Probably the most common attack vector!

Phishing is very likely the most common attack vector. It is so common that the following statistic is regularly quoted:

“a 2016 study reports that 91% of cyberattacks and the resulting data breach begin with a phishing email”

Setting up the Social Engineering Toolkit or a custom phishing solution takes a little time; luckily, Microsoft have added attack simulation features into Office 365. This lets in-house teams perform a range of simulated attacks against their own organisation in a safe manner. In this post we are going to run through the steps required to create and run a phishing attack simulation!

Navigate to Threat Management

Then click on Attack Simulator

We can see here we’ve got 3 common attacks we can launch:

  • Spear Phishing
  • Brute Force Attack
  • Password Spraying

All three attacks are commonly used, either in isolation or together, to gain an initial foothold in an organisation. For this demo I'm going to run a phishing campaign.

Click Launch Attack

Now enter a name for the campaign (we used DontBePhishFood) then click Next

We now need to select our users. We’re going to see if Tara’s phishing awareness is up to scratch, and for this demo I’m going to include myself.

Once you have selected the targets click Next

We now get to enter some details. Note that you can specify a custom URL to redirect people to once the exercise is complete; for now we are using the defaults!

Click Next when ready

The next stage is to craft the email. I'm going to pretend to be from IT support, and I'm even going to reference a legitimate data breach website. Notice that we are telling the recipient they are at risk and that by complying with our request they will eliminate that risk and be safe. Be sure to include the Phishing URL variable; that is the link the simulator tracks. When ready click Next

And if you are all good to go click Finish

Almost instantly I receive the email

So we are going to click on the URL from our phishing email

We are now presented with a sign-in dialogue box. We are going to enter our correct email address.

Now, I know I'm being phished (by myself!), so I'm going to enter the wrong password.

We can see here that the password field isn't validated, which is a good thing: any submission counts as a successful phish, so nobody ever has to hand over a real password to the simulation. Heading back to our admin console we can see the results of the attack:
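To make that result concrete, here is an added Python illustration of what a simulation like this does under the hood. It is not Microsoft's code and nothing from the Attack Simulator itself; it models the mechanics: the Phishing URL variable in the template becomes a per-recipient tracking link, a click or a form submission is attributed to the recipient through that link, and the submitted password is neither validated nor stored, so a wrong password still counts as a successful phish. The landing URL, the campaign key, the email addresses and the lure wording are all made up for the example, and it generalises the single two-person campaign above to any number of targets.

```python
import hmac
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Hypothetical landing page and per-campaign key (not Microsoft's; made up for the example).
LANDING_BASE = "https://login.example-simulator.test/auth"
CAMPAIGN_KEY = b"replace-with-a-random-per-campaign-secret"

# Constructed lure in the spirit of the IT-support email described above:
# the recipient is told they are at risk and that complying removes the risk.
TEMPLATE = """Subject: Action required: your account was found in a data breach

Hi {first_name},

IT Support has matched your account against a recent breach notification.
To keep your account secure, please confirm your password within 24 hours:

{phishing_url}

IT Support"""


@dataclass
class Campaign:
    name: str
    targets: dict = field(default_factory=dict)  # token -> target address
    clicked: set = field(default_factory=set)    # tokens whose link was followed
    submitted: set = field(default_factory=set)  # tokens that submitted credentials

    def token_for(self, email: str) -> str:
        # HMAC over campaign name + address: stable per recipient, but not guessable
        # by a recipient who wants to forge clicks on a colleague's behalf.
        mac = hmac.new(CAMPAIGN_KEY, f"{self.name}:{email}".encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def add_target(self, email: str) -> str:
        token = self.token_for(email)
        self.targets[token] = email
        return token

    def render(self, email: str, first_name: str) -> str:
        """Fill the template; the phishing-URL variable becomes a per-recipient link."""
        url = f"{LANDING_BASE}?t={self.token_for(email)}"
        return TEMPLATE.format(first_name=first_name, phishing_url=url)

    def _token_from(self, url: str):
        token = parse_qs(urlparse(url).query).get("t", [None])[0]
        return token if token in self.targets else None

    def record_click(self, url: str):
        """Attribute a visit to the landing page; returns the target address or None."""
        token = self._token_from(url)
        if token is None:
            return None
        self.clicked.add(token)
        return self.targets[token]

    def record_submission(self, url: str, username: str, password: str):
        """Count a credential submission. The password is deliberately neither
        compared nor stored: reaching this point is the 'successful phish'.
        Only the tracking token decides attribution; the typed username is ignored."""
        token = self._token_from(url)
        if token is None:
            return None
        self.clicked.add(token)  # a submission implies the link was followed
        self.submitted.add(token)
        return self.targets[token]

    def report(self) -> dict:
        """The numbers the admin console shows: targets, clicks and successful phishes."""
        return {
            "targets": len(self.targets),
            "clicked": len(self.clicked),
            "submitted": len(self.submitted),
            "phished_users": sorted(self.targets[t] for t in self.submitted),
        }


def phishing_url_in(message: str) -> str:
    """Pull the tracking link back out of a rendered email (what the recipient clicks)."""
    return re.search(r"https://\S+", message).group(0)


if __name__ == "__main__":
    campaign = Campaign("DontBePhishFood")
    for address in ("tara@example.test", "admin@example.test"):  # constructed targets
        campaign.add_target(address)
    lure = campaign.render("tara@example.test", "Tara")
    link = phishing_url_in(lure)
    campaign.record_submission(link, "tara@example.test", "not-her-real-password")
    print(campaign.report())
```

The design point is in `record_submission`: the password argument is accepted so the landing page looks like a real sign-in form, but nothing reads it, which is exactly why entering the wrong credentials above still showed up as a successful phish. Keying attribution on an HMAC-derived token rather than the typed username also means a recipient cannot blame a click on someone else by typing a colleague's address.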

Here we can see the details of the attack and the number of successful phishes! Simple to set up, these attack simulations should be part of your standard proactive security strategy. Stay tuned for more Phishy Friday blogs with defensive strategies and methods! Stay safe and don't get phished!
