Test your employee’s with a fake Phishing Attack using Microsoft Office 365

Fake Phishing Email

Office 365 Phishing Test: Assess Your Employees with a Fake Attack | Leap IT

We are all aware of the cyber security issues surrounding IT, and despite all the constant chatter about this, people still fall for scams.

You can send your staff to all the cyber security courses available and share videos on YouTube, but it’s still very hard for your employees to remember them while doing their day-to-day jobs.

This is because it’s all theory-based, examples of what might happen, what you might need to look for, and what you might need to do. However, incorporating attack simulation into your training can make a significant difference.

By launching a fake phishing attack, you can provide practical, hands-on experience that helps employees recognise and respond more effectively to real threats.

Office 365 now comes with Simulated Phishing Attacks to test your Employees.

Simulated email attacks and fake phishing emails are nothing new. Companies have been offering this service for several years. However, it is only affordable for big corporations because simulations and reports come with expensive price tags (upwards of £5K).

Finally, Microsoft offers a solution for the SME market that allows you to schedule regular fake phishing emails for your employees. You can even access analytical data to see which Employees opened the email, entered their credentials, or opened the attachment.

This solution is also considerably cheaper and requires a Microsoft Defender for Office 365 Plan 2 licence at £3.80 per month on a 12-month contract!

When setting up simulations, you can use the assigned training page to select training content preferences, add training to simulations, and configure the recurrence of simulation automation.

The assign training feature allows you to assign specific training for attack simulations.

The types of phishing emails that you can send (or payloads, as Microsoft calls them) can be selected from default templates like the one below:-

This email tries to get the user to click on the password link and then takes them to a fake login page to see if they enter their email credentials. If so, this is also captured in the report.

If you want to test the accounts department, for example, you can even create custom phishing emails that look as though they have come from your suppliers. You can also select specific users or groups as target users for simulations to ensure the training is relevant.

As well as emails that try and get your login details, there are also phishing emails that pretend they have come from DropBox sharing a file like the example below:-

Detailed reports show you which users fell for the phishing email.

Someone can then review the reports to see which users opened the email and entered their credentials, highlighting those users most at risk.

After configuring the attack simulation, you can select end-user notification options, including Microsoft default notifications and customised end-user notifications, to inform users about the training.

It also offers statistics showing the percentage of compromised people within your organisation and compares this to the average percentage of users compromised by this type of email. The Microsoft default notification is recommended for delivering these notifications effectively.

Phishing attacks can be simulated to run for as long as you want, for example, over a month. During this time, users can be targeted with several different payloads, with reports on each one available. It will even show you any repeat offenders who may have fallen for more than one phishing email. Simulation automation can schedule these recurring simulations, ensuring consistent training and assessment.

All this enables you to educate your employees rather than “name and shame them.” Microsoft refers to it as positive reinforcement, and I like that term. We are all in this together!

Office 365 also sends training videos to the users who fall foul of the email.

For me, this is the real jewel in the crown of all Phishing Simulation products from Office 365, in that training videos are automatically assigned when users are caught out. The videos are specific to what type of email caught them, so they are more aware in the future. These types of emails often include malicious attachments or malware attachments disguised as harmless files like Word or Excel documents.

These videos are relatively short, at around 7 minutes or less, and Office 365 will even monitor the users and email them if they fail to watch the videos and complete the exam. The training videos help users recognise and avoid cyber-attacks, including phishing and malware attacks.

If you want any more information on this product or even some advice on how you can run it for your own Company, email us at hello@leapit.co.uk

Identifying Phishing Emails

How to Check for Phishing Emails

Phishing emails can be challenging to spot, but you can use several key indicators and methods to identify them effectively. Here are some steps to help you check for phishing emails:

Examine the Sender’s Email Address

  • Check for Unusual Email Addresses: Look closely at the Sender’s email address. Phishing emails often come from addresses that appear similar to legitimate ones but may have slight variations or misspellings.
  • Verify the Domain: Ensure that the email is from a trusted domain. For example, legitimate Microsoft emails will come from domains like “@microsoft.com.”

Look for Suspicious Subject Lines

  • Be Wary of Urgency: Phishing emails often create a sense of urgency or fear, with subject lines like “Immediate Action Required” or “Account Suspended.”
  • Check for Unusual Requests: Subject lines that contain unusual or unexpected requests, such as asking for personal information, are red flags.

Inspect the Email Content

  • Check for Spelling and Grammar Errors: Phishing emails frequently contain poor spelling and grammar, which is uncommon in legitimate business communications.
  • Look for Mismatched Branding: Authentic emails from companies will use consistent branding. Look for inconsistencies in logos, colours, and fonts.

Hover Over Links Without Clicking

  • Check the URL: Hover over any links in the email to see the actual URL. Phishing emails may have links that appear to be legitimate but lead to suspicious websites.
  • Verify Secure Connections: Ensure the URL begins with “https://”, indicating a secure connection. However, be aware that some phishing sites also use SSL certificates.

Beware of Attachments

  • Avoid Opening Unknown Attachments: Phishing emails may contain a malicious attachment. Only open attachments from known, trusted sources.
  • Scan for Malware: Use your antivirus software to scan attachments before opening them.

Confirm Through Another Channel

  • Contact the Sender Directly: If you receive a suspicious email from a known contact or Company, contact them through a different communication method to verify the email’s authenticity.
  • Do Not Use Provided Contact Information: Avoid using phone numbers or email addresses provided in the suspicious email for verification.

Utilise Office 365 Security Features

  • Use Microsoft 365 Defender: Microsoft 365 Defender can help detect and flag potential phishing emails. Ensure this feature is enabled and configured.
  • Report Suspicious Emails: Use Outlook 365’s phishing report feature to report suspected phishing emails to Microsoft for further analysis.

Following these steps, you can effectively identify phishing emails and protect yourself from scams and security threats. Always stay vigilant and double-check any suspicious emails.

Recognising Genuine Emails from Microsoft

Identifying authentic emails from Microsoft is crucial to avoid phishing scams. Here are some key points to help you recognise genuine emails from Microsoft:

1) Verify the Sender’s Email Address

  • Trusted Domains: Genuine Microsoft emails will always come from official Microsoft domains such as “@microsoft.com” or “@office365.com.” Be cautious of slight misspellings or variations in the domain name.
  • Check the Full Email Address: Look at the full email address, not just the display name. Phishing emails might use a display name like “Microsoft Support” but have a suspicious email address.

2) Consistent Branding and Design

  • Professional Appearance: Legitimate Microsoft emails will have a professional and consistent appearance, including using Microsoft’s official logo, fonts, and colour schemes.
  • High-Quality Images: Check for high-quality, correctly formatted images. Poor image quality or distorted logos are often signs of phishing attempts.

3) Personalisation and Context

  • Personalised Information: Genuine emails from Microsoft often include personalised information, such as your name or account details. Be wary of generic greetings like “Dear Customer.”
  • Relevant Content: The content of the email should apply to your interactions with Microsoft services. If you receive an email about a product or service you don’t use, it could be a phishing attempt.

4) Links and URLs

  • Hover Over Links: Before clicking any link in the email, hover over it to see the URL. Genuine Microsoft links will direct you to official Microsoft websites, such as “microsoft.com” or “office.com.”
  • Secure Connections: Ensure that any links you intend to follow start with “https://” indicating a secure connection. However, remember that some phishing sites also use SSL certificates, so this alone is not guaranteed.

5) Verify Contact Information

  • Official Contact Methods: Genuine Microsoft emails will provide official contact information. Cross-check any provided phone numbers or email addresses with those listed on Microsoft’s official website.
  • Avoid Embedded Contact Info: Be cautious if the email asks you to contact support using information embedded in the message. Instead, use contact details from Microsoft’s website.

6) Common Themes in Phishing Emails

  • Urgency and Fear: Phishing emails often try to create a sense of urgency or fear, prompting you to act quickly. Genuine Microsoft emails are less likely to use such tactics.
  • Unexpected Attachments: Be cautious of unforeseen attachments, especially if the email claims to be from Microsoft. Verify the necessity and legitimacy of any attachments before opening them.
  • Malware Attachment: Attackers often send emails with malware attachments disguised as harmless files like Word or Excel documents. These attachments contain malicious code that can harm your computer when opened.

7) Utilise Office 365 Security Features

  • Phishing Detection Tools: Use Office 365’s built-in security features, such as Microsoft 365 Defender, to help detect and flag suspicious emails.
  • Report Suspicious Emails: If you suspect an email might be a phishing attempt, use Outlook 365’s phishing report feature to notify Microsoft.

By paying attention to these details, you can better differentiate between genuine emails from Microsoft and potential phishing attempts, ensuring the protection of your personal information and security.

Checking and Reporting Phishing Emails

Steps to Verify and Report Phishing Emails

1) Verify the Email

  • Check the Sender: Confirm the Sender’s email address is from a trusted domain.
  • Inspect Links: Hover over links without clicking to check the URL for legitimacy.
  • Look for Red Flags: Be cautious of urgent requests, spelling errors, and generic greetings.

2) Report the Email

  • Use the Phishing Button: In Outlook 365, click the “Report Phishing” button to flag the email.
  • Forward to Microsoft: If the button is unavailable, forward the email to Microsoft’s phishing report address (phish@office365.microsoft.com).
  • Notify Your IT Department: Inform your IT department or security team about the suspicious email for further investigation.

By quickly verifying and reporting phishing emails, you can help protect your organisation and prevent potential security breaches.

ManagingManaging Spam and Phishing Protection

Checking and Managing Spam in Office 365

  1. Access the Spam Folder:
    • In Outlook 365, navigate to the “Junk Email” folder to review potential spam messages.
  2. Review and Manage Emails:
    • Regularly check this folder to ensure legitimate emails aren’t being misclassified.
    • Mark any legitimate emails as “Not Junk” to train the filter.

Configuring Spam and Phishing Filters

  1. Access Admin Center:
    • Log in to the Office 365 Admin Center and go to the “Security & Compliance” section.
  2. Set Up Filters:
    • Configure spam and phishing settings under “Threat management”> “Policy”> “Anti-spam” and “Anti-phishing.”
  3. Adjust Sensitivity:
    • Fine-tune the sensitivity levels for spam and phishing detection to balance protection and email accessibility.
  4. Whitelist Trusted Senders:
    • Add known safe domains and email addresses to the whitelist to prevent them from being marked as spam.

By regularly managing spam and phishing settings, you can maintain a more secure and efficient email environment in Office 365. Advanced Phishing and Security Features


Ensuring the security of your email environment in Office 365 is crucial to protecting sensitive information and maintaining productivity. By effectively identifying phishing emails, using tools like the phishing button in Outlook 365, and configuring spam and phishing filters, you can significantly reduce the risk of falling victim to phishing attacks. Regularly reviewing and managing your spam settings further enhances your email security.

By staying vigilant and proactive, you can create a safer and more secure email experience for yourself and your organisation. Implement these best practices and continuously educate yourself on the evolving tactics of cyber threats to avoid potential risks.

“It is a common belief that confidence is directly linked to competence.”

Attack simulation training, however, allows your employees to apply the theory they have learned to real-life scenarios. Simulation training will allow them to gain experience and, in turn, give them confidence to manage similar real-life scenarios. It is a common belief that confidence is directly linked to competence.

“Did you know a pilot will do a month of simulation flying before even stepping on an aircraft?”

You only need to look at the aviation industry to see how flight simulators work to train pilots. Did you know a pilot will do a month of simulation flying before stepping on an aircraft?

This site uses cookies to offer you a better browsing experience. By browsing this website, you agree to our use of cookies.