Quick look at Attack Simulator on Office 365

Brute-force attacks and email phishing have been around for a long time, but they should never be considered outdated techniques in security. Both primarily target vulnerable systems and, especially, non-technical users who have no security awareness. Office 365 in particular is used by millions of people, and attacks against such a collaborative environment are increasing exponentially every day.

Participating in a few private channels, I often see questions about compromised credentials. Some of them expressed unhappiness that the source of the attack was a Microsoft cloud datacenter, yet the request to remediate was rejected. That raises a question: should we simulate an attack against our own organization to see what would happen and to prepare preventive actions? And if we did, would we have to sign any legal agreement before the simulation? I have half of the answer for you: Attack Simulator on Office 365.

Attack Simulator was in fact introduced back at Microsoft Ignite 2017, but access was only provided through the Office 365 Universal Preview program with limited registration. The public preview was stated to be announced in the week of Mar 19th; in practice, the week of Mar 26th is when it becomes available to you. Microsoft initially provides three types of attack, all of them categorized under Account Breach.

  • Spear Phishing
  • Brute-force Password Attack
  • Password Spray Attack

We will explore each of them in this article.


There are some prerequisites before you can simulate your own attack. First, Attack Simulator is part of the Office 365 Threat Intelligence solution, which means it is only available with Office 365 Enterprise E5. Next, the account you use to run a simulation must be a global administrator of the Office 365 subscription, or a member of the Security Administrator role group in the Security & Compliance Center.

More importantly, this account must have multi-factor authentication enabled. This makes sure that the person launching the simulation really owns the account.

If you don’t see the Attack simulator entry under Threat Management in the Security & Compliance Center, Microsoft may not have released it to your subscription yet. However, you can access it directly via this URL: https://protection.office.com/#/attacksimulator. Once you are on the page, set it up by simply clicking the Setup button.

If you are not lucky, you will receive an internal error during the call to the Microsoft SecureScore API. In that case you have to wait and come back later.

Perform simulated phishing attack

Email phishing can be explained simply as a technique that tricks users into clicking a trap URL that leads to a fake website with a login form. The attack persuades the user to enter personal information, especially credentials. Without awareness it is easy to be trapped, because the fake website looks exactly like the one you are familiar with (e.g. Facebook, PayPal, ...).

Phishing attack simulation only works with Exchange Online. You cannot test it against Exchange on-premises.

Under Display Name – Spear Phishing, click Launch Attack to start your simulation setup. On the Start page, just give your attack a name (e.g. targeting whoever would love to buy an iPhone X for only $100). You are given two templates: Prize Giveaway and Payroll Update. Each template has its own look and feel and serves a specific pretext (e.g. Payroll Update persuades you to update your payroll account).

In Target recipients, enter the target users. You must enter each user individually; per my test, groups are not supported.

Now the very important part: composing the email. If you use the Prize Giveaway template, the fields are populated automatically. Phishing Login server Url contains the list of back-end websites that capture the information and credentials you enter after being redirected. When composing the email, link the button to the selected login server URL through the parameter ${loginserverurl}.

Compose something meaningful to your users (download the HTML source here). This is not only to simulate an attack but also to test whether your users have enough security awareness after corporate information security training sessions. When you are ready, hit Confirm and click Yes.

Open the email: it looks exactly like a ‘real’ congratulations email, doesn’t it? If you enter another address in From, such as tcook@apple.com (Apple’s CEO), you won’t be surprised by the result: the message uses exactly that address, as if it came from Apple’s email system.

Even if you click the email address, it shows the corporate address. Now let’s click the button. You are redirected to the login page; enter your username/email and click Next.

You are then directed to /Login/USubmitted, which captures your password. You can verify this easily by tracing the HTTP request with the Developer Tools in your browser. The destination page the target user lands on is this one: http://portal.prizegiveaway.net/Login/Phished

Go back to the Attack Details under Display Name – Spear Phishing: the result shows that the target user supplied credentials. Note that the phishing simulation does not verify whether the credentials are valid; it only grabs them.

The simulation setup is not hard. The hardest part is composing a convincing email for your target users.

Perform simulated brute-force password attack

I previously wrote a post titled Brute-force attack mitigation on Azure which briefly describes what a brute-force attack is. In a nutshell, a brute-force attack continuously guesses your password from a predefined dictionary (and if AI is used, the dictionary is no longer necessary).

As with the phishing simulation, the setup is straightforward. The only thing you need to pay attention to is the password list. Enter a password under The password(s) to use in the attack and press Enter on your keyboard. This is not the only password the simulation engine uses if you also upload a list with one password per line. A list of common credentials can be downloaded here.

Perform further steps and wait for the report.

Perform simulated password spray attack

A password spray attack is slightly different from a brute-force attack. While the brute-force technique tries many different passwords against one account, password spray tries one likely password against many users. With this technique you don’t need a list of hundreds or thousands of passwords to guess; you only need one common password with a high probability of being in use, and you try it against a list of user accounts.

The simulation setup for a password spray attack is similar to the brute-force one. The only difference is that, by its nature, password spray does not offer the ability to upload a list of passwords.

The lack of an option to upload a list of user accounts is a disadvantage when setting up: you have to enter each user one by one.

Monitoring the simulated attack

Monitoring the brute-force attack directly is not possible. You can only capture the sign-in activity via Azure Active Directory. From the logged sign-in activity, you can identify the attack source IP address. Tracing this IP address, you will find that the source is one of the Microsoft Azure datacenters. No matter where the user belongs, the source only comes from the US region.

Another interesting thing is the client and application: the simulated attack appears to target only Exchange Online credentials over the Exchange Online REST API (or Graph).
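The difference between the two password attacks, and the fact that Azure AD sign-in activity is the only place the simulation shows up, can be turned into detection logic. The following Python script is an added example (not from the original post and not part of Attack Simulator): it classifies a constructed batch of sign-in records, modelled on the Azure AD sign-in log fields (userPrincipalName, ipAddress, createdDateTime, status.errorCode, appDisplayName) with error code 50126 meaning a wrong password, as brute force (many failures against one account from one source within a short window) or password spray (one source failing against many accounts, one or two tries each). The sample records, the contoso.example names and the thresholds are assumptions.

```python
"""Classify failed Azure AD sign-ins as brute force or password spray.

Added example, not part of the original post or of Attack Simulator.
The records are constructed and only modelled on the Azure AD sign-in
log fields; the thresholds are assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Azure AD error code: invalid username or password
SUCCESS = 0


def _record(user, ip, when, code):
    """Build one constructed sign-in record in the Azure AD log shape."""
    return {
        "userPrincipalName": user,
        "ipAddress": ip,
        "createdDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "appDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": code},
    }


_T0 = datetime(2018, 3, 27, 9, 0, 0)

# Constructed sample: a brute-force burst, a spray sweep and benign noise.
SAMPLE_SIGN_INS = (
    # brute force: 8 wrong passwords for one account from one source, 5 s apart
    [_record("alice@contoso.example", "203.0.113.10",
             _T0 + timedelta(seconds=5 * i), INVALID_CREDENTIALS) for i in range(8)]
    # password spray: one source, one wrong password against each of 6 accounts
    + [_record(f"user{i}@contoso.example", "198.51.100.7",
               _T0 + timedelta(minutes=10 + i), INVALID_CREDENTIALS) for i in range(6)]
    # benign: bob mistypes once, then signs in successfully
    + [_record("bob@contoso.example", "192.0.2.5",
               _T0 + timedelta(minutes=20), INVALID_CREDENTIALS),
       _record("bob@contoso.example", "192.0.2.5",
               _T0 + timedelta(minutes=21), SUCCESS)]
)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _failures(records):
    """Yield (ip, user, timestamp) for every wrong-password sign-in."""
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            yield r["ipAddress"], r["userPrincipalName"], _parse_ts(r["createdDateTime"])


def detect_brute_force(records, window=timedelta(minutes=10), threshold=5):
    """Return (ip, user) pairs with at least `threshold` failures inside one window."""
    times_by_pair = defaultdict(list)
    for ip, user, ts in _failures(records):
        times_by_pair[(ip, user)].append(ts)
    hits = []
    for (ip, user), times in times_by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append({"ip": ip, "user": user, "failures": len(times)})
                break
    return hits


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return source IPs that failed against many accounts with few tries each."""
    per_ip = defaultdict(lambda: {"users": defaultdict(int), "times": []})
    for ip, user, ts in _failures(records):
        per_ip[ip]["users"][user] += 1
        per_ip[ip]["times"].append(ts)
    hits = []
    for ip, data in per_ip.items():
        sprayed = [u for u, n in data["users"].items() if n <= max_per_account]
        span = max(data["times"]) - min(data["times"])
        if len(sprayed) >= min_accounts and span <= window:
            hits.append({"ip": ip, "accounts": len(sprayed)})
    return hits


if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_SIGN_INS))
    print("password spray:", detect_password_spray(SAMPLE_SIGN_INS))
```

Run against the constructed batch, the brute-force detector flags only alice’s account from 203.0.113.10, and the spray detector flags only 198.51.100.7, while bob’s single typo raises nothing. On a real tenant you would feed the same functions the sign-in records exported from Azure AD; grouping additionally by appDisplayName would show the pattern the post describes, where the simulated traffic only ever arrives against Exchange Online from a US Azure address.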

Attack Simulator API

I’m unsure at this moment. It looks like the following are the APIs.

API documentation, including HTTP methods and request bodies, has not been provided yet.

Attack Simulator Benefit

Although Attack Simulator does not offer much as a practical attack, it can still be helpful in some cases. First, it helps you examine your users’ information security awareness. Second, with Attack Simulator you don’t have to sign any legal agreement with Microsoft or any third party to run an attack exercise; when you perform an attack, you own the responsibility for it and for any security incidents it causes. Finally, with Attack Simulator you can test security features and monitoring (e.g. email scam detection, user sign-in risk, conditional access).



© 2018 The Soldier of Fortune.