Microsoft Assigned Training Question

Matthew 20 Reputation points
2026-04-16T16:22:04.24+00:00

Hey there,

During a phishing campaign, it was discovered that end-users were marked as "compromised" when they forwarded the phishing campaign email to IT for inspection (the link to the "malicious" website was turned into a smart link from a raw URL, which caused the end-user to "fail"). Is there a way that we can mark that person as a false positive and be able to auto-complete the auto-assigned training, as they did not actually fail the campaign?

Microsoft 365 and Office | Microsoft 365 Defender | Other | Other

Answer accepted by question author

AI answer

2026-04-16T16:22:17.8533333+00:00

Attack simulation training in Microsoft Defender for Office 365 does not currently support editing individual users’ simulation outcomes (for example, changing a user from Compromised to Not compromised or explicitly flagging them as a false positive) or auto-completing their assigned training directly from the simulation report.

Key points from the available behavior and reporting model:

  • A user is marked Compromised based on specific actions tied to the simulation technique (for example, clicking the payload link or entering credentials), as defined in the reporting appendix.
  • Forwarding, replying, or deleting the message are tracked as Other actions signals, but there is no documented mechanism to override the resulting Compromised status once it has been recorded.
  • Training assignment is rule-based at simulation design time (for example, assign to All users, Clicked payload, or Compromised) and not per-user editable after the fact.

Operationally, the only supported options are:

  1. Use the simulation reports to identify these users and treat them as exceptions in internal metrics (for example, adjust reporting in exported data).
  2. If training is not desired for those users, handle that outside the product (for example, communicate that they can ignore the training, or track them as having “passed” in internal records).

There is no supported way in the documented features to:

  • Mark a specific user’s compromise as a false positive inside Attack simulation training, or
  • Programmatically or administratively auto-complete their assigned training from the Defender portal.
