Create Trusted Account on Exchange

Our E-Mail Threat Simulator module requires a test account for running and reporting the tests listed here. This document contains sample configurations for carrying out security and reliability checks with this test account.
The test account will only receive email and will not be able to send mail to any internal or external email address except ours. This is a safe configuration option that will prevent potential violations.

Create Test Account

Customers who use an Exchange email server must create a restricted email account. Customers who use Google Workspace, Microsoft 365, or other services may skip this step.
Use the Exchange Server PowerShell administrative interface to create a test account with the command below.
Organization administrator permissions are required to use the Exchange Management Shell.
New-Mailbox -UserPrincipalName "UserPrincipalName" -Alias "Mail Alias" -Name "Mailbox Account Name" -Database "Database Name" -OrganizationalUnit "" -ResetPasswordOnNextLogon $false -Password (ConvertTo-SecureString -String "Password" -AsPlainText -Force)

Configure the Test Account

The following instructions explain how to configure the test account so that evaluations can be performed safely and efficiently.

Limit Email Activity

To avoid sending emails to any internal or external email address other than [email protected], use the following configuration steps:
  • Log in to https://ExchangeServer/ecp with organization administrator privileges.
  • Go to Mail Flow > Rules and use the plus sign to add and name a new rule.
  • In the “Apply this rule if” condition, select the option “the sender is” and add the test account.
  • In the “Do the following” action, select the option “Delete the message without notifying anyone.”
  • Click More Options to display the Exception field.
Please check that the sender address is “” and confirm from the platform.

Enable Mailbox Audit Logging for Test Account

Audit logging for mailboxes created on an Exchange server is disabled by default. To log all the actions that occur, mailbox audit logging should be enabled for the test account with the following command:
Set-Mailbox -Identity "" -AuditEnabled $true
Set-Mailbox -Identity "ETS Test Account" -AuditEnabled $true
The following command also enables mailbox audit logs on all mailboxes:
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
The mailbox audit log items to be recorded can also be edited with the command below.
Parameters can be activated for three different groups: mailbox owners, delegates, and administrators. The actions to be recorded can be specified according to the logon type and will be available in the mailbox audit log. If a complete record of the user's actions is not required, it may be preferable not to activate some items. Admin and delegate group event records can be activated and recorded on authorized accounts for a specific mailbox.
Set-Mailbox -Identity "ETS Test Account" -AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditEnabled $true
By adding this command to the user and mail account creation procedures, mailbox audit event records can be activated in each new mail account automatically or manually.

Activate Admin Audit Event Logs

The following command can be run once to enable Admin Audit logs.
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogParameters * -AdminAuditLogCmdlets *
The following command will search the admin audit log:
Search-AdminAuditLog -Cmdlets New-SendConnector -StartDate 04/20/2022 -EndDate 5/5/2023
The following command will search for the parameters specified in Admin Audit Logs and mail the result to [email protected]
New-AdminAuditLogSearch -Name "Mailbox Quota Change Audit" -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/20/2017 -EndDate 05/05/2018 -StatusMailRecipients
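
One way to confirm that the settings described on this page took effect, as an added example that is not part of the vendor's documentation. The function name Test-EtsAccountLockdown and the recipient address on the last line are placeholders, and the script assumes the mail flow rule was built with the "the sender is" condition and the delete action described under Limit Email Activity.

```powershell
# Added example for the Exchange Management Shell. The function name and the
# recipient address on the last line are placeholders, not vendor values.
function Test-EtsAccountLockdown {
    param(
        [Parameter(Mandatory)] [string] $TestAccount,      # mailbox identity
        [Parameter(Mandatory)] [string] $AllowedRecipient  # only permitted destination
    )
    $mbx    = Get-Mailbox -Identity $TestAccount -ErrorAction Stop
    $sender = "$($mbx.PrimarySmtpAddress)"

    # Enabled rules that delete mail sent by the test account.
    # Assumption: From and ExceptIfSentTo render as SMTP addresses.
    $rules = @(Get-TransportRule | Where-Object {
        $_.State -eq 'Enabled' -and $_.DeleteMessage -and
        (@($_.From | ForEach-Object { "$_" }) -contains $sender)
    })
    # Exceptions other than the allowed recipient widen what the account can send.
    $extra = @($rules | ForEach-Object { $_.ExceptIfSentTo } |
        ForEach-Object { "$_" } | Where-Object { $_ -and $_ -ne $AllowedRecipient })

    # Send actions should be audited for administrator and delegate logons.
    $missing = @(foreach ($group in 'AuditAdmin', 'AuditDelegate') {
        $have = @($mbx.$group | ForEach-Object { "$_" })
        'SendAs', 'SendOnBehalf' | Where-Object { $have -notcontains $_ } |
            ForEach-Object { "$group/$_" }
    })

    # One result object per check so the output can be filtered or exported.
    [pscustomobject]@{ Check = 'Delete rule covers test account'; Pass = $rules.Count -gt 0; Detail = $rules.Name -join ', ' }
    [pscustomobject]@{ Check = 'No unexpected rule exceptions'; Pass = $extra.Count -eq 0; Detail = $extra -join ', ' }
    [pscustomobject]@{ Check = 'Mailbox audit enabled'; Pass = [bool]$mbx.AuditEnabled; Detail = '' }
    [pscustomobject]@{ Check = 'Send actions audited'; Pass = $missing.Count -eq 0; Detail = $missing -join ', ' }
    [pscustomobject]@{ Check = 'Admin audit log enabled'; Pass = [bool](Get-AdminAuditLogConfig).AdminAuditLogEnabled; Detail = '' }
}

Test-EtsAccountLockdown -TestAccount 'ETS Test Account' -AllowedRecipient 'allowed@example.invalid' |
    Format-Table -AutoSize
```

Any row with Pass set to False points at the section of this page whose step needs to be repeated; the Detail column names the rule, exception address, or audit action involved.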