
Lab – Microsoft Defender for Office 365

During Microsoft Ignite 2020 we announced Microsoft Defender for Office 365, the new name for
Office 365 Advanced Threat Protection. Read more about this and other updates here.

In this lab you will experience the Attack Simulator in the Microsoft 365 Security Center. You will run
realistic attack scenarios in the demo tenant you have created. These simulated attacks can help you
identify and find vulnerable users before a real attack impacts a customer and their business.

Want to learn more:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator?view=o365-worldwide

Lab Parts
This lab contains three activities, as shown below:

• Pre-requisites
• Part 1 – Create Attack Simulations
• Part 2 – User Experience
• Part 3 – Review Simulation Dashboard

Pre-requisites
Step 1 – Create Demo Tenant
Before you start you should have completed the “Getting started with Labs”. If you have not
completed this, you will not be able to do this lab. You can find this document which you can download
from https://aka.ms/secpractice-labs.

Each tenant can take up to 24 hours to provision so it’s important that you complete this prior to when
the labs are to be run.

NB – If you already created your demo tenant as part of the Identity Labs you DO NOT need to do this
again.

Step 2 – Create yourself an Admin account for your demo tenant.
NB – If you already created your ADMIN ACCOUNT as part of the Identity Labs you DO NOT need to do
this again. Please use the same account that you created in the Identity labs. Go straight to Part 1

In this task, you will create a Microsoft 365 user account for yourself, and assign your account the
Microsoft 365 Global Administrator role, which gives you the ability to perform all administrative
functions within Microsoft 365.

Important: As a best practice in your real-world deployments, you should always write down the
first global admin account’s credentials (in this lab, the MOD Administrator) and store it away for
security reasons. This account is a non-personalized identity that owns the highest privileges possible
in a tenant. It is not MFA activated (because it is not personalized) and the password for this account
is typically shared among several users. Therefore, this first global admin is a perfect target for attacks,
so it is recommended to create personalized service admins and keep as few global admins as possible.
For those global admins that you do create, they should each be mapped to a single identity, and they
should each have MFA enforced.

1. Open an In-private browser (Edge) or New in-Cognito (Chrome) on your machine and then go to https://admin.microsoft.com/


2. Enter the admin account username that you saved in “Getting started with Microsoft Labs”.
3. Enter your admin username on the sign-in page and click Next.

4. Enter the password and then click “Sign in”


5. In the Microsoft 365 admin center, in the left navigation pane, select Users and then
select Active users.
6. In the Active users list, you will see the default MOD Administrator account as well as
some other user accounts.
7. In the Active Users window, select Add a user.
8. In the Set up the basics window, enter the following information:

• First name: Your First Name
• Last name: Your Last Name
• Display name: When you tab into this field, YOUR NAME will appear.
• Username: When you tab into this field, YOURFIRSTNAME-LASTNAME may appear;
if not, enter this as the username.

IMPORTANT: To the right of the Username field is the domain field. Select
the M365xZZZZZZ.onmicrosoft.com cloud domain.

After configuring this field, YOUR username should appear as:

YOURNAME@M365xZZZZZZ.onmicrosoft.com

• Password settings: select the Let me create the password option.
• Password: Set your own complex Password
• Uncheck the Require this user to change their password when they first sign
in checkbox.
9. Select Next.
10. In the Assign product licenses window, enter the following information:
11. Select location: United States (Your Location)
12. Licenses: Under Assign user a product license, select Office 365 E5 and Enterprise
Mobility + Security E5 or if you have Microsoft 365 E5 select this instead.
13. Select Next.
14. In the Optional settings window, in the Roles section select Admin center access. By
doing so, all the Microsoft 365 administrator roles are now enabled and available to be
assigned.
15. Select Global Admin and then select Next.
16. On the Review and finish window, review your selections. If anything needs to be
changed, select the appropriate Edit link and make the necessary changes. Otherwise, if
everything is correct, select Finish adding.
17. Once your new username has been added to active users page, select Close.
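The steps above are performed in the admin center. As an added example (not part of the original lab), the same account creation, licensing and Global Administrator role assignment can be scripted with the Microsoft Graph PowerShell SDK, which makes the lab setup repeatable. The script assumes the Microsoft.Graph module is installed and that you sign in with the MOD Administrator account; the tenant domain and names are placeholders taken from the lab text, and the licence SKU part numbers (ENTERPRISEPREMIUM, EMSPREMIUM, SPE_E5) are assumptions you should confirm against Get-MgSubscribedSku in your own tenant.

```powershell
# Added example, not from the lab: scripted equivalent of Pre-requisites Step 2
# using the Microsoft Graph PowerShell SDK (Microsoft.Graph module assumed installed).
param(
    [string]$TenantDomain  = "M365xZZZZZZ.onmicrosoft.com",  # placeholder from the lab text
    [string]$FirstName     = "YOURFIRSTNAME",                 # placeholder
    [string]$LastName      = "YOURLASTNAME",                  # placeholder
    [string]$UsageLocation = "US"                             # lab step 11: United States
)

# Scopes needed to create a user, read subscribed SKUs, assign licences and add role members.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All", "RoleManagement.ReadWrite.Directory"

$mailNickname = "$FirstName-$LastName"
$upn          = "$mailNickname@$TenantDomain"

# Prompt for the password rather than embedding it in the script (lab: "Let me create the password").
$securePassword = Read-Host -Prompt "Password for $upn" -AsSecureString
$plainPassword  = [System.Net.NetworkCredential]::new("", $securePassword).Password

# ForceChangePasswordNextSignIn = $false matches the unticked
# "Require this user to change their password when they first sign in" checkbox.
$passwordProfile = @{
    Password                      = $plainPassword
    ForceChangePasswordNextSignIn = $false
}

$user = New-MgUser -AccountEnabled `
    -DisplayName "$FirstName $LastName" `
    -GivenName $FirstName -Surname $LastName `
    -MailNickname $mailNickname `
    -UserPrincipalName $upn `
    -UsageLocation $UsageLocation `
    -PasswordProfile $passwordProfile

# Lab step 12: Office 365 E5 + EMS E5, or Microsoft 365 E5 if the tenant has it.
# SKU part numbers are assumptions: verify with Get-MgSubscribedSku.
$skus   = Get-MgSubscribedSku
$wanted = @("ENTERPRISEPREMIUM", "EMSPREMIUM")
if ($skus | Where-Object SkuPartNumber -eq "SPE_E5") { $wanted = @("SPE_E5") }

$addLicenses = @(
    foreach ($sku in ($skus | Where-Object { $_.SkuPartNumber -in $wanted })) {
        @{ SkuId = $sku.SkuId }
    }
)
if ($addLicenses.Count -eq 0) { throw "None of the expected licence SKUs were found in this tenant." }
Set-MgUserLicense -UserId $user.Id -AddLicenses $addLicenses -RemoveLicenses @()

# Lab step 15: add the new account to the Global Administrator directory role.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq "Global Administrator"
if (-not $role) { throw "Global Administrator role not found (is it activated in this tenant?)" }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

Write-Host "Created $upn, assigned licences and the Global Administrator role."
```

Run it from a PowerShell session after Install-Module Microsoft.Graph; it prompts for the password interactively so no credential is stored in the file. In line with the Important note above, treat any account created this way as a named, single-person identity and enforce MFA on it after the lab.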
Part 1 – Create Attack Simulations
In this part, you will create two attack simulations and target them at specific users.

Please note, at the time of writing the new Attack Simulator is in Preview and therefore you may
experience some bugs as we embark on this journey. Thank you for your understanding.

1. Open an In-private browser (Edge) or New in-Cognito (Chrome) on your machine.
2. Navigate to https://security.microsoft.com/homepage
3. Sign in with Global Admin account that you created in the Pre-requisites.

4. From the security center homepage, navigate to Attack Simulator on the left-hand menu.
5. You will arrive at the Overview page – from here you can view details of any recent
simulations and recommendations.

6. Click on the Simulations menu and launch a new simulation.


7. On the next screen you will begin to build out your simulation. For the first attack we will
create a Malware Attachment simulation.

8. Click Next. Provide a Simulation Name, e.g. Lab1 Attack. Click Next.
9. On the Select payload screen you have some pre-prepared payloads to choose from;
alternatively, you can create custom payloads which can be added to the list. The ability to
create custom payloads creates a good opportunity to work with customers, providing an
offering that builds custom simulation payloads to help educate their users.
10. Select Real estate title settlement, notice the Predicted Compromise Rate for each option.
From here you can also see a count of previous simulations launched for each payload type.
Click Next.

11. For this lab we will target all users – select Include all users in my organisation. You will see
that this has also picked up the Conf Room accounts – we can remove these quickly by
typing Conf in the search to filter the list. Proceed to delete the Conf Room user accounts
from the list.
12. Click Next at the bottom of the page to continue.
13. The next screen allows you to assign the training courses and modules based on users
previous simulation and training results.
14. Select Assign training for me (recommended) and click Next.

15. On the next screen you can review what the user will see if they are caught by the
simulation.
16. You can customise the Header and Body content if you wish or leave as default. Click Next
17. Click on the Preview Page to preview the Training Landing Page.
18. Click Next when done.
19. On the Launch Details page – leave as default and click Next.

20. On the Review Simulation page click Submit to begin the Simulation. The simulation will now
submit – which will take a few minutes to process.

21. Once completed successfully you will be able to click Done.


22. Click on Go to all simulations to return to the Simulations dashboard. You should now see an
entry for the simulation you have created.

23. Click on + Launch a simulation to setup the 2nd Attack Simulation.


24. Select the following social engineering technique:

25. Provide a name for the Simulation, e.g. Lab1 Attack 2.


26. On the next screen use the Docusign review payload. Again, review the different pre-populated payload options and the Predicted Compromise Rate of each.
You can click on the name of each payload to view more detailed information of the payload
content. Feel free to explore the other payload options before continuing.

27. When done click Next.


28. Target all users – repeat step 11 to remove the Conf Room user accounts. Click Next when
done.
29. Leave the Assign Training screen as default (Assign training for me) and click Next.
30. Click Next on the Training Landing Page screen.
31. Leave the default on the Launch Details page (Launch the simulation as soon as I’m done)
and click Next.
32. On the Review Simulation page click Submit to initiate the simulation.
33. After a few minutes you will see the following screen:

34. Return to the Simulations dashboard by clicking on “Go to all simulations”.


35. You should now see the two simulations you have created with a status of “In progress”.
Part 1 – Complete.
Part 2 – User Experience
In this part of the lab we will log in as a user and view the simulation from their perspective. This
exercise will provide you with insight of the user experience and the activities that get triggered
when a user becomes a victim of the simulated payloads.

1. Close any previous InPrivate or InCognito browser pages left open from the previous part,
to avoid any authentication issues.

2. Open a new In-private browser (Edge) or New in-Cognito (Chrome) on your machine.
3. Navigate to Office Portal.
4. Sign in as Meganb@m365xXXXXXX.onmicrosoft.com – replace XXXXXX with your tenant id.
5. Use the password provided when you created the tenant.
6. If you have lost this password – log in to AAD as Global Administrator and reset the
password or use SSPR if you completed the previous Identity labs.
7. Close any popups that present themselves and arrive at the Office 365 Portal landing page.

8. On the left-hand menu – select Outlook.

9. Outlook will now open in a new tab – close any Welcome popups if they present themselves.
10. In the inbox you will see two new recent emails – these will be our two simulated payloads.
11. The first to arrive was the malicious attachment from Leah Stephens – open this now.

12. Proceed to open the document attached to the email to trigger the attack.

13. Once you open the document you will be shown the Training Landing page we created,
which advises the user that they have just been phished!
14. Close the email and proceed to open the other email.
15. If you cannot read French – click on the ellipsis (…) within the email and navigate to
View -> Translate.

16. Now that you can read the email – proceed to open the Docusign link within the body of the
email to trigger the attack simulation.
17. The link will trigger a file download – once complete, open the downloaded document.
18. Just as before you will arrive at the Training landing page advising that you have been
phished again.

Please take the time to review the payload contents and think about the authenticity and the
likelihood of end users getting phished in this way in real-world scenarios.

In the simulation portal it advised that the two attack example payloads we used here had a 40%
chance of successfully compromising the end user – do you agree?

Part 2 – Complete.
Part 3 – Review Simulation Dashboard
1. Close any previous InPrivate or InCognito browser pages left open from the previous part,
to avoid any authentication issues.

2. Open a new In-private browser (Edge) or New in-Cognito (Chrome) on your machine.
3. Navigate to https://security.microsoft.com/homepage
4. Sign in with Global Admin account that you created in the Pre-requisites.

5. From the security center homepage, navigate to Attack Simulator on the left-hand menu.

6. You will arrive at the Overview page – from here you can view details of any recent
simulations and recommendations.
7. On the overview page you will see some information based on what has run so far.
8. Click on the View all simulations to see a summary of your two simulations.

9. Click on your simulations to view more detailed information about the attack. There may be
a time delay (up to 10 mins) before Megan Bowen appears as clicked in the report.

10. From here you can see the number of users that were compromised, i.e. how many clicked
the link and also how many actually opened the attachment. You can click on view users to
see which users received the email and those who were compromised.
11. We also provide recommended Improvement Actions connected to Secure Score.
12. From the user coverage page, you can review users that have been compromised by
simulated attacks.

This completes the lab on Microsoft Defender for Office 365 Attack Simulator.

If you have more time, please explore the dashboard further or create further attacks using different
payload types.

Part 3 – Complete.
End lab
Thank you for taking the time to complete this lab, we hope you enjoyed it.

Please visit https://aka.ms/secpractice-labs to access further labs.
