simulated link or submits credentials. Separately, end user notification emails (positive reinforcement for users who report the message, and training assignment and reminder notices) are configurable: you can use Microsoft's default notifications, customize them, or turn them off, and you can choose whether positive reinforcement is delivered during the simulation or after it ends. This chapter treats delivery after the simulation ends as the default.
Simulation Duration: The simulation period is the window during which clicks are tracked. Typically, you set a duration of 1–30 days. After the end date, clicks are no longer recorded.
Configuration and Verification Commands
Configuration is done through the Microsoft Defender portal. The Exchange Online PowerShell module has no Attack Simulation Training cmdlets; the supported programmatic interface is Microsoft Graph (the attackSimulation resource under /security, permissions AttackSimulation.Read.All and AttackSimulation.ReadWrite.All), which the Microsoft Graph PowerShell SDK exposes. For example, to list existing simulations:
Connect-MgGraph -Scopes "AttackSimulation.Read.All"
Get-MgSecurityAttackSimulation
Simulations are created in the portal wizard or with a POST to /security/attackSimulation/simulations in Graph; the request body carries the technique, payload, targets, dates, and training and notification settings. To view a simulation's per-user results (delivered, clicked, compromised, reported):
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations/<SimulationId>/report/simulationUsers"
The portal remains the primary management tool; use Graph when you need to script reporting, retention exports, or recurring launches.
Interaction with Related Technologies
Attack Simulation Training integrates tightly with other Defender for Office 365 features:
Safe Links: Simulation URLs point at Microsoft-owned simulation domains, and the service recognizes its own messages, so Safe Links does not rewrite or block them and users can actually click them. Nothing is added to any block list afterwards; the URLs were never malicious. The caveat is that this automatic handling only applies to Microsoft's own simulations: if you run a third-party phishing simulation, you must register its sending domains, IPs, and URLs in the advanced delivery policy, or Safe Links and the filters will block or "pre-click" the messages and distort your results.
Safe Attachments: Simulated attachments are benign files that the service recognizes as simulation artifacts, so they are delivered to the inbox instead of being detonated or blocked. Real malicious attachments continue to be blocked as usual; the simulation does not weaken Safe Attachments for the rest of the tenant.
User Reported Messages: Users can report simulated emails using the Report Message add-in. The simulation results include a 'Reported' metric showing how many users correctly identified the email as phishing.
Automated Investigation and Response (AIR): Simulated messages do not trigger AIR investigations or playbooks, because the service recognizes them as simulations rather than threats. When a user reports a simulated message, the submission is classified as a phishing simulation on the Submissions page instead of being treated as a real phish.
Microsoft Defender Alerts: Simulation activity is recorded in the simulation reports, but it does not generate security alerts. Do not expect to see simulation clicks in the alerts queue; look at the simulation's report instead.
Detailed Walkthrough of a Credential Harvest Simulation
Preparation: Admin selects 'Credential Harvest' technique, chooses a payload that mimics a password reset email, and targets all non-admin users.
Delivery: The simulation engine sends the email to each target user. The displayed sender is chosen by the payload and may impersonate an internal address (e.g., noreply@contoso.com), while the message itself originates from Microsoft's simulation infrastructure. The email contains a link to one of the Microsoft-owned simulation domains listed in the Attack simulation training documentation; the exact domain depends on the payload, and the link carries a token that identifies the recipient.
User Interaction: When a user clicks the link, their browser sends a request to Microsoft's simulation service. The service records the click event, including the user ID, timestamp, and IP address. It then redirects the user to a fake login page that looks like the Microsoft 365 sign-in page.
Credential Entry: If the user enters their username and password, the simulation service captures those credentials (but does not store the actual password — it only records that credentials were entered). The user is then shown a training notification page explaining that this was a simulation and providing security tips.
Reporting: The user can also report the email using the Outlook Report button (the Report Message or Report Phishing add-in, or the built-in reporting experience). If they do, that user is counted in the simulation's 'Reported' metric, and the report shows up on the Submissions page as a phishing simulation rather than a real phish.
Results: After the simulation ends, the admin views the results dashboard. Key metrics: Users who clicked (click rate), users who entered credentials (compromised rate), and users who reported the email (report rate). The admin can then assign training to the users who failed.
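The per-user results this walkthrough ends on, and the export that the data retention section later recommends, as an added example that is not code from the page or from Microsoft: a PowerShell script that pulls one simulation's simulationUsers report from Microsoft Graph, computes the click, compromised and reported rates, and writes the retraining list to CSV. Everything not on the page is an assumption: the Microsoft.Graph SDK and the AttackSimulation.Read.All scope, the record fields used (isCompromised, reportedPhishDateTime, simulationUser.email, simulationEvents[].eventName), and the '*Click*' pattern used to recognize a click event.

```powershell
# Added example for this chapter, not code from the page or from Microsoft.
# Assumptions: Microsoft.Graph PowerShell SDK installed and
# Connect-MgGraph -Scopes "AttackSimulation.Read.All" already run; the Graph
# report endpoint .../simulations/{id}/report/simulationUsers returns records
# carrying isCompromised, reportedPhishDateTime, simulationUser.email and
# simulationEvents[].eventName. The '*Click*' event-name match is an assumption
# about Graph's exact string; inspect one live record before relying on it.

function Get-SimulationUserRecords {
    param([Parameter(Mandatory)][string]$SimulationId)

    $uri = "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations/$SimulationId/report/simulationUsers"
    $records = [System.Collections.Generic.List[object]]::new()
    do {
        # Graph pages large result sets; follow @odata.nextLink until it is absent.
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($r in $page.value) { $records.Add($r) }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    return @($records)
}

function Measure-SimulationResults {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Records)

    $total       = $Records.Count
    $clicked     = @($Records | Where-Object { @($_.simulationEvents | Where-Object { $_.eventName -like '*Click*' }).Count -gt 0 })
    $compromised = @($Records | Where-Object { $_.isCompromised -eq $true })
    $reported    = @($Records | Where-Object { $null -ne $_.reportedPhishDateTime })

    # Retraining list: anyone who clicked or submitted credentials, de-duplicated by email.
    $seen = @{}
    $needTraining = @(foreach ($r in ($clicked + $compromised)) {
        $email = $r.simulationUser.email
        if (-not $seen.ContainsKey($email)) { $seen[$email] = $true; $email }
    })

    # Guard against an empty simulation so the rates never divide by zero.
    $pct = { param($n) if ($total -eq 0) { 0 } else { [math]::Round(100 * $n / $total, 1) } }

    [pscustomobject]@{
        Targeted       = $total
        ClickRatePct   = & $pct $clicked.Count
        CompromisedPct = & $pct $compromised.Count
        ReportedPct    = & $pct $reported.Count
        NeedTraining   = $needTraining
    }
}

# Constructed sample records (not real Graph output) so the script runs offline:
# alice ignored the mail, bob clicked and entered credentials, carol reported it
# without clicking, dan clicked and then reported it.
$sample = @(
    [pscustomobject]@{ simulationUser = @{ email = 'alice@contoso.com' }; isCompromised = $false
                       reportedPhishDateTime = $null; simulationEvents = @() }
    [pscustomobject]@{ simulationUser = @{ email = 'bob@contoso.com' }; isCompromised = $true
                       reportedPhishDateTime = $null
                       simulationEvents = @(@{ eventName = 'EmailLinkClicked' }, @{ eventName = 'CredentialsSubmitted' }) }
    [pscustomobject]@{ simulationUser = @{ email = 'carol@contoso.com' }; isCompromised = $false
                       reportedPhishDateTime = '2025-04-02T09:15:00Z'; simulationEvents = @() }
    [pscustomobject]@{ simulationUser = @{ email = 'dan@contoso.com' }; isCompromised = $false
                       reportedPhishDateTime = '2025-04-02T10:00:00Z'
                       simulationEvents = @(@{ eventName = 'EmailLinkClicked' }) }
)

# Swap $sample for (Get-SimulationUserRecords -SimulationId '<SimulationId>') when connected to Graph.
$result = Measure-SimulationResults -Records $sample
$result | Format-List

# Export now: the portal purges results after its retention window, so keep your own copy.
$result.NeedTraining |
    ForEach-Object { [pscustomobject]@{ User = $_; Action = 'Assign training' } } |
    Export-Csv -NoTypeInformation -Path ".\retrain-$(Get-Date -Format yyyyMMdd).csv"
```

Two design points: report rate is counted independently of click, so a user who clicks and then reports (dan in the sample) raises both the click rate and the report rate, which is the "clicked but still reported" signal the results section says to watch; and the retraining list is built from clicked plus compromised rather than from compromised alone, because credential entry is a subset of clicks and both actions warrant training.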
Advanced Configuration Options
Phishing Simulation with Login Page Customization: You can upload your own logo and customize the login page to match your company's branding. This increases realism.
Training Assignment Policies: You can configure automatic training assignment based on user actions. For example, users who click the link are enrolled in 'Phishing Awareness Training', while those who enter credentials are enrolled in 'Advanced Security Awareness'.
Exclusion Lists: You can exclude users who have already completed training within a certain period (e.g., 90 days) to avoid re-training.
Simulation Automation: Using Simulation automations on the Automations tab of the portal, or the Microsoft Graph simulationAutomations resource, you can schedule recurring simulations (e.g., a quarterly test that rotates through several payloads) instead of launching each one by hand.
Performance and Scale Considerations
Attack Simulation Training is designed to scale to large organizations. Microsoft's infrastructure handles delivery and tracking. However, there are limits: you can have up to 100 active simulations at a time per tenant. Each simulation can target up to 50,000 users. The simulation duration cannot exceed 30 days. These limits are important for exam questions about planning large-scale campaigns.
Integration with Microsoft 365 Defender
Simulation results are summarized on the Overview tab of Attack simulation training in the Microsoft Defender portal (not in Threat Analytics, which covers real threat campaigns). The reports express user susceptibility as a compromise rate: the actual compromise rate of each simulation alongside the predicted compromise rate Microsoft estimates for the chosen payload. Study guides, including this one, often call the organization-wide figure the Phish-prone percentage (PPP), a generic industry term for the share of users who click or enter credentials. Whichever name is used, the metric is tracked over time to measure improvement from training, and the exam may ask how to interpret its trend.
Licensing Requirements
Attack Simulation Training requires Defender for Office 365 Plan 2, which comes with Microsoft 365 E5, Microsoft 365 E5 Security, and Office 365 E5, or can be bought as an add-on. It is not available in Microsoft 365 E3 or Business Premium without that add-on (Business Premium includes only Defender for Office 365 Plan 1). This is a common exam trap: candidates often assume it is included in E3.
Data Retention and Privacy
Simulation results are retained for 90 days after the simulation ends. After that, the data is purged. This is important for auditing and compliance scenarios. The exam may test knowledge of this retention period.
Common Misconfigurations
Not excluding VIPs: If you simulate against executives without prior notification, it can cause panic. Best practice is to exclude C-level users or notify them in advance.
Using too frequent simulations: Running simulations too often can lead to 'phishing fatigue' and reduce user vigilance. Microsoft recommends quarterly simulations.
Not customizing payloads: Using default Microsoft payloads may be recognized by savvy users. Customizing the sender name and subject line increases realism.
Ignoring the report rate: A high click rate but low report rate indicates users are not reporting suspicious emails. This requires additional training on reporting mechanisms.
Exam Relevance
On the MS-102 exam, you may be asked to:
Recommend a simulation technique for a given scenario (e.g., a company wants to test if users fall for fake login pages → Credential Harvest).
Interpret simulation results and suggest corrective actions.
Identify the correct licensing requirement.
Configure training assignment based on user actions.
Understand the difference between Attack Simulation Training and other security features like Safe Links.
Summary of Key Numbers
Simulation duration: 1–30 days
Maximum active simulations per tenant: 100
Maximum users per simulation: 50,000
Data retention: 90 days
Training assignment: automatic after simulation ends
Default notification: immediate after simulation
Licensing: E5, E5 Security, or Defender for Office 365 Plan 2
Access Attack Simulation Training
Navigate to the Microsoft Defender portal (security.microsoft.com). Under Email & Collaboration, select Attack simulation training. This is the central hub for creating, managing, and reviewing simulations. The Overview tab shows key metrics such as the compromise rate across simulations, the number of simulations run, and training completion rates. Ensure you have the required permissions: Global Administrator, Security Administrator, or the Attack Simulation Administrator role. The Attack Payload Author role can create payloads but cannot launch simulations. The exam may test the correct role assignment.
Choose Simulation Technique
Click 'Launch simulation' and select a technique. This chapter concentrates on four: Credential Harvest, Malware Attachment (Malicious Attachment), Link in Attachment, and Link to Malware; the portal also lists Drive-by URL, OAuth Consent Grant, and How-to Guide. Each technique mimics a different real-world attack vector. Credential Harvest is the most common and tests whether users will enter credentials on a fake login page. Malware Attachment tests whether users open a file that appears to contain malware. Link in Attachment tests whether users follow a URL embedded in an attachment. Link to Malware tests whether users visit a site that hosts malware. The exam may present a scenario and ask you to choose the best technique.
Select or Create a Payload
Choose a pre-built payload from Microsoft's library or create a custom one. Payloads include the sender name, subject line, and email body. Microsoft's library contains real-world examples used in actual attacks, categorized by technique. You can filter by language, industry, or type. Custom payloads allow you to use your own branding to increase realism. For example, you might create a payload that mimics an internal IT password reset request. The payload is critical for realism; a poorly crafted payload may be easily ignored.
Define Target Users
Select the users to include in the simulation. You can target specific users, groups (including dynamic groups), or the entire organization. You can also exclude users who have already completed training or are in certain security groups (e.g., VIPs). The simulation will only be sent to users who have an active mailbox. You can also set the simulation to include only a percentage of users, which is useful for large organizations to avoid overwhelming helpdesk with queries. The exam may ask how to exclude specific users.
Configure Training and Notifications
After selecting targets, configure what happens after the simulation. You can assign training automatically based on user actions (e.g., clicked link, entered credentials). Microsoft provides curated training content; you can also add custom training. The landing page is shown in the browser as soon as a user clicks; separately, you choose whether end user notification emails are sent (Microsoft default, customized, or none) and whether positive reinforcement is delivered during the simulation or after it ends. This chapter treats delivery after the simulation ends as the default. You can also customize the landing page shown after a click. This step is crucial for the learning outcome.
Launch and Monitor Simulation
Review the simulation settings, then launch it immediately or schedule it for later. Once launched, the simulation runs for the specified duration (1–30 days). During this period, you can monitor real-time results in the dashboard. Key metrics include: number of emails delivered, number of users who clicked, number who entered credentials, and number who reported the email. You can also export results for reporting. After the simulation ends, you can view a detailed report and track user training completion.
Scenario 1: Large Financial Institution Testing Credential Harvest Resistance
A bank with 10,000 employees wants to reduce the risk of credential theft. They deploy a quarterly credential harvest simulation targeting all non-IT staff. They create a custom payload that mimics an internal security alert asking users to verify their account by clicking a link. The simulation is configured to assign a 15-minute training module to any user who clicks the link or enters credentials. After the first simulation, they discover a 12% click rate and a 5% credential entry rate. They use this data to prioritize additional training for high-risk departments like customer service. Over four quarters, the click rate drops to 4% and credential entry to 1%. The bank also uses the 'Reported' metric to track improvements in user reporting behavior. A common misconfiguration they encountered was excluding only the CEO but not other executives, causing panic in the C-suite. They now exclude all C-suite and board members from simulations unless they opt in.
Scenario 2: Healthcare Provider Testing Malicious Attachment Awareness
A hospital system with 5,000 employees uses the Malware Attachment technique to test whether users open simulated ransomware attachments. They use a payload that mimics a fax delivery notification with a .docm attachment. The simulation is set to show the landing page immediately when a user opens the attachment and to send the notification that it was a test. No filtering changes are needed: Defender recognizes the simulated attachment and delivers it, so Safe Attachments does not need to be weakened. After the simulation, they find that 8% of users opened the attachment. They assign mandatory training to those users. However, they notice that the training completion rate is low because users ignore the notifications. They improve by integrating training into their existing learning management system (LMS) and sending follow-up reminders. The hospital also uses the simulation results to update their security policies, such as blocking all .docm attachments with the common attachments filter in the anti-malware policy.
Scenario 3: Technology Company Using Link to Malware Simulation
A software company with 2,000 employees wants to test if users would download a fake executable. They use the Link to Malware technique, which sends an email with a link to a site that simulates a malware download. They customize the landing page to look like a software update prompt. They also configure the simulation to not notify users until after the simulation ends, to avoid tipping off users during the test. After the simulation, they find that 3% of users clicked the link and attempted to download the 'malware'. They use this data to reinforce training on not downloading software from unsolicited emails. A challenge they faced was that some users reported the email to the helpdesk, causing unnecessary tickets. They mitigated this by adding a note in the simulation description that helpdesk staff should be aware of the ongoing simulation.
Common Pitfalls in Production
Over-simulating: Running simulations too frequently (e.g., monthly) leads to user fatigue and desensitization. Best practice is quarterly.
Not customizing payloads: Using default Microsoft payloads results in low realism. Users may recognize the Microsoft-branded simulation pages and ignore them.
Ignoring the helpdesk: Without notifying the helpdesk, they may receive a flood of calls from confused users. Always inform the helpdesk before launching a simulation.
Not tracking training effectiveness: Running simulations without tracking whether training actually reduces risk is wasted effort. Use the 'Phish-prone percentage' trend over time to measure improvement.
Performance Considerations
For organizations with over 50,000 users, you must run multiple simulations in batches because of the per-simulation limit. Use Simulation automations or the Graph API to stagger launches. Microsoft's infrastructure handles delivery and tracking, and its own simulation messages are recognized and delivered by Exchange Online Protection and Defender for Office 365, so no spam or mail flow policy changes are needed. The exception is third-party simulation tools, whose senders and URLs must be listed in the advanced delivery policy or their messages will be filtered and their links pre-clicked by scanners.
What the MS-102 Exam Tests (Objective 3.2)
The exam focuses on your ability to plan and configure Attack Simulation Training, interpret results, and recommend remediation. Specific sub-objectives include:
Select the appropriate simulation technique for a given scenario.
Configure payloads, target users, and training assignments.
Analyze simulation reports to identify trends and high-risk users.
Understand licensing requirements (E5 or Defender for Office 365 Plan 2).
Differentiate between Attack Simulation Training and other Defender features.
Top 4 Wrong Answers Candidates Choose
Choosing 'Safe Links' instead of 'Attack Simulation Training' for testing user behavior. Many candidates confuse the two. Safe Links is a real-time protection feature that blocks malicious URLs; it does not simulate attacks. The correct answer for testing user susceptibility is Attack Simulation Training.
Selecting 'Link to Malware' when the scenario describes testing if users will open a fake attachment. Link to Malware involves a URL that leads to a malware download; if the scenario mentions an attachment, the correct technique is 'Malicious Attachment'.
Assuming Attack Simulation Training is included in Microsoft 365 E3. It is not. It requires E5, E5 Security, or Defender for Office 365 Plan 2. This is a common trap in licensing questions.
Thinking that simulation results are retained indefinitely. They are retained for only 90 days after the simulation ends. Candidates often forget this retention period.
Specific Numbers and Values to Memorize
Maximum simulation duration: 30 days
Maximum active simulations per tenant: 100
Maximum users per simulation: 50,000
Data retention: 90 days
Default user notification: immediate after simulation ends
Training assignment: automatic based on user actions
Required roles: Security Administrator or Attack Simulation Administrator
Edge Cases the Exam Loves
Excluding users: The exam may ask how to exclude specific users (e.g., VIPs) from a simulation. The answer is to use the exclusion list during target selection.
Custom payloads: The exam may test that custom payloads allow you to use your own branding to increase realism.
Simulation automation: Recurring simulations are configured with Simulation automations on the Automations tab, or programmatically through the Graph API. The exam may ask about tools for recurring simulations.
Phish-prone percentage (PPP): In this chapter, the percentage of targeted users who clicked or entered credentials across simulations; the portal reports the same idea as the compromise rate (actual versus predicted). The exam may ask how to interpret a decreasing trend (it indicates improvement) or a compromise rate above the predicted value (users are more susceptible than average to that payload).
How to Eliminate Wrong Answers
If the question asks about 'simulating an attack to test user awareness', eliminate any answer that mentions blocking, filtering, or real-time protection (those are Safe Links or Safe Attachments).
If the question mentions 'training users based on simulation results', eliminate answers that suggest manual training assignment — the correct answer is automatic assignment during simulation configuration.
If the question asks about 'licensing', eliminate any answer that includes E3 or Business Premium without an add-on.
For technique selection, look for keywords: 'login page' → Credential Harvest; 'attachment' → Malicious Attachment or Link in Attachment; 'download' → Link to Malware.
Exam Tips
Always read the scenario carefully: note the specific user action being tested (clicking a link, opening an attachment, entering credentials).
Remember that Attack Simulation Training is a proactive tool, not a reactive one. It is used before an attack occurs.
Know that the simulation results can be exported to CSV for further analysis.
Understand that the 'Reported' metric is a positive indicator — it shows users are correctly identifying phishing attempts.
Be aware that you can customize the landing page and training content to fit your organization's branding and policies.
Attack Simulation Training is a proactive security awareness tool, not a real-time protection feature.
The four simulation techniques this chapter covers are: Credential Harvest, Malware Attachment (Malicious Attachment), Link in Attachment, and Link to Malware. The portal also offers Drive-by URL, OAuth Consent Grant, and How-to Guide.
Attack Simulation Training requires Microsoft 365 E5, E5 Security, or Defender for Office 365 Plan 2 license.
Simulation results are retained for 90 days after the simulation ends.
Maximum users per simulation is 50,000; maximum active simulations per tenant is 100.
Users are notified of the simulation by default immediately after it ends.
The 'Reported' metric indicates users who correctly identified the simulated email as phishing.
These come up on the exam all the time. Here's how to tell them apart.
Attack Simulation Training
Proactive tool to test user behavior by sending simulated phishing emails
Requires E5 or Defender for Office 365 Plan 2 license
Clicks are tracked and training is assigned automatically
Does not block any URLs; it allows simulated malicious URLs to be clicked
Results include click rate, credential compromise rate, and report rate
Safe Links
Reactive protection that blocks malicious URLs in real time
Available in Defender for Office 365 Plan 1 and Plan 2
No user training component; blocks or warns before click
URLs are scanned at time of click; malicious URLs are blocked
Provides click-time protection and URL detonation
Mistake
Attack Simulation Training is available in all Microsoft 365 subscriptions.
Correct
It requires Microsoft 365 E5, Microsoft 365 E5 Security, or Defender for Office 365 Plan 2. It is not included in E3, Business Premium, or standard plans without add-ons.
Mistake
Simulation results are stored indefinitely for historical analysis.
Correct
Results are retained for only 90 days after the simulation ends. After that, they are purged. You must export reports if you need long-term storage.
Mistake
You can target up to 100,000 users in a single simulation.
Correct
The maximum number of users per simulation is 50,000. For larger organizations, you must run multiple simulations or use automation to target subsets.
Mistake
The default technique is 'Malicious Attachment'.
Correct
There is no default technique; you must choose one of the four when creating a simulation. The exam expects you to know the differences.
Mistake
Users are never notified that a simulation occurred.
Correct
By default, users are notified immediately after the simulation ends. You can configure this to notify after a delay or not at all, but the default is immediate notification.
Attack Simulation Training is a cloud-based tool in Defender for Office 365 that allows admins to send realistic simulated phishing emails to users to test their susceptibility. It tracks clicks, credential entries, and reports, then automatically assigns training to vulnerable users. It requires E5 or Defender for Office 365 Plan 2 licenses.
Go to security.microsoft.com, under Email & Collaboration select Attack simulation training, click 'Launch simulation', choose a technique (e.g., Credential Harvest), select or create a payload, define target users, configure training and notifications, then launch or schedule the simulation.
The four techniques are: Credential Harvest (fake login page), Malicious Attachment (simulated malware in an attachment), Link in Attachment (malicious URL inside an attachment), and Link to Malware (link to a site hosting simulated malware). Each mimics a different real-world attack vector.
Results are retained for 90 days after the simulation ends. After that, they are automatically deleted. You should export reports if you need to keep them longer for compliance or trend analysis.
Yes, during the target selection step, you can exclude specific users or groups. This is commonly used to exclude VIPs, executives, or users who have recently completed training to avoid unnecessary disruption.
Attack Simulation Training is a proactive tool that sends simulated attacks to test user awareness and assign training. Safe Links is a reactive protection feature that blocks malicious URLs in real time when users click them. They serve different purposes: one tests, the other protects.
It requires Microsoft 365 E5, Microsoft 365 E5 Security, or Defender for Office 365 Plan 2. It is not included in E3, Business Premium, or other lower-tier plans without add-ons.