At this point I am happy to present the third part of my series “Phishing attack simulation”.

In this article we will focus on Brute force Password (Dictionary) attacks.

A brute-force attack dictionary is an automated, trial-and-error method of generating multiple passwords guesses from a dictionary file against a user’s password.

Identical to Spear Phishing attacks, whether Credentials Harvest or Attachment, the prequels are the same.

The ATP Plan 2 is required! ATP Plan 2 is included in:

  • Office 365 E5.
  • Office 365 A5
  • Microsoft 365 E5

If your organization don’t run any of those plans, they can be purchased dedicated as an add-on for certain subscriptions.

To learn more, see Feature availability across ATP plans.


Attack tree – Password attack

So that we can start planning a simulated attack, we have to go to our Security & Compliance Center first, then we browse further on Threat management > Attack simulator.


In our first case we select the Brute Force Password (Dictionary Attack) option and click Launch Attack.


Now the configuration wizard is started. First, we have to give our simulation a campaign name. If this is defined, continue with Next.


In the next step the target users are defined. A single attack can be executed against the entire organization or only against individual users.


Now we need to define the passwords we want to use for our Test. This can be made In two ways:

Manual by adding Passwords to test or by a file.

If you want, I have prepared a TXT File with the currently 10’000 most known and used passwords.

This file you can download below



The configuration of the simulated attack is now complete. Click Finish to start it.


The attack simulation

To check the attack, we need to go to the Attack Details.

Here we can see the current status of the simulation

Note: This can take a while.

Other than in the previous simulations, there are no obvious tasks for the user to do. This test works automatically and will give a result at the end.



After finishing the simulation we see the following report:


As we have seen in this attack, this attack is different from the classic phishing attacks I wrote about earlier. In this simulation you don’t have to wait for a user to interact, you can simply use a list of predefined passwords and wait for the result.

Just keep in mind that the longer the password list and user list, the longer the attack will take.