Microsoft Office 365 ATP Attack Simulator

Microsoft Office 365 ATP Attack Simulator

Microsoft Office 365 ATP Attack Simulator is used to determine how end users behave in the event of a phishing attack, and checks for weak passwords within your tenant. In one of my previous blog post, I already mentioned the Attack Simulator, and in this blog post, I will go into the Attack Simulator in more depth.

Microsoft Office 365 ATP Attack Simulator consists of four simulated attacks: Spear Phishing (Credentials Harvest), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), and Password Spray Attack.

Note: The difference between a Brute Force attack and a Password Spray attack is that with a Brute Force attack, you are trying to log-in on a single identity with multiple passwords. With a Password Spray attack, you are trying to log-in with a unique password on various identities. Microsoft Office 365 ATP Attack Simulator contains both.

An overview of all possible attacks within the Attack Simulator

Spear Phishing (Credentials Harvest)

Let us take a look at the Spear Phishing (Credentials Harvest) attack first.

A spear phishing attack is a targeted attempt to acquire sensitive information like user names and passwords by masquerading as a trusted entity on a targeted victim. This Spear Phishing attack will use a website to obtain usernames and passwords by asking the victim to log-in.

Let us take a look at what options we have if we launch a Spear Phishing (Credentials Harvest) attack. We can use two different templates: Prize Giveaway and Payroll Update, but you can change any detail as well if needed during the wizard.

Provide a name to the campaign

The next option is to whom we send the phishing e-mail.

Select the recipients

Note: The total recipients that a single campaign can support is 10.000 recipients. You can either select an individual recipient or import a list of recipients.

The next step is to select the e-mail details.

Provide e-mail details

At this moment you can only select a domain from a list as a phishing landing page, which includes:

The last option which you can set is the body of the e-mail. Since I selected a template at the beginning of the wizard, an e-mail body is already created but can be changed.

E-mail body
E-mail body as code

The Phishing Campaign is pretty good, and I love seeing this all happening within the tenant. Here is my concern about the phishing campaign though:

  1. Even though Microsoft uses HTTP on purpose due to security awareness, I think HTTPS should also be supported as phishing websites do not limit itself to HTTP either.
  2. There is a set of domain URLs that you can choose for the phishing campaign. I would like to see custom domains to make the campaign more realistic.
  3. The capture portal does not look like a Microsoft Office 365 log-in portal. It would be better to set a custom capture portal (e.q. with a company logo or a copy of an ADFS portal) to make it more realistic or a replica of the Microsoft Office 365 log-in portal.
  4. The user can log-in to the portal using a user name and password, but there is no multi-factor authentication support. Since Microsoft forces companies to enable multi-factor authentication, support for multi-factor in the phishing campaign would be very welcome.

Spear Phishing (Attachment)

Now let us take a look at the Spear Phishing (Attachment) attack.

The idea of the Spear Phishing (Attachment) attack is the same as the Spear Phishing (Credentials Harvest) attack except for two options: Attachment Type and Attachment Name.

Select attachment type

The recipient will see the following message when opening the attachment:

View of phishing attachment

The recipient also receives a link in the e-mail that goes to a phishing landing page. The idea is the same as the Spear Phishing (Credentials Harvest) attack by forcing the victim to log-in to the portal to steal user names and passwords.

Here I have some concerns as well:

  1. The attachment does not work when you open it in view mode. If you open the attachment in view mode, Attack Simulator does not notice it.
  2. The attachment does not contain anything malicious. I would love to see a Word document with a macro as a malicious attachment for the attack to be more realistic.

Brute Force Password (Dictionary Attack)

The idea behind a Brute Force Password attack is to try to guess a password for a single identity using as many passwords as possible.

Brute Force Password (Dictionary Attack)

I have some concerns here as well:

  1. This Brute Force Password (Dictionary Attack) attack or the Password Spray attack does not work when multi-factor is enabled. The Attack Simulator works but does not show any results when MFA is enabled, making it useless.

Note: If you want to ban known or weak passwords, I recommend looking at the Password Protection feature in Azure AD Premium.

Password Spray Attack

The Password Spray Attack is the same as the Brute Force Password (Dictionary Attack), except here is a single password used on multiple identities.

Password Spray Attack


I like the idea that anyone can create a phishing campaign with a few clicks of a button. What I like most is that all data never leaves the tenant. 

Unfortunately, the Attack Simulator needs a lot of work before it can be considered a proper awareness campaign service. If you want to ban well-known passwords from your tenant, I recommend the Azure AD Premium feature: Password Protection instead of testing passwords using the Attack Simulator.

Even though I have some concerns, the Attack Simulator is only one of many features in the Microsoft Office 365 ATP license. Looking at other elements like Safe Attachment, Safe Links, Anti-phishing policies, Reporting, and Automated investigation and response in the Microsoft Office 365 ATP license, I would recommend any organization to purchase Microsoft Office 365 ATP. Safe Attachment, Safe Links, Anti-phishing policies, and Automated investigation and response are a must-have, but I will go in-depth on these later.

Microsoft Azure AD Premium

Microsoft Azure AD Premium

Every Microsoft 365 tenant contains an Azure AD free edition. The free version includes Core Identity and Access Management, and Business to Business Collaboration. Even though the free edition comes with many features like Multi-Factor Authentication (MFA), Password Protection, Azure AD Connect sync, and Single Sign-On (SSO), Microsoft offers two additional plans called Azure AD Premium P1 and P2.

This article will explain the differences between the two and take a more in-depth look into Azure AD Premium.

Azure AD Premium Features

The difference between Azure AD Premium P1 and P2 is Identity Protection and Identity Governance. But before we look at the features of Identity Protection and Identity Governance, let’s take a look at the premium features first.

The free version contains Password Protection, but it is not possible to use custom banned passwords. Custom banned passwords is one of the premium features. You can set a list of passwords that users cannot use as their password. Simple passwords like “Company Name” is not allowed. Password Protection for Windows Server Active Directory does the same as Password Protection, but for on-premises.

Self-service password reset eliminates the users to call the ServiceDesk to change their password. The user can change their password on a portal that does not need any support from the company. Azure AD Join makes it possible to auto-enroll your mobile device.

A noticeable feature in Azure AD Premium is Conditional Access. Conditional Access, as the name implies, grants, or block access to certain conditions. You can force MFA, block specific applications, block legacy authentication, etc.

Identity Protection and Identity Governance

An Azure AD Premium P2 feature not included in Azure AD Premium P1 is Identity Protection and Identity Governance. Identity Protection is a feature that detects risky accounts based on many indicators (atypical travel, malware linked IP address, and many more). Conditional Access uses these detections to allow or block an identity. Using Identity Protection makes it possible to mitigate an attack within seconds due to an automated response to a risky user.

Identity Governance contains Privileged Identity Management (PIM), Access Reviews, and Entitlement Management. PIM makes it possible to control, manage, and monitor access to essential resources in your organization. PIM provides Just-In-Time (JIT) access to Azure AD and Azure resources, assign time-bound access, asks for approval, and much more. Identity Governance also includes Access Review to review access regularly to make sure only the right people have continued access.

Conditional Access, Identity Protection, and Privileged Identity Management help organizations control their identities and definitely worth checking.


Azure AD Premium comes with Microsoft 365 E3, Microsoft 365 E5, or a separate license.


With features like conditional access, Azure AD premium is a must.

Microsoft Office 365 ATP

Microsoft Office 365 ATP

Every Office 365 tenant, which includes e-mail, is protected by Exchange Online Protection (EOP). EOP is a cloud-based e-mail filtering service that protects against spam and malware. EOP filters inbound and outbound e-mail using rules and policies based on the sender’s reputation, keywords, e-mail address, and sophisticated algorithms.

When it comes to phishing, security awareness of your employees is critical. Any given employee needs to be able to identify if an e-mail they received is malicious. If a malicious e-mail is received, the employee should then know what to do when it comes to handling the e-mail.

Microsoft Office 365 ATP helps lower the risk of a user receiving a malicious e-mail in their mailbox. EOP is the first line of defense e-mail filtering, whereas Microsoft Office 365 ATP is the advanced cloud-based e-mail filtering. In this blog post, I will take a more in-depth look into Microsoft Office 365 ATP.

Microsoft Office 365 ATP Protection

Configuration, protection, and detection

The “main” features of Microsoft Office 365 ATP are Safe Attachments, Safe Links, and Anti-Phishing policies.

Safe Attachments

Safe Attachments is a feature that protects the organization from malicious attachments being received by e-mail and blocks files that identify as malicious in Teams and document libraries (OneDrive and SharePoint). Safe Attachments uses machine learning and analysis techniques to detect malicious intent.

There are several options that you can configure for Safe Attachments: monitor, block, replace, and Dynamic Delivery. All attachments, before delivery, are scanned in a sandbox for malicious content. With Dynamic Delivery, the e-mail gets delivered in the user’s inbox, and with a slight delay, the attachment will be attached to the e-mail if the attachment considered to be safe. The slight delay will have a user-impact since the e-mail is delivered first and the attachment later.

Safe Links

Safe Links is a feature that protects the organization from malicious links sent in an e-mail. The original URL will be re-written after being scanned. The original URL will still be shown by the end-user to prevent confusion, but when the user clicks the link, it will first go to “<original url>” for monitoring purposes. Once a user clicks a link, Microsoft knows who clicked the link since it first goes to the re-written link before the user visits the original URL. During an incident, it is nearly effortless to detect which user clicked the link to mitigate the attack by acting (a password reset, for example).


Anti-Phishing policies use machine learning models and advanced impersonation-detection algorithm to prevent impersonation of users and domains. When the sending domain or sending user has suspecting malicious intent, Anti-Phishing will prevent the e-mail from delivery. An administrator can set different options what will happen with suspicious e-mail. So if your company is called and you will receive an e-mail from (hence the double L), the e-mail is marked as suspicious if other indicators identify as spam. A suspicious e-mail can be as simple if the sender’s name is the same as the recipient’s name, the signature used in an e-mail, text in the body’s content, etc.

Zero-hour Auto Purge

Even with all these countermeasures in place, more advanced hackers will eventually get an e-mail delivered in the mailbox. When this happens, Explorer is the tool to hunt manually, but there’s an automated tool as well called Zero-hour Auto Purge (ZAP). ZAP is an e-mail protection feature that retroactively detects and neutralizes (e.q. deleting) malicious phishing, spam, or malware messages delivered to Exchange Online mailboxes. If Microsoft identifies a malicious e-mail, ZAP will remove the malicious e-mail in all Exchange Online mailboxes.

Attack Simulator

At the beginning of the blog post, I mentioned: “awareness of your employees is critical.” Microsoft recognizes this as well and created a feature called the Attack Simulator. Attack simulator contains four simulated attacks that you can use to higher the user’s awareness within your tenant. The four attacks include; Spear Phishing (Credential Harvesting), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), Password Spray Attack.


Microsoft Office 365 ATP is a separate license, but it comes with additional license plans as well. There are two different licenses: Plan 1 and Plan 2. Microsoft Office 365 ATP Plan 2 includes Microsoft Office 365 ATP Plan 1, including Threat Tracker, Explorer (advanced threat investigation), Automated investigation and response, and the Attack Simulator.

Microsoft Office 365 ATP Plan 1 comes with the following license plan: Microsoft 365 Business Premium.

Microsoft Office 365 ATP Plan 2 comes with the following license plans: Office 365 E5, Office 365 A5, and Microsoft 365 E5.

Microsoft Defender ATP

Microsoft Defender ATP

Gartner named Microsoft as a leader in the endpoint security platform back in 2019. Looking at Microsoft Defender Advanced Threat Protection (ATP) today, the product has evolved even more. Most people may recognize the name Microsoft Defender, but do not know the name ATP. That is because Microsoft Defender ATP is more focussed on the business market, whereas Microsoft Defender is more focussed on the consumer market. This article will explain the differences between the two and take a more in-depth look into Microsoft Defender ATP.

Microsoft Defender vs Microsoft Defender ATP

Two Microsoft products protect your device from malware; Microsoft Defender and Microsoft Defender ATP. Microsoft Defender is an antivirus solution where Microsoft Defender ATP is a paid Endpoint Detection and Response (EDR) solution. The difference between the two is that an antivirus solution protects the device from known malware, where an EDR solution protects the device from known malware, and it looks at the program’s behavior. This way, an EDR solution can prevent an attack even when it is not yet known as malicious.

Microsoft recently changed Windows Defender ATP’s name to Microsoft Defender ATP due to the many platforms Microsoft Defender ATP supports. These include Windows, macOS, Linux, Android (private preview), and iOS (public preview).

Microsoft Defender is a non-centralized antivirus solution for consumers where Microsoft Defender ATP is an endpoint-protection platform for an organization. Microsoft Defender ATP is a cloud-based solution that contains a dashboard to get a clear overview of the health of your devices within your organization.

Microsoft Defender ATP Dashboard

Even though Microsoft Defender and Microsoft Defender ATP are two different products, they do compliment each other. You can install a non-Microsoft antivirus solution, but there are many advantages to run Microsoft Defender and Microsoft Defender ATP together. The benefits of Microsoft Defender ATP are endless, but I will highlight the most important ones.

Microsoft Defender ATP

Microsoft Defender ATP integrates perfectly with other Microsoft security products like Microsoft Cloud App Security (MCAS), Microsoft Intune, Azure Information Protection, Azure ATP, Office 365 ATP, and Microsoft Threat Protection (MTP). Integration is used for data correlation to evaluate an event quicker and more accurately. If you use the full Microsoft stack products and configure it correctly, only nation state-sponsored attackers might have a chance to get unnoticed.

Microsoft Defender ATP is one of the best EDR solutions out there, and third-party sources can be used as input for data correlation to make an even better evaluation if something is malicious.

Threat & Vulnerability Management

Threat & Vulnerability Management (TVM) is a built-in capability in Microsoft Defender ATP that uses a risk-based approach to discover, prioritize, and remediate endpoint vulnerabilities and misconfigurations. Microsoft Defender ATP maintains a software inventory per device to evaluate the software installed on the device if it is out-of-support or if it contains any vulnerabilities. Microsoft also recommends security mitigations based on what it detects on the endpoint. Old used protocols are security recommendations, for example.

Incident Response

When an incident occurs, you can start a scan initiated from the portal, restrict all apps that are not signed by Microsoft or isolate the device entirely from the network. If a device is in isolation mode, the only communication that can take place between the device and the Microsoft Defender ATP portal. At this point, you can still investigate the incident and take mitigation steps. Automated remediation takes this a step further and automatically apply the mitigation steps recommended by Microsoft. The automatic remediation steps can be approved manually or even automatically to stop an attack as soon as possible.

Incident Graph

My favorite feature of Microsoft Defender ATP is the incident graph. The incident graph is a responsive view. The incident graph tells the story of the cybersecurity attack in a single overview.

Microsoft Defender ATP Incident Graph

Threat Experts

There is an option to call a threat expert from Microsoft if you need help. Threat Experts can help when your organization has an urgent threat that needs to be analyzed. The threat Expert will help investigate the root cause or scope of the incident. Once enabled in the advanced features options, a 30-day trial will start. If your organization wants to have permanent threat experts support, you will need to have at least 10.000 seats.


Microsoft Defender ATP is a separate license, but it comes with additional license plans as well. Microsoft Defender ATP comes with the following license plans: Windows 10 E5, Microsoft 365 E5, and Microsoft 365 E5 Security.

Microsoft Defender ATP Licenses


Microsoft Defender ATP is one of the best, if not the best, Endpoint Detection and Response (EDR) solutions out there. Microsoft Defender ATP is more than an EDR solution. Microsoft Defender ATP detects outdated software, vulnerabilities, automated responses to threats, and integrates into other Microsoft products, which increases security due to data correlation.

For more information about Microsoft Defender ATP, check this link.

Microsoft PrintDemon vulnerability

Microsoft PrintDemon vulnerability

PrintDemon (CVE-2020-1048) is a vulnerability that uses the Windows Printer Spooler to escalate privileges, bypass Endpoint Detection & Response (EDR), and gain persistence. The Windows Printer Spooler has a long history of vulnerabilities, including a vulnerability (CVE-2010-2729) used by the well-known Malware called Stuxnet in 2010.

Printer Attributes

A printer must be associated with two attributes: A printer port and a printer driver. Setup the printer port to ‘PORTPROMPT, makes it possible to print to a file. There is no check when using the PowerShell command ‘Add-PrinterPort’ if the user has permission to access the location set as the printer port. So the user is free to set any location for the printer port as a low-privileged user. When you print to the printer, it uses the printer port to print to a file. If the user does not have write permission to the location, the print job gets queued. Once you restart the spooler service, the print job will execute with SYSTEM privileges, and the file will also get dropped with these privileges. Since SYSTEM is a high-privileges account, you can drop a file anywhere on the system as a low-privileged user, hence the name privilege-escalation.

Markup Bytes

There was one problem, however. When you print a string to the printer, it looks like there are some markup bytes at the beginning of the file as the printer thinks you are printing and not to a file. Since the first few bytes of a file is the signature (magic bytes) of a file, it can not be touched if you want to execute it in a usual way.

PowerShell commands used during the attack

I wanted to check if I was able to write a valid executable file to disk without any markup bytes at the beginning of the file. The script linked below creates a printer with a malicious printer port and write a byte array to the newly created printer. This way, it is possible to dump a valid binary on disk as SYSTEM once you restart the spooler service.


Attacks like DLL hijacking is possible as a low-privileged user using the PrintDemon bug. Microsoft released a patch last week. After installing the patch, the system checks if the user has permissions, which you set as a port on a printer, before creating the port. Unfortunately, the patch prevents creating a new malicious port, but malicious ports created before the patch still work.

The C# code can be found here and the PowerShell code can be found here.