Feeding the Attack Simulator

%3CLINGO-SUB%20id%3D%22lingo-sub-2672834%22%20slang%3D%22en-US%22%3EFeeding%20the%20Attack%20Simulator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2672834%22%20slang%3D%22en-US%22%3E%3CP%3EPrevious%20commentators%20have%20noted%20the%20simulator's%20tendency%20to%20send%20attacks%20in%20a%20single%20wave.%20This%20can%20lead%20to%20a%20comment%20from%20one%20recipient%20warning%20another.%20Additionally%2C%20the%20wave%20may%20overwhelm%20local%20IT%20support.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20my%20mind%20it%20makes%20sense%20to%20split%20a%20large%20recipient%20base%20up%20into%20slices%20to%20be%20attacked%20at%20different%20times%20and%20possibly%20with%20minor%20variations%20in%20the%20payload.%20I%20had%20been%20looking%20at%20dynamic%20groups%20to%20do%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAm%20I%20correct%20in%20saying%20no%20type%20of%20dynamic%20group%20is%20acceptable%20to%20the%20attack%20simulator%3F%20I%20have%20tried%20the%20new%20Microsoft%20365%20groups%2C%20but%20with%20the%20group%20features%20suppressed%20to%20prevent%20the%20group%20itself%20from%20mailing%2C%20the%20simulator%20will%20not%20mail%20the%20membership%20either.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3Eset-UnifiedGroup%20-Identity%20%24Group.Name%20-HiddenFromExchangeClientsEnabled%3C%2FPRE%3E%3CPRE%3Eset-UnifiedGroup%20-Identity%20%24Group.Name%20-UnifiedGroupWelcomeMessageEnabled%3A%24false%3C%2FPRE%3E%3CPRE%3Eset-UnifiedGroup%20-Identity%20%24Group.Name%20-SubscriptionEnabled%3A%24false%3C%2FPRE%3E%3CPRE%3Eset-UnifiedGroup%20-Identity%20%24Group.Name%20-AlwaysSubscribeMembersToCalendarEvents%3A%24false%3C%2FPRE%3E%3CPRE%3Eset-UnifiedGroup%20-Identity%20%24Group.Name%20-AutoSubscribeNewMembers%3A%24false%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2672834%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPhishing%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPrevention%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2673293%22%20slang%3D%22en-US%22%3ERe%3A%20Feeding%20the%20Attack%20Simulator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2673293%22%20slang%3D%22en-US%22%3EAsk%20and%20you%20shall%20receive%3A%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-compliance-and-identity%2Fannouncing-exciting-updates-to-attack-simulation-training%2Fba-p%2F2455961%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fsecurity-compliance-and-identity%2Fannouncing-exciting-updates-to-attack-simulation-training%2Fba-p%2F2455961%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2679523%22%20slang%3D%22en-US%22%3ERe%3A%20Feeding%20the%20Attack%20Simulator%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2679523%22%20slang%3D%22en-US%22%3EVasil%2C%20that%20was%20exactly%20what%20I%20was%20looking%20for.%20I%20gave%20it%20a%20try%20and%20the%20Randomize%20Send%20Times%20feature%20did%20not%20work%20-%20everything%20arrived%20at%20the%20same%20time.%20I%20was%20using%20a%20single%20attack%20to%20a%20group%20of%20eight%20recipients%20over%20a%20short%20period%20of%20four%20days%2C%20which%20may%20have%20caused%20the%20random%20algorithm%20a%20problem.%20Does%20anyone%20know%20if%20there%20is%20documentation%20for%20the%20new%20feature%20beyond%20the%20June%20announcement%2C%20or%20am%20I%20better%20off%20speaking%20to%20Product%20Support%3F%3C%2FLINGO-BODY%3E
Contributor

Previous commentators have noted the simulator's tendency to send attacks in a single wave. This can lead to a comment from one recipient warning another. Additionally, the wave may overwhelm local IT support.

 

To my mind it makes sense to split a large recipient base up into slices to be attacked at different times and possibly with minor variations in the payload. I had been looking at dynamic groups to do this.

 

Am I correct in saying no type of dynamic group is acceptable to the attack simulator? I have tried the new Microsoft 365 groups, but with the group features suppressed to prevent the group itself from mailing, the simulator will not mail the membership either.

 

set-UnifiedGroup -Identity $Group.Name -HiddenFromExchangeClientsEnabled
set-UnifiedGroup -Identity $Group.Name -UnifiedGroupWelcomeMessageEnabled:$false
set-UnifiedGroup -Identity $Group.Name -SubscriptionEnabled:$false
set-UnifiedGroup -Identity $Group.Name -AlwaysSubscribeMembersToCalendarEvents:$false
set-UnifiedGroup -Identity $Group.Name -AutoSubscribeNewMembers:$false

 

4 Replies
Vasil, that was exactly what I was looking for. I gave it a try and the Randomize Send Times feature did not work - everything arrived at the same time. I was using a single attack to a group of eight recipients over a short period of four days, which may have caused the random algorithm a problem. Does anyone know if there is documentation for the new feature beyond the June announcement, or am I better off speaking to Product Support?
Opening a support case wouldn't hurt.
I'd argue that opening a support case would hurt the sanity of anyone doing so.

I have yet to have a single Phishing Attack Simulator ticket NOT take weeks or months to resolve, and most result in outright changes to the entire product due to the abysmal QC Microsoft has shown with their O365 product suite in the past few years, and the attack simulator top among that.

There was a stretch of a month that it outright wouldn't load reports correctly on any browser including the newly GA Edge, and it took around 3 months for them to allow us to delete simulations that we ran as internal trial run/tests (hiding didn't remove them from the report metrics) - and 8 months later I'm still seeing metrics reporting deleted run clicks/trainings and trainings that are spamming users months later.

Support meanwhile likes to respond with a few days of gathering data you provided them in the initial email/ticket but have to explain 2-3 times in different ways, and then radio silence as they 'escalate' the issue to someone that doesn't communicate any form of helpful or even informational updates outside of 'we're working on this' or some shade of that.

I should make a post about this, come to think on it.
www.000webhost.com