AzureFeeds

Attack Simulation Training in Microsoft Defender for Office 365 is a powerful capability for improving your organization’s resilience to phishing and social engineering attacks. However, the effectiveness of these simulations depends heavily on how well they are configured and managed. In this guide, we’ll walk through how to take full advantage of the platform by leveraging dynamic groups, simulation automations, training localization, and training reminders.

1. Target the Right Users with Dynamic Groups

Where to configure it: Microsoft Entra Admin Center > Groups > New Group

Why it matters: Dynamic groups allow you to automatically include users in specific roles or departments without manual updates. This is especially useful when targeting high-risk departments like Finance, HR, or Legal with customized phishing simulations.

How to set it up:

1. Navigate to the Microsoft Entra Admin Center (https://entra.microsoft.com)


2. Go to Groups and select New group


3. Choose Security as the group type and Dynamic User for membership


4. Under Dynamic user rules, use a query like: (user.department -eq “Finance”)


5. Name and create your group

Dynamic groups are continuously updated based on user attributes, so you don’t have to manually maintain the list. This is particularly helpful for ensuring new hires in a department are automatically included in relevant security campaigns.

Best Practices:

• Create separate dynamic groups for different departments and roles


• Tailor attack simulation training precisely to the audience you want to target.
  
  

2. Automate Phishing Simulations with Simulation Automations

Where to configure it: Microsoft 365 Defender Portal > Email & Collaboration > Attack Simulation Training > Simulation Automations

Why it matters: Repetition builds resilience. Automations let you schedule ongoing, recurring simulations that simulate real-world phishing campaigns without manually launching each one.

Step-by-step automation setup:

1. Navigate to Attack Simulation Training > Simulation Automations

2. Click + Add automation

3. Automation name: Define a clear and descriptive name for tracking purposes

4. Select technique(s): Choose one or more phishing techniques (e.g., Credential Harvesting, Malware Attachment)

5. Select payloads and login page: Pick email templates and associated login pages for the simulation

6. Target users: Select your intended recipients – this is where dynamic groups come in

7. Assign training: Enable automatic training assignment to users who fail the simulation

8. Select end user notification: Configure the message that users will receive during/after simulation

9. Simulation schedule: Choose either:

• Randomized: Sends emails at random times within your selected scope


• Fixed: Sends emails at the same time to all users

10. Schedule details (if randomized selected):

• Choose start/end dates


• Select days of the week for delivery


• Limit number of emails per period


• Optionally randomize email send time of day

11. Launch details: Set criteria or approval flow for launching the automation

12. Review simulation automation: Confirm settings before activating

Best Practices:

• Use multiple payloads per technique to create a more realistic experience


• Randomize delivery to simulate real-world attack unpredictability


• Review campaign performance quarterly to refine tactics

4. Localize Training Content Based on User Language

Users are more likely to understand and retain training if it’s delivered in their native language. Microsoft Defender supports over 30 languages for training content.

Users can update their own settings at https://portal.office.com

How users update language settings:

1. Go to https://portal.office.com


2. Click on your profile icon and choose View account


3. Navigate to Settings & Privacy > Language and Region


4. Update Display language and save

Administrator Tip: Send a reminder to users to verify their language settings before training starts. If a language isn’t supported, content defaults to English.

Best Practices:

• Check the language availability for each training module in the Content Library
  
  

4. Assign Training Based on User Behavior

Where to configure it: During simulation creation or automation > Assign Training

Why it matters: This reinforces correct behavior and closes knowledge gaps.

How to enable it:

1. In your simulation or automation setup, go to Assign training


2. Select the appropriate training module (many include interactive quizzes)

Best Practices:

• Pair credential harvesting payloads with password hygiene modules


• Monitor training assignment logs to ensure they are working as expected

5. Enable Training Reminders to Increase Completion

Where to configure it: Simulation setup > Training notification settings

Why it matters: Users often forget to complete training. Reminders help improve completion rates and show compliance accountability.

How to configure it:

1. Enable Training reminders


2. Set frequency (e.g., once per week or twice per week)


3. Customize the reminder email template (add deadlines, contact points, etc.)

Best Practices:

• Keep reminder emails brief but actionable


• Track reminder performance in training reports


• Consider escalating to managers if users repeatedly ignore training

6. Monitor Reports and Take Action

Where to view it: Microsoft 365 Defender Portal > Attack Simulation Training > Reports

Why it matters: Data drives decisions. Monitoring campaign and training metrics helps identify trends, track user improvement, and justify investments.

What you can see:

• Simulation participation rates


• Clicks, credential submissions


• Training assignment and completion stats

Best Practices:

• Identify users who repeatedly fall for simulations


• Use data to tailor future training and simulations
  
  

Final Thoughts

By combining dynamic group targeting, automation, localized content, automatic training assignment, and reminders, you can build a highly effective and scalable security awareness program using Microsoft Defender for Office 365. The goal isn’t just compliance, but lasting behavior change through frequent, relevant, and personalized training experiences.

If you’re just getting started, focus on building one automation, targeting one group, and measuring outcomes. Then iterate and expand your program over time.