Microsoft Office 365 ATP Attack Simulator

Microsoft Office 365 ATP Attack Simulator

Microsoft Office 365 ATP Attack Simulator is used to determine how end users behave in the event of a phishing attack, and checks for weak passwords within your tenant. In one of my previous blog post, I already mentioned the Attack Simulator, and in this blog post, I will go into the Attack Simulator in more depth.

Microsoft Office 365 ATP Attack Simulator consists of four simulated attacks: Spear Phishing (Credentials Harvest), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), and Password Spray Attack.

Note: The difference between a Brute Force attack and a Password Spray attack is that with a Brute Force attack, you are trying to log-in on a single identity with multiple passwords. With a Password Spray attack, you are trying to log-in with a unique password on various identities. Microsoft Office 365 ATP Attack Simulator contains both.

Figure 1: An overview of all possible attacks within the Attack Simulator

Spear Phishing (Credentials Harvest)

Let us take a look at the Spear Phishing (Credentials Harvest) attack first.

A spear phishing attack is a targeted attempt to acquire sensitive information like user names and passwords by masquerading as a trusted entity on a targeted victim. This Spear Phishing attack will use a website to obtain usernames and passwords by asking the victim to log-in.

Let us take a look at what options we have if we launch a Spear Phishing (Credentials Harvest) attack. We can use two different templates: Prize Giveaway and Payroll Update, but you can change any detail as well if needed during the wizard.

Figure 2: Provide a name to the campaign

The next option is to whom we send the phishing e-mail.

Figure 3: Select the recipients

Note: The total recipients that a single campaign can support is 10.000 recipients. You can either select an individual recipient or import a list of recipients.

The next step is to select the e-mail details.

Figure 4: Provide e-mail details

At this moment you can only select a domain from a list as a phishing landing page, which includes:

http://portal.docdeliveryapp.com
http://portal.docdeliveryapp.net
http://portal.docstoreinternal.com
http://portal.docstoreinternal.net
http://portal.hardwarecheck.net
http://portal.hrsupportint.com
http://portal.payrolltooling.com
http://portal.payrolltooling.net
http://portal.prizegiveaway.net
http://portal.prizesforall.com
http://portal.salarytoolint.com
http://portal.salarytoolint.net

The last option which you can set is the body of the e-mail. Since I selected a template at the beginning of the wizard, an e-mail body is already created but can be changed.

Figure 5: E-mail body
Figure 6: E-mail body as code

The Phishing Campaign is pretty good, and I love seeing this all happening within the tenant. Here is my concern about the phishing campaign though:

  1. Even though Microsoft uses HTTP on purpose due to security awareness, I think HTTPS should also be supported as phishing websites do not limit itself to HTTP either.
  2. There is a set of domain URLs that you can choose for the phishing campaign. I would like to see custom domains to make the campaign more realistic.
  3. The capture portal does not look like a Microsoft Office 365 log-in portal. It would be better to set a custom capture portal (e.q. with a company logo or a copy of an ADFS portal) to make it more realistic or a replica of the Microsoft Office 365 log-in portal.
  4. The user can log-in to the portal using a user name and password, but there is no multi-factor authentication support. Since Microsoft forces companies to enable multi-factor authentication, support for multi-factor in the phishing campaign would be very welcome.

Spear Phishing (Attachment)

Now let us take a look at the Spear Phishing (Attachment) attack.

The idea of the Spear Phishing (Attachment) attack is the same as the Spear Phishing (Credentials Harvest) attack except for two options: Attachment Type and Attachment Name.

Figure 7: Select attachment type

The recipient will see the following message when opening the attachment:

Figure 8: View of phishing attachment

The recipient also receives a link in the e-mail that goes to a phishing landing page. The idea is the same as the Spear Phishing (Credentials Harvest) attack by forcing the victim to log-in to the portal to steal user names and passwords.

Here I have some concerns as well:

  1. The attachment does not work when you open it in view mode. If you open the attachment in view mode, Attack Simulator does not notice it.
  2. The attachment does not contain anything malicious. I would love to see a Word document with a macro as a malicious attachment for the attack to be more realistic.

Brute Force Password (Dictionary Attack)

The idea behind a Brute Force Password attack is to try to guess a password for a single identity using as many passwords as possible.

Figure 9: Brute Force Password (Dictionary Attack)

I have some concerns here as well:

  1. This Brute Force Password (Dictionary Attack) attack or the Password Spray attack does not work when multi-factor is enabled. The Attack Simulator works but does not show any results when MFA is enabled, making it useless.

Note: If you want to ban known or weak passwords, I recommend looking at the Password Protection feature in Azure AD Premium.

Password Spray Attack

The Password Spray Attack is the same as the Brute Force Password (Dictionary Attack), except here is a single password used on multiple identities.

Figure 10: Password Spray Attack

Conclusion

I like the idea that anyone can create a phishing campaign with a few clicks of a button. What I like most is that all data never leaves the tenant. 

Unfortunately, the Attack Simulator needs a lot of work before it can be considered a proper awareness campaign service. If you want to ban well-known passwords from your tenant, I recommend the Azure AD Premium feature: Password Protection instead of testing passwords using the Attack Simulator.

Even though I have some concerns, the Attack Simulator is only one of many features in the Microsoft Office 365 ATP license. Looking at other elements like Safe Attachment, Safe Links, Anti-phishing policies, Reporting, and Automated investigation and response in the Microsoft Office 365 ATP license, I would recommend any organization to purchase Microsoft Office 365 ATP. Safe Attachment, Safe Links, Anti-phishing policies, and Automated investigation and response are a must-have, but I will go in-depth on these later.

Microsoft Office 365 ATP

Microsoft Office 365 ATP

Every Office 365 tenant, which includes e-mail, is protected by Exchange Online Protection (EOP). EOP is a cloud-based e-mail filtering service that protects against spam and malware. EOP filters inbound and outbound e-mail using rules and policies based on the sender’s reputation, keywords, e-mail address, and sophisticated algorithms.

When it comes to phishing, security awareness of your employees is critical. Any given employee needs to be able to identify if an e-mail they received is malicious. If a malicious e-mail is received, the employee should then know what to do when it comes to handling the e-mail.

Microsoft Office 365 ATP helps lower the risk of a user receiving a malicious e-mail in their mailbox. EOP is the first line of defense e-mail filtering, whereas Microsoft Office 365 ATP is the advanced cloud-based e-mail filtering. In this blog post, I will take a more in-depth look into Microsoft Office 365 ATP.

Figure 1: Microsoft Office 365 ATP Protection

Configuration, protection, and detection

The “main” features of Microsoft Office 365 ATP are Safe Attachments, Safe Links, and Anti-Phishing policies.

Safe Attachments

Safe Attachments is a feature that protects the organization from malicious attachments being received by e-mail and blocks files that identify as malicious in Teams and document libraries (OneDrive and SharePoint). Safe Attachments uses machine learning and analysis techniques to detect malicious intent.

There are several options that you can configure for Safe Attachments: monitor, block, replace, and Dynamic Delivery. All attachments, before delivery, are scanned in a sandbox for malicious content. With Dynamic Delivery, the e-mail gets delivered in the user’s inbox, and with a slight delay, the attachment will be attached to the e-mail if the attachment considered to be safe. The slight delay will have a user-impact since the e-mail is delivered first and the attachment later.

Safe Links

Safe Links is a feature that protects the organization from malicious links sent in an e-mail. The original URL will be re-written after being scanned. The original URL will still be shown by the end-user to prevent confusion, but when the user clicks the link, it will first go to “safelinks.protection.outlook.com/?url=<original url>” for monitoring purposes. Once a user clicks a link, Microsoft knows who clicked the link since it first goes to the re-written link before the user visits the original URL. During an incident, it is nearly effortless to detect which user clicked the link to mitigate the attack by acting (a password reset, for example).

Anti-phishing

Anti-Phishing policies use machine learning models and advanced impersonation-detection algorithm to prevent impersonation of users and domains. When the sending domain or sending user has suspecting malicious intent, Anti-Phishing will prevent the e-mail from delivery. An administrator can set different options what will happen with suspicious e-mail. So if your company is called thalpius.com and you will receive an e-mail from thallpius.com (hence the double L), the e-mail is marked as suspicious if other indicators identify as spam. A suspicious e-mail can be as simple if the sender’s name is the same as the recipient’s name, the signature used in an e-mail, text in the body’s content, etc.

Zero-hour Auto Purge

Even with all these countermeasures in place, more advanced hackers will eventually get an e-mail delivered in the mailbox. When this happens, Explorer is the tool to hunt manually, but there’s an automated tool as well called Zero-hour Auto Purge (ZAP). ZAP is an e-mail protection feature that retroactively detects and neutralizes (e.q. deleting) malicious phishing, spam, or malware messages delivered to Exchange Online mailboxes. If Microsoft identifies a malicious e-mail, ZAP will remove the malicious e-mail in all Exchange Online mailboxes.

Attack Simulator

At the beginning of the blog post, I mentioned: “awareness of your employees is critical.” Microsoft recognizes this as well and created a feature called the Attack Simulator. Attack simulator contains four simulated attacks that you can use to higher the user’s awareness within your tenant. The four attacks include; Spear Phishing (Credential Harvesting), Spear Phishing (Attachment), Brute Force Password (Dictionary Attack), Password Spray Attack.

Licensing

Microsoft Office 365 ATP is a separate license, but it comes with additional license plans as well. There are two different licenses: Plan 1 and Plan 2. Microsoft Office 365 ATP Plan 2 includes Microsoft Office 365 ATP Plan 1, including Threat Tracker, Explorer (advanced threat investigation), Automated investigation and response, and the Attack Simulator.

Microsoft Office 365 ATP Plan 1 comes with the following license plan: Microsoft 365 Business Premium.

Microsoft Office 365 ATP Plan 2 comes with the following license plans: Office 365 E5, Office 365 A5, and Microsoft 365 E5.