Category: Uncategorized

  • Where the Light Learns to Let Go

    The sky opened for a moment and the light answered back.

    The wheel glowed in violet as dusk settled over Santa Monica, and a single strike of lightning cut through the horizon like a quiet reminder that beauty and power can share the same frame. Some nights arrive without warning, and all you can do is stand still and let the moment write its own story.

    When the day surrendered, the sky burned one last time.

    The sun dropped behind the pier like a slow farewell, turning the whole horizon into fire. The wheel stood still against it, a quiet witness to the ending of another day. Some places remind you that even the most ordinary moments can shine when the light chooses to pass through them.

    When the night finally claimed the pier, the colors refused to die.

    The wheel spun in its own quiet galaxy, throwing violet and blue across the water like it was painting the ocean awake. The last light of sunset slipped under the horizon, but the pier kept glowing as if to say: even when the day ends, there is still something worth staying for.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • How We Contained a Mail Spoofing Incident in Microsoft 365 (with Scripts)

    What happened

We saw spoofed messages and rogue auto-forward rules spreading from a few mailboxes. The root cause appeared to be malicious mailbox rules combined with legacy SMTP AUTH exposure on those accounts, not a server breach.

    What we did (playbook)

    1. Containment (no downtime): remove mailbox forwarding, delete suspicious inbox rules, and disable SMTP AUTH per mailbox (modern Outlook/OWA unaffected).
    2. Tenant guardrail: block external auto-forward on the default remote domain.
    3. After-hours cleanup: revoke sessions, reset passwords (force change), review/remove any unwanted OAuth grants.
    4. Hardening: enforce MFA/Conditional Access and disable org-wide SMTP AUTH only if not needed by devices.
    5. Verification: run a quick status report across affected users.
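Steps 1 and 2 of the playbook as a single runnable script. This is an added example, not code from the linked repo: it uses the real ExchangeOnlineManagement cmdlets and parameters (Set-Mailbox, Get-InboxRule, Remove-InboxRule, Set-CASMailbox, Set-RemoteDomain), but the rule-matching logic, the hypothetical `-DryRun` switch and the `containment-findings.csv` output name are this example's own choices, and it assumes a `users.csv` with a `UserPrincipalName` header.

```powershell
# Added example: per-mailbox containment plus tenant auto-forward guardrail.
# Assumes ExchangeOnlineManagement is installed and users.csv has header UserPrincipalName.
param(
    [string]$UserCsv   = '.\users.csv',
    [string]$OutputDir = '.\',
    [switch]$DryRun    # hypothetical safety toggle: record findings, change nothing
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$users    = Import-Csv $UserCsv | Select-Object -ExpandProperty UserPrincipalName
$findings = [System.Collections.Generic.List[object]]::new()

foreach ($upn in $users) {
    # 1a. Forwarding configured on the mailbox object itself
    $mbx = Get-Mailbox -Identity $upn -ErrorAction Stop
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            User = $upn; Type = 'MailboxForwarding'
            Detail = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        })
        if (-not $DryRun) {
            Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null `
                -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # 1b. Inbox rules that forward/redirect mail or silently delete it
    #     (the persistence pattern seen in this incident)
    foreach ($r in (Get-InboxRule -Mailbox $upn)) {
        $suspicious = $r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage
        if ($suspicious) {
            $findings.Add([pscustomobject]@{
                User = $upn; Type = 'InboxRule'
                Detail = "$($r.Name): fwd=$($r.ForwardTo) redir=$($r.RedirectTo) delete=$($r.DeleteMessage)"
            })
            if (-not $DryRun) {
                Remove-InboxRule -Mailbox $upn -Identity $r.Identity -Confirm:$false
            }
        }
    }

    # 1c. Disable legacy SMTP AUTH for this mailbox only; Outlook/OWA use modern auth and keep working
    if (-not $DryRun) {
        Set-CASMailbox -Identity $upn -SmtpClientAuthenticationDisabled $true
    }
}

# 2. Tenant guardrail: stop auto-forwarding to external recipients via the Default remote domain
if (-not $DryRun) {
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
}

# Evidence for the incident record: what was found, per user, before it was removed
$report = Join-Path $OutputDir 'containment-findings.csv'
$findings | Export-Csv -Path $report -NoTypeInformation
Write-Host "Findings written to $report ($($findings.Count) items)"
```

Run it once with `-DryRun` to review the findings CSV before letting it change anything; the exported findings are also the evidence you want kept for the incident timeline, since the rules are gone once removed.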

    Grab the scripts (sanitized)

The scripts are generic, contain no tenant data, and read the affected users from a CSV:

    • GitHub Repo: https://github.com/jetdev2731/m365-email-containment-scripts
      • 10-Exchange-Containment.ps1 — clears forwarding, deletes suspicious rules, disables SMTP AUTH per mailbox
      • 30-Tenant-Guardrails.ps1 — blocks external auto-forward on the “Default” remote domain
      • 20-Graph-RevokeAndReset.ps1 — revokes sessions, resets passwords (force change), exports OAuth grants for review
      • 40-Unblock-And-Resecure.ps1 — post-cleanup fresh reset + ensure sign-in enabled
      • 90-Status-Report.ps1 — quick compliance/status check
      • 00-Inputs.ps1 — loads users.csv (header UserPrincipalName), optional safety toggles

    How to run (summary)

    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
    cd .\scripts
    
    .\10-Exchange-Containment.ps1 -OutputDir .\
    .\30-Tenant-Guardrails.ps1
    
    # After hours:
    .\20-Graph-RevokeAndReset.ps1 -OutputDir .\
    
    # Once endpoints are clean:
    .\40-Unblock-And-Resecure.ps1
    
    # Verify anytime:
    .\90-Status-Report.ps1
    
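A verification pass in the spirit of step 5, written here as an added example rather than the repo's own 90-Status-Report.ps1. It uses the real Exchange Online and Microsoft.Graph.Users cmdlets, but the set of checks, the column names and the `status-report.csv` output are this example's assumptions; it also assumes `users.csv` with a `UserPrincipalName` header and an account that can read user objects via Graph.

```powershell
# Added example: per-user status check after containment (Exchange Online + Microsoft Graph).
# Assumes users.csv with header UserPrincipalName and the User.Read.All Graph scope.
param([string]$UserCsv = '.\users.csv')

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Tenant-wide setting is read once; it is the same for every user
$tenantAutoForward = (Get-RemoteDomain -Identity Default).AutoForwardEnabled

$rows = foreach ($upn in (Import-Csv $UserCsv).UserPrincipalName) {
    $mbx   = Get-Mailbox    -Identity $upn
    $cas   = Get-CASMailbox -Identity $upn
    $rules = @(Get-InboxRule -Mailbox $upn | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
    })
    $mg    = Get-MgUser -UserId $upn -Property AccountEnabled,LastPasswordChangeDateTime

    [pscustomobject]@{
        User                 = $upn
        ForwardingCleared    = -not ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress)
        # $null here means "inherit the org setting", so only an explicit $true counts as done
        SmtpAuthDisabled     = $cas.SmtpClientAuthenticationDisabled -eq $true
        SuspiciousRules      = $rules.Count
        SignInEnabled        = $mg.AccountEnabled
        LastPasswordChange   = $mg.LastPasswordChangeDateTime
        TenantAutoForwardOff = -not $tenantAutoForward
    }
}

$rows | Format-Table -AutoSize
$rows | Export-Csv -Path '.\status-report.csv' -NoTypeInformation

# Anything listed here still needs attention before the account is considered clean
$rows | Where-Object {
    -not $_.ForwardingCleared -or -not $_.SmtpAuthDisabled -or
    $_.SuspiciousRules -gt 0 -or -not $_.SignInEnabled
}
```

Comparing `LastPasswordChange` against the time of the after-hours reset is a quick way to confirm the forced reset actually took effect for every user in the list, and re-running the script on a schedule turns it into the periodic inbox-rule audit recommended under lessons learned.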

    Lessons learned

    • Turn off legacy SMTP AUTH where possible.
    • Monitor and block external auto-forward org-wide.
    • Enforce MFA and Conditional Access for all M365 apps.
    • Regularly audit inbox rules and OAuth consents.

