Today I wanted to try out the new and very awesome Office 365 Attack Simulator for Office 365.
The idea behind it is that there are certain types of hacking attempts that can bypass security protocols based on their nature, such as a phishing scam, brute force password attack or even password stuffing or as Office 365 calls it password spraying.
Curiosity is an enemy and a friend
The reason these attacks may bypass security protocols is because, by nature, humans click things we should not, we type in passwords wrong a few times when we forget them and use the same password for multiple accounts.
This means it is very difficult to put procedures in place without causing complexity which will later be bypassed and rendering the security useless.
I am not saying all of these can be avoided with the right measures in place, and the Office 365 Secure Score certainly can assist, it is not 100% fail safe.
This brings in the Office 365 Attack Simulator. What it does is launch a specified attack on your Office 365 tenant and simulates what a hacker may be trying on you and your employees. This will then identify security flaws and allow you to resolve them before the bad guys do.
Some of you that are very familiar with #infosec will very quickly point out that the Office 365 Attack Simulator is not needed, and one could simply leverage Kali or a number of other tools to get this job done. But for the new comers out there who do not have this and want a legit reason to hack everyone in the business, this is your tool.
Launch mode activated
To activate the Office 365 Attack Simulator got to this link https://protection.office.com/#/attacksimulator with your privileged Office 365 account.
You will then be presented with this magical dashboard.
And right away get 3 attack options as listed below.
- Display Name – Spear Phishing Account Breach. Phishing is a generic term for a broad suite of attacks classed as a social engineering style attack. This test is focused on Spear Phishing – a more targeted attack, aimed at a specific group of individuals or an organization. Typically, a customized attack with some reconnaissance performed and using a Display Name that will generate trust in the recipient;
- Brute Force Password Attack Account Breach. A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate many consecutive guesses as to the value of the desired data;
- Password Spray Attack Account Breach. A password spray attack against an organization is typically used after a bad actor has successfully enumerated a list of valid users from the tenant, utilizing their knowledge of common passwords used.
I did try to setup a few attacks but got the following error, I think it is because the Office 365 Attack Simulator is still in preview.
So I will keep checking, and once it is up and running, I will complete this blog for you.