diff --git a/defender-office-365/attack-simulation-training-insights.md b/defender-office-365/attack-simulation-training-insights.md
index 88f45b6736..e04fcffd46 100644
--- a/defender-office-365/attack-simulation-training-insights.md
+++ b/defender-office-365/attack-simulation-training-insights.md
@@ -459,7 +459,7 @@ How user activity signals are captured is described in the following table.
|Opened Attachment|A user opened the attachment.|The signal comes from the client (for example, Outlook or Word).|
|Read Message|The user read the simulation message.|Message read signals might experience issues in the following scenarios:
- The user reported the message as phishing in Outlook without leaving the reading pane, and **Mark items as read when viewed in the Reading Pane** wasn't configured (default).
- The user reported the unread message as phishing in Outlook, the message was deleted, and **Mark messages as read when deleted** wasn't configured (default).
|
|Out of Office|Determines whether the user is out of office.|Currently calculated by the Automatic replies setting from Outlook.|
-|Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|- **Credential Harvest**: The user entered their credentials on the login page (credentials aren't stored by Microsoft).¹
- **Malware Attachment**: The user opened the payload attachment and selected **Enable Editing** in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653).
- **Link in Attachment**: The user opened the attachment and clicked on the payload link.
- **Link to Malware**: The user clicked on the payload link and entered their credentials.
- **Drive by URL**: The user clicked on the payload link (entering credentials isn't required).¹
- **OAuth Consent Grant**: The user clicked on the payload link and accepted the prompt to share permissions.¹
|
+|Compromised User|The user was compromised. The compromise signal varies based on the social engineering technique.|- **Credential Harvest**: The user entered their credentials on the login page (credentials aren't stored by Microsoft).¹
- **Malware Attachment**: The user opened the payload attachment and selected **Enable Editing** in [Protected View](https://support.microsoft.com/office/d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653).
- **Link in Attachment**: The user opened the attachment and entered their credentials after clicking on the payload link.
- **Link to Malware**: The user clicked on the payload link and entered their credentials.
- **Drive by URL**: The user clicked on the payload link (entering credentials isn't required).¹
- **OAuth Consent Grant**: The user clicked on the payload link and accepted the prompt to share permissions.¹
|
|Clicked Message Link|The user clicked on the payload link in the simulation message.|The URL in the simulation is unique for each user, which allows individual user activity tracking. Third-party filtering services or email forwarding can lead to false positives. For more information, see [I see clicks or compromise events from users who insist they didn't click the link in the simulation message](attack-simulation-training-faq.md#i-see-clicks-or-compromise-events-from-users-who-insist-they-didnt-click-the-link-in-the-simulation-message).|
|Forwarded Message|The user forwarded the message.||
|Replied to Message|The user replied to the message.||
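Review bot: In the changed **Link in Attachment** bullet, the compromise condition moves from clicking the payload link to entering credentials, but the table does not say what is recorded for a user who opens the attachment and clicks the link without entering credentials. The **Clicked Message Link** row only covers "the payload link in the simulation message", so readers comparing reports before and after this change cannot tell where those users are counted. Please add a sentence covering that case. For parallelism with the neighbouring bullets, consider ordering the steps as they happen: "The user opened the attachment, clicked on the payload link, and entered their credentials." Since this bullet now involves credential entry, it should also say whether the "(credentials aren't stored by Microsoft)" statement from the **Credential Harvest** bullet applies here.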