Feature of the Month: Office Attack Simulator

This month we will be featuring a built-in Office Attack Simulator that comes with Microsoft Office Advanced Threat Protection.

What is an Office Attack?

There are many types of online attacks that could affect your business or you personally. Some of these you may have heard of – such as phishing – whereas some are more obscure – such as Password-Spray. In this article, we will be talking about three of these: Spear Phishing, Password-Spray attacks and Brute-Force Password attacks.

These are related as they are all types of attacks that you can craft in Office’s Attack Simulator, which comes with an Advanced Threat Protection (Plan 2) license. To access this simulator, you need to navigate to your organisation’s security and compliance centre in the Office Portal. Once there, click Threat Management, then Attack Simulator.

The following examples are all types of attacks that you can simulate using this service. They can be customised towards targeting specific users or groups and will automatically generate reports so you can accurately identify areas of improvement in terms of online security in your organisation.

Spear Phishing

Phishing, as a generic term, is a type of online attack that works as a social engineering attack. These tend to surface as fraudulent emails, calls or texts that ask users for specific personal information such as card details or address details. They do this by disguising themselves as something they are not – commonly banks or government services.

Spear Phishing is a more direct approach to getting information from individual users in companies; this is achieved by imitating someone else, such as a director or line manager.

In the attack simulator, you can craft a custom email to send to either users, groups or everyone with a link to click – meaning you can make it as obvious or as discreet as you wish. You will then receive a report stating who clicked on the link, allowing you to identify areas for improvement so you can educate people on the dangers of such emails.

Password-Spray Attacks

Everyone knows the struggle of choosing a password, especially when it has to meet what seems like hundreds of parameters to be considered safe. This can sometimes lead people to a generic password, like ‘password123’ or ‘firstname1’. Password-Spray attacks attempt to find out who uses these passwords.

These attacks are usually pre-determined, as the person carrying out the attack most likely has a list of all of the users in your organisation that they previously obtained. All they then need to do is try to log in to those accounts using a list of generic passwords and see which ones work. This is why you have counters for incorrect attempts and automatic blocking in place – to stop people attempting over and over again.

In the attack simulator, you can simulate such an attack by choosing a few parameters. You need a list of users (which is already built-in) and some generic passwords. You can then select the users you wish to send the attack to and start it; this will run and let you know who in your company has one of the generic passwords.

Brute Force Attacks

A brute force attack is another example of an attack that requires the attacker to first have a list of users in an organisation. This type is similar to a Password-Spray attack, though much more focused. In this case, one person is targeted, and the attacker tries as many passwords as possible on that user’s account. The goal of this attack is that one of the passwords is successful.

In the Office Attack Simulator, you can specify a list of passwords to use for this attack using a .txt file, and it will attempt them all on the person’s account. If any of them are successful, it will tell you in the report.
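The difference between the Password-Spray and Brute Force patterns described above also shows up in sign-in logs, which is what incorrect-attempt counters rely on. The following is an added example, not part of the original article or of the Attack Simulator: it labels failed sign-ins per source address, and the event layout, function name and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (source_ip, username, success)
SAMPLE_EVENTS = (
    # One source fails twice against each of six different accounts.
    [("203.0.113.10", f"user{i}", False) for i in range(6) for _ in range(2)]
    # One source fails twelve times against a single account.
    + [("198.51.100.7", "alice", False)] * 12
    # A normal user mistypes once, then signs in.
    + [("192.0.2.5", "bob", False), ("192.0.2.5", "bob", True)]
)


def classify_failed_signins(events, spray_min_users=5,
                            spray_max_per_user=3, brute_min_attempts=10):
    """Label each source as 'brute-force' or 'password-spray'.

    Thresholds are illustrative assumptions, not product defaults.
    Grouping by source is a simplification: a real spray can be spread
    over several addresses.
    """
    # failures[source][user] = number of failed attempts
    failures = defaultdict(lambda: defaultdict(int))
    for source, user, success in events:
        if not success:
            failures[source][user] += 1

    findings = {}
    for source, users in failures.items():
        # Brute force: many failures concentrated on one account.
        heavy = sorted(u for u, n in users.items() if n >= brute_min_attempts)
        # Spray: a few failures each, spread across many accounts.
        light = sorted(u for u, n in users.items() if n <= spray_max_per_user)
        if heavy:
            findings[source] = ("brute-force", heavy)
        elif len(light) >= spray_min_users:
            findings[source] = ("password-spray", light)
    return findings


if __name__ == "__main__":
    for src, (label, accounts) in classify_failed_signins(SAMPLE_EVENTS).items():
        print(f"{src}: {label} against {len(accounts)} account(s)")
```

A per-account lockout counter alone catches the brute-force source but not the spray, because each sprayed account sees only a couple of failures.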

If you would like to upgrade your organisation to an Advanced Threat Protection Plan 2 please send an email to [email protected]

Learn more about Office 365 products by signing up to one of our free Office 365 taster sessions.
