API & Integrations - Microsoft Attack Simulation Integration

This article contains information on integrating Microsoft Attack Simulation data into Mimecast's Human Risk Management platform, enhancing risk analysis and mitigation by leveraging simulation insights to address human-centric cybersecurity challenges.

Overview

The integration between Microsoft Attack Simulation and Mimecast’s Human Risk Platform represents a significant advancement in organizational cybersecurity. By ingesting user interaction data from Microsoft’s simulated phishing campaigns, Mimecast’s platform can update user risk scores in real time, enabling security teams to:

  • Monitor user behavior during phishing simulations.
  • Identify high-risk users based on their actions (e.g., clicking links, submitting credentials).
  • Deploy targeted training to address specific vulnerabilities.
  • Enhance overall security posture by proactively addressing human risk factors.

This integration can be accessed from the Human Risk Command Center, which is available to all Mimecast Email Security - MX customers.

How it works

Mimecast pulls phishing simulation campaigns from /v1.0/security/attackSimulation/simulations, filtered by campaign launch date, and retrieves each user's performance from /v1.0/security/attackSimulation/simulations/{id}/report/simulationUsers. Interaction events - including email delivery, link clicks, credential submission, and phishing reports - are scored against each user's simulated phishing behavior.
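
As an added example (not Mimecast's or Microsoft's code), the Python below builds the two Graph request URLs named above and condenses a constructed simulationUsers response into per-user interactions, which helps when reviewing what data the integration reads. The field names (launchDateTime, simulationUser, simulationEvents, eventName, reportedPhishDateTime), the event-name strings and the follow-up rule are assumptions; it does not reproduce Mimecast's scoring.

```python
from urllib.parse import quote, urlencode

BASE = "https://graph.microsoft.com/v1.0/security/attackSimulation/simulations"

# Assumed eventName strings mapped to the four interaction types the article lists.
EVENT_KINDS = {
    "SuccessfullyDeliveredEmail": "delivered", "EmailLinkClicked": "link_clicked",
    "CredSupplied": "credential_submitted", "ReportedEmail": "reported",
}

def simulations_url(launched_after):
    """List-campaigns URL filtered by launch date (launchDateTime is assumed)."""
    query = {"$filter": f"launchDateTime ge {launched_after}"}
    return BASE + "?" + urlencode(query, quote_via=quote)

def users_url(simulation_id):
    """Per-user report URL for one campaign; the id is escaped as a path segment."""
    return f"{BASE}/{quote(simulation_id, safe='')}/report/simulationUsers"

def summarize(report):
    """Collapse one simulationUsers response page into {email: set of interactions}."""
    users = {}
    for row in report.get("value", []):
        user = row.get("simulationUser") or {}
        email = (user.get("email") or "unknown").lower()
        kinds = users.setdefault(email, set())
        for event in row.get("simulationEvents") or []:
            name = event.get("eventName")
            # Surface unknown event names instead of silently dropping them.
            kinds.add(EVENT_KINDS.get(name, f"unmapped:{name}"))
        if row.get("reportedPhishDateTime"):
            kinds.add("reported")
    return users

def needs_follow_up(users):
    """Users who clicked or submitted credentials and never reported the message."""
    risky = {"link_clicked", "credential_submitted"}
    return sorted(u for u, k in users.items() if k & risky and "reported" not in k)

# Constructed sample response; addresses and event names are illustrative.
SAMPLE = {"value": [
    {"simulationUser": {"email": "Alice@example.com"},
     "simulationEvents": [{"eventName": "SuccessfullyDeliveredEmail"},
                          {"eventName": "EmailLinkClicked"},
                          {"eventName": "CredSupplied"}]},
    {"simulationUser": {"email": "bob@example.com"},
     "reportedPhishDateTime": "2025-01-10T09:14:00Z",
     "simulationEvents": [{"eventName": "SuccessfullyDeliveredEmail"},
                          {"eventName": "EmailLinkClicked"}]},
    {"simulationUser": {"email": "carol@example.com"}, "simulationEvents": []},
]}
```

Calling needs_follow_up(summarize(SAMPLE)) returns only the user who submitted credentials without reporting; the user who clicked and then reported is excluded.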

Considerations

Before implementing the integration, organizations should be aware of several important factors:

  • Data Scope: Only events generated after activation are ingested. Historical data is not imported, ensuring existing user risk scores remain unaffected.
  • Accessibility: Available to all Mimecast Email Security - MX customers using the Human Risk Command Center, not limited to Mimecast Engage users.
  • Deployment Time: Configuration can be completed within minutes, but it may take up to 24 hours for new phishing-related scores to appear in the Human Risk Command Center Dashboard.
  • Regional Support: Separate Azure applications are created for different regions (e.g., US, UK, DE, AU) to comply with data residency requirements.

These considerations help ensure a smooth onboarding process and maintain data integrity.

Prerequisites

Successful deployment of the integration requires meeting specific licensing, technical, and administrative prerequisites:

  • Mimecast Licensing: Access to Mimecast Engage or the Human Risk Command Center.
  • Microsoft Licensing: This Human Risk Management (HRM) integration requires access to Attack Simulation Training, a feature of Microsoft Defender for Office Plan 2. This is included with the following licenses:
  • Technical Setup: Registration of an application in Microsoft Entra ID (Azure AD) with the AttackSimulation.Read.All permissions granted via admin consent.
  • API Access: The organization’s Microsoft tenant must be configured to allow API access for the integration.

Ensuring these prerequisites are met is essential for a seamless integration experience.

Permissions

The integration requires specific administrative roles within Mimecast and Microsoft environments to ensure secure and controlled access:

  • Mimecast
    • Global Sys Admin
    • Sys Admin - SD Full
    • Super Administrator
    • Full Administrator
    • Basic Administrator
    • Partner Administrator
    • Custom roles with Integrations Marketplace Read/Write permissions
  • Microsoft
    • Admin consent for the AttackSimulation.Read.All permissions in Microsoft Entra ID (Azure AD).

Only authorized personnel with these roles can configure, edit, or delete the integration, maintaining operational integrity and security.

Integration Configuration

The integration and configuration process is designed to be straightforward and secure. Below is a step-by-step summary:

  1. Log in to the Mimecast Administrator Console.
  2. Navigate to Integrations | Integrations Hub.

Mimecast Administration Console navigation to the Integrations Hub

  3. Click Configure New on the Microsoft Attack Simulation tile.

Microsoft Attack Simulation tile in the Integrations Hub

  4. Fill in the Details:
    • Application Name.
    • Description.

Configure Microsoft Attack Simulation integration

  5. After filling in the details, click Authorize.

Authorize Microsoft Attack Simulation integration

When starting the authorization flow for Microsoft Attack Simulation, you will be redirected to an authorization pop-up. Please complete the authorization flow to allow Mimecast to access Microsoft Attack Simulation.

  6. Log in or select the user account you wish to use.

Select a Microsoft account to use

  7. Click Accept on the Microsoft Permissions requested pop-up.

Microsoft permissions requested

  8. You will receive a pop-up message confirming the success of the integration.

Pop-up message confirming the success of the integration

  9. Once the integration is successful, refresh the page and the status will change to Connected.

Status of Microsoft Attack Simulation integration showing as Connected

  10. While in the Mimecast Administrator Console, navigate to Human Risk Command Center | Dashboard.
  11. The new integration will appear under Human Risk Behaviors as Simulated Phishing.

New integration showing on the Human Risk Command Center Dashboard

  12. Click the drop-down to expand Simulated Phishing under Human Risk Behaviors.
  13. Then, once expanded, click View Details.

View Details for Human Risk Behaviors

  14. You can view a list of Events over time, individual performance, score breakdown, and the latest events for simulated phishing.

View a list of Events over time, individual performance, score breakdown, and the latest events for simulated phishing

  15. Clicking on the Latest Events tab allows the administrator to view the Individual Risk Profile by clicking on one user under the individual list.