
Attack Simulation Training in Defender for Office 365

How to run controlled phishing simulations and embedded training to harden users against real attacks.

Attack Simulation Training is a feature of Microsoft Defender for Office 365 Plan 2 that lets you run controlled phishing simulations against your own users, measure click-through rates, and automatically enrol users who fall for them in training. It's how you stop guessing how susceptible your users are and start measuring.

What you can simulate

The simulation engine ships with a library of techniques real attackers use:

  • Credential harvest — a fake sign-in page that captures clicks.
  • Malware attachment — an attachment that triggers a click metric (no real payload).
  • Link in attachment — a clickable link inside a document.
  • Link to malware — a clickable link to a "malicious" URL.
  • Drive-by URL — a link that simulates a watering-hole compromise.
  • OAuth consent grant — a fake app requesting Microsoft 365 permissions.

Each technique comes with built-in payloads, and you can add your own with custom branding and copy. The payload picker lets you choose by industry, sophistication, and current threat trends.

Targeting and scheduling

  • Targeting: a specific group of users, a department, or the whole tenant. Repeat-offender targeting picks users who clicked in previous simulations.
  • Delivery: one-shot or automated campaigns running on schedules.
  • Region awareness: deliveries can be staggered across time zones.
  • Sender impersonation: simulate internal senders, partner brands, or random external senders.

Training

When a user clicks, they're redirected to training content:

  • Built-in microlearning modules covering the specific technique.
  • Nudge training for first-time clickers, full training for repeat clickers.
  • Optional training-only assignments to specific groups without a simulation.

Training completion is tracked, and you can require it before lifting the consequences of a click (typically a Teams notification or manager email).

Reporting

The reporting surface includes:

  • Per-campaign reports — click rates, training completion, recidivism.
  • Per-user dashboards for managers — who's clicked what.
  • Trend reports over time.
  • Susceptibility comparisons against industry baselines.

Repeat-offender lists are the most useful output: a small number of users tend to drive the bulk of risk, and targeted coaching for those individuals beats blanket training every time.
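As an added example (not code from the original article or from the Defender product), the following script derives the three report figures named above, click rate, training completion and recidivism, plus a repeat-offender list, from a constructed set of per-user simulation results; in practice the rows would come from the campaign report export.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One row per (campaign, user): did they click, did they finish training."""
    campaign: str
    user: str
    clicked: bool
    training_done: bool


# Constructed sample data, not a real export.
RESULTS = [
    Result("2024-01 Credential harvest", "alice", True, True),
    Result("2024-01 Credential harvest", "bob", False, False),
    Result("2024-01 Credential harvest", "carol", True, False),
    Result("2024-02 Link in attachment", "alice", True, True),
    Result("2024-02 Link in attachment", "bob", False, False),
    Result("2024-02 Link in attachment", "carol", False, False),
    Result("2024-03 OAuth consent grant", "alice", True, False),
    Result("2024-03 OAuth consent grant", "bob", True, True),
    Result("2024-03 OAuth consent grant", "dave", False, False),
]


def campaign_metrics(results):
    """Per campaign: targeted users, clickers, click rate, and the share of
    clickers who completed the training they were assigned."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name, rows in by_campaign.items():
        clickers = [r for r in rows if r.clicked]
        done = sum(r.training_done for r in clickers)
        metrics[name] = {
            "targeted": len(rows),
            "clicked": len(clickers),
            "click_rate": round(len(clickers) / len(rows), 2),
            "training_completion": round(done / len(clickers), 2) if clickers else None,
        }
    return metrics


def repeat_offenders(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns: the coaching list."""
    clicks = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, n in clicks.items() if n >= threshold)


def recidivism_rate(results):
    """Share of users who clicked at least once and then clicked again."""
    clicks = Counter(r.user for r in results if r.clicked)
    return round(sum(n >= 2 for n in clicks.values()) / len(clicks), 2) if clicks else 0.0
```

With the constructed data, alice is the only repeat offender and one in three clickers clicked again, which is the pattern the paragraph above describes: a few users carry most of the measured risk.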

Operational discipline

A simulation programme is most effective when it's regular and visible:

  • Monthly cadence, escalating sophistication over time.
  • Clear communication to users that simulations happen (don't try to "trick" without ever telling them — that breaks trust).
  • No HR consequences for clicking — culture beats compliance.
  • Tie outcomes to Defender XDR so high-risk users get tighter Conditional Access.

For tenants on E5 or Defender for Office 365 Plan 2, attack simulation is included in the licence at no extra cost and delivers a disproportionate return compared to other forms of security awareness training.