Teams Real Simple with Pictures: Launching an Attack Simulation in Teams with Collaborative Security

This blog is part of a series on Teams. For more articles, check back often

Written: 21/05/2023 | Updated: N/A

It’s done. Vuzion is now Infinigate Cloud. And from my own practice perspective the Teams, and the SharePoint Sites have been rebuilt. The lists, and the flows, and the loops, and the Power BI reports. And all has been migrated. There has been legal to do. There has been some architectural to do. There has – truly – been an obscene amount of DevOps tasks. And there has been burndowns the like of which could very much be considered ones for the ages. But it’s done. And I never intended to go six weeks off of the blog, but neither did I anticipate having to practically suspend my community and MVP inputs whilst I had to focus and hone in on what needed to be done on the business end. Now, I am very much looking forward to the next few years at Infinigate Cloud. In the immediate future whilst I am holidaying out on the Isle of Wight with the family, I am looking forward to simply writing this blog. It’s going to be about launching attack simulations within Microsoft Teams which is part of the new Collaborative Security functionalities announced at Secure and which is currently in preview. This’ll need Microsoft Defender for Office 365 Plan 2, of which Attack Simulation Training (AST) is a part, and whilst I’ll only run through a straightforward credential harvest, I hope that it will whet the appetite enough for you to go on and test it and explore more. One note right off the bat – in the context of Teams messages are defined strictly as private 1:1 chat messages. No group chat. No channels. No guests. For now.

So let’s get back on it.

This blog will cover:

  • Enabling Preview
  • Assigning the RBAC role in Azure AD
  • Configuring the User Account to Attack
  • Configuring the Payload
  • Running the Sim
  • FAQ

Note this blog will have abridged steps which will assume some experience with Teams and a Microsoft 365 environment.

Prerequisites

  • Microsoft Defender for Office 365 Plan 2, or a Microsoft 365 licence which includes it (E5)
  • Attack Simulation Administrator, Security Administrator or Global Administrator

ENABLING PREVIEW
At the time of writing this functionality is currently in preview. This initial step of enabling via PowerShell should not be needed in the future

1.) Run Windows PowerShell As Administrator and connect to Exchange online with 

Connect-ExchangeOnline

2.) Run the following command

Set-TeamsSecurityPreview -Enable $true

3.) You can check this by running the following command

Get-TeamsSecurityPreview

Note, this could take several days before the functionality displays in the tenant

ASSIGNING THE RBAC ROLE IN AZURE AD
Let’s start with assigning the RBAC role to the User Account. Note, in this example this will be an administrative account and will also be the attacker in the simulation.

1.) Login to https://login.microsoftonline.com with the admin credentials

2.) Select Admin from the left app rail, or the waffle

3.) In the Microsoft 365 admin portal, select Show All from the left navigation and then select Azure Active Directory

4.) In the Microsoft Entra portal under Azure Active Directory select Users then All Users

5.) Select the User to apply the RBAC role to

6.) Select Assigned Roles

7.) Select Add Assignments and assign either the Attack Simulation Administrator, Security Administrator or the Global Administrator to the user. If you have PIM in play ensure it is a permanently assigned Active role

8.) The user is now configured and ready to go

CONFIGURING THE USER ACCOUNT TO ATTACK
Now that the role is configured on the user, we need to access Attack Simulation Training (AST) and configure it to be used with Teams. This is not configured out of the box

1.) Return to the Microsoft 365 Admin Portal and select Security from the left navigation

2.) In the Microsoft 365 Defender Portal under Email and Collaboration select Attack Simulation Training

3.) Select the tab Settings

4.) Under Teams Simulation Configuration select Manage User Accounts

5.) Select Generate Token. Note the message below states that if another account is to be permitted to attack users it needs to log into ‘this page’ meaning it must have an Azure AD RBAC role.

6.) Select I Agree on the Generate Token prompt. This process will log you back in.

7.) The user account is now configured to attack and Attack Simulation Training is now ready to be used with Teams

8.) One final action is needed here to ensure everything is set up. This should be on by default but needs to be double checked. In the Microsoft 365 Defender Portal under Settings select User reported settings and ensure that Microsoft Teams is Enabled

CONFIGURING THE PAYLOAD
Now that RBAC has been assigned and AST has been configured to work with Teams – since a user account has been configured to attack users and user reporting for Teams is on, it is nearly time to launch the sim. However, before this I am going to create the payload which will be the message containing the phishing link which tries to harvest users credentials in Teams. Note, that unlike email Teams does not have any templated payloads so something has to be created.

1.) On the AST page select the tab Content Library

2.) Under Payloads then Tenant Payloads select Create a Payload

3.) Select Teams then Next

4.) Select the Technique and then Next. This example will use a Credential Harvest

5.) Give the Payload a Name and Description and select Next

6.) Now is the creative part. You will need to think up of a fictitious scenario that will make the user fall for their attack. In this case as a credential harvest I need to have the user provide their login credentials. The cover story is that we are building a new SharePoint sandbox and to login and verify the site. As it is in Teams, this needs to sound relatively informal and not to overblown.

After creating the name and description of the payload, the next page will be building it, this will be the message in teams along with the phishing link that is added to the message. Microsoft provide a list of URL’s to use.

Once done, select Next

7.) Add Indicators if required and select Next

8.) Review the Payload and select Submit

9.) The payload is now created and ready to go

RUNNING THE SIM
All good. The RBAC role was added to the user. AST was configured to use Teams with the user account, and the payload has been deployed. Now it’s time to create the simulation and attack a user to finish off this blog

1.) On the AST page select the tab Simulations

2.) Select Launch a Simulation

3.) Select Microsoft Teams and then Next

4.) Select Credential Harvest and then Next

5.) Add a Name and Description (this example uses TMSSIM1) and select the configured User Account and then Next

6.) Select The Created Payload and then Next

7.) Add users to attack. This could be all users or specific users in the org. Once done select Next

8.) Add Exclusions and select Next. This example excludes the booking calendar as that is not a person within the organisation

9.) Assign Training if required. This could be Microsoft training, or Custom training or even No training ( which is shown here). Once done select Next

10.) Select a Phish Landing Page. This is a page that the attacked user will land on should they have their credentials successfully harvested. There are options to use Microsoft’s landing pages, or a custom URL. Once done, select Next

11.) Set whether Notifications are to go out and select Next

12.) Finally, set the launch details for when the simulation will go out, and select Next

13.) Review the simulation and then select Submit

14.) Simulation has been launched. This will initially show as scheduled within the AST page

15.) Now let’s log in as a user which is being attacked – Adam Deltinger. The message has shown up

16.) Clicking on the link takes us to what looks like a Microsoft 365 login page

17.) Adam enters his credentials and Boom. He’s been Phished

FAQ
This was an enjoyable introduction to Attack Simulation Training with Teams. There is more fun to be had, more payloads to create and more sims to launch. this is has the ability to be a useful tool for hardening security posture as well as educating users.

Q.) Can this be used with Teams?
A.) It doesn’t look like it at the time of writing. It only appears to do 1:1 private chat messages to users within your own tenant. Groups can be configured on the sim itself but it doesn’t go to the shared mailbox underlying the team (and therefore doesn’t show in the team), only to users who are a part of that group. It also does not support private group chat at the current time.

Q.) Can this be used with Guests?
A.) No, it is explicit about that when choosing users

Q.) How do you get the Microsoft login page as shown within this blog?
A.) I spent a while working this out, that looks to be defined by the brand. Choose Microsoft.