KEEPNET LABS > Blog > Creating A Trusted Account For E-mail Security Tests

Creating A Trusted Account For E-mail Security Tests

Keepnet Labs E-Mail Threat Simulator allows institutions to defend against major attack vectors. Large corporations, government agencies, and political organizations are the most common victims of cyber-attacks through e-mail. The more information an organization has, the higher the likelihood of exposure to attacks.

Creating A Trusted Account For E-mail Security Tests

Keepnet Labs E-Mail Threat Simulator allows institutions to defend against major attack vectors. Especially in recent years, it has been observed that the number of target-oriented attacks has increased significantly. Generally, it was determined that the targets of the attacks were large corporations, government agencies, and political organizations. The more information an organization has, the higher the likelihood of exposure to cyber-attacks.

Despite the widespread use of email filters, the majority of attacks are still coming through e-mail. The poor configuration or poor implementation of these products can lead to false assumptions that you are safe. Keepnet Labs allows you to test these assumptions, see your security situation, and take steps to improve the vulnerabilities resulting from the e-mail.

Creating a Trusted Account for E-mail Security Tests

Keepnet Labs E-Mail Threat Simulator module details require a test account for making and reporting the tests listed here. This document contains sample configurations for making possible security and reliability checks with this test account.

The test account will only receive an e-mail, and will not be able to send mail to any internal or external e-mail address except Keepnet  Labs. This is a safe configuration option that will prevent potential violations.

Creating a Test Account

The test account required for operations can be created with Exchange Powershell using the following command:

The Exchange Management Shell is started with a user who has Organization Administration permissions.

New-Mailbox -UserPrincipalName “UserPrincipalName” -Alias “Mail Alias” -Name “Mailbox Account Name” -Database “Database Name” -OrganizationalUnit “<Organizational Unit>”  -ResetPasswordOnNextLogon $false –password (ConvertTo-SecureString -String “Password” -AsPlainText -Force)

New-Mailbox -UserPrincipalName ets@yourdomain.com -Alias ets -Name ETS  -Database PERDB -OrganizationalUnit OU=SNR,DC=keepnet,DC=aws  -ResetPasswordOnNextLogon $false –password (ConvertTo-SecureString -String ‘StR0ngP@ssw0rd’ -AsPlainText -Force)

Restriction of the Authority of the Test Account

We can create a test account as a dummy user and make various restrictions in terms of using e-mail services. The following are examples of ways to restrict the ability to send and receive e-mail for a ştest account.

Restrict Email Address

To avoid sending emails to any internal or external e-mail address other than ets@keepnethood.com, you can apply the following configuration steps in order.

Login to https://ExchangeServer/ecp with Organization Admin authority. Go to Mail Flow> Rules and add a new rule from the plus sign. By giving the rule a name, the following rules apply:

In the “Apply this rule if” condition, “the sender is” is selected and added to the Test account.

In the “Do the following” action, the option “Delete the message without notifying anyone” is selected.

Click More Options to display the Exception field.

The “Except if” condition is activated by “The recipient> the address includes any of these words” and is saved by entering the “ets@keepnethood.com” address.

Enable Mailbox Audit Logging for Test Account

The mailboxes that are created on the Exchange server have audit logs closed by default. To log all the processes that are created through the test account, the mailbox audit log on the test account can be enabled with the following command:

Set-Mailbox -Identity “<Test Account>” -AuditEnabled $true

Set-Mailbox -Identity “ETS Test Account” -AuditEnabled $true

The following command also enables mailbox audit logs on all mailboxes:

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq “UserMailbox”} | Set-Mailbox -AuditEnabled $true

Mailbox Audit logs to be recorded on the log can be edited with the following command. Here, different parameters are activated for 3 different groups. Since the records to be activated for the owner groups will record the user’s actions on his/her account, If not required, it may not be activated in order not to keep too many logs. Admin and Delegate group event records can be activated and recorded on the authorized account in that mailbox.

Set-Mailbox -Identity “ETS Test Account” –AuditAdmin Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create –AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create -AuditEnabled $true

By adding this command to the user creation procedure and after each created mail account, mailbox audit event records can be activated in each new mail account that is created automatically or manually.

Activating Admin Audit Event Logs

The following command can be run once to enable Admin Audit logs:

Set-AdminAuditLogConfig -AdminAuditLogEnabled $true -AdminAuditLogParameters * -AdminAuditLogCmdlets *

With the following command search can be made  in the Admin Audit logs:

Search-AdminAuditLog

Search-Adminauditlog –cmdlets New-Sendconnector -startdate 04/20/2014 -enddate 5/5/2015

The following command will search for the parameters specified in Admin Audit Logs and mail the result to admin@yourdomain.com:

New-AdminAuditLogSearch -Name “Mailbox Quota Change Audit” -Cmdlets Set-Mailbox -Parameters UseDatabaseQuotaDefaults, ProhibitSendReceiveQuota, ProhibitSendQuota -StartDate 01/20/2017 -EndDate 05/05/2018 -StatusMailRecipients admin@yourdomain.com

Join
Our Newsletter

Sign up to learn about the latest threats, hacking methods, and news.