Microsoft Defender for Office 365: Refinement to user activity tracking in Attack Simulation and Training

[Introduction:]

We’re refining how user activity is recorded during simulations in Microsoft Defender for Office 365’s Attack Simulation and Training - a feature that enables admins to run realistic phishing simulations and assign targeted training to improve user awareness. This update improves consistency and clarity in simulation reporting, helping admins better understand user engagement with minimal impact to existing workflows.

[When this will happen:]

General Availability (Worldwide):  Rollout begins mid-November 2025 and completes by late November 2025.

General Availability (GCC, GCC High, DoD):  Rollout begins late November 2025 and completes by mid-December 2025.

[How this affects your organization:]

Who is affected: Admins managing Attack Simulation and Training in Microsoft Defender for Office 365 across all environments (Worldwide, GCC, GCC High, DoD).

What will happen:

• User interaction signals (such as compromise, report, read, delete, reply, forward, out-of-office, attachment opened) will be captured consistently until the simulation concludes.
• Training-related events (such as training completed or in progress) will continue to be reflected in simulation reporting even after the simulation ends, up to the training due date.
• Simulation data recording starts a few minutes after the simulation is launched and after users begin interacting with the simulation messages. There's no fixed start time. Events are still captured after the simulation ends.
• No changes to simulation scheduling or training delivery. Existing admin policies and workflows remain unchanged.
• No prerequisites are required for this update; it will apply automatically to all tenants using Attack Simulation and Training.
• Any metrics or existing reports that were captured and stored before this change will continue to persist based on our standard retention period. This change will only impact tracking of user activity going forward (post-change).
• There is no change to our standard retention policies.  

Example:

If a simulation ends on November 25, 2025, at 11:00 AM PST, user interaction signals after this time will not be included in the simulation report. However, if a user completes training on November 26, that completion will still be reflected in the report.

Screenshot - Simulation reporting interface:

[What you can do to prepare:]

No action is required.

Admins may wish to inform simulation owners of this refinement to ensure alignment with internal reporting expectations.

Learn more:

• [to be updated closer to rollout] Attack simulation training deployment considerations and FAQ - Microsoft Defender for Office 365 | Microsoft Learn
• Insights and reports for Attack simulation training - Microsoft Defender for Office 365 | Microsoft Defender | Microsoft Learn
• Reporting issues - Attack simulation training deployment considerations and FAQ - Microsoft Defender for Office 365 | Microsoft Defender | Microsoft Learn

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.