MS-900 | Chapter 88 of 104 | Objective 3.1

Attack Simulator in Microsoft Defender

This chapter covers Attack Simulator in Microsoft Defender, a key tool for testing your organization's security posture without real risk. For the MS-900 exam, understanding Attack Simulator is part of Objective 3.1, which covers threat protection capabilities in Microsoft 365 Defender. Expect 1-2 questions on what Attack Simulator does, its scenarios, and how it relates to other Defender tools. This chapter will give you the precise details you need to answer those questions correctly.

25 min read
Intermediate
Updated May 31, 2026

Fire Drill with Hidden Weaknesses

Attack Simulator in Microsoft Defender is like a fire drill that doesn't just test the alarm: it also quietly checks whether anyone will hold a door open for a stranger. Imagine a company that hires a penetration tester who, with permission, tries to talk their way past reception (phishing), leaves a USB stick in the lobby to see who plugs it in (malicious attachments), or asks employees for their badge PIN (credential theft). The tester then reports exactly which people let them in, so the company can fix those weaknesses. In the same way, Attack Simulator runs realistic but harmless attack scenarios inside your Microsoft 365 tenant, such as simulated phishing emails with fake login pages or benign "malware" attachments, to see how users respond. Nothing malicious is delivered: Microsoft supplies the payloads, the links point to Microsoft-hosted pages that only record the click, and the attachments contain no malicious code, so no compromise can occur. The results show exactly which users opened the message, clicked the link, entered credentials or reported the email, so you can target training and tighten policy. Just as a fire drill reveals blocked exits and slow evacuations, Attack Simulator reveals your organization's real-world weak spots before an attacker finds them.

How It Actually Works

What is Attack Simulator?

Attack Simulator (its official name in the portal is Attack simulation training) is a feature of Microsoft Defender for Office 365 Plan 2 that lets security administrators send realistic, simulated attacks to their own users. It is designed to measure user awareness and the effect of training without causing harm. It is found in the Microsoft 365 Defender portal (security.microsoft.com, now branded the Microsoft Defender portal) under Email & collaboration > Attack simulation training.

Why Attack Simulator Exists

Traditional security training often relies on generic awareness videos or an annual slide deck. Attack Simulator provides practical, hands-on testing that mimics real attacker lures. It measures the human layer: which users click, enter credentials or open attachments, and which users report the message. Because Exchange Online Protection deliberately delivers simulation mail, it does not measure your anti-phishing filters; it measures what happens once a lure reaches the inbox. The results feed directly into targeted training and into policy changes such as restricting app consent.

How Attack Simulator Works Internally

Attack Simulator uses pre-built payloads (email templates, login pages and landing pages) hosted by Microsoft. Nothing in a payload executes code on the user's device: links lead to Microsoft-hosted pages that record the interaction, and attachments are harmless files. When an admin launches a simulation, the following steps occur:

1. Payload selection: the admin chooses a technique (credential harvesting, malware attachment, link-based attacks, OAuth consent grant) and then a payload, either from Microsoft's global library or a custom payload the organization has built. Each payload is a realistic email template that mimics a common lure.

2. Targeting: the admin selects all users, specific Azure AD groups, or individual users (picked manually or imported from a CSV), and can exclude users, for example the SOC analysts who already know about the campaign.

3. Delivery: the simulation email is sent from a sender address on a Microsoft-managed simulation domain (not @microsoft.com and not your own domain). Exchange Online Protection recognises these messages as simulations and delivers them to the inbox rather than filtering them; if inbound mail passes through a third-party gateway first, that gateway must be configured to let them through. Users see the message in their inbox like any other email.

4. User interaction: when a user clicks the link in a phishing simulation, they reach a Microsoft-hosted page. For Credential Harvest this is a fake login page that records only that credentials were entered (the password is not stored or checked against the account), followed by a landing page explaining the simulation. For attachment-based techniques the attachment is a benign file with no malicious code; opening it only records the event. Nothing executes and nothing needs to be sandboxed, because there is nothing to contain. Depending on the configured end-user notification, the user is then told about the simulation and any assigned training.

5. Data collection: every interaction is logged: who received the message, who clicked the link, who opened the attachment, who supplied credentials, and who reported the message as phishing (via the Report message add-in or the built-in Report button in Outlook). The "compromised" users are the ones who completed the action the payload was designed to provoke.

6. Reporting: the simulation report shows per-user actions, compromise rate and report rate, and training assignment and completion. It can be exported to CSV or queried through the Microsoft Graph attack simulation API.
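The per-user events collected in step 5 are what a security team actually works with, so here is an added example (not code from the page or from Microsoft) that computes compromise and report rates, builds the training list and spots users compromised across campaigns. The records are constructed by hand in the shape of the Graph userSimulationDetails report; the eventName strings, the user addresses and the contoso.example domain are assumptions.

```python
"""Summarise per-user Attack simulation training results.

Added example; not code from the page or from Microsoft. The records are
constructed by hand and shaped like the Graph report resource
`userSimulationDetails` (isCompromised, reportedPhishDateTime, simulationUser,
simulationEvents). The eventName strings are an assumption for illustration.
"""
from collections import defaultdict


def _user(email, events, compromised=False, reported=None):
    """Build one constructed userSimulationDetails-style record."""
    return {
        "simulationUser": {"email": email},
        "isCompromised": compromised,
        "reportedPhishDateTime": reported,
        "simulationEvents": [{"eventName": e} for e in events],
    }


# Constructed sample data: the same four users across two campaigns.
SIM_Q1 = {
    "id": "sim-q1",
    "attackTechnique": "credentialHarvesting",
    "users": [
        _user("alice@contoso.example", ["EmailReceived", "LinkClicked", "CredentialSupplied"], compromised=True),
        _user("bob@contoso.example", ["EmailReceived", "LinkClicked"]),  # clicked, abandoned the login page
        _user("carol@contoso.example", ["EmailReceived"], reported="2026-03-02T09:15:00Z"),
        _user("dave@contoso.example", ["EmailReceived"]),
    ],
}
SIM_Q2 = {
    "id": "sim-q2",
    "attackTechnique": "attachmentMalware",
    "users": [
        _user("alice@contoso.example", ["EmailReceived", "AttachmentOpened"], compromised=True),
        _user("bob@contoso.example", ["EmailReceived"], reported="2026-06-02T10:00:00Z"),
        _user("carol@contoso.example", ["EmailReceived"]),
        _user("dave@contoso.example", ["EmailReceived", "AttachmentOpened"], compromised=True),
    ],
}

# Events that count as "interacted with the lure" (assumed names).
INTERACTION_EVENTS = {"LinkClicked", "AttachmentOpened", "CredentialSupplied"}


def campaign_summary(sim):
    """Return delivered/interacted/compromised/reported counts and the two key rates."""
    users = sim["users"]
    delivered = sum(1 for u in users if any(e["eventName"] == "EmailReceived" for e in u["simulationEvents"]))
    interacted = sum(1 for u in users if {e["eventName"] for e in u["simulationEvents"]} & INTERACTION_EVENTS)
    compromised = sum(1 for u in users if u["isCompromised"])
    reported = sum(1 for u in users if u["reportedPhishDateTime"])
    return {
        "simulation": sim["id"],
        "technique": sim["attackTechnique"],
        "delivered": delivered,
        "interacted": interacted,
        "compromised": compromised,
        "reported": reported,
        "compromise_rate": compromised / delivered if delivered else 0.0,
        "report_rate": reported / delivered if delivered else 0.0,
    }


def training_targets(sim):
    """Users who were compromised and did not report the message: the training list."""
    return sorted(u["simulationUser"]["email"] for u in sim["users"]
                  if u["isCompromised"] and not u["reportedPhishDateTime"])


def repeat_offenders(sims, min_count=2):
    """Users compromised in at least min_count campaigns, with the techniques that got them."""
    hits = defaultdict(list)
    for sim in sims:
        for u in sim["users"]:
            if u["isCompromised"]:
                hits[u["simulationUser"]["email"]].append(sim["attackTechnique"])
    return {email: techs for email, techs in hits.items() if len(techs) >= min_count}


if __name__ == "__main__":
    for sim in (SIM_Q1, SIM_Q2):
        s = campaign_summary(sim)
        print(f"{s['simulation']}: compromise {s['compromise_rate']:.0%}, "
              f"reports {s['report_rate']:.0%}, train: {training_targets(sim)}")
    print("repeat offenders:", repeat_offenders([SIM_Q1, SIM_Q2]))
```

Compromised and clicked are different things: in a Credential Harvest campaign a user who clicks but abandons the fake login page is not compromised, so isCompromised rather than the click event should drive training assignment, and the report rate deserves tracking as a success metric in its own right.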

Key Components, Values, and Defaults

Attack Types:

Credential Harvest: Simulates a phishing email that asks for credentials.

Malware Attachment: Attaches a file that, when opened, simulates malware execution.

Link in Attachment: A document contains a malicious link.

Link to Malware: A link in the email body leads to a malware download site.

Drive-by URL: A link that redirects to a malicious website.

OAuth Consent Grant: Simulates an OAuth app requesting permissions.

Payloads: Pre-built templates with realistic branding (e.g., fake Microsoft login page). The payloads are updated regularly to reflect current attack trends.

Training Campaigns: After simulation, admins can assign training modules to users who failed. Training is delivered via Microsoft's training platform, with modules on phishing, malware, etc.

Permissions: To use Attack Simulator, you need one of these roles: Global Administrator, Security Administrator, or Attack Simulation Administrator (scoped to this feature; use it to delegate campaign creation to an awareness team without broader security rights). A separate Attack Payload Author role can create custom payloads without being able to launch simulations.

Licensing: Attack Simulator requires Microsoft Defender for Office 365 Plan 2, which is included in Microsoft 365 E5, Office 365 E5 and the Microsoft 365 E5 Security add-on, or can be bought standalone. It is not included in Microsoft 365 E3 or Business Premium (which carry Defender for Office 365 Plan 1 at most).

Default Settings: Nothing runs until an admin launches a simulation, which can start immediately or at a scheduled time and runs for a set number of days. Recurring campaigns are configured separately as simulation automations. Training can be assigned automatically, with a due date, to users who fall for the simulation.

Configuration and Verification

To create a simulation:

1. Go to the Microsoft 365 Defender portal > Email & collaboration > Attack simulation training.

2. On the Simulations tab, click "Launch a simulation."

3. Choose the technique (e.g., Credential Harvest).

4. Select a payload from the global library or a custom payload (e.g., a "Microsoft 365 upgrade" style lure) and, for credential techniques, a matching login page.

5. Choose target users: all users, Azure AD groups, individual users or a CSV import, plus any exclusions.

6. Configure training: let Microsoft assign courses automatically, pick specific courses, redirect to a custom URL, or assign no training; set a due date.

7. Set the landing page (the page shown after the user interacts) and the end-user notifications.

8. Set the launch time and duration, review, and launch.

To verify, check the simulation's status on the Simulations tab and confirm that a test user in the target list received the message in their inbox.

There are no Exchange Online cmdlets for creating simulations; automation goes through the Microsoft Graph attack simulation API under security/attackSimulation (permission AttackSimulation.ReadWrite.All). With the Microsoft Graph PowerShell SDK, for example:

Connect-MgGraph -Scopes "AttackSimulation.ReadWrite.All"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations"

To pull per-user results for one simulation:

Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations/<ID>/report/simulationUsers"
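The same create-and-report workflow against the Microsoft Graph attack simulation API, as an added example in Python (not code from the page or from Microsoft). It assumes an access token with AttackSimulation.ReadWrite.All in the GRAPH_TOKEN environment variable, a payload ID taken from GET /security/attackSimulation/payloads, and the contoso.example addresses; the request body is the author's reading of the Graph simulation resource, so check the current Graph reference before relying on a given field.

```python
"""Create an Attack simulation training campaign through Microsoft Graph.

Added example; not code from the page or from Microsoft. It assumes an access
token with AttackSimulation.ReadWrite.All in the GRAPH_TOKEN environment
variable and a payload ID obtained from GET /security/attackSimulation/payloads.
The request body is the author's reading of the Graph `simulation` resource.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# The six attack types listed in the portal and the Graph attackTechnique values
# they map to. OAuth consent grant is a "cloud" attack type; the rest are "social".
TECHNIQUES = {
    "Credential Harvest": ("credentialHarvesting", "social"),
    "Malware Attachment": ("attachmentMalware", "social"),
    "Link in Attachment": ("linkInAttachment", "social"),
    "Link to Malware": ("linkToMalwareFile", "social"),
    "Drive-by URL": ("driveByUrl", "social"),
    "OAuth Consent Grant": ("oAuthConsentGrant", "cloud"),
}


def build_simulation(name, attack_type, payload_id, targets, excluded=(),
                     launch="2026-07-01T08:00:00Z", days=3, training="microsoftManaged"):
    """Return the JSON body for POST /security/attackSimulation/simulations.

    targets is either the string "all" (every user) or a list of UPNs.
    Users who already know about the campaign (e.g. the SOC) go in excluded.
    """
    if attack_type not in TECHNIQUES:
        raise ValueError(f"unknown attack type {attack_type!r}; expected one of {sorted(TECHNIQUES)}")
    if targets != "all" and not targets:
        raise ValueError("a simulation needs at least one target user")
    technique, kind = TECHNIQUES[attack_type]
    included = ({"type": "includeAll"} if targets == "all"
                else {"type": "addressBook", "accountTargetEmails": sorted(set(targets))})
    body = {
        "displayName": name,
        "attackType": kind,
        "attackTechnique": technique,
        "payloadDeliveryPlatform": "email",
        "durationInDays": days,
        "launchDateTime": launch,
        "includedAccountTarget": included,
        "trainingSetting": {"settingType": training},  # "microsoftManaged" = assign training for me
        "payload@odata.bind": f"{GRAPH}/security/attackSimulation/payloads/{payload_id}",
    }
    if excluded:
        body["excludedAccountTarget"] = {"type": "addressBook", "accountTargetEmails": sorted(set(excluded))}
    return body


def graph(method, url, body=None):
    """Minimal Graph call using the bearer token from the environment (not run offline)."""
    req = urllib.request.Request(url, method=method,
                                 data=json.dumps(body).encode() if body else None)
    req.add_header("Authorization", f"Bearer {os.environ['GRAPH_TOKEN']}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        if not raw:  # create returns 202 Accepted with a Location header and no body
            return {"status": resp.status, "location": resp.headers.get("Location")}
        return json.loads(raw)


def simulation_users(sim_id):
    """Page through the per-user report of a running or finished simulation."""
    url = f"{GRAPH}/security/attackSimulation/simulations/{sim_id}/report/simulationUsers"
    while url:
        page = graph("GET", url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


if __name__ == "__main__":
    body = build_simulation(
        "Q3 finance credential harvest", "Credential Harvest",
        payload_id="00000000-0000-0000-0000-000000000000",  # placeholder, not a real payload ID
        targets=["finance-user@contoso.example"],
        excluded=["soc-analyst@contoso.example"])
    print(json.dumps(body, indent=2))
    if os.environ.get("GRAPH_TOKEN"):  # only talk to Graph when a token is supplied
        print(graph("POST", f"{GRAPH}/security/attackSimulation/simulations", body))
```

The builder refuses a type that is not one of the six (the page's "Can it test ransomware?" question answers itself here) and an empty target list, and always carries the exclusion list explicitly so a delegated awareness team cannot accidentally mail the SOC.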

Interaction with Related Technologies

Attack Simulator works closely with:

Microsoft Defender for Office 365: Attack Simulator is a Plan 2 feature of the same product that filters real mail, but the two are deliberately decoupled: Exchange Online Protection recognises simulation messages and delivers them, so a simulation never shows whether your anti-phishing policy would have caught a real lure. If simulation messages are not reaching inboxes, look at third-party mail gateways or custom transport rules in the mail path rather than treating it as a policy false positive.

Microsoft 365 Defender: Attack simulation training reports sit in the same Defender portal as Microsoft 365 Defender incidents, Secure Score and Threat analytics, so user-risk results can be read alongside configuration and threat data. The simulation results remain a separate report: benign simulation clicks do not become incidents, and Secure Score measures configuration rather than click rates.

Microsoft Defender for Endpoint: the Malware Attachment and Link to Malware payloads contain no malicious code, so Defender for Endpoint (or any other EDR) will not, and should not, alert on them. Attack Simulator measures whether users open the file, not whether your endpoint detection fires; exercising the detection pipeline needs a separate activity such as a red-team engagement or purpose-built detection tests.

Azure Active Directory (now Microsoft Entra ID): The OAuth Consent Grant simulation tests how users respond to a rogue app's permission request; the fix for users who approve it is an identity control, namely the user consent settings and app consent policies in Azure AD, rather than an email filter.

Important Exam Details

Attack Simulator is not a penetration testing tool; it is a simulation tool. It does not exploit real vulnerabilities or cause actual compromises.

Simulations are safe and do not modify user data or systems.

The tool is only available in Defender for Office 365 Plan 2 or Microsoft 365 E5.

The role Attack Simulation Admin is specifically created for this feature.

Users who click are not penalized; the goal is training and awareness.

The simulation emails are sent from Microsoft-managed simulation sender domains, and Exchange Online Protection delivers them rather than filtering them; they are not marked as safe and appear in the inbox as normal email.

Common Misconfigurations

Excluding executives and other high-value targets "to avoid confusion", which leaves the most-targeted accounts untested; exclude only users who already know about the campaign (e.g., the SOC) and brief the help desk so user reports are handled.

Using the same payload repeatedly, which users may learn to recognize.

Not following up with training after the simulation.

Assuming that a low click rate means users are fully secure—simulations only test one attack vector.

Trap Patterns on the Exam

Wrong: "Attack Simulator requires Microsoft 365 E3." Correct: E5 or Defender for Office 365 Plan 2.

Wrong: "Attack Simulator can be used to test real exploits." Correct: It only uses simulated payloads.

Wrong: "Attack Simulator is part of Microsoft Defender for Cloud." Correct: It's part of Defender for Office 365.

Wrong: "Users who click are automatically given security training." Correct: Training is configurable; it can be automatic or manual.

Walk-Through

1

Select Attack Type

The admin chooses from six attack types: Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, and OAuth Consent Grant. Each type tests a different user behavior. For example, Credential Harvest tests if users enter credentials on a fake login page, while Malware Attachment tests if users open suspicious attachments. The choice determines the payload and the training that will be assigned. This step is critical because it defines the threat scenario you want to test. The exam may ask which attack type tests for credential theft—the answer is Credential Harvest.

2

Choose Payload Template

After selecting the attack type, the admin picks a specific payload from a library of pre-built templates. Each payload has a name, description, and language. For example, a payload named "Microsoft 365 Upgrade" mimics an email asking users to upgrade their account by clicking a link. Payloads are updated by Microsoft to reflect current real-world phishing campaigns. The admin can preview the email to see exactly what users will see. Some payloads include attachments or specific URLs. This step ensures the simulation looks realistic.

3

Target Users and Groups

The admin specifies which users will receive the simulation. Options include all users, specific groups (e.g., Finance team), or individual users imported via CSV. The admin can also exclude certain users, such as IT staff who might be aware of the simulation. Targeting is important to focus on high-risk groups. The exam may test that you can target based on Azure AD groups. The simulation respects user scope; if a user is not in the target list, they won't receive it.

4

Configure Training and Landing Page

The admin decides what happens after a user interacts with the simulation. For phishing simulations, a landing page is shown after clicking the link. The admin can choose from Microsoft-provided landing pages or create a custom one. The landing page informs the user that they were part of a simulation and may provide immediate training. The admin can also assign training modules that users must complete. Training can be mandatory or optional. This step ties the simulation to awareness improvement.

5

Launch and Monitor Simulation

The admin reviews the simulation settings and launches it. The simulation runs immediately or can be scheduled for a future time. During the simulation, the admin monitors the dashboard for real-time results, such as how many users have clicked or opened attachments. After the simulation ends, a detailed report is available, showing per-user actions. The admin can export data for compliance or further analysis. This step is where the results are collected and used to improve security.

What This Looks Like on the Job

Attack Simulator is deployed by organizations that want to proactively test their users' security awareness without waiting for a real attack. Here are two specific enterprise scenarios:

Scenario 1: Large Financial Institution A bank with 10,000 employees runs Attack Simulator quarterly against all users, alternating Credential Harvest and Malware Attachment campaigns. Training is assigned automatically, with a due date, to every user who is compromised. Over a year, compromise rates fell from 15% to 2%. The security team exports the per-user results to a SIEM and correlates them with real phishing reports. Operational considerations: a 10,000-user campaign is scheduled over several days rather than fired at once, so the help desk and SOC are not flooded with reports, and both teams are briefed in advance. The Attack Simulation Administrator role is used to delegate campaign creation to the awareness team without granting Security Administrator rights. Misconfiguration example: the bank initially excluded the CEO to avoid awkwardness; when a real phishing mail reached the CEO, who clicked, they learned to include executives, using a tailored payload and a personal follow-up rather than the mass training module.

Scenario 2: Mid-Sized Tech Company A 500-employee SaaS company wants to know whether a new anti-phishing policy has reduced risk, so they run a Credential Harvest simulation that mimics a document-sharing invitation. The simulation reveals that 20% of users clicked. The lesson they take is that this number measures users, not the filter: Exchange Online Protection recognises and delivers simulation mail by design, so a simulation can never show whether the anti-phishing policy would have caught a real lure. They therefore treat the 20% as an awareness baseline and evaluate the filter separately, using the threat protection status report and real user reports from the Report message button. They also use the OAuth Consent Grant simulation to test whether users approve a fake app's permission request; several do, which leads them to restrict user consent with app consent policies in Azure AD. Common pitfalls: the company initially ran simulations weekly, causing fatigue and desensitization; they switched to monthly campaigns with varied payloads, and learned that without assigned training the click rates did not improve over time.

Both scenarios illustrate that Attack Simulator is not a set-and-forget tool. It requires ongoing tuning, payload variety, and integration with training programs to be effective. The exam may ask about these best practices, such as varying payloads and combining with training.

How MS-900 Actually Tests This

The MS-900 exam tests Attack Simulator under Objective 3.1: Describe the threat protection capabilities of Microsoft 365 Defender. Specifically, you need to know: - What Attack Simulator does: It simulates real-world attacks to test user awareness and security policies. - Available attack types: Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, OAuth Consent Grant. - Licensing requirements: Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. - Required role: Global Admin, Security Admin, or Attack Simulation Admin. - Where to access it: Microsoft 365 Defender portal > Email & Collaboration > Attack simulation training. - Relationship to training: Simulations can automatically assign training to users who fail.

Common wrong answers on the exam: 1. "Attack Simulator is used to test real vulnerabilities in the network." This is wrong because it only uses simulated payloads and does not exploit actual vulnerabilities. 2. "Attack Simulator requires Microsoft 365 E3." Wrong—it requires E5 or Defender for Office 365 Plan 2. 3. "Attack Simulator is found in the Microsoft 365 admin center." Wrong—it's in the Microsoft 365 Defender portal. 4. "Attack Simulator can test ransomware attacks." While there is a malware simulation, it does not simulate ransomware encryption; it only tests if users open malicious attachments.

Specific numbers and terms that appear on the exam: - The phrase "simulated phishing attacks" is often used. - The term "Attack Simulation Training" is the official name in the portal. - The role "Attack Simulation Admin" is a specific role that can be delegated. - The licensing requirements: E5 or Defender for Office 365 Plan 2.

Edge cases the exam loves: - If a user reports a simulation email as phishing, that is a positive behavior: the user recognized the threat. The exam may ask what action to take: encourage reporting. - If simulation messages are not delivered, the cause is usually a third-party mail gateway or a custom transport rule rather than an EOP false positive, because EOP deliberately delivers simulation mail; the admin should check that path. - The exam might ask which attack type tests for users approving malicious OAuth apps: OAuth Consent Grant.

How to eliminate wrong answers: - If an answer mentions "real exploits" or "actual compromise," it's wrong. - If an answer mentions a lower licensing tier (E3, Business Premium), it's wrong. - If an answer says Attack Simulator is in the Security & Compliance Center, it's wrong (it's now in Defender portal). - If an answer says it tests network vulnerabilities, it's wrong—it tests user behavior and email policies.

Key Takeaways

Attack Simulator is a tool in Microsoft Defender for Office 365 that simulates phishing and malware attacks to test user awareness.

Available attack types: Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, OAuth Consent Grant.

Licensing requirement: Microsoft 365 E5 or Defender for Office 365 Plan 2.

Required admin role: Global Admin, Security Admin, or Attack Simulation Admin.

Access location: Microsoft 365 Defender portal > Email & Collaboration > Attack simulation training.

Simulations are safe and do not cause real damage; they are designed for training.

Users who interact with simulations can be automatically assigned training modules.

Attack Simulator is not a penetration testing tool and does not test network vulnerabilities.

The OAuth Consent Grant attack type tests if users approve malicious app permissions.

Results can be exported to CSV for reporting and integration with SIEM systems.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Attack Simulator

Tests user behavior through simulated attacks

Provides per-user click rates and training assignments

Requires manual setup and targeting

Focuses on social engineering and email threats

Available only in E5 or Defender for Office 365 Plan 2

Microsoft Secure Score

Measures overall security posture based on configuration

Provides a numerical score with improvement actions

Automatically calculates score based on enabled policies

Covers all security areas (identity, devices, apps, etc.)

Available in all Microsoft 365 plans with varying features

Watch Out for These

Mistake

Attack Simulator can test for real malware infections.

Correct

Attack Simulator uses benign payloads. The "malware" attachment is a harmless file that contains no malicious code; nothing executes and no infection can occur. It tests whether users open suspicious attachments, not whether your antivirus or EDR detects real malware.

Mistake

Attack Simulator is available in all Microsoft 365 plans.

Correct

Attack Simulator requires Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. It is not included in E3, Business Premium, or other lower-tier plans.

Mistake

Attack Simulator can be used to test internal network security.

Correct

Attack Simulator only tests email-based threats and user behavior. It does not test network security, firewalls, or endpoint vulnerabilities. It is focused on phishing and social engineering.

Mistake

Users who click on simulation links are automatically penalized or reported to HR.

Correct

The purpose is training, not punishment. Users who click are typically assigned a training module. Their actions are logged for awareness, but there is no automatic HR action. The goal is to improve security awareness.

Mistake

Attack Simulator simulations are identical to real attacks and can cause data loss.

Correct

Simulations are designed to be safe. They do not exfiltrate data, modify files, or cause any damage. The payloads are controlled by Microsoft and do not perform any malicious actions.


Frequently Asked Questions

What is Attack Simulator in Microsoft 365?

Attack Simulator is a feature in Microsoft Defender for Office 365 that allows admins to launch simulated phishing and malware attacks against their own users. It helps test user awareness and security policies without real risk. It is available in Microsoft 365 E5 or Defender for Office 365 Plan 2. The simulations include credential harvesting, malware attachments, and OAuth consent grants.

What licenses are required for Attack Simulator?

Attack Simulator requires Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2. It is not available in E3, Business Premium, or other lower-tier plans. If you have Defender for Office 365 Plan 2 standalone, you also have access. The exam often tests this licensing requirement, so remember E5 or Plan 2.

What roles can manage Attack Simulator?

The roles that can manage Attack Simulator are Global Admin, Security Admin, and the specific Attack Simulation Admin role. The Attack Simulation Admin role is designed to delegate simulation management without giving full security admin rights. Other roles like Exchange Admin or Helpdesk Admin cannot manage simulations.

How do I create a phishing simulation?

Go to the Microsoft 365 Defender portal (security.microsoft.com) > Email & collaboration > Attack simulation training. Click 'Launch a simulation.' Choose the technique (e.g., Credential Harvest), select a payload, target users, configure training and notifications, set the launch time, and launch. For automation, use the Microsoft Graph attack simulation API (security/attackSimulation); there are no Exchange Online cmdlets for creating simulations.

Can Attack Simulator test for ransomware?

Attack Simulator does not simulate ransomware encryption. It has a Malware Attachment attack type that tests if users open a malicious attachment, but the payload simulates malware execution in a sandbox—it does not encrypt files. For ransomware simulation, you would need a different tool.

What happens if a user reports a simulation email as phishing?

If a user reports a simulation email as phishing, that is a positive behavior—they correctly identified a suspicious email. The admin can see this in the simulation report. The user should be praised or given positive feedback, not penalized. The exam may ask what the correct response is: encourage reporting.

Is Attack Simulator available in the Microsoft 365 admin center?

No, Attack Simulator is accessed through the Microsoft 365 Defender portal (security.microsoft.com) under Email & Collaboration > Attack simulation training. It is not in the Microsoft 365 admin center (admin.microsoft.com). The exam may present the admin center as a wrong answer.

