Answer: Microsoft Defender for Cloud Apps
Answer: Microsoft Defender for Office 365
Answer: Microsoft Defender for Identity
Answer: Microsoft Defender for SQL
Answer: BMicrosoft places Attack simulation training under the email and collaboration protection workloads of Microsoft Defender for Office 365 (MDO). The official product guidance describes it as a built-in capability that “lets you run realistic attack scenarios in your organization to identify vulnerable users and train users to recognize and report phishing and other social-engineering techniques.” Microsoft further notes that Attack simulation training “provides editable phishing payloads, credential-harvesting and attachment scenarios, landing pages, user training, and detailed reporting,” enabling security teams to measure compromise rates and improve user resilience over time. The service scope is explicit: “Attack simulation training is a feature of Microsoft Defender for Office 365 Plan 2,” and it is included in suites that contain MDO P2 such as Microsoft 365 E5 and Office 365 E5. In the Microsoft 365 Defender portal, you access it under Email & collaboration → Attack simulation training, where admins can create simulations, target groups, assign training, and review metrics like repeat offenders, resilience score, and simulation results. By design, this feature is not part of Microsoft Defender for Cloud Apps (cloud app security and CASB functions), not part of Microsoft Defender for Identity (on-prem AD identity threat detection), and not part of Defender for SQL. Therefore, the Microsoft SCI documentation aligns that the correct service hosting Attack simulation training is Microsoft Defender for Office 365 (Plan 2).
