Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Attack Simulator - deleted or reported to help desk

Occasional Contributor

Within M365 Defender Attack Simulator are there ways (PowerShell/graph) to see user activity like email deleted associated with a particular simulation? 


If users report the email via a ticketing system or other method outside of the Outlook Add-in, can we mark those as reported in some way? 

1 Reply



As far as I am aware there has been no movement beyond the November statement saying no commandlets are available for the simulator:


Simulated attacks do not appear to go through the normal delivery process (try an ordinary EXO message trace - there's nothing) so do not be surprised if some audit processes appear to fail.


As an MDO customer, definitely encourage the use of the Report Message add-in for Outlook. It will take the load off your service desk in simulated campaigns as well as improving ZAP times for real threats.


The problem with the add-in is that it handles the user statement "this mail is bad" rather that the user question "is this mail bad?" If your simulation is any good, you will get users calling in. You need to record those queries as part of your response rate (which you must measure) and prepare your service desk to answer without exposing the simulation.


I do my post-campaign reports off-tenancy in Excel. A commandlet to simply dump the results of a simulation direct to CSV would save some of the drudgery; we can hope.