Weekly blog series featuring real-world IT solutions, cloud security strategies, automation projects, and development tutorials to help professionals build resilient, scalable environments.
In the world of Infrastructure Engineering, we often say that “Complexity is the enemy of reliability.” Whether we are managing an M365 environment or a distributed network of remote nodes, the goal is always the same: High Availability (HA).
As a Senior Engineer, I view system resilience through three specific forensic lenses. Here is how we ensure “Uptime” when the environment becomes unpredictable.
1. The Heartbeat Protocol: Real-Time Telemetry
In a distributed system, you cannot manage what you cannot see. Implementing a “Heartbeat” or real-time location sharing for remote assets is the difference between proactive recovery and forensic failure analysis.
A consistent heartbeat ensures that the central controller knows exactly where the data (or the asset) is at all times. If a node goes silent—especially during a critical window like a 3:00 AM deployment—the system shouldn’t have to wait for a user to report a “down” status; the heartbeat failure should trigger the “Rescue Protocol” automatically.
2. Edge Hardening: Preparing for Environmental Extremes
We often focus on the software, but the physical “Base Layer” is where many systems fail. In engineering, we call this Environmental Hardening. Just as we provide thermal protection for outdoor hardware to prevent “cold-start” failures, we must ensure our digital assets have the proper “insulation.” In an enterprise context, this means:
Redundant Power: Ensuring “thermodynamic” stability for remote nodes.
Physical Security: Using high-fidelity interfaces to maintain signal integrity in noisy environments.
3. Resource Pooling: Eliminating Single Points of Failure
The most resilient systems utilize Resource Pooling. By creating a “Joint Account” of resources (storage, compute, or capital), we ensure that the system has immediate access to what it needs, even if one “administrator” is offline.
Moving from a single-owner architecture to a shared-resource model reduces latency and ensures that the mission (the application) continues to run without interruption. It is the ultimate safeguard against the “Government Thieves” of data—bottlenecks and probate-like locks.
Forensic Conclusion: True engineering isn’t about building a system that never fails; it’s about building a system that is sensible enough to recover when it does. As the late Bruce Lee said, “The stiffest tree is most easily cracked, while the bamboo or willow survives by bending with the wind.”
System Monitoring Made Simple for IT Admins & Security Pros
Sysmon (System Monitor) is part of Microsoft’s Sysinternals Suite, and it gives you deep visibility into process creation, network connections, file changes, and system activity. For threat detection, forensics, and baselining, Sysmon is one of the most powerful free tools you can deploy.
In this guide, I’ll walk through the step-by-step process of installing Sysmon cleanly on a Windows 11 machine, loading a hardened configuration, enabling the event log, and validating that everything is working.
This is the exact method I used on my laptop — clean, repeatable, and production-ready.
1. Prerequisites
Before you start:
Log in as a user with Local Administrator rights.
Open PowerShell as Administrator.
You’ll be using a mixture of PowerShell commands and Event Viewer, so make sure you have admin elevation.
2. Download Sysinternals Suite
Microsoft distributes Sysmon inside the Sysinternals Suite ZIP.
Download Sysinternals Suite from Microsoft’s official site.
Right-click Sysmon → Operational → Add to Favorites.
9. Updating the Sysmon Config Later
If you want to modify or replace the config:
cd C:\Sysinternals
.\Sysmon64.exe -c C:\Scripts\Sysmon\sysmonconfig.xml
You should see:
Configuration updated.
No reinstall required.
10. Uninstall Sysmon (if needed)
cd C:\Sysinternals
.\Sysmon64.exe -u force
This removes:
Sysmon64 service
SysmonDrv driver
Registry entries
Event manifest
Conclusion
Once installed, Sysmon becomes a powerful source of system telemetry for:
Threat hunting
Malware investigation
Lateral movement detection
Process monitoring
Incident response
Forensic analysis
With a hardened config, Sysmon gives deep visibility with minimal overhead — making it an essential component of any Windows security stack.
If you’re deploying Sysmon across multiple endpoints (like we do at work), you can automate it using Intune, GPO, or a custom PowerShell deployment package.
A fiery sky closing the day, almost as if heaven was offering its own hymn. The temple stood steady, unchanged, reminding me to praise Him not only in blessings received, but in blessings still forming.
Excerpt
A Thanksgiving weekend temple visit, four evening photos, quiet worship, and a lesson about gratitude that opened my heart in a new way.
Intro
Last night at the Syracuse Utah Temple, I watched the sky turn from warm sunset to cold moonrise. Christmas lights glowed on the temple grounds, and a waxing gibbous moon appeared just as I finished my proxy endowment session. It reminded me of something simple but powerful: joy is meant to be expressed. And worship, especially through music, is one of the clearest ways to do it.
Notes from Elder Cook and Elder Soares
Giving voice to our joy is just as important as seeking comfort in sorrow. Elder Quentin L Cook taught that lives full of praise, music, and thanksgiving are uniquely blessed. Moroni described worship this way: Preaching, exhorting, prayer, supplication, and singing — all led by the Spirit. Elder Ulisses Soares reminded us to tune our hearts to the Lord through sincere singing of sacred hymns. Singing is the one form of worship where the entire congregation participates. It is unity in real time.
Perspective
Last night I thought about the way music lifts the soul. A hymn is not just melody. It is prayer with a pulse. When we sing, we do not stand alone. Heaven joins us. I felt that inside the endowment room and again as I took photos outside: worship is not something we check off. It is something we become.
Practice (today, not someday)
Today I will worship with music. I will lift my voice, even quietly, in hymn-singing. I will let the words settle into my mind and soften my heart. I will give thanks in song, not just in thought.
Final Reflection
Tonight a single scripture opened in a new way for me: D&C 59:21. The Lord did not say to thank Him for all things. He said to acknowledge His hand “in” all things.
There is a difference. For is gratitude for what God has already done. In is gratitude for what God is about to do.
“For” looks back. “In” looks forward. For celebrates what arrived. In trusts what is still forming.
Being thankful for blessings is remembering. Being thankful in blessings is faith — the kind that walks forward without seeing the whole path. Last night I learned that gratitude is not only a reaction to the past. It is trust in the present. It is the courage to say, even before the blessing is visible, I know God is working in this.
Pocket I’m Keeping
Gratitude is not only looking back at what God has done. It is looking forward with faith at what He is shaping next.
What I Hear Now (direct quotes)
Moroni 6:6 Their meetings were conducted after the manner of the workings of the Spirit. Elder Cook Lives full of praise, music, and thanksgiving are uniquely blessed. Elder Soares Tune your heart to the Lord through sincere singing.
Whether it’s PowerShell, VMware, or supporting the team, I give my best because people depend on what happens behind this screen.
Introduction
Email is still the heart of business communication, and it’s also the easiest door for attackers to exploit. This is my real-world approach to securing Exchange Online: how I protect messages, enforce policies, retain critical data, and keep unwanted activity out of the environment. These are the tools I use every day — quiet, behind-the-scenes work that keeps an entire organization safe.
Messaging Policies and Mail Protection
What
Mail flow rules control how messages enter, exit, and move inside the company. They prevent risky behavior, secure sensitive data, and keep communication structured.
Why
Without strict policies, users can accidentally leak information, forward confidential data, or bypass compliance rules.
How
Mail Flow Rules I Maintain
• Prevent auto-forwarding outside the company • Block forwarding to personal Gmail/Yahoo • Restrict sensitive keywords (finance, HR, payroll) • Add disclaimers for external recipients • Enforce rules for shared mailboxes
This is my Exchange Online security toolkit — the messaging controls, retention systems, compliance protections, and routing safeguards I use every day. These tools protect users, leadership, legal teams, and the entire organization from silent risks that hide inside email traffic.
Real security isn’t loud. It’s consistent, careful, and invisible — until the moment it saves the business.
One of my favorite seasons of my life. Serving the city, keeping critical systems alive, and learning the foundations that shaped who I am as an engineer today. Every console screen taught me something new and every problem strengthened my desire to help others through technology.
My Essential IT Troubleshooting Guide
In every company I have worked for, the tools that saved the day were not fancy dashboards but simple commands and fundamentals I could trust. This is my personal troubleshooting arsenal, written so even a non technical reader can follow the logic behind what I do.
Each section answers three things • What it is • Why it matters • How I use it in real life
Name Resolution Basics
A record
What • A record is a phone book entry that says “this name belongs to this IP address.”
Why • Users remember names better than numbers. If the A record is wrong or missing, they land in the wrong place or nowhere.
How I use it • When a site is not loading, I ping the name and check if the IP address matches what we expect. • If it does not, I fix the A record in DNS and wait for it to replicate.
CNAME
What • A CNAME is a nickname that points one name to another name.
Why • It lets you move services without breaking users. The public name stays the same while the target changes behind the scenes.
How I use it • For services like autodiscover or app portals, I often see CNAMEs that point to Microsoft or another provider. • When something breaks after a cutover, CNAMEs are one of the first things I verify.
DNS
What • DNS is the global phone book that turns names into IP addresses.
Why • If DNS fails, everything feels broken. Browsers, Outlook, file shares, all of them depend on DNS.
How I use it • I run nslookup name.company.com to see which DNS server is answering and what IP it returns. • If users in one site can reach something and other users cannot, I compare DNS answers between locations.
Hosts file
What • The hosts file is a tiny local phone book on the computer.
Why • It overrides DNS for that machine. One bad line can send traffic to the wrong place.
How I use it • Location on Windows
C:\Windows\System32\drivers\etc\hosts
• I open it with Notepad as administrator. • If someone hard coded a testing IP and forgot about it, I comment it out or remove it, then flush DNS.
Flush cache
ipconfig /flushdns
Nbtstat and TCP IP
What • Nbtstat is an older tool for NetBIOS name resolution. • Hard coded TCP IP means a manual IP instead of DHCP.
Why • Nbtstat helps when legacy name lookups act strange. • Hard coded IPs can cause conflicts or make VLAN changes painful.
How I use it • nbtstat -n to see local NetBIOS names. • nbtstat -c to see the name cache. • When I find static IPs on client machines, I document them and move them to DHCP reservations so the network is easier to manage.
Network control panel shortcut
I still use this every week
From Run
ncp.cpl
It opens the Network Connections window so I can quickly check adapters, enable or disable, or look at IPv4 settings.
DHCP Essentials
What • DHCP hands out IP addresses, gateways and DNS to clients.
Why • If DHCP fails, users cannot get on the network or suddenly have duplicate addresses.
Best practices • Use at least two DHCP servers where possible. • Define scopes with correct gateway and DNS. • Use reservations for printers and key servers.
Commands I use on clients
ipconfig /release ipconfig /renew
If a user can reach the internet but not internal resources, I check that DNS from DHCP is internal and not a public resolver.
MX, Autodiscover and Mail Flow
MX record
What • MX tells the world which server receives mail for your domain.
Why • If MX points to the wrong place or has a low priority backup you forgot, email can vanish or queue.
How I use it • I use MXToolbox to check MX records and verify that they point to Exchange Online or the correct email gateway.
Autodiscover
What • Autodiscover tells Outlook where to find the mailbox and settings.
Why • A broken autodiscover record means constant password prompts or profile creation failures.
How I use it • I verify the Autodiscover CNAME or SRV record. • I test with Outlook connectivity tools or Test-OutlookConnectivity when available.
Hunting spam engines and bad SMTP
Where malware hides • In browser extensions • In Outlook add ins • In unknown services or scheduled tasks that send mail through SMTP
How I clean it without reimaging • Check Outlook add ins and disable anything suspicious. • Run msconfig and Task Manager to review startup items and tasks. • Review SMTP logs on the server to see which host is sending unexpected traffic.
Certificates and SSL in Hybrid Environments
Internal web apps depend on trusted certificates so browsers know the site is safe. When an SSL expires, internal apps stop working and Chrome or Edge will show warnings.
Why we create new SSLs • Internal web apps must be trusted. • Intranet portals and legacy apps often stop working when an internal CA certificate expires. • External issued certs from DigiCert or GoDaddy are trusted by browsers.
Where I keep it • C:\Certs or another controlled folder • Never leave certificates scattered in Downloads
Core servers • I open Task Manager with Ctrl Shift Esc • File, Run, then mmc • Add the Certificates snap in and import there Or I import directly with PowerShell.
Machine Trust Relationship Problems
When Windows says “the trust relationship between this workstation and the primary domain failed,” the computer account and the domain no longer agree.
On a traditional domain • Disable LAN and WiFi • Log in using cached credentials • Reset the local admin password if needed • Disjoin from the domain and put it in a workgroup • Reboot • Join it back to the domain
For Azure AD joined devices
Check status
dsregcmd /status
If broken
dsregcmd /leave
Then re join from Settings under Access work or school.
RDP Session Cleanup
Sometimes users cannot remote into their office desktop because a stale session is still connected.
After that, they can reconnect without rebooting the server.
Active Directory Tools
ADSIEdit
What • A low level editor for Active Directory objects.
Why • Last resort for fixing broken attributes or lingering records when normal tools cannot reach them.
How I use it • Only with full backups and a clear change plan. • I use it to clean up orphaned objects or legacy settings left behind.
Event Viewer
What • The black box recorder of Windows.
Why • Every blue screen, login failure, replication problem and service crash leaves a trace here.
How I use it • eventvwr.msc • I focus on System and Directory Service logs on domain controllers, and Application logs on servers hosting apps.
FSMO Roles
What • Flexible Single Master Operations are special AD roles for schema, naming, PDC, RID and infrastructure.
Why • These make sure there is one source of truth for sensitive changes.
Best practice • Know exactly which DC holds each role. • Protect those DCs like crown jewels.
If a FSMO owner is gone forever • You can seize the role to a healthy DC using ntdsutil. • After seizing you never bring the old DC back online.
This is rare but every senior engineer should know the process in theory.
AD and Entra ID Health
On premise AD health
dcdiag repadmin /replsummary repadmin /showrepl
I always confirm • DNS is correct • SYSVOL is in sync • Time is correct and within a few minutes across all DCs
Entra ID health
Connect-MgGraph Get-MgUser Get-MgDirectoryAudit
I check • Sign in logs for failures • Conditional Access for blocked locations • Device compliance for machines that suddenly appear non compliant
AD controls computers and users on site. Entra controls cloud identity and device trust. In a hybrid world, both must be healthy.
Azure and Terraform
Azure CLI read only commands
az login az account show az group list az vm list az storage account list
These tell me what exists without changing anything.
Terraform for infrastructure as code • Initialize the directory terraform init • Format terraform fmt • Validate terraform validate • Plan terraform plan
Nothing changes until terraform apply is run. For interviews, being comfortable with init, plan and validate already shows good understanding.
Microsoft 365 Services
Group Policy
Purpose • Central control of security and settings for on premise joined machines.
How I create it gpmc.msc • New GPO • Edit with the settings I want • Link to the correct OU
Universal Print
What • Cloud based printing that removes the need for classic print servers.
Why • Easier management for hybrid and remote users.
I register printers in Universal Print and assign permissions based on groups, so users can get printers automatically.
SharePoint Online
Steps I follow • Go to Microsoft 365 admin center • Open SharePoint admin • Create a new site • Assign owners and members • Set sharing and retention policies
This becomes the central place for team documents and intranet content.
OneDrive and Data Migration
OneDrive • Sync client installed on machines • Known Folder Move for Desktop, Documents and Pictures • Version history to protect from mistakes and ransomware
Migrating data • I prefer SharePoint Migration Tool or Mover. • I clean old data first so I do not carry garbage into the cloud. • I communicate to users what will move and what will not.
Why This Arsenal Matters
These are the tools I have relied on in city government, banks, energy drinks, and manufacturing. They are not fancy, but they work.
Every time I help a user reconnect, restore a service, or clean up a broken configuration, I am really doing three things
• Protecting the company and its data • Supporting my teammates so they are not alone in the fire • Honoring the gift God gave me to understand and fix complex systems
This arsenal is how I serve. Whether I am helping a small office or a multi site enterprise, the pattern is the same ask good questions, run the right checks, fix the root cause, and leave clear notes so the next engineer can see the path.
Introduction Infrastructure as Code is not optional anymore. Terraform gives you a declarative way to build, modify, and destroy cloud resources cleanly. This tutorial shows exactly how to install Terraform, create your first configuration, and connect it to Azure without affecting your company’s production environment. I used these steps to rebuild my own skills after leaving California and stepping into Utah’s quiet season of learning.
Step 1 Install Terraform using Winget
Open PowerShell as admin
Run the installer winget install HashiCorp.Terraform –source winget
Restart your PowerShell window
Verify the installation terraform -version
You should see something like Terraform v1.14.0
Step 2 Create your Terraform workspace
Create a folder mkdir C:\terraform\test1
Go inside the folder cd C:\terraform\test1
Create a new file New-Item main.tf -ItemType File
Leave the file empty for now. Terraform just needs to see that a configuration file exists.
Step 3 Write your first Terraform configuration
Open main.tf and paste this:
provider “azurerm” { features {} }
Nothing created yet. This is read only.
The goal is to connect Terraform to Azure safely.
Save the file.
Step 4 Initialize Terraform
Run terraform init
This downloads the AzureRM provider and sets up your working directory.
You should see Terraform has been successfully initialized
Step 5 Install the Azure CLI
Terraform connects to Azure using your Azure CLI login. Install it with:
winget install Microsoft.AzureCLI
Verify it az –version
Step 6 Log into Azure
Run az login
A browser opens. Select your Azure account.
Important note If you see Martin’s Azure subscription, stop here and do not run terraform apply. Terraform plan is safe because it does not make changes.
Step 7 Check your Azure subscription
az account show
This confirms who you are logged in as and which subscription Terraform will use.
Step 8 Run your first Terraform plan
terraform plan
This reads your main.tf and checks for any required changes. Since your config is empty, the output will say: No changes. Infrastructure is up to date.
Step 9 Useful Azure CLI commands for Cloud Engineers
Check all resource groups az group list -o table
Check all VMs az vm list -o table
Check storage accounts az storage account list -o table
Check virtual networks az network vnet list -o table
Check VM status az vm get-instance-view –name VMNAME –resource-group RGNAME –query instanceView.statuses[1].displayStatus
Check Azure AD users az ad user list –filter “accountEnabled eq true” -o table
Check your role assignments az role assignment list –assignee <your UPN> -o table
These commands show LC that you are comfortable with both Terraform and Azure CLI.
Step 10 Can Terraform check Defender?
Terraform itself does not “check” Defender, but you can manage Defender settings as resources.
Since we did not deploy anything, no cleanup is required.
If you later create real resources, destroy them with terraform destroy
Final thoughts Terraform is one of the most powerful tools in cloud engineering. Once you know how to initialize it, authenticate with Azure, and run plans, you are already ahead of many engineers who feel overwhelmed by IaC. LC will immediately see that you are not just an Exchange guy or a VMware guy. You are becoming a modern DevOps cloud engineer who can manage infrastructure in code.
Terraform for M365 and Azure — Infrastructure-as-Code Made Simple
Introduction
Terraform is one of the most powerful tools for managing cloud environments because it lets you declare what you want and Azure builds it. No guessing. No clicking. No forgetting what you changed.
Even if M365 doesn’t support Terraform natively for all workloads, you can still automate Azure AD, Conditional Access, Groups, SPNs, Networking, Key Vault, and App Registrations through the Microsoft Graph provider.
I used IaC principles while supporting Church systems — Terraform makes environments repeatable, auditable, and consistent.
1. Installing Terraform
choco install terraform
2. Azure Login Block
provider "azurerm" {
features {}
}
provider "azuread" {
}
Elder Dieter F. Uchtdorf — October 2025 General Conference
Where effort meets grace, discipleship blooms
Excerpt
“Trust the Savior and engage, patiently and diligently, in doing your part with all your heart.”
Intro
Life moves fast — technology, deadlines, expectations, and noise. Elder Uchtdorf’s message reminded me to slow down, trust the Savior, and stay consistent in the small habits that shape who I am. It’s not about speed. It’s about direction. And the quiet discipline behind every disciple’s journey.
Notes from Elder Uchtdorf
Trust the Savior completely and give Him your steady daily effort. Discipleship requires practice. Skills fade without continued effort. Greatness grows from repetition, humility, and patience. The Lord magnifies even small efforts when offered with heart.
Perspective (direct quotes)
“Getting good at anything… takes consistent self-discipline and practice.” Whether flying, rowing, sowing, learning, or becoming — practice never stops.
“Trust the Savior and engage… in doing your part with all your heart.” He doesn’t ask perfection — just faith in motion.
Practice — Today, Not Someday
My Discipline in IT Technology evolves every day. You don’t master it once — you study daily. I use Microsoft Learn, Udemy, and YouTube Premium, and I blog because writing helps me lock in what I learn. This is my stewardship: my part in staying sharp.
My Discipline in Photography Photography isn’t just technical settings. It’s learning to read the light, study it, and anticipate it. Capturing it is an act of patience and discipline — just like discipleship.
My Discipline in Health My body is my engine. If I don’t stay fit, how can I keep up with the never-ending pace of IT? Health keeps my mind focused. My discipline keeps me grounded.
My RFC Trio Just like SPF, DKIM, and DMARC work as a trio — strengthening trust and protecting identity — my three disciplines work together:
Mind (IT) Creativity (Photography) Body (Health)
One supports the other. One anchors the next. And that’s how discipleship grows: line upon line, habit upon habit.
Final Reflection
Discipline is not punishment. It’s devotion — devotion to the future you, and trust in a God who sees more in you than you see in yourself. “Doing your part” isn’t dramatic or loud. It’s small steady steps that build spiritual muscle.
Pocket I’m Keeping
“Trust the Savior… and engage diligently in doing your part.” Not perfectly. Not instantly. Just faithfully.
What I Hear Now (direct quotes)
Consistency is strength. “Keep practicing.” “I will make your small offering enough.” “Do your part — I will do Mine.”
A Technical History Through the Tools, Upgrades, and Real-World Administration That Shaped Modern Email
Email administration today looks nothing like it did in the mid-1990s. What began as a system of flat files and small IS databases has evolved into a globally distributed, cloud-secure service powered by modern authentication, forensic automation, and layered identity protections.
This article covers the full evolution — from Exchange 5.0 → 5.5 → 2000 → 2003 → 2007 → 2010 → 2013 → 2016 → Hybrid → Exchange Online — through the practical tools and real operational practices that defined each era.
It also highlights legacy repair tools (ISINTEG, ESEUTIL), the emergence of PowerShell, and modern security controls such as DKIM, DMARC, and real-time EXO policies.
1. Exchange 5.0 — The GroupWise Era & The Limits of Early Messaging
When Exchange 5.0 existed, Novell GroupWise was still considered the enterprise email standard. Capacity was limited and reliability required constant hands-on administration.
Key Characteristics
Basic directory service
Small private and public folder stores
No Active Directory yet
No PowerShell
16GB database ceiling
Frequent corruptions under heavy load
Real Tools Used
🔧 ISINTEG — Logical Database Repair
Example usage:
ISINTEG -pri -fix -test alltests
🔧 ESEUTIL — Physical Database Repair
Soft recovery:
ESEUTIL /r E00 /l "E:\logs" /d "E:\mdbdata"
Hard recovery:
ESEUTIL /p "E:\mdbdata\priv.edb"
Defrag/whitespace removal:
ESEUTIL /d "E:\mdbdata\priv.edb"
White space mattered because the database could never exceed the size limit, and defrags were essential to survive weekly growth.
2. Exchange 5.5 — The First True Enterprise Version
Exchange 5.5 replaced GroupWise in many organizations because it solved the two biggest weaknesses:
Major Improvements
Larger database limits
Internet Mail Connector (IMC) matured
Directory replication across sites
Better MAPI stability
More predictable backups
This was the version where large organizations first began to trust Exchange for hundreds or thousands of users.
Database limitations still required:
Regular whitespace removal
Offline defrags
ISINTEG repairs
3. Exchange 2000 / 2003 — Active Directory Arrives
The introduction of Active Directory changed everything.
Last-generation threats require immediate defensive controls. These are sanitized versions of the two emergency scripts used to block impersonation attacks:
🛑 Kill Switch Transport Rule (Blocks All External Sender Impersonation)
DKIM (DomainKeys Identified Mail) is one of the most effective ways to verify that an email truly came from your organization. But many companies misunderstand one crucial truth:
DKIM is only as strong as the protection of its private key.
If attackers obtain your DKIM private key, they can sign email that appears cryptographically legitimate — even if it comes from a malicious server. This is why key length, rotation, and protection matter just as much as turning DKIM “on.”
Section 1 — What DKIM Actually Does
DKIM works by attaching a digital signature to every outbound message. It ensures:
The message hasn’t been altered
The sender is authorized
The domain identity can be verified
The core elements are:
1️⃣ DKIM Selector (s=)
Identifies which key is used. Example: s=mail2025;
2️⃣ DKIM Domain (d=)
The domain signing the message. Example: d=example-corp-secure.com;
3️⃣ Public Key (Published in DNS)
Stored in a TXT record: mail2025._domainkey.example-corp-secure.com
4️⃣ Private Key (kept hidden on the mail server)
This is the key attackers target. It signs every outbound message.
Section 2 — Why Private Keys Must Be 2048-bit Minimum
Attackers today can break 1024-bit DKIM keys.
Cloud computing
GPU farms
Distributed cracking
This is why Microsoft and major ESPs recommend 2048-bit keys.
Weak DKIM = forged trust.
Section 3 — Why You Must Rotate DKIM Keys Regularly
Even a strong key becomes weaker over time:
Keys leak
Keys get copied
Keys get exposed in old backups
Misconfigured systems reuse keys
Bad actors gather DNS data for months
Weekly or monthly rotation is considered best practice in regulated industries like banking.
Rotation protects your domain even if an attacker manages to obtain an older key.
Section 4 — How an Attacker Exploits DKIM
If the private key is stolen:
They can sign malware
They can sign phishing
They bypass SPF failures
They pass DKIM alignment
They pass DMARC alignment
Email goes straight to inbox
This is why DKIM alone is not enough.
Section 5 — Why DKIM Matters
Prevents email tampering
Builds domain trust
Enables DMARC “reject” mode
Protects your brand
Reduces false positives
Ensures message integrity
But DKIM is only strong if the private key is protected and rotated.
Conclusion
Most executives think DKIM is “set it and forget it.” But email security today requires:
Strong 2048-bit DKIM keys
Regular rotation
Tight private key protection
Monitoring through Proofpoint and EOP
DMARC enforcement
This is not optional anymore — especially for banks.
DMARC (Domain-based Message Authentication, Reporting & Conformance) is the control system that tells receiving email servers what to do when a message fails SPF or DKIM. Without DMARC, attackers can spoof your domain freely.
Section 1 — What DMARC Does
DMARC:
Protects your domain from spoofing
Defines how mail servers should handle failures
Provides visibility into fraud attempts
Supports brand protection
Enables full enforcement (“p=reject”)
Section 2 — DMARC Tags and Their Meaning
1️⃣ v=DMARC1
Protocol version. Always DMARC1.
2️⃣ p= (Policy)
Tells receiving servers what to do:
p=none → Monitor only
p=quarantine → Send failures to spam
p=reject → Block failures entirely (best practice for banks)
3️⃣ rua= (Aggregate Reports)
Where daily XML reports are delivered. Example: rua=mailto:[email protected]
adkim=s and aspf=s enforce strict alignment — critical for banks and regulated industries.
Section 4 — Why DMARC Matters
Blocks domain impersonation
Reduces malware/phishing impact
Protects customers from fraud
Shields executives from spoofing
Enables brand trust
Essential for financial institutions
Conclusion
A strong DMARC policy (“reject”) is one of the strongest defenses against email spoofing — but only when SPF and DKIM are configured properly and regularly monitored.
Microsoft Purview is Microsoft’s compliance, audit, and eDiscovery platform for Microsoft 365. It provides GUI-driven tools for administrators to perform searches, create holds, review data, and respond to legal and compliance requirements.
But here’s the reality that senior M365 engineers know:
Purview is powerful, but it is not complete. It has strict limits, throttles, and boundaries designed for safety and performance — not deep forensic analysis.
This is why serious investigations always end up in PowerShell, where engineers can bypass GUI limitations, perform deeper searches, and collect evidence with precision.
Section 1 — What Purview Is (in plain English)
Purview provides:
Content search
eDiscovery (Standard & Premium)
Litigation holds
Audit logs
Labeling and retention
Insider risk scanning
Communication compliance
It is designed for:
Legal teams
Compliance officers
HR investigations
Corporate governance
High-level reporting
And for these purposes, Purview works very well.
Section 2 — The Hidden Limitations of Purview
Here are the real limits engineers face:
1. Sending & Rate Limits
Purview actions follow the same throttling limits as Exchange Online. You cannot pull unlimited messages instantly.
2. eDiscovery Query Limits
Each Purview search query is limited to: 10,000 characters This is a major limitation for complex filters.
3. Maximum Export Sizes
Large exports (multiple gigabytes) often fail or time out. This is why forensic engineers break searches into chunks.
4. Maximum Holds Per Mailbox
A mailbox can only have: 25 holds total More than 25 affects performance, indexing, and mailbox health.
Indexing dependency (if an item isn’t indexed, Purview can’t see it)
7. Purview is not real-time
It depends on indexing engines. Indexing delays = missing results.
8. Purview cannot reveal everything
For true forensics you often need:
Message trace logs
Transport logs
Historical mailbox snapshots
DeletedItems and RecoverableItems subfolders
Soft delete and hard delete content
Hidden folders
Unindexed items
Purview cannot provide all of that.
Section 3 — Why PowerShell is Superior for True Forensics
When Microsoft engineers or financial institutions perform real investigations, they do not rely on Purview alone. They rely on PowerShell because PowerShell can do what Purview cannot.
1. Access Every Folder (Including Hidden Ones)
PowerShell can query:
Inbox
Sent
DeletedItems
RecoverableItems
Purges
Versions
Subfolders not visible in Outlook
Unindexed items
Purview can’t.
2. No GUI query limit
There is no 10,000-character query restriction in PowerShell.
Pattern searches can be huge, detailed, and layered.
3. Deep Header and Message Metadata Extraction
PowerShell can extract:
X-MS-Exchange-Organization-AuthAs
X-MS-Exchange-CrossTenant-*
Original client IP
Authentication results
Message submission type
Connector source
Spam confidence level (SCL)
Envelope sender
Message ID tracking
Purview provides only summarized metadata.
4. Instant, Real-Time Search
PowerShell does not wait for indexing. You can search unindexed items directly.
This is critical in security incidents.
5. Mailbox Timeline Reconstruction
With PowerShell you can reconstruct:
When the message was received
When it was moved
If rules redirected it
If a compromised mailbox forwarded it
If the user deleted it
If it was purged
Purview cannot reconstruct movement history.
6. PowerShell is scripting + automation
You can automate:
Large case collections
Exports
Multi-mailbox searches
Pattern scans
Complex filters
Timeline reconstruction
Purview cannot automate eDiscovery at the same level.
Section 4 — When to Use Purview vs PowerShell
Use Purview for:
Legal holds
HR requests
Basic content searches
Governance
Compliance reporting
Policy enforcement
Use PowerShell for:
Security incidents
Ransomware investigations
BEC (Business Email Compromise)
External spoofing investigations
Compromised mailbox analysis
Hidden folder discovery
Deep metadata extraction
Multi-mailbox timeline reconstruction
Most senior email engineers agree:
Purview is the “legal view.” PowerShell is the “truth view.”
Conclusion
Purview is an essential tool for compliance and legal workflows — but it is not a forensic engine. Its GUI limits, throttles, and reliance on indexing mean that it can never replace the precision, speed, and depth of PowerShell.
This is why real investigations — especially in financial institutions and regulated organizations — always rely on PowerShell for final answers.
In modern cloud environments, threats don’t wait for meetings, approvals, or planning sessions. Sometimes an attack hits so fast that your only advantage is instinct, experience, and the ability to act immediately.
Last month, I experienced exactly that — a coordinated impersonation attempt from multiple bad actors in Europe using public cloud hosting (GCP) as their relay. They created their own connectors and attempted to impersonate internal executives and accounting contacts.
The attack bypassed standard controls because:
They used legitimate cloud IP ranges
They generated perfect SPF/DKIM passes
Their mail flow looked “clean” until you read the headers
They used crafted envelope senders + forged display names
The only way to stop them instantly — before users were tricked — was to drop two transport rules at highest priority using PowerShell. These acted as “circuit breakers” until perimeter firewall rules could be deployed.
Below is the exact PowerShell approach, redacted and rewritten for general use.
🚨 Reflex Script #1 — Emergency “Kill Switch” Rule
Purpose: If attackers are impersonating an internal address like [email protected], this rule blocks any external sender who uses that address in the envelope from or header from.
In every organization — commercial, government, or religious — there are individuals whose roles require an extra layer of protection. These may include executives, legal teams, board members, or other high-visibility leaders. Their mailboxes must be shielded from noise, protected from internal misuse, and hardened against external threats.
This blog shares how I implemented a VIP Exchange Protection Model in one of the most globally distributed environments I’ve ever worked in. All sensitive details are removed — but the principles and methods remain the same.
Why VIP Mailboxes Need Extra Protection
VIP users face unique risks:
1. They are targets for impersonation
Attackers attempt to spoof high-level leaders to gain authority over employees.
2. They receive a high volume of inbound email attempts
Even legitimate internal senders may unintentionally overwhelm their inboxes.
3. They must focus on mission-critical responsibilities
Unfiltered communication equals distraction and risk.
4. Their mailboxes contain sensitive or privileged information
Unauthorized access can lead to catastrophic consequences.
The goal of the VIP model is simple:
Only authorized individuals should be able to see, email, or discover these mailboxes.
My VIP Protection Model (Redacted & Generalized)
Below is the exact approach I used, without exposing private organizational information.
1. Hide VIP Mailboxes From the Global Address List (GAL)
This prevents the general population from seeing their email addresses.
Email is built on trust — and the original SMTP protocol (from 1982) was never designed with modern threat actors in mind. Attackers now exploit loose RFC rules, misconfigured servers, and public DNS to spoof legitimate senders and bypass basic filtering.
This blog explains how spoofing actually works, why SPF/DKIM alone are not enough, and why DMARC alignment + Proofpoint is essential for stopping real-world business email compromise (BEC) attacks.
1. Email Spoofing 101 — Why SMTP Allows It
SMTP does not validate who the sender truly is. An attacker can control:
a) The SMTP Envelope (“MAIL FROM”)
Used for return-path, bounce messages, and SPF checks.
b) The Email Header (“From:”)
What the human sees in Outlook, Gmail, iPhone Mail.
Both can be forged. That means an attacker can send:
This returns the DKIM public key, which attackers use to craft more believable spoofing attempts (not to break DKIM, but to mimic structure).
Example: Retrieving SPF Records
nslookup -type=txt victim-of-spoofing.com
Result:
"v=spf1 include:_spf.example-email.net -all"
Attackers now know:
what legitimate sending systems you use
how strict your SPF policy is
which vendors to impersonate
SPF & DKIM are public, and attackers rely on that.
4. Why SPF and DKIM Alone Are Not Enough
SPF checks the envelope (MAIL FROM). DKIM checks the message integrity.
But both fail in these common scenarios:
SPF Fails When:
A scammer spoofs only the header From
Email is forwarded
Attackers use free SMTP servers with permissive policies
DKIM Fails When:
Sender uses a domain with no DKIM at all
Attackers spoof domains they do own
Emails pass through weak relays
This is why companies get spoofed even with “perfect” SPF/DKIM.
5. DMARC Alignment — The Real Line of Defense
DMARC requires:
✔ SPF Alignment
Envelope domain must match header From domain.
✔ DKIM Alignment
DKIM signature domain must match the header From.
If neither aligns, DMARC instructs receivers to:
none — monitor only
quarantine — send to spam
reject — block outright
Reject is where spoofing finally dies.
6. Two Ways Attackers Deliver Spoofed Email
This is critical for interview-level mastery:
1️⃣ Using Their Own SMTP Server
Attackers set up a server where:
they control all DNS
they can configure any RFC behavior
they can impersonate any domain
This allows highly believable spoofing.
2️⃣ Using Vulnerable Third-Party SMTP Servers
Attackers often search for:
misconfigured mail relays
open SMTP relays
free spoofing services
Both methods work unless DMARC reject + Proofpoint is in place.
7. Why Proofpoint Completes the Protection
Even with DMARC reject, attackers still spoof:
VIP names (“Display Name Spoofing”)
Lookalike domains (e.g., companny-secure.com)
Legitimate cloud providers that DMARC trusts
OAuth-compromised accounts (EAC)
Proofpoint adds:
Identity threat intelligence
Imposter protection (BEC Defense)
Lookalike domain analysis
Behavioral anomaly detection
URL rewriting + sandboxing
Real-time classification
Without Proofpoint, DMARC is only half of the defense.
Conclusion
Attackers rely on the weaknesses of SMTP’s original design, public DNS records, and domains they control. That’s why spoofing is still one of the most common and dangerous forms of cyberattack worldwide.
The only way to fully protect executives, employees, and customers is:
BEC (Business Email Compromise) and EAC (Email Account Compromise) are the two most financially damaging email-based attacks today. They bypass traditional spam filters, they target humans—not firewalls—and they abuse trust instead of malware.
Microsoft 365 alone cannot fully protect against these attacks. That’s why organizations use Proofpoint, DMARC alignment, and strict authentication controls—to verify identity, stop impostors, and prevent fraudulent requests from reaching inboxes.
This blog explains:
How BEC works
How EAC happens
What attackers exploit
Why RFC email standards make impersonation easy
How Proofpoint + EAC controls shut these attacks down
Perfect material for any advanced interview panel.
What Is Business Email Compromise (BEC)?
BEC is when attackers pretend to be:
your CEO,
your CFO,
your HR director,
a vendor,
or someone with financial authority
…with the goal of manipulating employees into:
wiring money
changing direct deposit info
sending W-2s
releasing confidential documents
approving purchases
🔸 The key point:
BEC uses identity deception, not malware. No attachments. No links. Just social engineering in a clean email.
Attackers see your exact SPF/DKIM configuration. They spoof accordingly.
This is why relying on RFC standards alone is not enough.
How Proofpoint Stops BEC and EAC
1. Identity Protection
Proofpoint checks:
display name anomalies
domain lookalikes
impossible travel
VIP impersonation attempts
internal vs external identity mapping
“Reply-To mismatch”
“Header vs Envelope mismatch”
Microsoft EOP can do part of this, Proofpoint does it with far more accuracy.
2. Vendor Fraud Protection
Proofpoint fingerprints:
vendor sending behavior
previous conversation style
writing style
IP reputation
If a vendor mailbox is compromised, Proofpoint detects the “change in sending personality.”
This is one of the strongest EAC protections in the industry.
3. DMARC Enforcement + Lookalike Domain Defense
Proofpoint enforces:
Domain alignment
Display name behavior
Header-from authentication
Cross-identity matching
Lookalike domains” examples (generic only):
company-secure.com
companny.com
c0mpany-support.com
company-mailservice.com
These would pass traditional email filters.
4. URL and Payload Isolation
Even if links look clean, Proofpoint re-writes and detonates them.
Although BEC rarely has links, EAC-based phishing almost always does.
5. Machine Learning on Human Behavior
Proofpoint analyzes:
who talks to whom
frequency
direction
urgency phrases
tone manipulation
If the CEO normally never emails accounting at 10:30 PM on a Friday — the message gets flagged.
Real-World Example (Anonymized)
A vendor’s mailbox was compromised. The attacker replied inside an existing thread asking to update bank account numbers.
Microsoft EOP didn’t block it — it came from a legitimate vendor domain.
Proofpoint flagged:
anomalous IP
unusual writing style
“conversation thread hijacking detected”
vendor identity risk score
Proofpoint blocked the message before it reached the user’s mailbox.
This is exactly why companies invest in Proofpoint.
Conclusion
BEC and EAC are no longer “IT problems.” They are financial crimes, costing billions worldwide.
Microsoft 365 gives strong baseline protection, but attackers today use identity manipulation, social engineering, and thread hijacking that bypass traditional signals.
Exchange Online throttling policies exist for one core reason — to keep the Microsoft 365 ecosystem healthy, stable, and resistant to abuse. Throttling protects the service from:
Excessive load
Misconfigured applications
Compromised accounts sending thousands of emails
Bulk operations that can degrade tenant performance
It’s not a punishment. It’s Microsoft’s way of guaranteeing fairness across millions of tenants.
But in real production environments — especially at the enterprise, hybrid, or application-integration level — default throttling limits can sometimes block legitimate business-critical operations. And when that happens, you must know:
Why throttling exists
How to detect throttling
When it’s justified to modify limits
How to request changes with Microsoft support
This is one of the topics principal-level interviewers love because it shows deep operational understanding.
Why Throttling Exists in Exchange Online
Microsoft enforces throttling to prevent:
1. Service Abuse
A single compromised account can send 10,000+ spam emails within minutes. Throttling slows these bursts so EOP can react and block the session.
2. Tenant Misconfigurations
Common misconfigurations that trigger throttling:
Line-of-business apps sending too many messages too quickly
Applications reusing connections improperly
Legacy services using Basic Auth patterns
Scripts or PowerShell modules pulling data too fast
3. System Stability
If every tenant could push unlimited requests, the shared service collapses. Throttling ensures:
CPU fairness
Bandwidth fairness
Queue stability
Storage and transport efficiency
How to Detect Throttling Events
You will usually see:
📌 Error Examples
Server Busy
Backoff due to throttling policy
TooManyConcurrentConnections
Exceeded message submission rate limit
SendAsDenied triggered by backlog saturation
📌 Where You See These
Exchange message trace
Transport logs
Application logs
SMTP client logs
EOP reports
PowerShell scripts returning "ProcessingStopped"
📌 Behavioral Symptoms
Messages stuck in Outbox
Applications retrying endlessly
High SMTP queue latency
Inconsistent delivery within seconds-to-minutes range
When It Is Appropriate to Modify Exchange Online Throttling
This is key. You never change throttling “because someone wants faster emails.” You change throttling for business justification only, such as:
3. Automated Services Needing High Burst Throughput
Scenarios where default throttling causes issues:
Finance systems sending thousands of statements
HR systems sending open enrollment packets
Email marketing systems using authenticated SMTP
Daily reporting engines generating PDFs for hundreds of users
How to Justify Throttling Changes to Microsoft Support
This is where senior-level experience shows.
Microsoft will not modify throttling unless you prove:
1. Operational Need
Explain what system is being blocked.
2. Business Impact
Show examples:
Delayed invoices
Delayed purchase orders
Delayed system alerts
Delayed manufacturing workflows
3. Technical Evidence
Provide logs showing:
Backoff errors
Submission rate failures
EWS throttling hits
Application retry loops
4. Confirmation That It’s Not Spam
Show the account is app credentialed, not user-driven.
5. You Have Already Tuned the Application
Microsoft wants evidence that:
Retry logic exists
Connection reuse is efficient
Burst sending is controlled
If justified, Microsoft raises throttling for:
Specific service accounts only (Never the whole tenant.)
They may change:
Recipient rate limits
Message burst limits
EWS or Graph concurrency
PowerShell session limits
Common Interview Question: “Why Not Remove Throttling Entirely?”
Perfect answer:
“Because throttling is part of Microsoft’s multi-tenant stability and security model. Without it, one tenant’s misconfiguration or compromised account could degrade the entire service. Changes should be scoped, justified, temporary, and monitored.”
PowerShell: Checking Throttling Policy Assigned to a Mailbox
