Merge pull request #938 from MicrosoftDocs/AttackSim-chrisda

AttackSim-chrisda to Main

Author: chrisda

defender-office-365/attack-simulation-training-end-user-notifications.md

@@ -12,7 +12,7 @@ ms.collection:
   - tier2
 description: Admins can learn how to create end-user notification email messages for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
 search.appverid: met150
-ms.date: 3/11/2024
+ms.date: 06/14/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -147,6 +147,9 @@ On the details flyout from the **Tenant notifications** tab only, select **Edit
 
        - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the notification back to the default text and layout of the template, select **Reset to default**.
 
+       > [!TIP]
+       > To add images, copy (CTRL+C) and paste (CTRL+V) the image into the editor on the **Text** tab. The editor automatically converts the image to Base64 as part of the HTML code.
+
      - **Code** tab: You can view and modify the HTML code directly.
 
    You can preview the results by selecting **Preview email** at the top of the page.

defender-office-365/attack-simulation-training-faq.md

@@ -13,7 +13,7 @@ ms.collection:
 ms.custom:
 description: Admins can learn how Attack simulation training in the Microsoft Defender portal affects users and can gain insights from simulation and training outcomes.
 search.appverid: met150
-ms.date: 3/14/2024
+ms.date: 06/14/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -313,7 +313,7 @@ The **Delivery status** section on **Report** tab** for a simulation shows the n
 
 - **Successfully received message**
 - **Positive reinforcement message delivered**
-- **Just simulation message delivered
+- **Just simulation message delivered**
 
 Select **View users to whom message delivery failed** to go to the [Users tab](attack-simulation-training-simulations.md#users-tab) tab in the report where the results are filtered by **Simulation message delivery: Failed to deliver**.
 
@@ -380,6 +380,71 @@ You can hover over a section in the chart to see the actual numbers in each cate
 
 :::image type="content" source="media/attack-sim-report-training-campaign-report-tab-all-user-activity.png" alt-text="The All user activity section on the Report tab in the Training campaign report in Attack simulation training." lightbox="media/attack-sim-report-training-campaign-report-tab-all-user-activity.png":::
 
+## Appendix
+
+When you export information from the reports, the CSV file contains more information than what's shown in the report, even if you have all column shown. The fields are described in the following table.
+
+> [!TIP]
+> For maximum information, verify that all available columns in the report are visible before you export.
+
+|Field Name|Description|
+|---|---|
+|UserName|Username of the user who did the activity.|
+|UserMail|Email address of the user who did the activity.|
+|Compromised|Indicates if the user was compromised. Values are Yes or No.|
+|AttachmentOpened_TimeStamp|When the attachment was opened.|
+|AttachmentOpened_Browser|When the attachment was opened in a web browser. This information comes from UserAgent.|
+|AttachmentOpened_IP|The IP address where the attachment was opened. This information comes from UserAgent.|
+|AttachmentOpened_Device|The device where the attachment was opened. This information comes from UserAgent.|
+|AttachmentLinkClicked_TimeStamp|When the attachment link was clicked.|
+|AttachmentLinkClicked_Browser|The web browser that was used to click the attachment link. This information comes from UserAgent.|
+|AttachmentLinkClicked_IP|The IP address where the attachment link was clicked. This information comes from UserAgent.|
+|AttachmentLinkClicked_Device|The device where the attachment link was clicked. This information comes from UserAgent.|
+|CredSupplied_TimeStamp(Compromised)|When the user entered their credentials.|
+|CredSupplied_Browser|The web browser that was used when the user entered their credentials. This information comes from UserAgent.|
+|CredSupplied_IP|The IP address where the user entered their credentials. This information comes from UserAgent.|
+|CredSupplied_Device|The device where the user entered their credentials. This information comes from UserAgent.|
+|SuccessfullyDeliveredEmail_TimeStamp|When the simulation email message was delivered to the user.|
+|MessageRead_TimeStamp|When the simulation message was read.|
+|MessageDeleted_TimeStamp|When the simulation message was deleted.|
+|MessageReplied_TimeStamp|When the user replied to the simulation message.|
+|MessageForwarded_TimeStamp|When the user forwarded the simulation message.|
+|OutOfOfficeDays|Determines whether the user is out of office. This information comes from the Automatic replies setting in Outlook.|
+|PositiveReinforcementMessageDelivered_TimeStamp|When the positive reinforcement message was delivered to the user.|
+|PositiveReinforcementMessageFailed_TimeStamp|When the positive reinforcement message failed to be delivered to the user.|
+|JustSimulationMessageDelivered_TimeStamp|When the simulation message was delivered to the user as part of a simulation with no trainings assigned (**No training** was selected on the **Assign training** page of the new simulation wizard).|
+|JustSimulationMessageFailed_TimeStamp|When the simulation email message failed to be delivered to the user, and the simulation had no trainings assigned.|
+|TrainingAssignmentMessageDelivered_TimeStamp|When the training assignment message was delivered to the user. This value is empty if no trainings were assigned in the simulation.|
+|TrainingAssignmentMessageFailed_TimeStamp|When the training assignment message failed to be delivered to the user. This value is empty if no trainings were assigned in the simulation.|
+|FailedToDeliverEmail_TimeStamp|When the simulation email message failed to be delivered to the user.|
+|Last Simulation Activity|The last simulation activity of the user (whether they passed or were compromised).|
+|Assigned Trainings|The list of trainings assigned to the user as part of the simulation.|
+|Completed Trainings|The list of trainings completed by the user as part of the simulation..|
+|Training Status|The current status of trainings for the user as part of the simulation.|
+|Phishing Reported On|When the user reported the simulation message as phishing.|
+|Department|The user's Department property value in Microsoft Entra ID at the time of simulation.|
+|Company|The user's Company property value in Microsoft Entra ID at the time of simulation.|
+|Title|The user's Title property value in Microsoft Entra ID at the time of simulation.|
+|Office|The user's Office property value in Microsoft Entra ID at the time of simulation.|
+|City|The user's City property value in Microsoft Entra ID at the time of simulation.|
+|Country|The user's Country property value in Microsoft Entra ID at the time of simulation.|
+|Manager|The user's Manager property value in Microsoft Entra ID at the time of simulation.|
+
+How user activity signals are captured is described in the following table.
+
+|Field|Description|Calculation logic|
+|---|---|---|
+|DownloadAttachment|A user downloaded the attachment.|The signal comes from the client (for example, Outlook or Word).|
+|Opened Attachment|A user opened the attachment.|The signal comes from the client (for example, Outlook or Word).|
+|Read Message|The user read the simulation message.|Message read signals might experience issues in the following scenarios: <ul><li>The user reported the message as phishing in Outlook without leaving the reading pane, and **Mark items as read when viewed in the Reading Pane** wasn't configured (default).</li><li>The user reported the unread message as phishing in Outlook, the message was deleted, and **Mark messages as read when deleted** wasn't configured (default).</li></ul>|
+|Out of Office|Determines whether the user is out of office.|Currently calculated by the Automatic replies setting from Outlook.|
+|Compromised User|Indicates if a user been compromised. The compromise signals can vary based on the attack type.|<ul><li>**Credential Harvest**: The user enters their credentials in the login page (credentials aren't stored by Microsoft).</li><li>**Malware Attachment**: The user opens the file and enables editing in protected view.</li><li>**Link in attachment**: The user opens the attachment, and clicks on the link.</li><li>**Link to Malware**: The user clicks on the link and enters their credentials.</li><li>**Drive by URL**: The user clicks on the link (entering credentials isn't required).</li><li>**OAuth**: The user clicks on the link and accepts to share permissions.</li></ul>|
+|Clicked Message Link|Indicates if a user clicked on the message .|The URL in the simulation is unique for each user, which allows individual user activity tracking. Third-party filtering services or email forwarding can lead to false positives. For more information, see [I see clicks or compromise events from users who insist they didn't click the link in the simulation message](attack-simulation-training-faq.md#i-see-clicks-or-compromise-events-from-users-who-insist-they-didnt-click-the-link-in-the-simulation-message).|
+|Forwarded Message|Indicates if a user forwarded on the message .||
+|Replied to Message|Indicates if an end users has replied on the message.||
+|Deleted message|Indicates if an end users has deleted the message.|The signal comes from the Outlook activity of the user. If the user reports the message as phishing, the message might be moved to the Deleted Items folder, which is identified as a deletion.|
+|Permissions granted|Indicates if a user shared permissions in an Oauth-based attack.||
+
 ## Related Links
 
 [Get started using Attack simulation training](attack-simulation-training-get-started.md)

defender-office-365/attack-simulation-training-insights.md

@@ -12,7 +12,7 @@ ms.collection:
   - tier2
 description: Admins can learn how to create and manage landing pages for simulated phishing attacks in Microsoft Defender for Office 365 Plan 2.
 search.appverid: met150
-ms.date: 6/22/2023
+ms.date: 06/14/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -122,6 +122,9 @@ In custom landing pages only, an **Edit landing page** link is available at the
 
         - **Import from library**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, select **Reset to default**.
 
+       > [!TIP]
+       > To add images, copy (CTRL+C) and paste (CTRL+V) the image into the editor on the **Text** tab. The editor automatically converts the image to Base64 as part of the HTML code.
+
      - **Code** tab: You can view and modify the HTML code directly.
 
    You can preview the results by selecting **Preview phish landing page** at the top of the page.

defender-office-365/attack-simulation-training-landing-pages.md

@@ -12,7 +12,7 @@ ms.collection:
   - tier2
 description: Admins can learn how to create and manage login pages for simulated phishing attacks in Microsoft Defender for Office 365 Plan 2.
 search.appverid: met150
-ms.date: 3/11/2024
+ms.date: 06/14/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -116,8 +116,18 @@ When you select a login page from the list by clicking anywhere in the row other
 
        - **Add Next button**: Available only on **Page 1** of two-page logins. Select this link to add the 'Next' button to the login page. The default text on the button is **Next**, but you can change it.
 
+       > [!TIP]
+       > To add images, copy (CTRL+C) and paste (CTRL+V) the image into the editor on the **Text** tab. The editor automatically converts the image to Base64 as part of the HTML code.
+
      - **Code** tab: You can view and modify the HTML code directly.
 
+       > [!TIP]
+       > To avoid sending passwords in plain text from custom login pages, avoid using the variable **name** in HTML code. Instead, use **type**, **id**, or **class**. For example:
+       >
+       > ```html
+       > <input id="input-field-loginPage" type="password" placeholder="Password">
+       > ```
+
    You can preview the results by clicking the **Preview email** button at the top of the page.
 
    When you're finished on the **Review login page** page, select **Next**.

defender-office-365/attack-simulation-training-login-pages.md

@@ -12,7 +12,7 @@ ms.collection:
   - tier2
 description: Admins can learn how to use payload automations (payload harvesting) to collect and launch automated simulations for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
 search.appverid: met150
-ms.date: 5/7/2024
+ms.date: 06/24/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -25,6 +25,8 @@ In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Offi
 
 Payload automation mimics the messages and payloads from the attack and stores them as custom payloads with identifiers in the payload name. You can then use the harvested payloads in simulations or automations to automatically launch harmless simulations to targeted users.
 
+For details about how payload automations are collected, see the [Appendix](#appendix) section at the end of this article.
+
 For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
 
 To see any existing payload automations that you created, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> and then select **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
@@ -146,6 +148,19 @@ For payload automations with the **Status** value **Ready**, select the payload
 > [!TIP]
 > To see details about other payload automations without leaving the details flyout, use :::image type="icon" source="media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
 
+## Appendix
+
+Payload automation relies on email messages that are identified as campaigns by Defender for Office 365:
+
+- Admins [marking messages as phishing](submissions-admin.md#notify-users-about-admin-submitted-messages-to-microsoft) doesn't result in payload harvesting.
+
+- Payload automation requires access to the raw payload, which can include user reported messages that meet the following criteria:
+  - The message was delivered to the Inbox (false negative).
+  - The user reported the message as phishing.
+  - The reported message was submitted to Microsoft (directly by the user or [by an admin from the Submissions portal](submissions-admin.md#submit-user-reported-messages-to-microsoft-for-analysis)), and Microsoft determined that the message was phishing.
+
+- Eligible payloads are harvested if the messages meet the criteria of the payload automation as described earlier in this article (Step 4 in [Create payload automations](#create-payload-automations)).
+
 ## Related links
 
 [Get started using Attack simulation training](attack-simulation-training-get-started.md)