Phishing attack simulation in Exchange Online – Part one


For IT professionals, one of the biggest dangers is an attack on their own company network.
There are different types of attacks. As I have described in a previous article, phishing attacks are one of the biggest threats.

Several providers on the market offer employee training aimed at improving awareness of such attacks.


Microsoft itself also offers such tools for its customers. Depending on the licensing, an internal simulated attack on the company can be carried out in a few simple steps. Microsoft offers different variations of those attacks, which are described in detail in this and further articles.


In this article we explain the configuration and execution of such a simulated attack to capture user credentials.

Available attacks

Currently Microsoft offers three kinds of attack simulations. Those are:

  • Display name spear phishing attack
  • Password spray attack
  • Brute force password attack


I will cover the password spray and brute force password attacks in a dedicated article.


Before we create and run a simulated attack in our company, we need to make sure the following prerequisites are met:

  • As written earlier, the organization’s messaging system has to be hosted in Exchange Online. Microsoft’s attack simulator is not available for on-premises Exchange environments. If we want to run a simulated attack on on-premises environments, we will unfortunately need third-party tools.
  • The IT engineer who prepares and runs the simulated attack needs to be a global administrator in the company’s Office 365 tenant.
  • Multi-factor authentication is turned on for at least the global administrators of the Office 365 tenant.
  • The organization has Office 365 Advanced Threat Protection Plan 2 enabled. In that case, the option “Attack simulator” will be available in the Security & Compliance Center.

The Office 365 Advanced Threat Protection Plan 2 is also included in the Office 365 ATP Plan 2.

ATP Plan 2 is also part of the following Office 365 plans:

  • Office 365 E5
  • Office 365 A5
  • Microsoft 365 E5

If your organization doesn’t run any of those plans, ATP Plan 2 can be purchased separately as an add-on for certain subscriptions.

To learn more, see Feature availability across ATP plans.

Attack one – Display Name

To start planning a simulated attack, we first go to our Security & Compliance Center and then browse to Threat management > Attack simulator.


In our first case we select the Spear Phishing attack option and click Launch Attack.


The configuration wizard now starts. First, we have to give our simulation a campaign name. Once it is defined, continue with Next.


In the next step the target users are defined. A single attack can be executed against the entire organization or only against individual users.


In the next step, various settings have to be made. This is also where the theme of the attack is defined. First, there is the design of the message: what should be displayed as the sender of the phishing message, and what should the sender’s e-mail address be?

You can also select from a drop-down list which fake target web address should be presented.

The last two settings are the real destination web address and the message subject.

Note: Remember that the Custom Landing Page URL should be a dedicated website to which users who have fallen into the trap are redirected. On this dedicated website, the users should be informed that they have been part of a simulated phishing attack.

I am currently preparing such a landing page; as soon as it is ready, you are welcome to refer to it. The custom landing page does not store any information entered by the user. It is a simple redirect to an info page.


The next step is to generate the message for the users. Microsoft offers a template, which is not very good.

Every administrator who prepares such a simulation can set up a message either in text form or in source form (HTML).

I have prepared an HTML message for you below (I advise you to use the “Download Now” button if you want to get the file below). My template contains the custom variables and also the link variable for the forwarding.

If you want, feel free to use that one and of course you can modify it so it fits into your scenario.


Or as a File:

Download Now



The configuration of the simulated attack is now complete. Click Finish to start it.


The attack has started – User view


Let’s change perspective now. We have started the simulation. Since Microsoft has configured the simulated attack for its own tenant, we don’t have to worry that the message will end up in the spam folder. The phishing message will normally end up in the inbox as usual.

This message can look like the following example:


After opening the message, we also see who the sender is (including the defined e-mail address) and the subject.

It is also exciting that the predefined variables are filled in immediately in the mail text, so the affected user is personally addressed by name:


Further down in the message there is also a button with a link. If the user clicks on this link, he will be redirected to a simulated Microsoft sign-in page.

This is the fake link that we defined earlier in the wizard during the simulation configuration.


If the user has now also entered his credentials and then clicked on Log-In, he has become a victim of the simulated attack. He is then redirected to the Custom Landing Page URL that the administrator has defined. As already mentioned, I will soon provide such a landing page, free to use.




After the simulation is finished, we can go back to the Admin Center as administrator. We can see at a glance how far the simulation has progressed, and with a click on View Report we can see further details.


As we can see in the picture below, we get a clear and structured overview of the test results here. Finally, we can also export them.

The users’ passwords are of course not listed; the report shows only which users clicked on the link and which entered their credentials.
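
Once exported, the results can be turned into click and credential-entry rates and a follow-up training list. The following is an added example, not part of the original article or of Microsoft's tooling; the CSV column names and the sample rows are constructed assumptions, so adapt them to the headers in your actual export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are assumptions made for this
# example; they are not taken from the real Attack simulator export.
SAMPLE_EXPORT = """User,Department,LinkClicked,CredentialsSupplied
alice@contoso.example,Finance,True,True
bob@contoso.example,Finance,False,False
carol@contoso.example,IT,False,False
dave@contoso.example,Sales,True,True
erin@contoso.example,Sales,False,False
bob@contoso.example,Finance,True,False
"""

def _flag(value):
    return value.strip().lower() in ("true", "yes", "1")

def summarize(export_text):
    """Return overall rates, per-department counts and a training list."""
    outcome, dept_of = {}, {}  # outcome: 0 none, 1 clicked, 2 entered credentials
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["User"].strip().lower()
        level = 2 if _flag(row["CredentialsSupplied"]) else 1 if _flag(row["LinkClicked"]) else 0
        # A user can appear more than once; keep the most severe outcome.
        outcome[user] = max(outcome.get(user, 0), level)
        dept_of[user] = row["Department"].strip()
    by_dept = defaultdict(lambda: {"targeted": 0, "clicked": 0, "submitted": 0})
    for user, level in outcome.items():
        d = by_dept[dept_of[user]]
        d["targeted"] += 1
        d["clicked"] += int(level >= 1)
        d["submitted"] += int(level == 2)
    total = len(outcome)
    return {
        "targeted": total,
        "click_rate": sum(l >= 1 for l in outcome.values()) / total if total else 0.0,
        "submit_rate": sum(l == 2 for l in outcome.values()) / total if total else 0.0,
        "by_department": dict(by_dept),
        # Users who entered credentials come first, then users who only clicked.
        "training_order": sorted((u for u, l in outcome.items() if l), key=lambda u: (-outcome[u], u)),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_EXPORT)
    print(f"click rate {report['click_rate']:.0%}, credential rate {report['submit_rate']:.0%}")
    for user in report["training_order"]:
        print("follow up:", user)
```
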


Conclusion | Preview Part two

As we have seen, such a simulation is very easy and fast to implement. Only the phishing message itself and the landing page need more time. How hard such a simulation should be for the users depends on the administrator.

He can deliberately make the message “inaccurate” or, depending on the enterprise, tailor it very specifically.

From my point of view, it is important to carry out such simulations from time to time and to train the users afterwards.

In one of my next articles I will also describe the Password Spray attack and Brute-force password attack.

But I started with this example because I think this is by far the biggest threat.


