Microsoft Attack Simulator: simulation report showing all users clicked link when none did

Brad Bussie 0 Reputation points
2023-11-30T18:27:25.26+00:00

Under attack simulation training in Defender for Cloud, I ran a Social Engineering - Drive-by URL simulation. I sent a test to 10 users and then looked at my dashboard. The simulation report shows all ten users clicked the message link AND read the message. However, no one actually opened/read the message or clicked the link.

I suspect this could be caused by existing Microsoft Threat Policies, specifically the Safe Links or Anti-phishing policy. Something appears to be reading the message and clicking the link automatically to see what it is/where it's going.

I see where one could configure Advanced Delivery where it has an entire area devoted to third-party phishing platforms, however... that doesn't seem to be the right place.

Any idea how to "white list" Microsoft Attack Simulator to.... Microsoft?


1 answer

  1. Akshay-MSFT 17,651 Reputation points Microsoft Employee
    2023-12-01T09:02:37.68+00:00

    @Brad Bussie

    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you have created an attack simulation path test for your environment but suspect that the URLs were accessed by Threat policies/Safe Links. Now you are looking for a way to whitelist/exclude the simulation mails from Threat policies.

    Please do correct me if the ask described above is not understood well.

    Kindly follow the given steps to exclude the simulation mails from being scanned by Safe Links:

    • Within Attack simulation training settings > Payload, once you click on the selected payload, you will be able to find the sender of the simulated email.

    • Now navigate to Policies & rules > Threat policies > Preset Security Policies > Strict protection > Manage Protection settings > Impersonation protection > Trusted senders and domains, and add trusted email addresses and domains to not flag as impersonation.

    Email messages from these senders will not be flagged as impersonation.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (opting Yes under "Helpful") and share your feedback. This will help us and others in the community as well.