Commit 42809cb

Merge pull request #1222 from MicrosoftDocs/main
pushing updates live
2 parents ed0024b + f2214e1 commit 42809cb

16 files changed

+182
-52
lines changed

defender-office-365/anti-spam-protection-faq.yml

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
### YamlMime:FAQ
22
metadata:
3-
ms.date: 6/20/2023
3+
ms.date: 06/20/2023
44
title: Anti-spam protection FAQ
55
f1.keywords:
66
- NOCSH

defender-office-365/anti-spam-spam-confidence-level-scl-about.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ ms.custom:
1818
- seo-marvel-apr2020
1919
description: Admins can learn about the spam confidence level (SCL) that applied to messages in Exchange Online Protection (EOP).
2020
ms.service: defender-office-365
21-
ms.date: 11/3/2023
21+
ms.date: 11/03/2023
2222
appliesto:
2323
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2424
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>

defender-office-365/anti-spoofing-spoof-intelligence.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ ms.custom:
1919
- seo-marvel-apr2020
2020
description: Admins can learn about the spoof intelligence insight in Exchange Online Protection (EOP).
2121
ms.service: defender-office-365
22-
ms.date: 11/2/2023
22+
ms.date: 11/02/2023
2323
appliesto:
2424
- ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
2525
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>

defender-office-365/attack-simulation-training-get-started.md

Lines changed: 26 additions & 8 deletions
@@ -19,7 +19,7 @@ ms.custom:
1919
- seo-marvel-apr2020
2020
description: Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.
2121
ms.service: defender-office-365
22-
ms.date: 3/21/2024
22+
ms.date: 08/14/2024
2323
appliesto:
2424
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
2525
---
@@ -87,20 +87,22 @@ In Attack simulation training, multiple types of social engineering techniques a
8787

8888
The following social engineering techniques are available:
8989

90-
- **Credential Harvest**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
90+
- **Credential Harvest**: An attacker sends the recipient a message that contains a link<sup>\*</sup>. When the recipient clicks on the link, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
9191

92-
- **Malware Attachment**: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.
92+
- **Malware Attachment**: An attacker sends the recipient a message that contains an attachment. When the recipient opens the attachment, arbitrary code (for example, a macro) runs on the user's device to help the attacker install additional code or further entrench themselves.
9393

94-
- **Link in Attachment**: This technique is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a URL inside of an attachment. When the recipient opens the attachment and clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
94+
- **Link in Attachment**: This technique is a hybrid of a credential harvest. An attacker sends the recipient a message that contains a link inside of an attachment. When the recipient opens the attachment and clicks on the link, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
9595

96-
- **Link to Malware**: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the URL, the attachment opens, and arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves.
96+
- **Link to Malware**<sup>\*</sup>: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the link, the attachment opens, and arbitrary code (for example, a macro) runs on the user's device to help the attacker install additional code or further entrench themselves.
9797

98-
- **Drive-by-url**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a _watering hole attack_.
98+
- **Drive-by-url**<sup>\*</sup>: An attacker sends the recipient a message that contains a link. When the recipient clicks on the link, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a _watering hole attack_.
9999

100-
- **OAuth Consent Grant**: An attacker creates a malicious Azure Application that seeks to gain access to data. The application sends an email request that contains a URL. When the recipient clicks on the URL, the consent grant mechanism of the application asks for access to the data (for example, the user's Inbox).
100+
- **OAuth Consent Grant**<sup>\*</sup>: An attacker creates a malicious Azure Application that seeks to gain access to data. The application sends an email request that contains a link. When the recipient clicks on the link, the consent grant mechanism of the application asks for access to the data (for example, the user's Inbox).
101101

102102
- **How-to Guide**: A teaching guide that contains instructions for users (for example, how to report phishing messages).
103103

104+
<sup>\*</sup> The link can be a URL or a QR code. QR code support in Attack simulation training is currently in preview.
105+
104106
The URLs that are used by Attack simulation training are listed in the following table:
105107

106108
|&nbsp;|&nbsp;|&nbsp;|
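
Review bot: The `<sup>\*</sup>` footnote marker is placed inconsistently in the technique list at new lines 90-100: on **Credential Harvest** it follows the word "link" inside the sentence, while on **Link to Malware**, **Drive-by-url** and **OAuth Consent Grant** it follows the bold technique name. Use one placement throughout (after the bold name is easier to scan) so readers can tell which techniques the footnote at line 104 covers. **Link in Attachment** at line 94 also changes "URL" to "link" but carries no marker: if QR codes are supported for that technique the marker is missing, and if they are not, keeping "URL" in that bullet avoids implying the footnote's wider meaning of "link".
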
@@ -171,12 +173,17 @@ _End user notifications_ in the simulation send periodic reminders to users (for
171173
172174
### Payloads
173175

174-
Although Attack simulation contains many built-in payloads for the available social engineering techniques, you can create custom payloads to better suit your business needs, including [copying and customizing an existing payload](attack-simulation-training-payloads.md#copy-payloads). You can create payloads at any time before you create the simulation or during the creation of the simulation. To create payloads, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md#create-payloads).
176+
Although Attack simulation training contains many built-in payloads for the available social engineering techniques, you can create custom payloads to better suit your business needs, including [copying and customizing an existing payload](attack-simulation-training-payloads.md#copy-payloads). You can create payloads at any time before you create the simulation or during the creation of the simulation. To create payloads, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md#create-payloads).
175177

176178
In simulations that use **Credential Harvest** or **Link in Attachment** social engineering techniques, _login pages_ are part of the payload that you select. The login page is the web page where users enter their credentials. Each applicable payload uses a default login page, but you can change the login page that's used. You can select from built-in login pages, custom login pages that you already created, or you can create a new login page to use during the creation of the simulation or the payload. To create login pages, see [Login pages in Attack simulation training](attack-simulation-training-login-pages.md).
177179

178180
The best training experience for simulated phishing messages is to make them as close as possible to real phishing attacks that your organization might experience. What if you could capture and use harmless versions of real-world phishing messages that were detected in Microsoft 365 and use them in simulated phishing campaigns? You can, with _payload automations_ (also known as _payload harvesting_). To create payload automations, see [Payload automations for Attack simulation training](attack-simulation-training-payload-automations.md).
179181

182+
> [!TIP]
183+
> QR code payloads are currently in Preview, aren't available in all organizations, and are subject to change.
184+
185+
Attack simulation training also supports using QR codes in payloads. You can choose from the list of built-in QR code payloads, or you can create custom QR code payloads. For more information, see [QR code payloads in Attack simulation training](attack-simulation-training-payloads.md#qr-code-payloads).
186+
180187
### Reports and insights
181188

182189
After you create and launch the simulation, you need to see how it's going. For example:
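
Review bot: The preview alert at new lines 182-183 comes before the paragraph at line 185 that first introduces QR code payloads, so readers are told the feature is in preview before they learn it exists; move the paragraph above the alert. The alert states a limitation rather than a suggestion, so `> [!NOTE]` fits better than `> [!TIP]`. "Preview" is capitalized here but written "preview" in the footnote added at line 104 of this same file; pick one form.
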
@@ -218,6 +225,17 @@ But, sometimes you don't want to wait for users to take correct or incorrect act
218225

219226
- **Training campaigns**: A Training campaign is a training-only assignment for the targeted users. You can directly assign training without putting users through the test of a simulation. Training campaigns make it easy to conduct learning sessions like monthly cybersecurity awareness training. For more information, see [Training campaigns in Attack simulation training](attack-simulation-training-training-campaigns.md).
220227

228+
> [!TIP]
229+
> [Training modules](attack-simulation-training-training-modules.md) are used in Training campaigns, but you can also use Training modules when you [assign training](attack-simulation-training-simulations.md#assign-training) in regular simulations.
230+
221231
- **How-to Guides in simulations**: Simulations based on the **How-to Guide** social engineering technique don't attempt to test users. A How-to guide is a lightweight learning experience that users can view directly in their Inbox. For example, the following built-in **How-to Guide** payloads are available, and you can create your own (including [copying and customizing an existing payload](attack-simulation-training-payloads.md#copy-payloads)):
222232
- **Teaching guide: How to report phishing messages**
223233
- **Teaching Guide: How to recognize and report QR phishing messages**
234+
235+
> [!TIP]
236+
> Attack simulation training provides the following built-in training options for QR code-based attacks:
237+
>
238+
> - Training modules:
239+
> - **Malicious digital QR codes**
240+
> - **Malicious printed QR codes**
241+
> - How-to Guides in simulations: **Teaching Guide: How to recognize and report QR phishing messages**
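
Review bot: The last item of the tip added at new lines 235-241 repeats **Teaching Guide: How to recognize and report QR phishing messages**, which is already the list item at line 233 directly above the tip; drop that item and keep the tip to the two training modules, ideally linked to `attack-simulation-training-training-modules.md` as the tip at line 229 does. Also confirm that the tip at lines 228-229 is indented under the **Training campaigns** bullet, because an unindented alert between the bullets at lines 226 and 231 would split the list in the rendered page.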
