Phishing is one of the biggest security threats facing organizations today. It is an attack that tricks people into revealing sensitive information through fraudulent emails, messages or websites, and it’s crucial to have a plan in place to defend against it.
One way to assess your organization’s vulnerability to phishing is to conduct a phishing awareness test. Microsoft Defender for Office 365 (MDO) provides a powerful set of tools to help you run these tests and ensure that your users are aware of the dangers of phishing.
However, it’s important to configure exceptions for these tests to avoid disrupting normal business operations. In this blog post, we’ll discuss advantages and disadvantages of awareness tests and how to configure exceptions for phishing awareness tests in Defender for Office 365.
Advantages of doing awareness tests
- Increased employee awareness: By simulating realistic phishing attacks, employees can gain a better understanding of how these attacks work and what to look out for.
- Reduced risk of successful attacks: By identifying and addressing weaknesses in employee behavior related to phishing, such as clicking on suspicious links or providing sensitive information in response to phishing emails, companies can reduce the risk of successful attacks.
- Cost savings: Phishing attacks can be very costly for organizations, not only in terms of the potential loss of data and revenue, but also in terms of the time and resources required to respond to an attack. By reducing the risk of successful attacks through phishing awareness tests, organizations can potentially save significant amounts of money.
- Compliance requirements: Many industries and regulatory bodies have specific requirements related to cybersecurity awareness and training for employees. Conducting phishing awareness tests can help organizations meet these requirements and avoid potential penalties or fines.
- Improved security culture: By prioritizing cybersecurity awareness and training for employees, organizations can help foster a culture of security and create a more proactive approach to cybersecurity. This can help to ensure that security is a top priority throughout the organization and can lead to improved security practices overall.
Overall, conducting phishing awareness tests can help organizations to identify and address vulnerabilities related to phishing attacks, reduce the risk of successful attacks, and create a culture of security that prioritizes cybersecurity awareness and training for employees.
Disadvantages of awareness tests
- Employee distrust: If employees feel like they are being constantly monitored and tested, it can lead to feelings of distrust and resentment. This is especially true if phishing tests are conducted without proper communication and explanation beforehand.
- False sense of security: While phishing awareness tests can help to identify vulnerabilities and improve employee awareness, they may also create a false sense of security. Employees may become complacent and assume that they are protected from all phishing attacks, even when the testing scenarios may not reflect the full range of tactics that real attackers may use.
- Lack of effectiveness: If phishing awareness tests are not properly designed or executed, they may not be effective in identifying vulnerabilities or improving employee awareness. This can result in wasted time and resources, as well as a potential increase in risk if employees assume that they are protected when they are not.
- Potential for employee stress: Repeated and frequent testing can cause employee stress and anxiety, especially if the tests are not communicated properly or are overly difficult. This can negatively impact employee morale and productivity.
- Ethical concerns: There may be ethical concerns related to conducting phishing awareness tests, especially if employees are not properly informed or if sensitive data is used as part of the testing scenarios. It is important to ensure that any testing is conducted in an ethical and transparent manner, with the goal of improving security and protecting the organization as a whole.
Overall, while there are potential disadvantages to conducting phishing awareness tests, these can be mitigated through proper communication, testing design, and ethical considerations. With the advantages and disadvantages in mind, we will prepare the technical configuration to start an awareness test. Get the details, such as sender IPs, included URLs and the sender address, from the party running the assessment, or have them send you a test email.
In the following configuration steps, we assume that you have received a test phishing mail and need to extract all the details to add them as exclusions.
Configuration
Navigate to Threat Explorer:
Search for mails detected as phishing or quarantined (adjust your filter to find the correct mail):
Open mail properties:
Extract the “SMTP mail from address” and “Sender IP” and copy it into Notepad:
Scroll down and copy the URL that your users are lured to click on:
Edit the URL: delete the leading http:// or https:// and replace it with “~”, then remove everything after the domain name and append another “~”.
For example, “https://company.click.test.com/id/guid” becomes “~company.click.test.com~”. This entry covers all subdomains and adds a wildcard suffix. See also the following screenshot for examples:
Source: Allow or block URLs using the Tenant Allow/Block List – Office 365 | Microsoft Learn
Another way to check the “MailFrom” and the sending mail server is to look at the mail header:
Open the mail entity, view the header, copy the mail header to your clipboard and paste it into the “Microsoft Message Header Analyzer”.
“View header” from mail:
Copy the information to the clipboard:
Paste the information into Message Analyzer and click on “Analyze headers”:
Scroll down a little to item 2, “Authentication-Results”, and check the “smtp.mailfrom” value:
Once you have all the information, navigate to “Policies & rules” in the Microsoft 365 Defender portal:
Click on “Threat policies”:
Under “Rules” you will find “Advanced delivery”:
Click on “Phishing simulation” and on “Edit” or “Add”:
Enter the information you copied into Notepad and click on the small window that shows up under the text box:
Once everything is set up, save it and test it again. Make sure you get all the information, such as the sending IP, from the partner you work with, so that you do not get any errors during the awareness test.
The URL will still be wrapped and protected by Safe Links, but because of the policy you just set up it is ignored rather than blocked.
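As an added example that is not part of the original post, the following Python helper performs the two extraction steps above offline: it pulls the smtp.mailfrom domain and the sender IP out of an Exchange Online style “Authentication-Results” header, and converts a lure URL into the “~host~” entry used in the Advanced delivery policy. The header text and all addresses in it are constructed for illustration.

```python
import re
from email.parser import HeaderParser
from urllib.parse import urlparse

# Constructed sample of the headers Exchange Online stamps on an inbound mail.
# Domains and IPs are made up for this example (documentation ranges).
SAMPLE_HEADER = """Received: from mail.phishtest.example (192.0.2.10) by mx.contoso.example
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=phishtest.example; dkim=none (message not signed)
 header.d=none;dmarc=bestguesspass action=none header.from=phishtest.example;
From: IT Helpdesk <helpdesk@phishtest.example>
To: user@contoso.example
Subject: Action required: password expires today

"""


def extract_simulation_details(raw_header: str) -> dict:
    """Return the smtp.mailfrom domain and sender IP from Authentication-Results.

    Both values are what the Advanced delivery policy asks for; missing
    values come back as None so the caller can spot an incomplete header.
    """
    msg = HeaderParser().parsestr(raw_header)
    auth = msg.get("Authentication-Results", "")
    auth = " ".join(auth.split())  # unfold the continuation lines
    mailfrom = re.search(r"smtp\.mailfrom=([^;\s]+)", auth)
    sender_ip = re.search(r"sender IP is ([0-9a-fA-F.:]+)", auth)
    return {
        "mailfrom_domain": mailfrom.group(1) if mailfrom else None,
        "sender_ip": sender_ip.group(1) if sender_ip else None,
    }


def to_simulation_url_entry(url: str) -> str:
    """Convert a lure URL into the ~host~ form: scheme and path are dropped."""
    # urlparse needs a leading "//" to treat a scheme-less string as a host
    parsed = urlparse(url if "://" in url else "//" + url)
    if not parsed.hostname:
        raise ValueError(f"no host name found in {url!r}")
    return f"~{parsed.hostname}~"


if __name__ == "__main__":
    print(extract_simulation_details(SAMPLE_HEADER))
    print(to_simulation_url_entry("https://company.click.test.com/id/guid"))
```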
Conclusion
In my opinion, despite the disadvantages of a test, the advantages outweigh them. To secure your environment, I recommend doing regular phishing awareness tests and giving good e-learning material to your employees.
With Defender for Office 365 it is easy to set up a third-party awareness test. If you want more information on configuring Defender for Office 365, take a look at the official documentation: Microsoft Defender for Office 365 – Office 365 | Microsoft Learn
If you have any issues or questions, do not hesitate to contact me. You can connect with me on LinkedIn, Twitter and Mastodon. Thanks for reading and sharing.
Sources:
Allow or block URLs using the Tenant Allow/Block List – Office 365 | Microsoft Learn