The scenario requires automating Attack simulation training based on real phishing campaigns detected in real-time. Within Microsoft Defender for Office 365, the Payload automation feature is specifically designed for this purpose. It automatically collects payloads from actual, non-simulated phishing attacks that have been analyzed by Defender and determined to be a Credential Harvest (phish). This automation then uses these real-world payloads to create and launch targeted simulations, thereby training users based on the latest threats observed in the environment. The other automation types (Fixed, Randomized) are based on predefined schedules, not on real-time threat detection.

Source: Microsoft. (n.d.). Simulation automations in Attack simulation training. Microsoft Learn.

Reference: Retrieved October 21, 2025, from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations

Citation (Payload automation): In the "Payload automation" section, the documentation states: "Payload automation... gathers real, non-simulated phish payloads that were reported by your users and are determined to be a phish or credential harvest (as determined by Defender for Office 365)... and feeds them back into the simulation to target your users." This passage explicitly links "Payload automation" with the "Credential Harvest" condition as the trigger.

Source: Microsoft. (n.d.). Get started with Attack simulation training. Microsoft Learn.

Reference: Retrieved October 21, 2025, from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started

Citation (Automation Types): The "Simulation automations" section contrasts "Fixed simulation automation" (which "runs a simulation... on a fixed schedule") with "Payload automation," confirming the latter is the correct choice for a detection-based trigger rather than a schedule-based one.