Why would you want to simulate a phishing attack on your own organization?
Email hygiene filters work wonders, effectively identifying and blocking a substantial portion of email sent across the global Internet as SPAM or containing malicious content. Even with such a high rate of filtering success, as in life nothing is perfect, and this is a constantly evolving cyber-battle, so there is always a chance some unwanted email will get past even the best hygiene scanners. The attackers are business people and they are smart - very smart. Microsoft and other security companies track millions of attacks each year and analyze each one for intelligence gathering and mitigation efforts. It is this very rich data that enables us to provide some of the best security defenses in the world (see more here). But with attack vectors constantly changing, what is often the last line of defense is people - your organization's users. They must be trained and constantly re-trained to identify legitimate emails from those phishing emails are malicious and well-crafted.
In March 2018, Microsoft released its latest toolset to assist you in efforts to train your users on the identification and dangers of phishing emails. Now part of some Office 365 plans, the Office 365 Attack Simulator does exactly what the name implies, including email spear phishing simulations, brute force password attacks, and password spray attacks. There is plenty of information available on this product already, but for this blog series I am focusing on how to write your own phishing simulation emails to use in this tool. I also have written over ten examples you can use and modify as needed for your own simulations. Read below for more information on how to plan your simulated phishing attack in the Office 365 Attack Simulator. Good hunting!
What you need to get started:
Leadership Approval: Before launching a spear phishing attack (even a simulated one) on your own users, it is best to obtain approval from your organization's leadership team. In your request, explain why this simulation is so important. Explain that even with the best security detection and defenses in place, roughly 75% of all company breaches now start with phishing attempts designed to steal user credentials. Once stolen, an attacker will then use this open door to start walking through the network (often undetected for months) looking for the newest form of currency - your organization's data. Most importantly though, highlight this is a benign simulation that will not cause harm to your users. Rather, the simulation is to track just how susceptible your organization is to malicious emails. The results will enable you to move forward with next steps to train your users.
You may want to limit the people you speak to about this simulation because you want this to be as real as possible, potentially catching them off guard.
Technical Requirements: There are several technical requirements needed to prepare the simulation. These are already defined in this link under the "Before You Begin… section," so there is no need to republish them here.
Simulated Phishing Email Examples:
Now that you know why a phishing simulation can be so effective and what you need to get started, how do you design your simulation emails? How do you trick your users into believing these are real emails and to take the requested action? Often, all that is needed to initiate an infection or credential theft is just a click on a hyperlink - the goal of many phishing attacks. So, we'll focus on the design of our phishing emails with this in mind.
The new Office 365 Attack Simulator tool has several phishing simulation email templates to choose from when designing your self-imposed attack. To provide you with additional phishing simulation examples, I created several more that you may also choose to use as they are written or that you may modify for your own environment. Since blogs are not meant to be novels, I have created several blogs to host a list of these examples. Each of the blogs below contains about five phishing templates.
Phishing Examples for the Microsoft Office 365 Attack Simulator - Part One (Background) current page
Phishing Examples for the Microsoft Office 365 Attack Simulator - Part Three (Simulations 6-10)
Consider using multiple phishing emails as part of your simulation. Using the same simulated phishing email is more likely get noticed by users and recognized as fake. Remember, the attackers are smart business people and most likely not going to use the same phishing emails either. Rather, they will use a combination of many phishing emails sent over a period of days or weeks to your organization. You should consider doing the same.
In each of the phishing simulated emails, be sure to include several of these items that are often used in phishing attacks:
- Give the reader a reason to take immediate action. What will they gain with the action taken? Or, what do they run the risk of losing without action?
- Keep the emails short. Just a few sentences within just a few paragraphs.
- Make the email "from name" and "from email address" be something noticeable in your organization
- Make sure the email resolves to an internal account so it appears as an account name and not an external email address with an @ in it.
- Use the same terminology in the email simulation that is used internally. For example, what is your IT/Technical department known as? Use the same department name in the simulated phishing emails. Or, what is your company social committee called? What is your HR Department known as?
- Use program names, contest names, registration request titles, etc. as names within the emails. Then, insert a hyperlink to one of the Office 365 Attack Simulator sites to track the clicks.
- If you are adding some pictures or design to your email, make sure it fits within the 'look' of your organization. What is the typical look of a broadcast email sent around internally - use that to make it even more real!
- Include multiple phishing emails as part of each simulation.
- Always test the simulation first on a few test accounts. Make sure the system is recording the hyperlink clicks of each test user correctly.
With your simulated phishing emails now written, how do you use them in the Office 365 Attack Simulator?
If not already familiar with the steps to access the Office 365 Attack Simulator, there are plenty of articles and videos available already, so I don't need to rehash the steps here. Below are a few great links to get you started.
For an overview and quick walk through of the Office 365 Attack Simulator, see this six-minute Microsoft Mechanics video:
This TechNet blog provides instructions about how to launch a simulated attack:
Recommendations on next steps:
The goal of the simulated phishing attack is to first record how many of your users will click on what could otherwise be a malicious hyperlink. And second, to help educate them on how to quickly identify fake phishing emails. Additionally, you want to report on the initial user click rate and then click rates after a user awareness program has been implemented - hopefully, you will see an improvement because of your efforts!
The initial and follow up recorded hyperlink clicks by your employees need to be tracked and reported to your organization's leadership team. Security is not just a concern for the technical team, but rather for the leadership team of every organization. Let the leadership team know just how bad the problem is and ask the question, "What if this were a real phishing attack? What could have been the impact of a significant data breach from our organization?" Then remind them that the best security posture is to always assume a breach has already occurred - you just haven't found it yet. The Office 365 Attack Simulator will enable you to report how many users clicked on the phishing emails and who.
One you have completed your simulated phishing attacks, determine your plan of action to educate your users. Consider letting the entire organization know about the simulated phishing attack and perhaps the concerning results. Then, provide several resources that will inform your users how to quickly identify phishing emails. Consider hosting an internal SharePoint site with articles or videos to learn more about the topic. Consider creating some mandatory training. Below is a great article from Microsoft about how to identify key characteristics of a phishing email:
Just as important as identifying a phishing email, is how to report it. Microsoft has created a no charge SPAM/Phishing/Junk reporting add-in to Outlook that takes minutes to install on a single machine or to deploy to all Outlook users in an Office 365 tenant. I published a blog several weeks ago about this fantastic new plug-in. This is the link:
To further secure user credentials in your organization, consider enabling Multi-Factor Authentication (MFA). MFA is available to all Office 365 users, no matter the subscription level. Notice in this blog how concerned we are with users being tricked by a phishing email designed to steal their credentials - a username and password. With MFA enabled, you will have created very powerful new line of defense (that we highly recommend). If a username and password is stolen, with MFA enabled there is little chance an attacker can move any further into your network. For more information on MFA, see the links below:
The new Office 365 Attack Simulator is an excellent product to have in your toolbox to help further secure your environment. With users being the last line of defense in this ever-evolving cyber battle where credentials and data is the new currency of criminals, user education is now more important than ever in the identification of fake emails.
Please make periodic use of the Office 365 Attack Simulator and use the examples to make the simulations even more realistic. Happy hunting!