Attack simulation training is a security program that sends employees realistic, simulated phishing attacks, then teaches them to recognize and report the real thing. Done well, it turns each simulation into a teachable moment that measurably lowers click rates and builds reporting habits. This guide explains how it works, compares Hoxhunt with Microsoft Defender for Office 365, and shows the results security teams can expect.
3.4 billion malicious emails are sent every day.
And Verizon’s 2025 Data Breach Investigations Report found that 60% of breaches involve the human element (Verizon DBIR, 2025).
Weighing up whether or not to use Microsoft Defender for Office 365 for your attack simulation training?
Below, we'll cover all the information you need to make an informed decision - the mechanics of phishing simulations, realistic results you can expect to achieve and how to get maximum value whichever solution you choose.
What is attack simulation training?
Attack simulation training is a cybersecurity strategy that mimics phishing attacks to teach employees how to recognize and respond to cyber threats.
By simulating real-world attacks, organizations can measure employees' susceptibility to phishing, provide targeted education, and enhance their overall security posture.
Why do security teams use this kind of training?
Phishing attacks will usually target either your organization as a whole, or specific individuals (often C-level executives, directors, or managers).
Attackers will find and gather information on social media to create personalized phishing attacks.
And whilst some attackers are amateurs using more primitive methods, others are experts who will use sophisticated tactics to access your organization's sensitive information.
That sophistication is accelerating fast: Hoxhunt’s 2026 data shows AI-generated phishing surged roughly 14× at the end of 2025, jumping from under 5% to 56% of detected attacks in a single month (Hoxhunt Phishing Trends Report 2026). That matters for clone phishing specifically, because AI is what now lets attackers reproduce a legitimate email so convincingly that the cloned copy is almost impossible to tell from the original.
The gap between compliance-style training and behavior change is stark: quarterly security awareness training produces roughly a 10% reporting rate, while reporting above 20% is the mark of a behavior-change program and a mature security culture (Hoxhunt Phishing Trends Report 2026).
Sustained programs bend that curve: across the Hoxhunt training curve, the simulation failure rate falls threefold, from 20% at onboarding to 3.4% after a year (Hoxhunt Phishing Trends Report 2026).
You need simulations to create lasting behavior change
The data is clear: raising awareness alone just isn't effective.
This is why organizations use training campaigns that actually simulate malicious emails - so that employees get frequent practice dealing with realistic threats.
If you already have compliance-based training in place, you'll need to take this a step further to build a strong human firewall that can actually prevent and mitigate the impact of potential threats.
To change employee behavior in any measurable way, continuous practical training is needed.
No matter what filters you have in place, there will always be advanced email threats that manage to make their way to your employees' inboxes.
And without regular simulations and practice, employees won’t have the skills or confidence to catch them.
By simulating real threats in a controlled environment, you can give employees a feel for what different types of attacks look like in the wild... and start forming positive habits.
These habits aren't built overnight though.
So, at Hoxhunt we aim to send users at least 36 simulations a year (one every 10 days).
How does Microsoft's attack simulation training work?
- Create template: Design and validate the phishing template, ensuring all HTML formatting is correct.
- Technical test: Check that links work across all browsers (IE, Firefox, Chrome, Edge).
- First pilot test: Send the simulation to a small test group (up to 5 users) to verify functionality.
- Landing page: Develop and review an English version of the landing page with the corporate communications team.
- Translate page: Localize the landing page into all necessary languages.
- Standard response: Using Microsoft Power Apps, create automated replies for users who report phishing successfully.
- Second pilot test: Resend the simulation to the test group, confirming every element works correctly.
- Group recipients: Create Office 365 sub-groups of up to 500 users, as Microsoft limits simulations per group.
- Notify service desk and IT: Communicate launch details to support teams for any user inquiries.
- Launch campaign: Initiate the phishing campaign for all employees.
- Collect feedback: Gather recipient feedback and Net Promoter Score (NPS).
- Monitor and report: Track results for one week and report findings.
- Review feedback: Analyze employee responses to improve future simulations.
- Retrospective: Document lessons learned and insights from the campaign.

Drawbacks of using Microsoft Defender for attack simulation training
- Limited scenario variety: While it includes basic phishing simulations, Defender lacks advanced, evolving threats like vishing, whaling, or clone phishing, which are essential for thorough employee training.
- Customization constraints: Defender’s templates offer limited customization options, which can lead to repetitive training experiences and may not cover specific threats tailored to different organizational roles.
- Complex setup and management: Many users report a steeper learning curve and setup complexity, which can demand additional IT resources, especially outside the Office 365 ecosystem.
- Standardized automation: While Defender offers automation for campaigns, it lacks adaptive learning. This means scenarios won't dynamically adjust to employee performance levels.
- Basic reporting: Defender provides email reporting, but it may require significant manual effort to interpret insights.
Hoxhunt vs Microsoft Defender for Office 365
*All insights below are based on real customer reviews.
Ease of use
Hoxhunt
- Easy, intuitive interface accessible to all employee skill levels
- Minimal technical setup and IT support required
- Strong customer support for troubleshooting and setup assistance
- Designed for scalability, making it suitable for companies of varying sizes
Microsoft
- Works well within Office 365 environment but setup can be complex for new users
- Requires technical expertise for optimal configuration
- Interface may be less intuitive for users unfamiliar with Defender’s ecosystem
- Initial learning curve for non-technical staff may slow implementation
Variety of simulations
Hoxhunt
- Extensive range of phishing scenarios, regularly updated to reflect current trends
- Scenario diversity helps reduce simulation fatigue and maintain employee engagement
- Tiered simulations cater to employees with different skill levels, from beginner to advanced
- Realistic, personalized simulations that mimic real-life attack tactics
Microsoft
- Offers a solid range of basic and intermediate phishing templates
- Limited scenario customization options and less frequent updates compared to Hoxhunt
- Templates address a broad range of industries but may lack specificity for highly targeted sectors
- Simulation variety might not fully represent the latest attack vectors
Automation
Hoxhunt
- AI-driven automation tailors simulation difficulty, frequency, and timing to individual user performance
- Automated follow-ups and reminders increase engagement without manual intervention
- Allows administrators to focus on strategy instead of manually managing the tool
- Adaptive learning technology personalizes experience without heavy administrative load
Microsoft
- Basic automation features enable scheduling and template selection
- Requires some configuration, with limited template adaptability
- Automation is effective but lacks the advanced, personalized approach of Hoxhunt
- Can become repetitive without adaptive learning, potentially lowering engagement over time
Realism of simulations
Hoxhunt
- Scenarios closely resemble real-world phishing tactics, including complex, high-stakes simulations
- Designed to be challenging, prompting users to critically analyze each email
- Uses realistic design elements (e.g., branding, grammar, etc.) to enhance credibility
- Frequently updated with real-world cases to maintain relevance
Microsoft
- Effective realism but sometimes lacks the depth and engagement of Hoxhunt’s simulations
- Templates are realistic but may not keep up with emerging attack styles as rapidly
- Design is credible but may lack the creative variety found in competitor tools
- Suited for general phishing scenarios but could be less challenging for advanced users
Reporting
Hoxhunt
- Comprehensive, detailed insights into user performance and simulation success rates
- Data visualization tools make it easy to interpret trends at a glance
- Tracks user behavior improvements over time, providing actionable feedback
- Exportable reports that allow for further analysis and team-wide reviews
Microsoft
- Integrated email reporting with Office 365, offering a centralized view of user performance
- Requires technical understanding to interpret data thoroughly
- Excellent integration with Microsoft environment, simplifying management for Office 365 administrators
- Lacks advanced, visualized insights compared to Hoxhunt, which may limit strategic analysis
Personalization & adaptive learning paths
Hoxhunt
- Uses AI to adjust phishing simulations to each user’s skill level and improvement rate
- Adaptive learning paths ensure simulations remain engaging and appropriately challenging
- Personalization fosters a sense of relevance, with scenarios suited to employee roles
- Allows customized learning paths for employees based on their progress
Microsoft
- Some customization available for user groups or specific departments
- Lacks fully adaptive learning, resulting in less tailored employee training
- Templates can be assigned to groups but don’t adjust dynamically based on individual progress
- Personalization requires manual input and lacks automated adaptive responses
| | Hoxhunt | Microsoft Defender for Office 365 |
|---|---|---|
| Personalized Learning | AI-driven, adapts simulations to individual skill levels for targeted training | Limited customization, lacks adaptive learning |
| Variety and Engagement | Frequently updated, varied simulations to mimic real-world attacks | Standardized templates, effective but less frequently updated |
| Behavioral Insights | Detailed insights on employee vulnerabilities, strong reporting tools | Good reporting within Office 365, but may require advanced knowledge to interpret |
| Integration | Works independently of other platforms, good for diverse environments, integrates with Outlook and Gmail | Integrates tightly within the Microsoft 365 ecosystem, suited for centralized environments |
| Automation | Automated reminders and adaptive simulation schedules | Standard automation with manual setup options |
| Ideal Use Cases | Organizations seeking highly adaptive, engaging, and personalized training | Microsoft-based organizations seeking a centralized, scalable solution |
What is adaptive phishing training? Why use this approach?
Adaptive phishing training is a dynamic approach that tailors training content based on an individual’s performance and behavior during simulations (this is how Hoxhunt works).
Instead of providing the same training to all users, adaptive phishing training adjusts the difficulty, frequency, and type of simulations based on how employees respond to previous attempts.
Employees can either be your greatest strength or your greatest weakness when it comes to cybersecurity...
And employees who aren't confident or motivated enough to spot and report attacks pose a significant risk to your organization.
So, if an employee is struggling to catch simulations, an adaptive phishing attack simulation tool will send them easier attacks to build up their skills.
Once they're consistently spotting attack simulations, you can then slowly increase the difficulty level.
This personalized approach helps address specific vulnerabilities within your organization by making sure every employee is receiving training relevant to their job role, location and skill level.
Does this approach produce results?
Well, here's how an adaptive training approach can impact outcomes 👇

Why make the switch to Hoxhunt?
If you are still weighing options, our guide to the best phishing simulation tools compares the wider market, and why most phishing simulations fail to reflect real attacks explains why simulation realism is the factor that decides whether training changes behavior.
To measurably reduce human risk levels, your phishing training must focus on behavior change.
But how do you get employees to absorb learning materials?
And how can you actually engage them with practical simulations?
Hoxhunt training simulates real phishing attacks and delivers interactive, bite-sized trainings that employees genuinely enjoy.
And companies that contain breaches in less than 30 days save more than $1 million compared to those that take more than 30 days.
Hoxhunt uses continuous engagement to increase reporting rates to 60-75% and bring failure rates down to a sustained 2%.
Here are some of the outcomes you can expect from using Hoxhunt's award-winning phishing simulation training:
- 20x lower failure rates
- 90%+ engagement rates
- 75%+ detect rates

What kind of attacks can you simulate using Hoxhunt?
Spear phishing
- How it works: Targeted attacks personalized based on recipient roles.
- Hoxhunt simulation: Offers custom role-based scenarios, replicating real-world spear phishing attempts with personalized URLs and fake login pages.
Whaling
- How it works: Whaling phishing targets executives with messages that appear as communication from trusted colleagues or partners.
- Hoxhunt simulation: Tailored for executives, with credible-looking simulated phishing emails and landing pages to replicate requests for financial or sensitive information.
Vishing (Voice Phishing)
- How it works: Attackers impersonate IT or executives in voice calls to extract sensitive information.
- Hoxhunt simulation: Includes simulated deepfake attacks with voice prompts to make vishing training realistic and engaging.
Smishing (SMS Phishing)
- How it works: Text messages sent to targets with phishing links or requests for information.
- Hoxhunt simulation: Delivers smishing scenarios, training users to recognize suspicious simulated phishing messages.
Clone phishing
- How it works: Clone phishing replicates legitimate emails, replacing links or attachments with malicious content.
- Hoxhunt simulation: Enables cloning of familiar emails with slight modifications, testing employees on attention to detail and recognition of subtle differences.
Pop-up phishing
- How it works: Fake website pop-ups mimic security alerts or notifications.
- Hoxhunt simulation: Simulates realistic pop-ups while browsing to train employees on recognizing fake prompts versus legitimate site notifications.
Credential harvesting
- How it works: Credential harvesting directs users to fake login pages designed to capture credentials.
- Hoxhunt simulation: Simulates realistic login pages, educating users on identifying and avoiding credential phishing attempts.
Invoice fraud
- How it works: Invoice fraud attacks impersonate vendors or clients, sending fraudulent invoices for payment.
- Hoxhunt simulation: Provides invoice fraud scenarios that mimic legitimate invoices, training employees on how to verify and handle suspicious payment requests.

How to maximize the impact of your training campaigns
Use a wide variety of simulations
You can use simulations to test employees on different types of actual threats.
If you run into issues with employees downloading malicious attachments, you can send out simulated phishing attacks with attachments.
Or if they're clicking malicious links you can add a URL to the vector.
We'd generally recommend combining different types of attacks to test every possible scenario.
Continuously practice simulations
Practice makes perfect...
Which is why the frequency of simulations matters.
The more practice employees have, the better they will be able to spot suspicious email content.
Yearly or quarterly tests aren’t sufficient to tangibly change employee behavior. According to our own data here at Hoxhunt, running tests at least a few times a month is the most effective.
Give constructive feedback to employees
However employees perform, you need to provide them with feedback (be sure to let them know it was a simulation).
Strong security cultures aren't built on punishment and criticism.
Always use positive reinforcement and reward systems in your feedback if you want to increase the overall motivation and engagement of employees.
Beware of missed simulations
When companies first begin with Hoxhunt, they'll usually have a failure rate of 25%, a success rate of 4%, and the rest are missed.
Which is a pretty significant unknown when it comes to phishing risks.
Neglected phishing simulations are the single biggest unknown in human risk.
A missed phishing simulation is not a good thing.
And although most traditional failure-focused training programs frame this as a positive, our data tells us that high miss rates predict higher risk of a breach.
Failure rate doesn't tell you anything about your unknown risk (your employees' ability to spot and respond to a phishing attack).
So, we'd strongly recommend that you track these metrics too:
- Miss rate: The phishing simulations that employees neglect, for whatever reason.
- Success rate: The simulated attacks that are correctly reported.
- Real threat reporting: The number of real phishing attacks per user that get reported.
- Engagement rate: The proportion of the organization who are enrolled and participating.
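One way to compute these rates from a simulation results export, as an added example rather than Hoxhunt's or Microsoft's own code. The row format, event names, roster, and the rules that a click followed by a report still counts as a failure and that any non-missed outcome makes a user "participating" are all assumptions; real threat reporting is left out because it needs mailbox report data rather than simulation data.

```python
from collections import Counter, defaultdict

# Constructed sample export, one row per (user, simulation). The field names
# and event vocabulary are assumptions for this example, not a vendor schema.
SAMPLE_RESULTS = [
    {"user": "alice", "sim": "s1", "events": ["delivered", "reported"]},
    {"user": "alice", "sim": "s2", "events": ["delivered", "clicked", "reported"]},
    {"user": "bob",   "sim": "s1", "events": ["delivered"]},
    {"user": "bob",   "sim": "s2", "events": ["delivered"]},
    {"user": "carol", "sim": "s1", "events": ["delivered", "clicked"]},
    {"user": "carol", "sim": "s2", "events": ["delivered", "reported"]},
    {"user": "dave",  "sim": "s1", "events": ["delivered"]},
    {"user": "dave",  "sim": "s2", "events": ["delivered", "reported"]},
    {"user": "erin",  "sim": "s1", "events": ["delivered"]},
    {"user": "erin",  "sim": "s2", "events": ["delivered"]},
    {"user": "erin",  "sim": "s3", "events": []},  # bounced, never delivered
]
ENROLLED = {"alice", "bob", "carol", "dave", "erin"}  # constructed roster

FAIL_EVENTS = {"clicked", "attachment_opened", "credentials_submitted"}


def classify(events):
    """Return 'failed', 'success', 'missed', or None if never delivered."""
    seen = set(events)
    if "delivered" not in seen:
        return None  # a bounce is not a miss; keep it out of every rate
    if seen & FAIL_EVENTS:
        return "failed"  # assumption: click-then-report still counts as a failure
    if "reported" in seen:
        return "success"
    return "missed"


def campaign_metrics(results, enrolled):
    """Compute failure, success, miss and engagement rates plus silent users."""
    outcomes = Counter()
    per_user = defaultdict(set)
    for row in results:
        outcome = classify(row["events"])
        if outcome is None:
            continue
        outcomes[outcome] += 1
        per_user[row["user"]].add(outcome)
    delivered = sum(outcomes.values())
    if delivered == 0 or not enrolled:
        raise ValueError("no delivered simulations or empty roster")
    # Assumption: a user is "participating" once they have any non-missed outcome.
    participating = {u for u, o in per_user.items() if o - {"missed"}} & enrolled
    return {
        "failure_rate": outcomes["failed"] / delivered,
        "success_rate": outcomes["success"] / delivered,
        "miss_rate": outcomes["missed"] / delivered,
        "engagement_rate": len(participating) / len(enrolled),
        # Enrolled users with no signal at all: the unmeasured part of the risk.
        "silent_users": sorted(enrolled - participating),
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_RESULTS, ENROLLED).items():
        print(name, value)
```

On the sample data the failure rate alone (20%) looks like the compliance baseline, while the miss rate and the silent-user list show that half the deliveries and two of five users produced no signal at all.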
Results you can expect from using attack simulation campaigns
Improve employee awareness and behavior
Attack simulation training raises employee awareness of phishing threats.
Over a sustained program, the share of employees who report a genuine phishing threat climbs from 13% to 71% across the training curve, with half reporting a real threat by six months (Hoxhunt Phishing Trends Report 2026).
Reduce the effectiveness of real-life phishing attacks
Phishing simulation training will reduce the risk of successful phishing attacks by identifying and addressing vulnerabilities in employee behavior.
Attackers are also moving beyond the inbox: the Hoxhunt Phishing Trends Report 2026 found that malicious calendar (.ics) invites fail at a 24% rate, about four times the norm, which is why modern attack simulation training has to cover more than email.
Research by the Aberdeen Group found that companies with attack simulation training in place experience a 50% decrease in successful phishing attacks (Aberdeen Group, 2023).
Strengthen your security culture
Effective training will build a culture of security awareness within your organization, where employees become active participants in defending against cyber threats.
Recency matters as much as culture: users trained within the last 30 days report phishing at about 21%, against a 5% base rate, a fourfold relative increase (Verizon Data Breach Investigations Report, 2025, cited in the Hoxhunt Phishing Trends Report 2026).
Stay compliant
Phishing simulation training helps organizations meet compliance requirements for security standards and regulations, such as GDPR and HIPAA.
Compliance-only training tends to stall at a standard baseline of roughly 10% success, 20% failure, and 70% miss rates, which is why regulators increasingly expect evidence of behavior change rather than course completion (Hoxhunt Phishing Trends Report 2026).
Current results: attack simulation at scale
Recent customers show what this looks like in production. In the US, Copart ran 202,992 completed phishing simulations across 963 unique variants and doubled its reporting rate from 24% to over 50%. In Europe, engineering consultancy Ramboll completed more than 100,000 simulations across 17,000 employees in 35 countries. The Avanade results below remain a useful Fortune 500 reference for the operational impact of automated response.
Hoxhunt case study: Avanade
Avanade is a global professional services company providing IT consulting and services focused on the Microsoft platform.
Industry: IT consulting
Headquarters: Seattle, WA and London, UK
Number of employees: 50,000+
The Challenge
Legacy security awareness training services were overly manual, did not integrate optimally with the Microsoft environment, and were not sufficiently lowering human risk.
The Results
- Resilience without resources: 5 FTEs of SOC analyst work saved per month with automated Response Platform
- Over 900 hours / month of SOC analysis saved
- Real threat reports up to tens of thousands per month
- Resilience ratio today is up 259% from baseline
- 98% reduction in false positives and incident escalations due to response platform
- Making sense of the threat feed and orchestrating Spam, legit email, threats, and incidents
- Over 50% reduction in spam reports
Attack simulation training FAQ
How does attack simulation training work?
Simulations mimic real-world phishing tactics using custom payloads, phishing links, and simulated phishing messages.
They can include elements like malware attachments, drive-by URLs, and social engineering techniques.
Simulations are automated and can be customized to fit specific scenarios.
What are the benefits of simulation reports?
Simulation reports provide insights into user behavior, highlighting who clicked on phishing links or opened malicious attachments. This data helps refine training and improve security posture.
What happens after a simulation?
After a simulation, users who fell for the phishing attempt are often directed to integrated security awareness training, where they learn how to recognize and avoid such attacks in the future.
How often should simulations be conducted?
Simulation training should be conducted regularly to reinforce cybersecurity awareness and ensure employees would be able to identify and report genuine threats.
Many organizations conduct phishing simulations on a monthly or quarterly basis, but the frequency may vary depending on your risk profile and compliance requirements.
Generally speaking, the more frequent they are the better.
Sources
- Microsoft Defender for Office 365 Reviews, Gartner, 2023.
- Hoxhunt Reviews, Gartner, 2023.
- Phishing Statistics and Trends 2023, Mimecast.
- Why Security Training Isn’t Working, Forbes, 2021.
- Cost of a Data Breach Report, IBM, 2023.
- Value of Security Awareness Training, Aberdeen, 2023.
- Importance of Security Awareness Training, CybSafe, 2023.



