HOTSPOT You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365. You need to automate Attack simulation training for users when a phishing campaign is detected in real-time. Which type of automation should you use, and which condition should you configure for the Attack simulation training? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Payload automation with credential harvest fits here. Had something like this in a mock, and it was about using actual threat data for instant simulation triggers, not just scheduled stuff. Pretty sure that's the intention, but open to correction if anyone sees it differently.
This one's all about real phishing attacks detected as they happen, so it's payload automation with credential harvest. Randomized is just for regularly scheduled stuff, not instant reaction to threats Defender sees. I think that's spot on but wouldn't mind a second opinion if anyone's seen different.
Payload automation with credential harvest for sure. The key is real-time, since payload automation hooks right into actual detected phishing and automatically launches training based on that. Randomized would only work if you wanted periodic or ongoing simulations, not instant reaction to threats. I think this matches what's needed, but let me know if I've missed a nuance.
