Bringing Automation in Attack Simulation Training and Security Preset together

-
                                     
While utilizing Preset Security Policies in Microsoft Defender for Office 365, that focuses on a "set-and-forget" security posture, organizations can leverage automation in Attack Simulation Training (AST) to further strengthen the security directly through the end users (aka human firewall) by carrying out recurring, randomized testing. In other words, Preset Security Policies help in handling technical blocks (Safe Links, Safe Attachments) while Simulation Automations target the human element.

I tested the Automation feature back in December 2025, but never got to blogging about it, and so decided to put a quick read together.

Automation in Attack Simulation Training is a closed-loop system which allows organizations to -

- Send simulated phishing emails
- Observe user behavior
- Automatically train users who fail
- Repeat at a defined frequency
- Track improvement over time

There are obviously some licensing & prerequisites, but nothing out of the ordinary if you are already setup for MDO and EXO -

- Defender for Office 365 Plan 2 (or M365 E5)
- Security Admin or Global Admin role
- Attack Simulation Training enabled
- Users have Exchange Online (EXO) mailboxes

Enabling Automation in Attack Simulation Training

1. Open https://security.microsoft.com and navigate to Email & collaboration → Attack simulation training.
2. Go to Automation and click on Create automation.



3. Configure Automation Basics by giving a name and description and then hit Next.


4. Select all the techniques you want to include in the automation policy. For all intend and purposes, I am just selecting Malware Attachment.



5. Select payloads to include in the automation. You can randomize it or select up to 20 available payloads manually. For testing in my own tenant, I just went with the Randomize option.



6. Choose how users are selected. I am testing on my own tenant so I am selecting all users, but it is highly recommended to test and validate against a cohort group. You can exclude Break-glass accounts,
Service mailboxes, Executives (optional, but not recommended long-term)


7. Assign Training as relevant to your organization. You can chose from Microsoft' catalog or let Microsoft decide for you in the automation.


8. Select the landing page. You can use the default landing page templates available or create your own.


9. Select how you want the end user notifications to be handled. I chose to use Microsoft's default end user notification and set my own simulation frequency interval.


10. Set the simulation schedule. I chose to use fixed schedule. Note - I already tested this a month back, but for all demonstration purposes, I have populated more recent dates.



11. Configure the launch details for additional customization to the automation.


12. Review the settings and confirm the policy.

What Happens After Automation is Enabled?

Defender sends phishing simulation and user clicks on the email and interacts with the attachment.




Training email sent automatically. Example - 


User can also initiate the training from the attachment (if applicable).



User's actions are monitored on Defender as well.



That's it for now. Until next time..

Comments

Post a Comment

Popular posts from this blog

Fixing Tamper Protection Blob Error 65000 using Microsoft Intune

-
Image
I recently encountered an issue with enabling Tamper protection as part of the implementation of Defender for Endpoint in one of customer's tenant and considering how unusual the behavior was and how I didn't encounter this before, I decide to blog my experience. If you have been battling with the same issue, then this blog may just help you. There are multiple ways to enable Tamper protection as part of MDE. One can enable at a tenant level using Defender portal or do it using Intune. I normally choose the Intune, especially when dealing with endpoints to maintain uniformity with other Defender policies being managed by Intune. However, in this particular instance, the issue started cropping randomly on some endpoints where tamper protection would not enable and throw an error code 65000, as show below. Additionally, the status in Defender will report as Unknown instead of reporting Active or something else like EDR in block mode to suggest that Defender Antimalware is running...
Read more

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){              ...
Read more

Removing OEM configured bookmarks from Edge

-
Image
I believe most will agree when I say that OEM branded configuration on Windows devices can be both unwanted and frustrating to remove. Especially when you provisioning devices using Autopilot and want to apply organization's configuration policies. I recently encountered an issue with Lenovo Windows 11 devices that came pre-installed and configured with things that the customer didn't want. While the procurement process gets worked out with the supplier to provide a clean image, I still needed to address these unwanted items. One of the items were pre-configured Edge bookmarks that had no place in the bookmarks that I was putting in place. It was obvious that they had to go.  The bookmarks are located under  C:\Users\<Userprofile>\AppData\Local\Microsoft\Edge\User Data\Default If you open it then you can match contents with what shows up in the favorites on Edge. Solution I created a simple 1 line script to delete the Bookmarks file as part of the Autopilot provisioning ...
Read more