Author: jetnmariano

Terraform for M365 & Azure (With Real Examples)

Title:

Terraform for M365 and Azure — Infrastructure-as-Code Made Simple

Introduction

Terraform is one of the most powerful tools for managing cloud environments because it lets you declare what you want and Azure builds it. No guessing. No clicking. No forgetting what you changed.

Even if M365 doesn’t support Terraform natively for all workloads, you can still automate Azure AD, Conditional Access, Groups, SPNs, Networking, Key Vault, and App Registrations through the Microsoft Graph provider.

I used IaC principles while supporting Church systems — Terraform makes environments repeatable, auditable, and consistent.

1. Installing Terraform

choco install terraform

2. Azure Login Block

provider "azurerm" {
  features {}
}

provider "azuread" {
}

3. Creating an Azure Resource Group

resource "azurerm_resource_group" "rg1" {
  name     = "M365AutomationRG"
  location = "WestUS2"
}

4. Creating an Azure AD Group

resource "azuread_group" "security_group" {
  display_name     = "M365-Automation-Admins"
  security_enabled = true
}

5. Creating an App Registration + Secret

resource "azuread_application" "app" {
  display_name = "Terraform-Automation-App"
}

resource "azuread_service_principal" "sp" {
  application_id = azuread_application.app.application_id
}

resource "azuread_application_password" "sp_secret" {
  application_object_id = azuread_application.app.id
  display_name          = "secret1"
}

6. Conditional Access via Terraform (Yes, possible!)

Uses the Microsoft Graph Terraform provider.

resource "msgraph_conditional_access_policy" "block_non_us" {
  display_name = "Block Non-US IP"
  state        = "enabled"

  conditions {
    users {
      include_users = ["all"]
    }
    locations {
      include_locations = ["All"]
      exclude_locations = ["US"]
    }
  }

  grant_controls {
    operator         = "OR"
    built_in_controls = ["block"]
  }
}

7. Create an M365 Group (Unified Group)

resource "msgraph_group" "m365_group" {
  display_name     = "Engineering Team"
  mail_nickname    = "engineering"
  security_enabled = false
  mail_enabled     = true
  group_type       = ["Unified"]
}

8. Create Azure Key Vault

resource "azurerm_key_vault" "kv" {
  name                = "m365-keyvault-prod"
  location            = azurerm_resource_group.rg1.location
  resource_group_name = azurerm_resource_group.rg1.name
  tenant_id           = data.azuread_client_config.current.tenant_id
  sku_name            = "standard"
}

Conclusion

Terraform is the “blueprint” of modern cloud administration.
Clicking creates inconsistencies — IaC creates reliable, repeatable deployments.

November 25, 2025

CIS Hardening Standards in M365 (With Examples)
Title:

CIS for Microsoft 365 — Practical Hardening You Can Apply Today

Introduction

CIS (Center for Internet Security) publishes best-practice security baselines. In M365, CIS basically means:
- Hardening Azure AD
- Enforcing access control
- Strengthening authentication
- Improving logging
- Locking down Exchange, SharePoint, and Teams
- Using Conditional Access correctly
- Reducing attack surface
Below is the real-world version, not the theoretical one.

1. Require MFA (CIS Level 1 Control)

CIS Recommendation: MFA for all accounts.

How to apply:
Use Conditional Access:
- Include: All users
- Exclude: Break-glass admin
- Require MFA
- State: On
2. Disable Legacy Authentication

CIS Control: Block Basic Auth.

Azure Example:
CA Policy → Block legacy protocols
Exchange → Disable POP/IMAP/SMTP AUTH

3. Passwordless Authentication

CIS: Prefer passwordless.

Implementation:
Enable:
- Windows Hello
- Authenticator App
- FIDO2 keys
4. Limit Global Admin Roles

CIS: Admin roles must be minimized.

How to do it:
Assign:
- GA = 2 accounts
- Use PIM (Privileged Identity Management)
- Require MFA + justification
5. Require Compliant Devices

CIS: Block unmanaged devices.

Apply with Conditional Access:
Grant → Require device to be:
- Compliant
- Hybrid joined
- Or require approved apps
6. Exchange Online Protections

CIS: Anti-phishing, anti-malware, safe links, safe attachments.

7. Audit Logging

CIS: Must be enabled.

Check:
```
Get-AdminAuditLogConfig
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
```
8. Session Control

Use Conditional Access → Session Limits
- 8 hour max
- Force reauthentication
Conclusion

CIS is not complicated.
It’s just applying security baselines consistently using tools already built into M365:
- Conditional Access
- Defender
- PIM
- MFA
- Logging
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 25, 2025
Email Retention in M365 (Best Practices)
Email Retention in Microsoft 365 — How to Keep What Matters

Introduction

Email retention ensures messages are kept for the correct amount of time for:
- business
- legal
- compliance
- industry regulations
Monster, PIMCO, the Church, and Martin all used different retention needs.

Retention Policy Basics

Retention can:
- Delete after X years
- Keep and then delete
- Keep forever
- Auto-apply by keyword or location
Example Retention Policies

1. Keep 7 Years, Then Delete
```
New-RetentionCompliancePolicy -Name "7 Years Email"
New-RetentionComplianceRule -Name "7YearEmailRule" -Policy "7 Years Email" -RetentionDuration 2555 -RetentionAction Delete
```
2. Keep Forever

GUI:
Compliance → Data Lifecycle → Retention → Forever

3. Auto-Apply to Executives
```
New-RetentionComplianceRule -Name "ExecRetention" -Policy "ExecForever" -UserGroupFilter "JobTitle -eq 'Executive'"
```
Best Practices
- Always include shared mailboxes
- Use Labels for sensitive groups
- Never auto-delete without approval
- Align with CIS security
- Document your retention plan
Conclusion

Good retention protects the company — and the user.
It ensures you keep what matters and nothing more.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 25, 2025
MARKED IN TIME — “DO YOUR PART” (MIT8)

Elder Dieter F. Uchtdorf — October 2025 General Conference

Where effort meets grace, discipleship blooms

Excerpt

“Trust the Savior and engage, patiently and diligently, in doing your part with all your heart.”

Intro

Life moves fast — technology, deadlines, expectations, and noise. Elder Uchtdorf’s message reminded me to slow down, trust the Savior, and stay consistent in the small habits that shape who I am. It’s not about speed. It’s about direction. And the quiet discipline behind every disciple’s journey.

Notes from Elder Uchtdorf

Trust the Savior completely and give Him your steady daily effort.
Discipleship requires practice.
Skills fade without continued effort.
Greatness grows from repetition, humility, and patience.
The Lord magnifies even small efforts when offered with heart.

Perspective (direct quotes)

“Getting good at anything… takes consistent self-discipline and practice.”
Whether flying, rowing, sowing, learning, or becoming — practice never stops.

“Trust the Savior and engage… in doing your part with all your heart.”
He doesn’t ask perfection — just faith in motion.

Practice — Today, Not Someday

My Discipline in IT
Technology evolves every day. You don’t master it once — you study daily. I use Microsoft Learn, Udemy, and YouTube Premium, and I blog because writing helps me lock in what I learn. This is my stewardship: my part in staying sharp.

My Discipline in Photography
Photography isn’t just technical settings. It’s learning to read the light, study it, and anticipate it. Capturing it is an act of patience and discipline — just like discipleship.

My Discipline in Health
My body is my engine. If I don’t stay fit, how can I keep up with the never-ending pace of IT? Health keeps my mind focused. My discipline keeps me grounded.

My RFC Trio
Just like SPF, DKIM, and DMARC work as a trio — strengthening trust and protecting identity — my three disciplines work together:

Mind (IT)
Creativity (Photography)
Body (Health)

One supports the other. One anchors the next. And that’s how discipleship grows: line upon line, habit upon habit.

Final Reflection

Discipline is not punishment. It’s devotion — devotion to the future you, and trust in a God who sees more in you than you see in yourself. “Doing your part” isn’t dramatic or loud. It’s small steady steps that build spiritual muscle.

Pocket I’m Keeping

“Trust the Savior… and engage diligently in doing your part.”
Not perfectly.
Not instantly.
Just faithfully.

What I Hear Now (direct quotes)

Consistency is strength.
“Keep practicing.”
“I will make your small offering enough.”
“Do your part — I will do Mine.”

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

November 25, 2025
The Evolution of Microsoft Exchange: From 5.0 to Exchange Online (EXO)
A Technical History Through the Tools, Upgrades, and Real-World Administration That Shaped Modern Email

Email administration today looks nothing like it did in the mid-1990s. What began as a system of flat files and small IS databases has evolved into a globally distributed, cloud-secure service powered by modern authentication, forensic automation, and layered identity protections.

This article covers the full evolution — from Exchange 5.0 → 5.5 → 2000 → 2003 → 2007 → 2010 → 2013 → 2016 → Hybrid → Exchange Online — through the practical tools and real operational practices that defined each era.

It also highlights legacy repair tools (ISINTEG, ESEUTIL), the emergence of PowerShell, and modern security controls such as DKIM, DMARC, and real-time EXO policies.

1. Exchange 5.0 — The GroupWise Era & The Limits of Early Messaging

When Exchange 5.0 existed, Novell GroupWise was still considered the enterprise email standard. Capacity was limited and reliability required constant hands-on administration.

Key Characteristics
- Basic directory service
- Small private and public folder stores
- No Active Directory yet
- No PowerShell
- 16GB database ceiling
- Frequent corruptions under heavy load
Real Tools Used

🔧 ISINTEG — Logical Database Repair

Example usage:
```
ISINTEG -pri -fix -test alltests
```
🔧 ESEUTIL — Physical Database Repair

Soft recovery:
```
ESEUTIL /r E00 /l "E:\logs" /d "E:\mdbdata"
```
Hard recovery:
```
ESEUTIL /p "E:\mdbdata\priv.edb"
```
Defrag/whitespace removal:
```
ESEUTIL /d "E:\mdbdata\priv.edb"
```
White space mattered because the database could never exceed the size limit, and defrags were essential to survive weekly growth.

2. Exchange 5.5 — The First True Enterprise Version

Exchange 5.5 replaced GroupWise in many organizations because it solved the two biggest weaknesses:

Major Improvements
- Larger database limits
- Internet Mail Connector (IMC) matured
- Directory replication across sites
- Better MAPI stability
- More predictable backups
This was the version where large organizations first began to trust Exchange for hundreds or thousands of users.

Database limitations still required:
- Regular whitespace removal
- Offline defrags
- ISINTEG repairs
3. Exchange 2000 / 2003 — Active Directory Arrives

The introduction of Active Directory changed everything.

Now Possible
- Kerberos authentication
- Unified Global Address List
- Recipient policies
- Improved SMTP stack
- Better routing groups
Tools of the Era
- ESEUTIL still required
- ISINTEG for logical repair
- Streaming file (.STM) management
- COM+ based transport pipeline
Disaster recovery still required:
- Hard repairs
- Log replays
- Offline maintenance windows
4. Exchange 2007 — PowerShell Revolutionizes Email Administration

Exchange 2007 was the turning point. This version introduced:

Major Innovations
- PowerShell (EMS)
- Role-based server architecture
- Database Availability Groups (DAGs begin later)
- Transport rules
- Modern SMTP pipeline
Example PowerShell Operations

Bulk mailbox creation
```
Import-Csv users.csv | % {
  New-Mailbox -UserPrincipalName $_.UPN -Name $_.Name -Alias $_.Alias
}
```
Transport rule creation
```
New-TransportRule -Name "Block EXE" -AttachmentExtensionMatchesWords ".exe" -RejectMessageReason "Executable blocked"
```
Database health
```
Get-MailboxDatabaseCopyStatus *
```
PowerShell replaced ISINTEG as the primary troubleshooting interface.

5. Exchange 2010 / 2013 — High Availability & Hybrid Era

These versions supported:
- DAGs with multiple copies
- Outlook Anywhere (RPC over HTTPS)
- Cross-forest migrations
- Massive mailboxes (50GB+)
- First large-scale hybrid deployments
Database Whitespace Management

Modern approach:
```
Get-MailboxDatabase -Status | ft Name,AvailableNewMailboxSpace
```
To reclaim all space:
1. Create new database
2. Move mailboxes
3. Remove old database
4. Mount clean database
Multi-region examples
- Databases per region (NA/APAC/EMEA)
- Public folder migrations
- CAS/Hub/MBX role separation
6. On-Prem to Cloud Migrations — AWS WorkMail, Exchange 2010, Hybrid, EXO

Organizations with large global footprints began migrating:

Migration Examples
- From AWS WorkMail → Exchange 2013 HA → EXO
- From Exchange 2010 datacenters → Hybrid → EXO
- From Exchange 2013 → EXO using HCW and staged cutover
Challenges Solved by EXO
- No more ESEUTIL
- No more ISINTEG
- No more DAG patching
- No more weekend downtimes
- Automatic redundancy
- Modern authentication
- Better malware scanning
7. Exchange Online — The Modern Cloud Era

Today, administrators rely on:
- Exchange Online PowerShell v3
- Graph API
- Defender for O365
- Purview eDiscovery
- Modern connectors
- DKIM / DMARC enforcement
- Real-time spam intelligence
- Modern auth for SMTP
How to Rotate DKIM 2048-bit Keys

Admin Center → Security → Email Authentication → DKIM → Rotate Keys

Verify in PowerShell
```
Get-DkimSigningConfig | fl Domain,Selector1CNAME,Selector2CNAME
```
Keys should be:
- 2048-bit
- Rotated regularly
- Protected from unauthorized access
**8. Real-World Security Hardening in EXO

(Including the Kill-Switch Scripts)**

Last-generation threats require immediate defensive controls.
These are sanitized versions of the two emergency scripts used to block impersonation attacks:

🛑 Kill Switch Transport Rule (Blocks All External Sender Impersonation)
```
New-TransportRule -Name "KILL-SWITCH" `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-SetHeaderName "X-Blocked" `
-SetHeaderValue "EmergencyBlock" `
-StopRuleProcessing $true `
-Enabled $true `
-Mode Enforce
```
🛑 Block-All Impersonation Rule
```
New-TransportRule -Name "BLOCK-IMPERSONATION" `
-HeaderMatchesMessageHeader "From" `
-HeaderMatchesPatterns ".*@yourdomain\.com" `
-SentToScope InOrganization `
-FromScope NotInOrganization `
-RejectMessageReasonText "External sender attempted domain impersonation" `
-StopRuleProcessing $true
```
After the event is over, disable:
```
Disable-TransportRule "KILL-SWITCH"
Disable-TransportRule "BLOCK-IMPERSONATION"
```
9. Why Exchange Online Beats Every On-Prem Version

No More:
- Database corruption
- ESEUTIL repair weekends
- ISINTEG logical rebuilds
- Streaming file failures
- Whitespace management
- RPC failures
- CAS array dependency
Instead You Get:
- Multi-region HA
- Continuous patching
- DKIM / DMARC alignment
- Modern authentication
- Real-time message trace
- Defender Safe Links/Safe Attachments
- Purview forensic tools
- 24/7 cloud threat intelligence
10. Summary

This blog ties together:
- The original on-prem tools (ISINTEG, ESEUTIL)
- The arrival of AD
- The PowerShell revolution
- The hybrid era
- The modern cloud security stack
- DKIM rotation
- EXO forensic investigation
- Emergency transport rule defense
It shows why the move from Exchange 5.0 to EXO was inevitable — every stage improved reliability, scalability, administration, and security.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 24, 2025
DKIM Security: How Signing and Key Rotation Stop Email Spoofing
Introduction

DKIM (DomainKeys Identified Mail) is one of the most effective ways to verify that an email truly came from your organization. But many companies misunderstand one crucial truth:

DKIM is only as strong as the protection of its private key.

If attackers obtain your DKIM private key, they can sign email that appears cryptographically legitimate — even if it comes from a malicious server. This is why key length, rotation, and protection matter just as much as turning DKIM “on.”

Section 1 — What DKIM Actually Does

DKIM works by attaching a digital signature to every outbound message.
It ensures:
- The message hasn’t been altered
- The sender is authorized
- The domain identity can be verified
The core elements are:

1️⃣ DKIM Selector (s=)

Identifies which key is used.
Example:
s=mail2025;

2️⃣ DKIM Domain (d=)

The domain signing the message.
Example:
d=example-corp-secure.com;

3️⃣ Public Key (Published in DNS)

Stored in a TXT record:
mail2025._domainkey.example-corp-secure.com

4️⃣ Private Key (kept hidden on the mail server)

This is the key attackers target.
It signs every outbound message.

Section 2 — Why Private Keys Must Be 2048-bit Minimum

Attackers today can break 1024-bit DKIM keys.
- Cloud computing
- GPU farms
- Distributed cracking
This is why Microsoft and major ESPs recommend 2048-bit keys.

Weak DKIM = forged trust.

Section 3 — Why You Must Rotate DKIM Keys Regularly

Even a strong key becomes weaker over time:
- Keys leak
- Keys get copied
- Keys get exposed in old backups
- Misconfigured systems reuse keys
- Bad actors gather DNS data for months
Weekly or monthly rotation is considered best practice in regulated industries like banking.

Rotation protects your domain even if an attacker manages to obtain an older key.

Section 4 — How an Attacker Exploits DKIM

If the private key is stolen:
- They can sign malware
- They can sign phishing
- They bypass SPF failures
- They pass DKIM alignment
- They pass DMARC alignment
- Email goes straight to inbox
This is why DKIM alone is not enough.

Section 5 — Why DKIM Matters
- Prevents email tampering
- Builds domain trust
- Enables DMARC “reject” mode
- Protects your brand
- Reduces false positives
- Ensures message integrity
But DKIM is only strong if the private key is protected and rotated.

Conclusion

Most executives think DKIM is “set it and forget it.”
But email security today requires:
- Strong 2048-bit DKIM keys
- Regular rotation
- Tight private key protection
- Monitoring through Proofpoint and EOP
- DMARC enforcement
This is not optional anymore — especially for banks.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
DMARC (Domain-based Message Authentication, Reporting & Conformance)
Introduction

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the control system that tells receiving email servers what to do when a message fails SPF or DKIM. Without DMARC, attackers can spoof your domain freely.

Section 1 — What DMARC Does

DMARC:
- Protects your domain from spoofing
- Defines how mail servers should handle failures
- Provides visibility into fraud attempts
- Supports brand protection
- Enables full enforcement (“p=reject”)
Section 2 — DMARC Tags and Their Meaning

1️⃣ v=DMARC1

Protocol version. Always DMARC1.

2️⃣ p= (Policy)

Tells receiving servers what to do:
- p=none → Monitor only
- p=quarantine → Send failures to spam
- p=reject → Block failures entirely (best practice for banks)
3️⃣ rua= (Aggregate Reports)

Where daily XML reports are delivered.
Example:
rua=mailto:[email protected]

4️⃣ ruf= (Forensic Reports)

Receives detailed failure samples (PII-sensitive).
Example:
ruf=mailto:[email protected]

5️⃣ fo= (Failure Options)

Controls what triggers forensic reporting.
Common:
fo=1 → Send forensic report on any SPF/DKIM failure.

Section 3 — Example of a DMARC Record
```
v=DMARC1;
p=reject;
rua=mailto:[email protected];
ruf=mailto:[email protected];
fo=1;
adkim=s;
aspf=s;
```
adkim=s and aspf=s enforce strict alignment — critical for banks and regulated industries.

Section 4 — Why DMARC Matters
- Blocks domain impersonation
- Reduces malware/phishing impact
- Protects customers from fraud
- Shields executives from spoofing
- Enables brand trust
- Essential for financial institutions
Conclusion

A strong DMARC policy (“reject”) is one of the strongest defenses against email spoofing — but only when SPF and DKIM are configured properly and regularly monitored.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
Why PowerShell Still Beats Purview for Real Forensics: Speed, Depth, and No UI Limits
Introduction

Microsoft Purview is Microsoft’s compliance, audit, and eDiscovery platform for Microsoft 365. It provides GUI-driven tools for administrators to perform searches, create holds, review data, and respond to legal and compliance requirements.

But here’s the reality that senior M365 engineers know:

Purview is powerful, but it is not complete.
It has strict limits, throttles, and boundaries designed for safety and performance — not deep forensic analysis.

This is why serious investigations always end up in PowerShell, where engineers can bypass GUI limitations, perform deeper searches, and collect evidence with precision.

Section 1 — What Purview Is (in plain English)

Purview provides:
- Content search
- eDiscovery (Standard & Premium)
- Litigation holds
- Audit logs
- Labeling and retention
- Insider risk scanning
- Communication compliance
It is designed for:
- Legal teams
- Compliance officers
- HR investigations
- Corporate governance
- High-level reporting
And for these purposes, Purview works very well.

Section 2 — The Hidden Limitations of Purview

Here are the real limits engineers face:

1. Sending & Rate Limits

Purview actions follow the same throttling limits as Exchange Online.
You cannot pull unlimited messages instantly.

2. eDiscovery Query Limits

Each Purview search query is limited to:
10,000 characters
This is a major limitation for complex filters.

3. Maximum Export Sizes

Large exports (multiple gigabytes) often fail or time out.
This is why forensic engineers break searches into chunks.

4. Maximum Holds Per Mailbox

A mailbox can only have:
25 holds total
More than 25 affects performance, indexing, and mailbox health.

5. External Recipient Limits

Purview cannot override existing mailbox restrictions.

6. Tenant-Wide Limits

Even Premium eDiscovery has:
- Search concurrency limits
- Workflow throttling
- Processing delays
- Indexing dependency (if an item isn’t indexed, Purview can’t see it)
7. Purview is not real-time

It depends on indexing engines.
Indexing delays = missing results.

8. Purview cannot reveal everything

For true forensics you often need:
- Message trace logs
- Transport logs
- Historical mailbox snapshots
- DeletedItems and RecoverableItems subfolders
- Soft delete and hard delete content
- Hidden folders
- Unindexed items
Purview cannot provide all of that.

Section 3 — Why PowerShell is Superior for True Forensics

When Microsoft engineers or financial institutions perform real investigations, they do not rely on Purview alone. They rely on PowerShell because PowerShell can do what Purview cannot.

1. Access Every Folder (Including Hidden Ones)

PowerShell can query:
- Inbox
- Sent
- DeletedItems
- RecoverableItems
- Purges
- Versions
- Subfolders not visible in Outlook
- Unindexed items
Purview can’t.

2. No GUI query limit

There is no 10,000-character query restriction in PowerShell.

Pattern searches can be huge, detailed, and layered.

3. Deep Header and Message Metadata Extraction

PowerShell can extract:
- X-MS-Exchange-Organization-AuthAs
- X-MS-Exchange-CrossTenant-*
- Original client IP
- Authentication results
- Message submission type
- Connector source
- Spam confidence level (SCL)
- Envelope sender
- Message ID tracking
Purview provides only summarized metadata.

4. Instant, Real-Time Search

PowerShell does not wait for indexing.
You can search unindexed items directly.

This is critical in security incidents.

5. Mailbox Timeline Reconstruction

With PowerShell you can reconstruct:
- When the message was received
- When it was moved
- If rules redirected it
- If a compromised mailbox forwarded it
- If the user deleted it
- If it was purged
Purview cannot reconstruct movement history.

6. PowerShell is scripting + automation

You can automate:
- Large case collections
- Exports
- Multi-mailbox searches
- Pattern scans
- Complex filters
- Timeline reconstruction
Purview cannot automate eDiscovery at the same level.

Section 4 — When to Use Purview vs PowerShell

Use Purview for:
- Legal holds
- HR requests
- Basic content searches
- Governance
- Compliance reporting
- Policy enforcement
Use PowerShell for:
- Security incidents
- Ransomware investigations
- BEC (Business Email Compromise)
- External spoofing investigations
- Compromised mailbox analysis
- Hidden folder discovery
- Deep metadata extraction
- Multi-mailbox timeline reconstruction
Most senior email engineers agree:

Purview is the “legal view.”
PowerShell is the “truth view.”

Conclusion

Purview is an essential tool for compliance and legal workflows — but it is not a forensic engine.
Its GUI limits, throttles, and reliance on indexing mean that it can never replace the precision, speed, and depth of PowerShell.

This is why real investigations — especially in financial institutions and regulated organizations — always rely on PowerShell for final answers.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
Quick “Reflexes” Using PowerShell to Block Bad Actors: Emergency Transport Rules + Layer 3/7 Firewall Controls
In modern cloud environments, threats don’t wait for meetings, approvals, or planning sessions.
Sometimes an attack hits so fast that your only advantage is instinct, experience, and the ability to act immediately.

Last month, I experienced exactly that — a coordinated impersonation attempt from multiple bad actors in Europe using public cloud hosting (GCP) as their relay. They created their own connectors and attempted to impersonate internal executives and accounting contacts.

The attack bypassed standard controls because:
- They used legitimate cloud IP ranges
- They generated perfect SPF/DKIM passes
- Their mail flow looked “clean” until you read the headers
- They used crafted envelope senders + forged display names
The only way to stop them instantly — before users were tricked — was to drop two transport rules at highest priority using PowerShell.
These acted as “circuit breakers” until perimeter firewall rules could be deployed.

Below is the exact PowerShell approach, redacted and rewritten for general use.

🚨 Reflex Script #1 — Emergency “Kill Switch” Rule

Purpose: If attackers are impersonating an internal address like [email protected], this rule blocks any external sender who uses that address in the envelope from or header from.
```
# Connect to Exchange Online
Connect-ExchangeOnline

# Create emergency kill-switch rule
New-TransportRule -Name "KILL SWITCH: Block external spoofing of noreply" `
-FromScope External `
-HeaderContainsMessageHeader "From" `
-HeaderContainsWords "noreply@" `
-SetSCL 9 `
-StopRuleProcessing $true `
-Priority 0
```
What this rule does instantly:
- Stops external senders pretending to be noreply@
- Sets SCL=9 so the message is quarantined or rejected (depending on policy)
- Stops evaluation of all other rules — making it hit within milliseconds
🚨 Reflex Script #2 — Block ALL External Senders Using a Protected Address

Attackers often rotate payloads or try other internal addresses.
This second rule blocks all attempts — even if they change tactics.
```
New-TransportRule -Name "BLOCK ALL External From Protected Address" `
-FromScope External `
-SenderAddressMatchesPatterns "noreply@", "billing@", "alerts@" `
-SetSCL 9 `
-StopRuleProcessing $true `
-Priority 1
```
You can modify the patterns depending on the address being abused.

🛡️ Why This Worked Instantly

These scripts bypass the UI delay and:
- Apply before EOP content filters
- Hit prior to Safe Links/Safe Attachments
- Trigger even if messages pass SPF/DKIM/DMARC
- Intercept mail before it reaches the user’s mailbox
- Provide time to analyze, trace, and escalate
This is why reflex PowerShell is critical for senior-level engineers — the GUI is too slow during live attacks.

🔐 Permanent Fix: Layer 3 / Layer 7 Firewall Enforcement

Once the immediate threat was stopped with PowerShell, the permanent fix required:

Layer 3 (IP-based blocklists)

Blocking:
- Abused GCP IP ranges
- Known threat actor networks
- Anonymous compute nodes
Layer 7 (Application-layer filtering)

Policies included:
- Block SMTP traffic from unknown hosts
- Block unauthorized connector-based submissions
- Strict URL filtering for phishing redirectors
- Geo-blocking regions with no business presence
Once these firewall measures were active, the PowerShell Kill Switch rules were safely disabled to avoid unnecessary mail flow impact.

💡 Lessons Learned
1. Bad actors are fast — you must be faster.
2. Transport rules + PowerShell are your instant “circuit breakers.”
3. SPF/DKIM/DMARC are not enough when attackers leverage cloud infrastructure.
4. Layer 3 and Layer 7 controls create the “permanent seal.”
5. Instant response + longer-term architecture = real protection.
This is the type of real-world, battle-tested example that hiring panels want to hear.
Not theory — lived experience.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
How I Protected VIP Mailboxes in Exchange: My Experience Creating Shielded, Hidden, and Restricted Email Objects
Intro

In every organization — commercial, government, or religious — there are individuals whose roles require an extra layer of protection. These may include executives, legal teams, board members, or other high-visibility leaders. Their mailboxes must be shielded from noise, protected from internal misuse, and hardened against external threats.

This blog shares how I implemented a VIP Exchange Protection Model in one of the most globally distributed environments I’ve ever worked in.
All sensitive details are removed — but the principles and methods remain the same.

Why VIP Mailboxes Need Extra Protection

VIP users face unique risks:

1. They are targets for impersonation

Attackers attempt to spoof high-level leaders to gain authority over employees.

2. They receive a high volume of inbound email attempts

Even legitimate internal senders may unintentionally overwhelm their inboxes.

3. They must focus on mission-critical responsibilities

Unfiltered communication equals distraction and risk.

4. Their mailboxes contain sensitive or privileged information

Unauthorized access can lead to catastrophic consequences.

The goal of the VIP model is simple:

Only authorized individuals should be able to see, email, or discover these mailboxes.

My VIP Protection Model (Redacted & Generalized)

Below is the exact approach I used, without exposing private organizational information.

1. Hide VIP Mailboxes From the Global Address List (GAL)

This prevents the general population from seeing their email addresses.
```
Set-Mailbox "VIP Mailbox" -HiddenFromAddressListsEnabled $true
```
This ensures the mailbox exists — but only administrators know where it is.

2. Restrict Who Can Email VIPs (Allow Lists Only)

Instead of blocking all users, I inverted the model:

Only a hand-selected, approved list of senders can email VIPs.

I used:
- Transport Rules
- Moderation
- Recipient Restrictions
Example allow-list logic:
```
Set-Mailbox "VIP Mailbox" -AcceptMessagesOnlyFrom @("Assistant1","Assistant2","SecurityOffice")
```
If anyone outside this list tried to email the VIP:
- The message was blocked,
- Logged,
- And optionally forwarded to a monitored mailbox for review.
3. Prevent External Email Delivery Entirely

For VIP mailboxes that should never receive external messages:
```
Set-Mailbox "VIP Mailbox" -RequireSenderAuthenticationEnabled $true
```
This enforces authenticated internal senders only.

No anonymous sender.
No spoofed external mail.
No leakage.

4. Apply Enhanced Anti-Impersonation

This included:
- DMARC alignment enforcement
- Anti-spoofing engines (such as ATP / Defender)
- Display name protection (“VIP Name Protection”)
- Proofpoint Impostor Protection (in environments where I managed Proofpoint)
I ensured VIP names could not be spoofed internally or externally.

5. Enable Strict Audit Logging

For VIP mailboxes:
- Every access
- Every folder action
- Every send
- Every delegate assignment
…was logged and reviewed.
```
Set-Mailbox "VIP Mailbox" -AuditEnabled $true
```
This protected the VIP and the organization.

6. Controlled Delegation

VIP mailboxes should not have multiple delegates or dynamic permission assignments.

Only essential individuals were allowed:
- Executive assistants
- Chiefs of staff
- Security-approved personnel
Least privilege.
Zero trust.
No exceptions.

7. Role-Based Access Control (RBAC) For Admins

Even administrators require controlled boundaries.

I created RBAC roles to ensure:
- Only specific admins could view or manage VIP mailboxes
- No accidental changes
- No unauthorized mailbox access
This is premium-level Exchange governance.

The Result

By combining:
- Hidden GAL entries
- Sender allow-lists
- External blocking
- Anti-impersonation intelligence
- Transport rules
- Controlled delegation
- RBAC
- Audit trails
…I built a VIP Exchange Protection Framework that:
- Reduced risk
- Eliminated unwanted emails
- Protected sensitive correspondence
- Honored the mission of the organization
- Allowed leaders to focus on their responsibilities
- Created a safer communication ecosystem
This experience became one of the defining technical and spiritual stewardship assignments of my career.

Final Reflection

Protecting VIP mailboxes goes beyond technology — it’s stewardship, trust, and responsibility.

When you guard a mailbox, you are guarding:
- time,
- focus,
- privacy,
- and the ability of leaders to do their work without distraction.
Implementing this model taught me:

Security is an act of service — not just configuration.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 22, 2025
Email Spoofing Explained: How Attackers Do It and How DMARC Blocks Them
Introduction

Email is built on trust — and the original SMTP protocol (from 1982) was never designed with modern threat actors in mind. Attackers now exploit loose RFC rules, misconfigured servers, and public DNS to spoof legitimate senders and bypass basic filtering.

This blog explains how spoofing actually works, why SPF/DKIM alone are not enough, and why DMARC alignment + Proofpoint is essential for stopping real-world business email compromise (BEC) attacks.

1. Email Spoofing 101 — Why SMTP Allows It

SMTP does not validate who the sender truly is.
An attacker can control:

a) The SMTP Envelope (“MAIL FROM”)

Used for return-path, bounce messages, and SPF checks.

b) The Email Header (“From:”)

What the human sees in Outlook, Gmail, iPhone Mail.

Both can be forged.
That means an attacker can send:
```
MAIL FROM: <[email protected]>
From: Jane Doe <[email protected]>
```
…even though they do not own that domain.

2. Step-by-Step: How Attackers Use SMTP to Forge Email

(Everything below uses neutral demonstration domains to avoid referencing any real organization.)
```
S: 220 mail.fake-sender.net SMTP Ready
C: HELO mail.fake-sender.net
S: 250 Hello
C: MAIL FROM:<[email protected]>
S: 250 OK
C: RCPT TO:<[email protected]>
S: 250 Accepted
C: DATA
S: 354 Start mail input
C: Subject: Urgent – Please Review
C: From: [email protected]
C: To: [email protected]

Hi Bob,
Please review this document:
https://malicious-link-example.net/file

Thanks,
Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Goodbye
```
Important:
This is exactly how attackers craft spoofed email — the same RFC-compliant commands a normal email client uses.

3. How Attackers “Harvest” SPF and DKIM Using DNS

Attackers don’t guess your DNS settings.
They simply query them publicly, like anyone else on the internet.

Example: Retrieving DKIM Keys
```
nslookup -type=txt selector1._domainkey.victim-of-spoofing.com
```
This returns the DKIM public key, which attackers use to craft more believable spoofing attempts (not to break DKIM, but to mimic structure).

Example: Retrieving SPF Records
```
nslookup -type=txt victim-of-spoofing.com
```
Result:
```
"v=spf1 include:_spf.example-email.net -all"
```
Attackers now know:
- what legitimate sending systems you use
- how strict your SPF policy is
- which vendors to impersonate
SPF & DKIM are public, and attackers rely on that.

4. Why SPF and DKIM Alone Are Not Enough

SPF checks the envelope (MAIL FROM).
DKIM checks the message integrity.

But both fail in these common scenarios:

SPF Fails When:
- A scammer spoofs only the header From
- Email is forwarded
- Attackers use free SMTP servers with permissive policies
DKIM Fails When:
- Sender uses a domain with no DKIM at all
- Attackers spoof domains they do own
- Emails pass through weak relays
This is why companies get spoofed even with “perfect” SPF/DKIM.

5. DMARC Alignment — The Real Line of Defense

DMARC requires:

✔ SPF Alignment

Envelope domain must match header From domain.

✔ DKIM Alignment

DKIM signature domain must match the header From.

If neither aligns, DMARC instructs receivers to:
- none — monitor only
- quarantine — send to spam
- reject — block outright
Reject is where spoofing finally dies.

6. Two Ways Attackers Deliver Spoofed Email

This is critical for interview-level mastery:

1️⃣ Using Their Own SMTP Server

Attackers set up a server where:
- they control all DNS
- they can configure any RFC behavior
- they can impersonate any domain
This allows highly believable spoofing.

2️⃣ Using Vulnerable Third-Party SMTP Servers

Attackers often search for:
- misconfigured mail relays
- open SMTP relays
- free spoofing services
Both methods work unless DMARC reject + Proofpoint is in place.

7. Why Proofpoint Completes the Protection

Even with DMARC reject, attackers still spoof:
- VIP names (“Display Name Spoofing”)
- Lookalike domains (e.g., companny-secure.com)
- Legitimate cloud providers that DMARC trusts
- OAuth-compromised accounts (EAC)
Proofpoint adds:
- Identity threat intelligence
- Imposter protection (BEC Defense)
- Lookalike domain analysis
- Behavioral anomaly detection
- URL rewriting + sandboxing
- Real-time classification
Without Proofpoint, DMARC is only half of the defense.

Conclusion

Attackers rely on the weaknesses of SMTP’s original design, public DNS records, and domains they control. That’s why spoofing is still one of the most common and dangerous forms of cyberattack worldwide.

The only way to fully protect executives, employees, and customers is:

✔ SPF
✔ DKIM
✔ DMARC (reject)
✔ PLUS Proofpoint’s identity + behavioral controls

This is the combination that stops real-world BEC/EAC attacks.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 22, 2025
How BEC (Business Email Compromise) and EAC (Email Account Compromise) Work, and How Proofpoint + EAC Controls Stop Them
Introduction

BEC (Business Email Compromise) and EAC (Email Account Compromise) are the two most financially damaging email-based attacks today.
They bypass traditional spam filters, they target humans—not firewalls—and they abuse trust instead of malware.

Microsoft 365 alone cannot fully protect against these attacks.
That’s why organizations use Proofpoint, DMARC alignment, and strict authentication controls—to verify identity, stop impostors, and prevent fraudulent requests from reaching inboxes.

This blog explains:
- How BEC works
- How EAC happens
- What attackers exploit
- Why RFC email standards make impersonation easy
- How Proofpoint + EAC controls shut these attacks down
Perfect material for any advanced interview panel.

What Is Business Email Compromise (BEC)?

BEC is when attackers pretend to be:
- your CEO,
- your CFO,
- your HR director,
- a vendor,
- or someone with financial authority
…with the goal of manipulating employees into:
- wiring money
- changing direct deposit info
- sending W-2s
- releasing confidential documents
- approving purchases
🔸 The key point:

BEC uses identity deception, not malware.
No attachments.
No links.
Just social engineering in a clean email.

How BEC Works (Step-By-Step)

1. Reconnaissance

Attackers scrape:
- LinkedIn
- Company directory leaks
- Press releases
- Vendor invoices
- Social media
They map who communicates with whom.

2. Identity Impersonation

They spoof:
- Display names
- Envelope sender
- Reply-To address
- SPF-valid lookalike domains
Example:
[email protected] →
[email protected]

3. Thread Hijacking

They do this by compromising a vendor mailbox and replying inside an existing email chain.

4. Social Engineering

The attacker sends a “clean” request:
- “Are you available?”
- “I need this wire sent ASAP.”
- “Can you update this banking information?”
5. Financial Fraud

Once the attacker has the employee’s trust — the money is gone.

What Is Email Account Compromise (EAC)?

EAC is when the attacker actually logs in to a real mailbox.

Not spoofing.
Not faking.
Real access.

How they gain access:
- MFA fatigue
- Password reuse
- Legacy protocol with no MFA
- OAuth token theft
- Malware stealing credentials
- Phishing pages identical to Microsoft login
Once inside, attackers:
- Set up hidden forwarding rules
- Delete MFA alerts
- Change mailbox rules
- Hijack vendor threads
- Sit silently and wait for financial conversations
EAC is dangerous because the attacker uses your real domain, your real mailbox reputation, your real account.

This is why simply having SPF, DKIM, and DMARC does not stop EAC.

Why Proofpoint Is Needed (Beyond RFC Email Standards)

RFC email standards allow spoofing by design.

Attackers can:
- abuse SMTP commands
- spoof the “MAIL FROM”
- spoof the “From:” header
- use free SMTP servers
- harvest SPF/DKIM values via nslookup
- build near-perfect domain clones
Example:
```
nslookup -type=txt _dmarc.victim-domain.com
nslookup -type=txt selector._domainkey.victim-domain.com
```
Attackers see your exact SPF/DKIM configuration.
They spoof accordingly.

This is why relying on RFC standards alone is not enough.

How Proofpoint Stops BEC and EAC

1. Identity Protection

Proofpoint checks:
- display name anomalies
- domain lookalikes
- impossible travel
- VIP impersonation attempts
- internal vs external identity mapping
- “Reply-To mismatch”
- “Header vs Envelope mismatch”
Microsoft EOP can do part of this,
Proofpoint does it with far more accuracy.

2. Vendor Fraud Protection

Proofpoint fingerprints:
- vendor sending behavior
- previous conversation style
- writing style
- IP reputation
If a vendor mailbox is compromised, Proofpoint detects the “change in sending personality.”

This is one of the strongest EAC protections in the industry.

3. DMARC Enforcement + Lookalike Domain Defense

Proofpoint enforces:
- Domain alignment
- Display name behavior
- Header-from authentication
- Cross-identity matching
Lookalike domains” examples (generic only):
- company-secure.com
- companny.com
- c0mpany-support.com
- company-mailservice.com
These would pass traditional email filters.

4. URL and Payload Isolation

Even if links look clean, Proofpoint re-writes and detonates them.

Although BEC rarely has links, EAC-based phishing almost always does.

5. Machine Learning on Human Behavior

Proofpoint analyzes:
- who talks to whom
- frequency
- direction
- urgency phrases
- tone manipulation
If the CEO normally never emails accounting at 10:30 PM on a Friday — the message gets flagged.

Real-World Example (Anonymized)

A vendor’s mailbox was compromised.
The attacker replied inside an existing thread asking to update bank account numbers.

Microsoft EOP didn’t block it — it came from a legitimate vendor domain.

Proofpoint flagged:
- anomalous IP
- unusual writing style
- “conversation thread hijacking detected”
- vendor identity risk score
Proofpoint blocked the message before it reached the user’s mailbox.

This is exactly why companies invest in Proofpoint.

Conclusion

BEC and EAC are no longer “IT problems.”
They are financial crimes, costing billions worldwide.

Microsoft 365 gives strong baseline protection,
but attackers today use identity manipulation, social engineering, and thread hijacking that bypass traditional signals.

Proofpoint closes those gaps with:
- identity defense
- behavioral AI
- vendor fraud detection
- DMARC enforcement
- mailbox compromise detection
- impersonation protection
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 22, 2025
Exchange Online Throttling Policies: Why They Exist, When to Modify Them, and How to Justify Changes
Introduction

Exchange Online throttling policies exist for one core reason — to keep the Microsoft 365 ecosystem healthy, stable, and resistant to abuse.
Throttling protects the service from:
- Excessive load
- Misconfigured applications
- Compromised accounts sending thousands of emails
- Bulk operations that can degrade tenant performance
It’s not a punishment.
It’s Microsoft’s way of guaranteeing fairness across millions of tenants.

But in real production environments — especially at the enterprise, hybrid, or application-integration level — default throttling limits can sometimes block legitimate business-critical operations.
And when that happens, you must know:
1. Why throttling exists
2. How to detect throttling
3. When it’s justified to modify limits
4. How to request changes with Microsoft support
This is one of the topics principal-level interviewers love because it shows deep operational understanding.

Why Throttling Exists in Exchange Online

Microsoft enforces throttling to prevent:

1. Service Abuse

A single compromised account can send 10,000+ spam emails within minutes.
Throttling slows these bursts so EOP can react and block the session.

2. Tenant Misconfigurations

Common misconfigurations that trigger throttling:
- Line-of-business apps sending too many messages too quickly
- Applications reusing connections improperly
- Legacy services using Basic Auth patterns
- Scripts or PowerShell modules pulling data too fast
3. System Stability

If every tenant could push unlimited requests, the shared service collapses.
Throttling ensures:
- CPU fairness
- Bandwidth fairness
- Queue stability
- Storage and transport efficiency
How to Detect Throttling Events

You will usually see:

📌 Error Examples
- Server Busy
- Backoff due to throttling policy
- TooManyConcurrentConnections
- Exceeded message submission rate limit
- SendAsDenied triggered by backlog saturation
📌 Where You See These
- Exchange message trace
- Transport logs
- Application logs
- SMTP client logs
- EOP reports
- PowerShell scripts returning "ProcessingStopped"
📌 Behavioral Symptoms
- Messages stuck in Outbox
- Applications retrying endlessly
- High SMTP queue latency
- Inconsistent delivery within seconds-to-minutes range
When It Is Appropriate to Modify Exchange Online Throttling

This is key.
You never change throttling “because someone wants faster emails.”
You change throttling for business justification only, such as:

1. Application Mailbox Accounts

These accounts often need higher:
- MaxSendRate
- RecipientRateLimit
- MessageRateLimit
Examples:
- ERP systems
- CRM systems
- Manufacturing systems (Backflush, MES, D365)
- Monitoring systems
- Ticketing systems (ServiceNow, Jira, Zendesk)
2. Hybrid Exchange Servers

Hybrid servers may require adjusted:
- PowerShell concurrency
- EWS limits
- MRS (Mailbox Replication Service) migration speeds
Especially during:
- Large cutovers
- Fast-track migrations
- Bulk mailbox moves
3. Automated Services Needing High Burst Throughput

Scenarios where default throttling causes issues:
- Finance systems sending thousands of statements
- HR systems sending open enrollment packets
- Email marketing systems using authenticated SMTP
- Daily reporting engines generating PDFs for hundreds of users
How to Justify Throttling Changes to Microsoft Support

This is where senior-level experience shows.

Microsoft will not modify throttling unless you prove:

1. Operational Need

Explain what system is being blocked.

2. Business Impact

Show examples:
- Delayed invoices
- Delayed purchase orders
- Delayed system alerts
- Delayed manufacturing workflows
3. Technical Evidence

Provide logs showing:
- Backoff errors
- Submission rate failures
- EWS throttling hits
- Application retry loops
4. Confirmation That It’s Not Spam

Show the account is app credentialed, not user-driven.

5. You Have Already Tuned the Application

Microsoft wants evidence that:
- Retry logic exists
- Connection reuse is efficient
- Burst sending is controlled
If justified, Microsoft raises throttling for:

Specific service accounts only
(Never the whole tenant.)

They may change:
- Recipient rate limits
- Message burst limits
- EWS or Graph concurrency
- PowerShell session limits
Common Interview Question: “Why Not Remove Throttling Entirely?”

Perfect answer:

“Because throttling is part of Microsoft’s multi-tenant stability and security model.
Without it, one tenant’s misconfiguration or compromised account could degrade the entire service.
Changes should be scoped, justified, temporary, and monitored.”

PowerShell: Checking Throttling Policy Assigned to a Mailbox

Get-ThrottlingPolicyAssociation -Identity [email protected]

PowerShell: View Existing Throttling Policies

Get-ThrottlingPolicy | fl Name,MessageRateLimit,RecipientRateLimit

PowerShell: Create a Dedicated Policy for an App Mailbox

Set-ThrottlingPolicyAssociation -Identity [email protected] -ThrottlingPolicy AppMailboxPolicy

Conclusion

Throttling is not the enemy.
It’s a guardrail.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 22, 2025
Why RFC Email Standards Are Not Enough: A Real Look at Modern Email Security
🛡 How Email Spoofing REALLY Works (With a Safer Example)

Even though RFC standards gave us SPF, DKIM, and DMARC, the core SMTP protocol is still trust-based. That means attackers can abuse the protocol whenever a mail server is misconfigured or doesn’t enforce authentication.

SMTP actually has two places where the “sender” can be declared:
1. MAIL FROM (SMTP envelope)
2. From: (message header inside DATA)
Both of these can be forged.

Here is a safe, fictional example showing what a spoofing attack looks like when the attacker controls their own SMTP server. NONE of this uses real domains or copyrighted examples.

Example: Attacker Spoofing a CEO Email (Fictional Domain)

S: 220 mail.hacker-smtp.test Ready
C: HELO mail.hacker-smtp.test
S: 250 Hello
C: MAIL FROM:[email protected]
S: 250 Ok
C: RCPT TO:[email protected]
S: 250 Accepted
C: DATA
S: 354 End data with .
C: Subject: Immediate Action Required
C: From: [email protected]
C: To: [email protected]
C:
C: Hi Bob,
C: Please review this file urgently:
C: https://malicious-link.test
C:
C: Thanks,
C: Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Closing connection

What happened here?
- The attacker never touched the real domain’s server.
- No SPF, DKIM, or DMARC was involved.
- They simply declared themselves as [email protected].
- The receiving system, if unprotected, trusts the SMTP envelope + header.
This is why:
- Email security must be enforced on the RECEIVING side.
- SPF/DKIM/DMARC without an email security gateway (ProofPoint, Barracuda, Cisco, etc.) is NOT enough.
🛡 Why SPF and DKIM Alone Can Be Faked

Attackers don’t guess your DNS records—
They retrieve them using public DNS queries.

Example: How Hackers Pull Your DKIM Public Key

nslookup -type=txt selector1._domainkey.yourdomain.com

Example: How Hackers Retrieve Your SPF Policy

nslookup -type=txt yourdomain.com

Your actual records are public by design.

Attackers do not break DKIM or SPF—
they simply copy what’s public and send email from a server you do not control.

This leads to the two main spoofing paths:

Two Ways Attackers Deliver Spoofed Email

1. Using Their Own SMTP Server
- Full control
- Can impersonate envelope sender and header
- Can ignore security standards
- Can replay your SPF/DKIM values
- Can build reputation over time
2. Using Someone Else’s SMTP Server
- Open relay servers
- Misconfigured mail servers
- Free public spoofing tools (many exist)
- Requires no authentication
- Still bypasses SPF/DKIM because enforcement happens at the receiver
🧩 Why You STILL Need ProofPoint or an SEG
- RFC standards are voluntary
- SPF/DKIM/DMARC are not enforcement engines
- They only give a pass/fail signal
- Your mail flow only becomes safe when paired with:
1. ProofPoint BEC + EAC protection
2. Malicious payload scanning
3. Impostor Detection™
4. Header anomaly detection
5. Authentication-layer reputation scoring
6. Threat intelligence for known bad SMTP sources
No SPF/DKIM/DMARC setting—no matter how perfect—
can stop a spoof that comes from an SMTP server across the world.

Only a receiving enforcement engine can.

Over the years I have worked with high end filtering solutions in multiple large enterprise environments. The dashboards have changed but their purpose has stayed the same.

Their goal is to strengthen the RFC standards that are not strong enough on their own.

Here are the RFCs that define the foundation of email authentication:
- SPF — RFC 7208
- DKIM — RFC 6376
- DMARC — RFC 7489
These standards are important but incomplete. Even with perfect configuration you can still get spoofing attempts, executive impersonation, phishing, and vendor fraud. The RFC by itself cannot stop the modern threat landscape.

Below is a clear breakdown of why.

Defense Wins Championships and Email Security Works the Same Way

In basketball you cannot win with offense alone. You win when you have strong defense and efficient offense working together.

Email follows the same pattern.

SPF is offense
DKIM is offense
DMARC is offense

They validate. They authenticate. They enforce the rule book.

But attackers do not care about the rule book.
They bypass these RFC standards every day.

This is why you need a real defense layer.

This is where filtering tools like Proofpoint or Barracuda add the protection the protocols cannot provide.

Why SPF, DKIM, and DMARC Are Not Enough

Even when perfectly configured these protocols only protect part of the message.

SPF

Checks the MAIL FROM envelope.
Attackers spoof the visible Header From instead.

DKIM

Signs the headers.
Attackers send unsigned mail from lookalike domains.

DMARC

Requires alignment.
Attackers bypass alignment through friendly name tricks and unicode abuse.

This is why even major companies with mature security still deal with spoofing.

The RFCs do not cover every modern attack vector.

What Third Party Filtering Tools Actually Do

Filtering solutions provide the defense layer that SPF, DKIM, and DMARC cannot offer.

They detect:
- impersonation
- behavior anomalies
- malicious intent
- lookalike domains
- CEO fraud
- malicious URLs
- dangerous attachments
- unknown senders
- unusual source locations
- suspicious API behavior
- threat reputation changes
They analyze behavior rather than relying only on protocol alignment.

Without this layer your domain becomes an easy target.

What Happens When Security Is Too Tight

When filters are over configured these are the problems you will see:
- executive emails going to junk
- vendors trapped in quarantine
- delayed messages
- business interruptions
- unhappy management
- slow communication
- loss of confidence in IT
Security must be layered not suffocating.

The Five Layers of Modern Email Security

This approach is what works in every large enterprise environment.

1. User Training

Teach users how spoofing works.
Show them friendly name manipulation.
Awareness reduces risk.

2. Proper Microsoft 365 Configuration

Connectors. Accepted domains. Transport rules.
Everything must be configured correctly.

3. SPF, DKIM, and DMARC

The RFC standards still matter.
Alignment must be correct.

4. Third Party Filtering Solutions

Proofpoint. Barracuda. Mimecast.
They provide what the RFC cannot.

5. APM Monitoring

Dynatrace. Splunk. AppDynamics.
These tools detect environmental issues that affect mail flow.

APM identifies:
- abnormal MAIL FROM attempts
- spikes in DKIM failures
- SMTP conversation problems
- delays before Proofpoint
- anomalies at the DNS level
This gives early warning before a threat becomes a major issue.

Final Thought

Email is the number one attack surface in every company.
The truth is simple.

You get what you pay for.

If you go cheap your domain becomes a soft target.
You will deal with spoofing
You will deal with ransomware
You will deal with compromised accounts
You will deal with vendor fraud

If you invest in complete layered defense your organization becomes a bad target.

This is how modern email security works today.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 21, 2025
MIT8 – Divine Love – President Russell M. Nelson
Where the sun breaks through, grace follows. Even in heavy days, God still sends light

Excerpt

Divine love is perfect and infinite—but never detached from law, covenant, or personal responsibility. President Nelson teaches that God’s love lifts us, but it also leads us.

Intro

There are many ideas in the world about love—“unconditional love,” “love accepts everything,” “love is all that matters.” But President Russell M. Nelson gently corrects this. Divine love is deeper, higher, and holier than the world’s definition. It is love that lifts, but also directs. Love that embraces, but also invites repentance, covenant keeping, and discipleship.

Notes From the Speaker

President Nelson teaches:
- Divine love is perfect—complete and free of selfishness.
- Divine love is infinite—extending to all who ever lived or will live.
- Divine love is enduring—God keeps covenant and mercy “to a thousand generations.”
- Divine love is universal—He sends rain on the just and unjust, and invites all to come unto Him.
But he also clarifies something rarely discussed:

“While divine love can be called perfect, infinite, enduring, and universal, it cannot correctly be characterized as unconditional.”

Not unconditional—in the worldly sense.

Divine love includes law.
Divine love invites us to rise.
Divine love calls us home through covenant.

Perspective (Direct Quotes)

“God so loved the world, that he gave his only begotten Son.”

“The Lord keepeth covenant and mercy with them that love him and keep his commandments.”

“He denieth none that come unto him.”

Divine love is not passive.
It moves.
It sacrifices.
It teaches.
It commands.

And it changes us.

Practice (Today, Not Someday)
- Love God by keeping commandments.
- Love others in ways that lift them toward Christ, not just toward comfort.
- Pray with real intent, trusting that His love is shaping you—not indulging you.
- Stand firm when the world pushes to redefine love into permission.
- Anchor your identity in God’s love, not the world’s applause.
Final Reflection

Divine love is not a soft pillow—it is a guiding compass.
It doesn’t remove the need for obedience; it empowers it.
It doesn’t eliminate consequences; it helps us grow through them.
It does not excuse sin; it rescues us from sin.

President Nelson’s message reminds me that God’s love is best understood not when everything feels easy, but when we recognize that His love shapes us into something greater than we could ever create alone.

Pocket I’m Keeping

God’s love is infinite, but His blessings are predicated on my willingness to keep commandments and walk the covenant path. His love always points me toward the next step.

What I Hear Now (Direct Quotes)

“Divine love cannot be correctly characterized as unconditional.”

“He inviteth all to come unto him.”

“The Father and the Son are one—in purpose and love.”

Link to the Talk

Divine Love — Russell M. Nelson (2003)
November 19, 2025
MIT8 – Love and Law – President Dallin H. Oaks
Balanced Rock, Arches National Park — a place where the wind is strong, the foundation is narrow, and the rock stands only because the base holds firm. A reminder that in discipleship, love and law work the same way.

Excerpt

We cannot choose one and ignore the other. In the Lord’s plan, love and law stand together. They do not compete. They complete each other.

Intro — Where the Path Narrows, the Balance Appears

The walk toward Balanced Rock reminded me that the gospel path often asks us to hold two eternal truths at the same time. Love on one side. Law on the other. And somewhere in the middle is the place where disciples learn to stand steady. President Oaks teaches that real discipleship is not one-sided. It is “loving” and “lawful” at the same time.

As I stood in front of that massive rock balanced on a narrow pedestal, I felt it — the weight, the tension, and the steadiness that only God can create. The same steadiness He tries to build within us.

Notes From President Oaks
- God’s love is perfect, eternal, and unchanging.
- But His love does not override His laws.
- Salvation comes through the Atonement, but exaltation comes through obedience.
- True love never asks us to ignore commandments.
- Real charity is anchored in truth, not permissiveness.
- “The love of God does not supersede His laws and His commandments.”
Perspective — The Rock and the Law

We often hear the world say, “Love is all that matters.”
But President Oaks reminds us that love without law becomes drift, and law without love becomes harshness.

Balanced Rock became a symbol of that message for me.
The top looks impossible, almost defying gravity. Yet it stands. Why? Because the foundation beneath it holds firm.

Love lifts.
Law steadies.
And together, they create a foundation strong enough for eternity.

Sometimes we want everything to be easy. Sometimes we want the Lord to remove the tension. But President Oaks teaches that growth happens in that tension — the balancing, the choosing, the returning, the trying again.

Practice (Today, Not Someday)
- When I feel pulled by emotion, I anchor myself in the commandments.
- When I feel weighed down by commandments, I remind myself of God’s love.
- When someone hurts me, I choose charity instead of judgment.
- When life feels unsteady, I remember that balance is part of discipleship.
  Today, I practice holding both — loving deeply while obeying faithfully.
Final Reflection

The Lord’s path is not a straight line. It is a balance.
Not the balance the world teaches, but the balance the Lord shapes within us — a heart full of charity and a life aligned with His laws.

Standing there under Balanced Rock, I remembered something simple and quiet:
Discipleship isn’t about choosing between love and law. It’s about learning to walk with both.

Pocket I’m Keeping

“When we understand both love and law, we grow closer to the Savior whose life embodied both perfectly.”

What I Hear Now (Direct Quotes)
- “The love of God does not supersede His laws.”
- “Because of His love, He cannot change the commandments.”
- “Real love for the Lord is shown through obedience.”
- “The gospel is a message of love, but it is also a message of law.”
Link to the Talk

https://www.churchofjesuschrist.org/study/general-conference/2009/10/love-and-law

Photo Caption (BTS)

Balanced Rock, Arches National Park. A place where the wind is strong, the foundation is narrow, and the rock stands only because its base holds firm. A reminder that in discipleship, love and law work the same way.
November 18, 2025
MIT8 – If It’s to Be, It’s Up to Me — and God’s Timing
Milky Way rising behind Delicate Arch in Moab, Utah, photographed by Jet Mariano. A visual reminder of faith, effort, and timing.

Excerpt
If it’s to be, it’s up to me — but only when my feet move in faith and God’s timing directs the path. Today, through hymns, impressions, and a memory of Delicate Arch under the Milky Way, I was reminded that blessings unfold when effort meets revelation.

Intro: The Path Is Action + Timing
This morning I woke up peacefully with a single impression:
“If it’s to be, it’s up to me.”

That sentence framed my entire Sabbath. Each hymn, each thought, each scripture, even the Sunday School lesson seemed orchestrated around one doctrine I’ve lived for decades:

Faith is a principle of action — but blessings come in God’s timing.

I’ve worked since I was 12 years old and didn’t enter the IT world until age 37. Nothing was wasted. Every phase prepared me for the next. Today reminded me again: God’s plan is not passive, but it’s not instant either. It is effort + grace. Movement + revelation. Timing + trust.

Notes From Elder Dale G. Renlund
Elder Renlund teaches in Abound with Blessings:

“Most blessings that God desires to give us require action on our part—action based on our faith in Jesus Christ. Faith in the Savior is a principle of action and of power.”

He adds:

“Faith in Christ requires ongoing action for the blaze to continue. Small actions fuel our ability to walk along the covenant path… But oxygen flows only if we figuratively keep moving our feet.”

His examples are profound:
- Make the bow before the revelation comes
- Build the tools before the instructions arrive
- Bake the cake before the miracle of flour appears
Faith requires movement.
But miracles require God’s timing.

Perspective — Elder Christofferson’s Vending Machine Warning
Elder D. Todd Christofferson adds the perfect balance:

“We ought not to think of God’s plan as a cosmic vending machine where we (1) select a desired blessing, (2) insert the required sum of good works, and (3) the order is promptly delivered.”

It does not work that way.

Blessings are not:
- purchased,
- demanded,
- or dispensed on schedule.
As I wrote in last night’s Predicated blog:

“Blessings from heaven are neither earned by frenetically accruing ‘good deed coupons’ nor by helplessly waiting to see if we win the blessing lottery. No.”

True faith is not transactional — it is transformational.

Practice (Today, Not Someday): The Delicate Arch Lesson
My photograph of the Milky Way rising behind Delicate Arch is a visual sermon about faith and action.

The hike is 3 miles round trip, with over 600 feet of elevation climb. During summer, the Milky Way rises behind the arch for only a brief window. If I waited for perfect conditions or perfect timing, I would miss it.

So I climbed early.
Walked in the dark.
Prepared my gear.
Positioned myself.
And waited for heaven to align.

Only then did the Milky Way rise — after I moved my feet.

Some blessings don’t appear until we climb.
Some revelation doesn’t rise until we prepare.
Some miracles don’t unfold until we act in faith.

That hike is my life:
from working at 12,
to breakthroughs at 37,
to every step since.
Effort + timing.
Action + grace.
Faith + patience.

Final Reflection
“If it’s to be, it’s up to me” is not self-reliance without God.
It’s my action combined with His timing.
My discipline combined with His direction.
My relentless faith combined with His perfect plan.

Today reminded me that the Lord isn’t a vending machine dispensing blessings on demand. He’s a Father who blesses according to eternal purpose. Sometimes He asks me to climb in the dark. Sometimes He asks me to wait. But He always keeps His promises.

Pocket I’m Keeping
Move my feet — and trust His timing.
Climb faithfully — and let Him reveal the Milky Way.

What I Hear Now (Direct Quotes)
“Faith in the Savior is a principle of action and of power.” — Elder Renlund
“Blessings require movement — oxygen flows only if you keep your feet moving.”
“God is not a cosmic vending machine.” — Elder Christofferson
“Make the bow before the revelation comes.”

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 16, 2025
Marked in Time — “Pedicated”

The scripture that framed my entire night:

“There is a law, irrevocably decreed in heaven before the foundations of this world, upon which all blessings are predicated—
And when we obtain any blessing from God, it is by obedience to that law upon which it is predicated.”(D&C 130:20-21)

Salt Lake Temple • Long Exposure • f/11 • ISO 64 • 15s • 14–24mm on a spider tripod
A night when stillness spoke louder than motion.

Excerpt

Blessings are predicated on law — but not in the way a vending machine dispenses what we demand. They arrive through becoming, trusting, and walking with God in His timing.

Intro

The word predicated has been echoing in my mind since my time in the temple today. It comes from Doctrine and Covenants 130, where the Lord teaches that every blessing is tied to a law. Not earned, not purchased, not demanded — but predicated. As I reflected on the week’s experiences, the people I’ve tried to help, and my own quiet questions, this truth settled deeply: God’s timing shapes God’s blessings.

Notes from the Temple & Talks

As I sat with the scriptures open, the Spirit reminded me that obedience is not a transaction but a relationship. Elder Dale G. Renlund explains:

“Blessings from heaven are neither earned by frenetically accruing ‘good deed coupons’ nor by helplessly waiting to see if we win the blessing lottery.… Blessings are never earned, but faith-inspired actions on our part, both initial and ongoing, are essential.”

Those words matched what I’ve lived this week — acting where I can, helping who I can, trusting that small efforts still move heaven’s work forward.

Elder D. Todd Christofferson warns against the temptation to expect blessings on our timeline:

“Some misunderstand the promises of God to mean that obedience to Him yields specific outcomes on a fixed schedule.… We ought not to think of God’s plan as a cosmic vending machine… where the order is promptly delivered.”

This is not how God works — and yet, He always works.

Perspective (Direct Quotes)

D&C 130:20–21 teaches:
“There is a law, irrevocably decreed in heaven before the foundations of this world, upon which all blessings are predicated… And when we obtain any blessing from God, it is by obedience to that law upon which it is predicated.”

Elder Renlund adds:
“The truth is much more nuanced but more appropriate for the relationship between a loving Heavenly Father and His potential heirs.”

Elder Christofferson clarifies:
“…not every blessing predicated on obedience to law is shaped, designed, and timed according to our expectations.”

Practice (Today, Not Someday)

Today I will trust the process.
I will obey not to earn, but to become.
I will keep acting in faith, helping where I can, and letting the Lord handle the timing of what I cannot control.
I will let small acts of discipleship be enough — because they are.

Final Reflection

Elder Christofferson offers a truth that speaks to moments of uncertainty, impatience, or pleading:

“So, in the midst of this refiner’s fire, rather than get angry with God, get close to God. Call upon the Father in the name of the Son. Walk with Them in the Spirit, day by day. Allow Them over time to manifest Their fidelity to you. Come truly to know Them and truly to know yourself. Let God prevail.”

This is the heart of predicated.
Blessings unfold as we walk with Him — not as we demand from Him.
They arrive in due time, in His way, shaped by His love and our readiness.

Pocket I’m Keeping

Obedience prepares me, trust steadies me, and God’s timing refines me.

What I Hear Now

“Let God prevail.”
“Blessings are never earned, but faith-inspired action is essential.”
“Not every blessing comes according to our expectations.”

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

November 16, 2025
Where the Light Learns to Let Go

The sky opened for a moment and the light answered back.

The wheel glowed in violet as dusk settled over Santa Monica, and a single strike of lightning cut through the horizon like a quiet reminder that beauty and power can share the same frame. Some nights arrive without warning, and all you can do is stand still and let the moment write its own story.

When the day surrendered, the sky burned one last time.

The sun dropped behind the pier like a slow farewell, turning the whole horizon into fire. The wheel stood still against it, a quiet witness to the ending of another day. Some places remind you that even the most ordinary moments can shine when the light chooses to pass through them.

When the night finally claimed the pier, the colors refused to die.

The wheel spun in its own quiet galaxy, throwing violet and blue across the water like it was painting the ocean awake. The last light of sunset slipped under the horizon, but the pier kept glowing as if to say: even when the day ends, there is still something worth staying for.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

November 14, 2025
MIT8 – “If You Can Dream It, You Can Do It”

Sleeping Beauty Castle at Night — Reflections of Patience and Light

Sleeping Beauty Castle, Disneyland — long exposure, reflection pond perfectly still under holiday lights.
© Jet Mariano bottom right

Excerpt
Dreams are born in imagination, but they come to life through patience. This photo reminds me that what seems impossible is often just waiting for stillness — the moment when faith, timing, and light all come together.

Intro
At Disneyland, I stood before Sleeping Beauty’s Castle surrounded by soft laughter, bright music, and winter lights. I had dreamed of this shot for years — the castle glowing like ice, perfectly mirrored in the reflection pond.

The challenge wasn’t the camera. It was patience. I waited for the crowd to thin and for the water to still. When the noise finally faded, I clicked the shutter. Thirty seconds of silence turned imagination into reality.

Notes from the Scene
📍 Disneyland, Anaheim, California
Tripod. Manual mode. I pointed my camera using the LCD screen toward the brightest light on the castle to achieve perfect focus. Once the image looked sharp, I turned my Nikon 14-24mm 2.8G lens from AF to M and my camera to full manual. This prevents the lens from “hunting” in the dark — a trick learned through countless nights of trial.

After years of practice, I trusted the settings: 30-second shutter, f/11, ISO 2400. The result was this reflection — not luck, but learning.

Perspective
Walt Disney once said, “If you can dream it, you can do it.”
That line carries truth beyond photography. In every art, in every calling, we are dreamers learning to wait for our moment of light.

The dreamer in us sees what could be. The doer in us practices until it becomes real. And sometimes, all we need is faith that stillness will come.

Practice
If you want to capture your dream, prepare your heart and your craft before the light arrives. Keep learning, keep refining, and when the world quiets — act.

Final Reflection
Dreams don’t come to the impatient. They come to those who wait, who watch, who trust their settings.
The castle may belong to Disneyland, but the reflection — that belongs to every dreamer who believes.

Pocket I’m Keeping
Dreams start in the heart, but patience brings them into focus. ✨

Photo Caption (BTS)
📸 Sleeping Beauty Castle, Disneyland — long exposure, reflection pond perfectly still under holiday lights.
© Jet Mariano bottom right

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.

November 12, 2025

Author: jetnmariano

Title:

Introduction

1. Installing Terraform

2. Azure Login Block

3. Creating an Azure Resource Group

4. Creating an Azure AD Group

5. Creating an App Registration + Secret

6. Conditional Access via Terraform (Yes, possible!)

7. Create an M365 Group (Unified Group)

8. Create Azure Key Vault

Conclusion

Title:

Introduction

1. Require MFA (CIS Level 1 Control)

2. Disable Legacy Authentication

3. Passwordless Authentication

4. Limit Global Admin Roles

5. Require Compliant Devices

6. Exchange Online Protections

7. Audit Logging

8. Session Control

Conclusion

Introduction

Retention Policy Basics

Example Retention Policies

1. Keep 7 Years, Then Delete

2. Keep Forever

3. Auto-Apply to Executives

Best Practices

Conclusion

Excerpt

Intro

Notes from Elder Uchtdorf

Perspective (direct quotes)

Practice — Today, Not Someday

Final Reflection

Pocket I’m Keeping

What I Hear Now (direct quotes)

1. Exchange 5.0 — The GroupWise Era & The Limits of Early Messaging

Key Characteristics

Real Tools Used

🔧 ISINTEG — Logical Database Repair

🔧 ESEUTIL — Physical Database Repair

2. Exchange 5.5 — The First True Enterprise Version

Major Improvements

3. Exchange 2000 / 2003 — Active Directory Arrives

Now Possible

Tools of the Era

4. Exchange 2007 — PowerShell Revolutionizes Email Administration

Major Innovations

Example PowerShell Operations

5. Exchange 2010 / 2013 — High Availability & Hybrid Era

Database Whitespace Management

Multi-region examples

6. On-Prem to Cloud Migrations — AWS WorkMail, Exchange 2010, Hybrid, EXO

Migration Examples

Challenges Solved by EXO

7. Exchange Online — The Modern Cloud Era

How to Rotate DKIM 2048-bit Keys

Verify in PowerShell

**8. Real-World Security Hardening in EXO

🛑 Kill Switch Transport Rule (Blocks All External Sender Impersonation)

🛑 Block-All Impersonation Rule

9. Why Exchange Online Beats Every On-Prem Version

No More:

Instead You Get:

10. Summary

Introduction

Section 1 — What DKIM Actually Does

1️⃣ DKIM Selector (s=)

2️⃣ DKIM Domain (d=)

3️⃣ Public Key (Published in DNS)

4️⃣ Private Key (kept hidden on the mail server)

Section 2 — Why Private Keys Must Be 2048-bit Minimum

Section 3 — Why You Must Rotate DKIM Keys Regularly

Section 4 — How an Attacker Exploits DKIM

Section 5 — Why DKIM Matters

Conclusion

Introduction