Simulating a Phishing Attack with Microsoft Attack Simulation Training and Custom Payloads
Phishing is one of the most common cyber threats and is usually delivered by email; spear phishing and whaling are its more targeted variants. It is a form of fraud that tricks the victim into revealing sensitive or personal information, including usernames and passwords, financial details, and other credentials. Depending on the attacker's intent and goals, phishing takes several forms: email phishing typically uses legitimate but compromised email accounts or sends malicious emails that may look unsophisticated; spear phishing selectively targets individuals who have access to the desired resources; and whaling is a rarer form that targets high-profile individuals, such as celebrities or political figures. Threat actors frequently exploit a variety of cognitive biases to make their messages more persuasive and convincing. For instance, they leverage triggers such as fear, urgency, curiosity, and reward or good news.
Phishing, quite apart from any simulation program, remains a pressing issue for practically all organizations and employees. Email security incidents have increased 24% year-over-year and 50% in intensity in the past three years. Phishing incidents and email fraud have also risen, nearing 2017 levels. Threat actors have refined their skills, making their messages and profiles nearly indistinguishable from those of typical employees and email servers. As many as 3.4 billion fake emails were sent each day in the first three months of 2020. Phishing simulation systems should be used to educate all members of the team and to test their ability to detect fraudulent email attempts and report them. Staff need to be cognizant of suspicious behavior and activity. Once an attacker infiltrates an organization, they can steal proprietary information and intellectual property, instigate an internal disinformation or propaganda campaign, or access appointment information for particular individuals.
Microsoft Attack Simulation Training Overview
With today’s video tutorial, we figured we wouldn’t focus on the technical side so much for the broader viewership and would instead show the pen test team’s script-kiddie side. Really, this tutorial was done on a lark and is intended more for students who need to get a project done for a class.
Attack Simulation Training allows organizations to get a phishing simulation program running easily. The out-of-the-box offering allows deep customization for your organization, so you can craft realistic phishing, physical access, and USB drop simulation campaigns. Larger organizations with security specialists may not have time for individual campaigns, but the exported data can still be analyzed for insight into the effectiveness of company-wide phishing and USB drop campaigns. Security integration also cross-correlates threat and responder data, helping to build a more complete picture of how your organization is being targeted and to direct the pen test team's efforts there.
The intent of Attack Simulation Training is to get users accustomed to dealing with phishing and to make their behavior testable from a security standpoint. You are creating a program of ongoing iteration and learning. The idea is for staff to mature as they are tested and presented with learning content in a setting where they can, in theory, be socially engineered. A case study on one healthcare center reported a 91.8% reduction in click-through rates over 3 years.
Creating Custom Payloads for Phishing Attacks
A custom payload is crucial when using MAST to tailor a simulation to a particular organization's environment or to an applicable threat scenario. It should be based on genuine phishing emails that have been seen by, or that have targeted, the organization concerned. If the target employees have received the same CyberProtect Phishing Simulation before, creating a new payload for each new simulation helps maintain the element of surprise. Tailored payloads can be more successful than generic phishing content because they speak to the specifics of an individual's organization. Both malicious link and attachment payloads can be tested for link-click and attachment-open events. Running multiple payloads also makes it possible to launch the phishing simulation from multiple accounts, in an adversary emulation style.
The choice between sending a link payload, an attachment payload, or both should be driven by a risk-based approach, for example an attachment payload when a threat scenario explicitly states that the loss condition includes the download of an attachment. If the next stage of a threat scenario pivots on an attacker acquiring browser-based access, a link click is the event that models a drive-by exploit kit. It remains important to test the effectiveness of both attachment and link payloads, since a successful phish may give an attacker artifacts from both payload subtypes. The more closely a phishing simulation payload aligns with the realistic application of a threat model or scenario, the more likely a successful phish is to demonstrate the highest potential risk. This allows cyber training objectives to be aligned with system development pathways.
The MAST Studio output. Although subfolders are created for each type of payload, specific tests on each payload need to be performed before launching the live simulation. The following testing is important for robust payloads that can be fielded effectively.
Link and Attachment Types. For link payloads, the first phase of testing should confirm that the link reaches the intended redirection stage successfully. For attachment payloads, testing should focus on confirming that the attachment opens. The effectiveness of the payload in producing these events should show up in the results MAST provides.
Ethical Considerations. Payloads developed in MAST must comply with the country's laws and regulations. Additionally, a payload should only be used as intended, as a legitimate cyber training development tool. Each payload should be ethical and comply with the relevant authorizing, legal, and, where relevant, host organization's policy.
Conducting a Phishing Attack Simulation with Microsoft Tools
Phishing attack simulations require careful planning and strategic execution to be effective. The following is a step-by-step guide to planning and executing a phishing attack simulation using built-in tools for measuring your success. First, define your target audience for your phishing simulations. Who do you want to participate in the simulation attack and what do you want them to take away? Do you wish to target employees not part of your security programs? Do you wish to target a specific region or teams for localized training? The next step is to select your phishing scenarios. Define which type of email will be sent. Attackers typically use fake notifications, financial threats, and agency notifications.
Before the simulation is launched, carefully time and announce the simulated phishing attack to your participants. During the simulation, stay engaged and act on every data point to reduce click rates and improve report rates. The goal is to ensure that everyone who clicks also reports, and eventually to drive them not to click at all. Make sure to notify users about mistakes at the time of failure, rather than later. Monitoring your success on the platform is easy and can be done from the main dashboard as well as from an individual simulation. Relevant statistics include click rates, report rates, open rates, and completion rates. A simulation-wide report shows the number of clicks and successful reports for the entire test. An individual user report lets you target specific behavior. After a simulated attack, it is valuable to record its successes, weaknesses, and results for the future, as part of a training regime. You can analyze phishing simulation trends to determine how frequently simulated attacks should be conducted.
You can then start to generate content tailored to different teams and projects. The more specific and relevant the simulation is, the more likely it is that your users will "fall" for the scenario. With data on your audience, you should be able to create effective messages and situations for simulation analysis. Finally, make sure to prepare your response to simulated attack recipients, so that no operations are disrupted, the response is prompt and proper, and all recipients know how and where to handle and ask about potential security issues. Remember that the goal is to learn which topics users need to be trained on. Post-simulation knowledge of failure trends is valuable for improving the entire company's security posture when tackling problematic emails. Regularly scheduled training and user conditioning is essential to mitigate risk and pays off across many potential outcomes.
Analyzing Results and Improving Security Posture
As a result of this kind of simulation, data on how many employees clicked and entered credentials into these emails, and on how engaged employees were with the email, can be obtained and investigated. Employee click data, such as how many users opened, clicked, and submitted credentials, are all useful statistics to gather for management reporting and high-level security posture discussions. Of these data points, who clicked and who opened are the most important, because they show a threat actor who is most susceptible to clicking the initial phishing email and who is most likely to keep engaging after the initial click. This in turn shows which employees require more security awareness training and which require more advanced threat hunting and phishing simulation.
Management must leverage the data gathered from assessment simulations to understand where the weaknesses in their security posture are and then take proactive steps to mitigate them. Only through constant, continual feedback can organizations prioritize which areas they need to harden, qualify the threats to which they are vulnerable, and make strategic, efficient decisions weighing the risk of possible loss. When more actors are observed receiving the email, that is the appropriate moment to develop customized follow-up training for them based on the contents of the email and their performance.
Regular phishing simulations also send a message to personnel that security is important and that they are expected to think about security in their day-to-day actions and to carry those actions out rigorously. For training to be more effective, management must convey its commitment to a strong security posture on multiple layers. Holding our actors accountable to the expectation of active thinking about security not only serves as a check and balance in these quarterly assessments but also becomes a point of pride when our actors start to actively report the external phishing emails they receive or participate actively in the phishing simulation program. Show the value of 'ownership' of security through management's buy-in and commitment to deliver annual performance assessments that test their security sharpness.
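As an added example (not code from this page or from Microsoft), the following Python script computes the open, click, credential-entry and report rates from a per-user results export and lists the users who clicked without reporting, i.e. the group singled out above for follow-up training. The CSV is constructed here and its column names are assumed; they are not the real Attack Simulation Training export schema, and the cadence rule is an assumed policy.

```python
import csv
import io

# Constructed sample export. Column names are ASSUMED, not the real MAST export schema.
SAMPLE_EXPORT = """user,sent,opened,clicked,entered_credentials,reported
alice@example.com,yes,yes,yes,yes,no
bob@example.com,yes,yes,no,no,yes
carol@example.com,yes,no,no,no,no
dave@example.com,yes,yes,yes,no,yes
erin@example.com,yes,yes,yes,no,no
"""

EVENTS = ("sent", "opened", "clicked", "entered_credentials", "reported")


def parse_results(csv_text):
    """Parse a per-user results export into dicts with one boolean flag per event."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"user": rec["user"].strip(),
                     **{e: rec[e].strip().lower() == "yes" for e in EVENTS}})
    return rows


def summarize(rows):
    """Counts per event and percentage rates relative to the number of messages sent."""
    sent = sum(r["sent"] for r in rows)
    counts = {e: sum(r[e] for r in rows) for e in EVENTS}
    rates = {e: round(100.0 * counts[e] / sent, 1) if sent else 0.0 for e in EVENTS}
    return {"counts": counts, "rates": rates}


def needs_followup(rows):
    """Users who clicked or entered credentials and did not report the message."""
    return sorted(r["user"] for r in rows
                  if (r["clicked"] or r["entered_credentials"]) and not r["reported"])


def recommend_cadence(summary, click_threshold=30.0):
    """Assumed policy, not Microsoft guidance: simulate monthly while the click
    rate stays above the threshold, otherwise quarterly."""
    return "monthly" if summary["rates"]["clicked"] > click_threshold else "quarterly"


if __name__ == "__main__":
    rows = parse_results(SAMPLE_EXPORT)
    s = summarize(rows)
    for e in EVENTS:
        print(f"{e:>20}: {s['counts'][e]:>3}  ({s['rates'][e]:.1f}%)")
    print("follow-up training:", ", ".join(needs_followup(rows)))
    print("recommended cadence:", recommend_cadence(s))
```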