Jet Mariano

Tag: Email Security

  • The Evolution of Microsoft Exchange: From 5.0 to Exchange Online (EXO)

    A Technical History Through the Tools, Upgrades, and Real-World Administration That Shaped Modern Email

    Email administration today looks nothing like it did in the mid-1990s. What began as a system of flat files and small IS databases has evolved into a globally distributed, cloud-secure service powered by modern authentication, forensic automation, and layered identity protections.

    This article covers the full evolution — from Exchange 5.0 → 5.5 → 2000 → 2003 → 2007 → 2010 → 2013 → 2016 → Hybrid → Exchange Online — through the practical tools and real operational practices that defined each era.

    It also highlights legacy repair tools (ISINTEG, ESEUTIL), the emergence of PowerShell, and modern security controls such as DKIM, DMARC, and real-time EXO policies.

    1. Exchange 5.0 — The GroupWise Era & The Limits of Early Messaging

    When Exchange 5.0 existed, Novell GroupWise was still considered the enterprise email standard. Capacity was limited and reliability required constant hands-on administration.

    Key Characteristics

    • Basic directory service
    • Small private and public folder stores
    • No Active Directory yet
    • No PowerShell
    • 16GB database ceiling
    • Frequent corruptions under heavy load

    Real Tools Used

    🔧 ISINTEG — Logical Database Repair

    Example usage:

    ISINTEG -pri -fix -test alltests

    🔧 ESEUTIL — Physical Database Repair

    Soft recovery:

    ESEUTIL /r E00 /l "E:\logs" /d "E:\mdbdata"

    Hard recovery:

    ESEUTIL /p "E:\mdbdata\priv.edb"

    Defrag/whitespace removal:

    ESEUTIL /d "E:\mdbdata\priv.edb"

    White space mattered because the database could never exceed the size limit, and defrags were essential to survive weekly growth.

    2. Exchange 5.5 — The First True Enterprise Version

    Exchange 5.5 replaced GroupWise in many organizations because it solved the two biggest weaknesses:

    Major Improvements

    • Larger database limits
    • Internet Mail Connector (IMC) matured
    • Directory replication across sites
    • Better MAPI stability
    • More predictable backups

    This was the version where large organizations first began to trust Exchange for hundreds or thousands of users.

    Database limitations still required:

    • Regular whitespace removal
    • Offline defrags
    • ISINTEG repairs

    3. Exchange 2000 / 2003 — Active Directory Arrives

    The introduction of Active Directory changed everything.

    Now Possible

    • Kerberos authentication
    • Unified Global Address List
    • Recipient policies
    • Improved SMTP stack
    • Better routing groups

    Tools of the Era

    • ESEUTIL still required
    • ISINTEG for logical repair
    • Streaming file (.STM) management
    • COM+ based transport pipeline

    Disaster recovery still required:

    • Hard repairs
    • Log replays
    • Offline maintenance windows

    4. Exchange 2007 — PowerShell Revolutionizes Email Administration

    Exchange 2007 was the turning point. This version introduced:

    Major Innovations

    • PowerShell (EMS)
    • Role-based server architecture
    • Database Availability Groups (DAGs begin later)
    • Transport rules
    • Modern SMTP pipeline

    Example PowerShell Operations

    Bulk mailbox creation

    Import-Csv users.csv | % {
  New-Mailbox -UserPrincipalName $_.UPN -Name $_.Name -Alias $_.Alias
}

    Transport rule creation

    New-TransportRule -Name "Block EXE" -AttachmentExtensionMatchesWords ".exe" -RejectMessageReason "Executable blocked"

    Database health

    Get-MailboxDatabaseCopyStatus *

    PowerShell replaced ISINTEG as the primary troubleshooting interface.

    5. Exchange 2010 / 2013 — High Availability & Hybrid Era

    These versions supported:

    • DAGs with multiple copies
    • Outlook Anywhere (RPC over HTTPS)
    • Cross-forest migrations
    • Massive mailboxes (50GB+)
    • First large-scale hybrid deployments

    Database Whitespace Management

    Modern approach:

    Get-MailboxDatabase -Status | ft Name,AvailableNewMailboxSpace

    To reclaim all space:

    1. Create new database
    2. Move mailboxes
    3. Remove old database
    4. Mount clean database

    Multi-region examples

    • Databases per region (NA/APAC/EMEA)
    • Public folder migrations
    • CAS/Hub/MBX role separation

    6. On-Prem to Cloud Migrations — AWS WorkMail, Exchange 2010, Hybrid, EXO

    Organizations with large global footprints began migrating:

    Migration Examples

    • From AWS WorkMail → Exchange 2013 HA → EXO
    • From Exchange 2010 datacenters → Hybrid → EXO
    • From Exchange 2013 → EXO using HCW and staged cutover

    Challenges Solved by EXO

    • No more ESEUTIL
    • No more ISINTEG
    • No more DAG patching
    • No more weekend downtimes
    • Automatic redundancy
    • Modern authentication
    • Better malware scanning

    7. Exchange Online — The Modern Cloud Era

    Today, administrators rely on:

    • Exchange Online PowerShell v3
    • Graph API
    • Defender for O365
    • Purview eDiscovery
    • Modern connectors
    • DKIM / DMARC enforcement
    • Real-time spam intelligence
    • Modern auth for SMTP

    How to Rotate DKIM 2048-bit Keys

    Admin Center → Security → Email Authentication → DKIM → Rotate Keys

    Verify in PowerShell

    Get-DkimSigningConfig | fl Domain,Selector1CNAME,Selector2CNAME

    Keys should be:

    • 2048-bit
    • Rotated regularly
    • Protected from unauthorized access

    **8. Real-World Security Hardening in EXO

    (Including the Kill-Switch Scripts)**

    Last-generation threats require immediate defensive controls.
    These are sanitized versions of the two emergency scripts used to block impersonation attacks:

    🛑 Kill Switch Transport Rule (Blocks All External Sender Impersonation)

    New-TransportRule -Name "KILL-SWITCH" `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-SetHeaderName "X-Blocked" `
-SetHeaderValue "EmergencyBlock" `
-StopRuleProcessing $true `
-Enabled $true `
-Mode Enforce

    🛑 Block-All Impersonation Rule

    New-TransportRule -Name "BLOCK-IMPERSONATION" `
-HeaderMatchesMessageHeader "From" `
-HeaderMatchesPatterns ".*@yourdomain\.com" `
-SentToScope InOrganization `
-FromScope NotInOrganization `
-RejectMessageReasonText "External sender attempted domain impersonation" `
-StopRuleProcessing $true

    After the event is over, disable:

    Disable-TransportRule "KILL-SWITCH"
Disable-TransportRule "BLOCK-IMPERSONATION"

    9. Why Exchange Online Beats Every On-Prem Version

    No More:

    • Database corruption
    • ESEUTIL repair weekends
    • ISINTEG logical rebuilds
    • Streaming file failures
    • Whitespace management
    • RPC failures
    • CAS array dependency

    Instead You Get:

    • Multi-region HA
    • Continuous patching
    • DKIM / DMARC alignment
    • Modern authentication
    • Real-time message trace
    • Defender Safe Links/Safe Attachments
    • Purview forensic tools
    • 24/7 cloud threat intelligence

    10. Summary

    This blog ties together:

    • The original on-prem tools (ISINTEG, ESEUTIL)
    • The arrival of AD
    • The PowerShell revolution
    • The hybrid era
    • The modern cloud security stack
    • DKIM rotation
    • EXO forensic investigation
    • Emergency transport rule defense

    It shows why the move from Exchange 5.0 to EXO was inevitable — every stage improved reliability, scalability, administration, and security.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • DKIM Security: How Signing and Key Rotation Stop Email Spoofing

    Introduction

    DKIM (DomainKeys Identified Mail) is one of the most effective ways to verify that an email truly came from your organization. But many companies misunderstand one crucial truth:

    DKIM is only as strong as the protection of its private key.

    If attackers obtain your DKIM private key, they can sign email that appears cryptographically legitimate — even if it comes from a malicious server. This is why key length, rotation, and protection matter just as much as turning DKIM “on.”

    Section 1 — What DKIM Actually Does

    DKIM works by attaching a digital signature to every outbound message.
    It ensures:

    • The message hasn’t been altered
    • The sender is authorized
    • The domain identity can be verified

    The core elements are:

    1️⃣ DKIM Selector (s=)

    Identifies which key is used.
    Example:
    s=mail2025;

    2️⃣ DKIM Domain (d=)

    The domain signing the message.
    Example:
    d=example-corp-secure.com;

    3️⃣ Public Key (Published in DNS)

    Stored in a TXT record:
    mail2025._domainkey.example-corp-secure.com

    4️⃣ Private Key (kept hidden on the mail server)

    This is the key attackers target.
    It signs every outbound message.

    Section 2 — Why Private Keys Must Be 2048-bit Minimum

    Attackers today can break 1024-bit DKIM keys.

    • Cloud computing
    • GPU farms
    • Distributed cracking

    This is why Microsoft and major ESPs recommend 2048-bit keys.

    Weak DKIM = forged trust.

    Section 3 — Why You Must Rotate DKIM Keys Regularly

    Even a strong key becomes weaker over time:

    • Keys leak
    • Keys get copied
    • Keys get exposed in old backups
    • Misconfigured systems reuse keys
    • Bad actors gather DNS data for months

    Weekly or monthly rotation is considered best practice in regulated industries like banking.

    Rotation protects your domain even if an attacker manages to obtain an older key.

    Section 4 — How an Attacker Exploits DKIM

    If the private key is stolen:

    • They can sign malware
    • They can sign phishing
    • They bypass SPF failures
    • They pass DKIM alignment
    • They pass DMARC alignment
    • Email goes straight to inbox

    This is why DKIM alone is not enough.

    Section 5 — Why DKIM Matters

    • Prevents email tampering
    • Builds domain trust
    • Enables DMARC “reject” mode
    • Protects your brand
    • Reduces false positives
    • Ensures message integrity

    But DKIM is only strong if the private key is protected and rotated.

    Conclusion

    Most executives think DKIM is “set it and forget it.”
    But email security today requires:

    • Strong 2048-bit DKIM keys
    • Regular rotation
    • Tight private key protection
    • Monitoring through Proofpoint and EOP
    • DMARC enforcement

    This is not optional anymore — especially for banks.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance)

    Introduction

    DMARC (Domain-based Message Authentication, Reporting & Conformance) is the control system that tells receiving email servers what to do when a message fails SPF or DKIM. Without DMARC, attackers can spoof your domain freely.

    Section 1 — What DMARC Does

    DMARC:

    • Protects your domain from spoofing
    • Defines how mail servers should handle failures
    • Provides visibility into fraud attempts
    • Supports brand protection
    • Enables full enforcement (“p=reject”)

    Section 2 — DMARC Tags and Their Meaning

    1️⃣ v=DMARC1

    Protocol version. Always DMARC1.

    2️⃣ p= (Policy)

    Tells receiving servers what to do:

    • p=none → Monitor only
    • p=quarantine → Send failures to spam
    • p=reject → Block failures entirely (best practice for banks)

    3️⃣ rua= (Aggregate Reports)

    Where daily XML reports are delivered.
    Example:
    rua=mailto:[email protected]

    4️⃣ ruf= (Forensic Reports)

    Receives detailed failure samples (PII-sensitive).
    Example:
    ruf=mailto:[email protected]

    5️⃣ fo= (Failure Options)

    Controls what triggers forensic reporting.
    Common:
    fo=1 → Send forensic report on any SPF/DKIM failure.

    Section 3 — Example of a DMARC Record

    v=DMARC1;
p=reject;
rua=mailto:[email protected];
ruf=mailto:[email protected];
fo=1;
adkim=s;
aspf=s;

    adkim=s and aspf=s enforce strict alignment — critical for banks and regulated industries.

    Section 4 — Why DMARC Matters

    • Blocks domain impersonation
    • Reduces malware/phishing impact
    • Protects customers from fraud
    • Shields executives from spoofing
    • Enables brand trust
    • Essential for financial institutions

    Conclusion

    A strong DMARC policy (“reject”) is one of the strongest defenses against email spoofing — but only when SPF and DKIM are configured properly and regularly monitored.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Quick “Reflexes” Using PowerShell to Block Bad Actors: Emergency Transport Rules + Layer 3/7 Firewall Controls

    In modern cloud environments, threats don’t wait for meetings, approvals, or planning sessions.
    Sometimes an attack hits so fast that your only advantage is instinct, experience, and the ability to act immediately.

    Last month, I experienced exactly that — a coordinated impersonation attempt from multiple bad actors in Europe using public cloud hosting (GCP) as their relay. They created their own connectors and attempted to impersonate internal executives and accounting contacts.

    The attack bypassed standard controls because:

    • They used legitimate cloud IP ranges
    • They generated perfect SPF/DKIM passes
    • Their mail flow looked “clean” until you read the headers
    • They used crafted envelope senders + forged display names

    The only way to stop them instantly — before users were tricked — was to drop two transport rules at highest priority using PowerShell.
    These acted as “circuit breakers” until perimeter firewall rules could be deployed.

    Below is the exact PowerShell approach, redacted and rewritten for general use.

    🚨 Reflex Script #1 — Emergency “Kill Switch” Rule

    Purpose: If attackers are impersonating an internal address like [email protected], this rule blocks any external sender who uses that address in the envelope from or header from.

    # Connect to Exchange Online
Connect-ExchangeOnline

# Create emergency kill-switch rule
New-TransportRule -Name "KILL SWITCH: Block external spoofing of noreply" `
-FromScope External `
-HeaderContainsMessageHeader "From" `
-HeaderContainsWords "noreply@" `
-SetSCL 9 `
-StopRuleProcessing $true `
-Priority 0

    What this rule does instantly:

    • Stops external senders pretending to be noreply@
    • Sets SCL=9 so the message is quarantined or rejected (depending on policy)
    • Stops evaluation of all other rules — making it hit within milliseconds

    🚨 Reflex Script #2 — Block ALL External Senders Using a Protected Address

    Attackers often rotate payloads or try other internal addresses.
    This second rule blocks all attempts — even if they change tactics.

    New-TransportRule -Name "BLOCK ALL External From Protected Address" `
-FromScope External `
-SenderAddressMatchesPatterns "noreply@", "billing@", "alerts@" `
-SetSCL 9 `
-StopRuleProcessing $true `
-Priority 1

    You can modify the patterns depending on the address being abused.

    🛡️ Why This Worked Instantly

    These scripts bypass the UI delay and:

    • Apply before EOP content filters
    • Hit prior to Safe Links/Safe Attachments
    • Trigger even if messages pass SPF/DKIM/DMARC
    • Intercept mail before it reaches the user’s mailbox
    • Provide time to analyze, trace, and escalate

    This is why reflex PowerShell is critical for senior-level engineers — the GUI is too slow during live attacks.

    🔐 Permanent Fix: Layer 3 / Layer 7 Firewall Enforcement

    Once the immediate threat was stopped with PowerShell, the permanent fix required:

    Layer 3 (IP-based blocklists)

    Blocking:

    • Abused GCP IP ranges
    • Known threat actor networks
    • Anonymous compute nodes

    Layer 7 (Application-layer filtering)

    Policies included:

    • Block SMTP traffic from unknown hosts
    • Block unauthorized connector-based submissions
    • Strict URL filtering for phishing redirectors
    • Geo-blocking regions with no business presence

    Once these firewall measures were active, the PowerShell Kill Switch rules were safely disabled to avoid unnecessary mail flow impact.

    💡 Lessons Learned

    1. Bad actors are fast — you must be faster.
    2. Transport rules + PowerShell are your instant “circuit breakers.”
    3. SPF/DKIM/DMARC are not enough when attackers leverage cloud infrastructure.
    4. Layer 3 and Layer 7 controls create the “permanent seal.”
    5. Instant response + longer-term architecture = real protection.

    This is the type of real-world, battle-tested example that hiring panels want to hear.
    Not theory — lived experience.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Email Spoofing Explained: How Attackers Do It and How DMARC Blocks Them

    Introduction

    Email is built on trust — and the original SMTP protocol (from 1982) was never designed with modern threat actors in mind. Attackers now exploit loose RFC rules, misconfigured servers, and public DNS to spoof legitimate senders and bypass basic filtering.

    This blog explains how spoofing actually works, why SPF/DKIM alone are not enough, and why DMARC alignment + Proofpoint is essential for stopping real-world business email compromise (BEC) attacks.

    1. Email Spoofing 101 — Why SMTP Allows It

    SMTP does not validate who the sender truly is.
    An attacker can control:

    a) The SMTP Envelope (“MAIL FROM”)

    Used for return-path, bounce messages, and SPF checks.

    b) The Email Header (“From:”)

    What the human sees in Outlook, Gmail, iPhone Mail.

    Both can be forged.
    That means an attacker can send:

    MAIL FROM: <[email protected]>
From: Jane Doe <[email protected]>

    …even though they do not own that domain.

    2. Step-by-Step: How Attackers Use SMTP to Forge Email

    (Everything below uses neutral demonstration domains to avoid referencing any real organization.)

    S: 220 mail.fake-sender.net SMTP Ready
C: HELO mail.fake-sender.net
S: 250 Hello
C: MAIL FROM:<[email protected]>
S: 250 OK
C: RCPT TO:<[email protected]>
S: 250 Accepted
C: DATA
S: 354 Start mail input
C: Subject: Urgent – Please Review
C: From: [email protected]
C: To: [email protected]

Hi Bob,
Please review this document:
https://malicious-link-example.net/file

Thanks,
Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Goodbye

    Important:
    This is exactly how attackers craft spoofed email — the same RFC-compliant commands a normal email client uses.

    3. How Attackers “Harvest” SPF and DKIM Using DNS

    Attackers don’t guess your DNS settings.
    They simply query them publicly, like anyone else on the internet.

    Example: Retrieving DKIM Keys

    nslookup -type=txt selector1._domainkey.victim-of-spoofing.com

    This returns the DKIM public key, which attackers use to craft more believable spoofing attempts (not to break DKIM, but to mimic structure).

    Example: Retrieving SPF Records

    nslookup -type=txt victim-of-spoofing.com

    Result:

    "v=spf1 include:_spf.example-email.net -all"

    Attackers now know:

    • what legitimate sending systems you use
    • how strict your SPF policy is
    • which vendors to impersonate

    SPF & DKIM are public, and attackers rely on that.

    4. Why SPF and DKIM Alone Are Not Enough

    SPF checks the envelope (MAIL FROM).
    DKIM checks the message integrity.

    But both fail in these common scenarios:

    SPF Fails When:

    • A scammer spoofs only the header From
    • Email is forwarded
    • Attackers use free SMTP servers with permissive policies

    DKIM Fails When:

    • Sender uses a domain with no DKIM at all
    • Attackers spoof domains they do own
    • Emails pass through weak relays

    This is why companies get spoofed even with “perfect” SPF/DKIM.

    5. DMARC Alignment — The Real Line of Defense

    DMARC requires:

    ✔ SPF Alignment

    Envelope domain must match header From domain.

    ✔ DKIM Alignment

    DKIM signature domain must match the header From.

    If neither aligns, DMARC instructs receivers to:

    • none — monitor only
    • quarantine — send to spam
    • reject — block outright

    Reject is where spoofing finally dies.

    6. Two Ways Attackers Deliver Spoofed Email

    This is critical for interview-level mastery:

    1️⃣ Using Their Own SMTP Server

    Attackers set up a server where:

    • they control all DNS
    • they can configure any RFC behavior
    • they can impersonate any domain

    This allows highly believable spoofing.

    2️⃣ Using Vulnerable Third-Party SMTP Servers

    Attackers often search for:

    • misconfigured mail relays
    • open SMTP relays
    • free spoofing services

    Both methods work unless DMARC reject + Proofpoint is in place.

    7. Why Proofpoint Completes the Protection

    Even with DMARC reject, attackers still spoof:

    • VIP names (“Display Name Spoofing”)
    • Lookalike domains (e.g., companny-secure.com)
    • Legitimate cloud providers that DMARC trusts
    • OAuth-compromised accounts (EAC)

    Proofpoint adds:

    • Identity threat intelligence
    • Imposter protection (BEC Defense)
    • Lookalike domain analysis
    • Behavioral anomaly detection
    • URL rewriting + sandboxing
    • Real-time classification

    Without Proofpoint, DMARC is only half of the defense.

    Conclusion

    Attackers rely on the weaknesses of SMTP’s original design, public DNS records, and domains they control. That’s why spoofing is still one of the most common and dangerous forms of cyberattack worldwide.

    The only way to fully protect executives, employees, and customers is:

    ✔ SPF
    ✔ DKIM
    ✔ DMARC (reject)
    ✔ PLUS Proofpoint’s identity + behavioral controls

    This is the combination that stops real-world BEC/EAC attacks.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • How BEC (Business Email Compromise) and EAC (Email Account Compromise) Work, and How Proofpoint + EAC Controls Stop Them

    Introduction

    BEC (Business Email Compromise) and EAC (Email Account Compromise) are the two most financially damaging email-based attacks today.
    They bypass traditional spam filters, they target humans—not firewalls—and they abuse trust instead of malware.

    Microsoft 365 alone cannot fully protect against these attacks.
    That’s why organizations use Proofpoint, DMARC alignment, and strict authentication controls—to verify identity, stop impostors, and prevent fraudulent requests from reaching inboxes.

    This blog explains:

    • How BEC works
    • How EAC happens
    • What attackers exploit
    • Why RFC email standards make impersonation easy
    • How Proofpoint + EAC controls shut these attacks down

    Perfect material for any advanced interview panel.

    What Is Business Email Compromise (BEC)?

    BEC is when attackers pretend to be:

    • your CEO,
    • your CFO,
    • your HR director,
    • a vendor,
    • or someone with financial authority

    …with the goal of manipulating employees into:

    • wiring money
    • changing direct deposit info
    • sending W-2s
    • releasing confidential documents
    • approving purchases

    🔸 The key point:

    BEC uses identity deception, not malware.
    No attachments.
    No links.
    Just social engineering in a clean email.

    How BEC Works (Step-By-Step)

    1. Reconnaissance

    Attackers scrape:

    • LinkedIn
    • Company directory leaks
    • Press releases
    • Vendor invoices
    • Social media

    They map who communicates with whom.

    2. Identity Impersonation

    They spoof:

    • Display names
    • Envelope sender
    • Reply-To address
    • SPF-valid lookalike domains

    Example:
    [email protected]
    [email protected]

    3. Thread Hijacking

    They do this by compromising a vendor mailbox and replying inside an existing email chain.

    4. Social Engineering

    The attacker sends a “clean” request:

    • “Are you available?”
    • “I need this wire sent ASAP.”
    • “Can you update this banking information?”

    5. Financial Fraud

    Once the attacker has the employee’s trust — the money is gone.

    What Is Email Account Compromise (EAC)?

    EAC is when the attacker actually logs in to a real mailbox.

    Not spoofing.
    Not faking.
    Real access.

    How they gain access:

    • MFA fatigue
    • Password reuse
    • Legacy protocol with no MFA
    • OAuth token theft
    • Malware stealing credentials
    • Phishing pages identical to Microsoft login

    Once inside, attackers:

    • Set up hidden forwarding rules
    • Delete MFA alerts
    • Change mailbox rules
    • Hijack vendor threads
    • Sit silently and wait for financial conversations

    EAC is dangerous because the attacker uses your real domain, your real mailbox reputation, your real account.

    This is why simply having SPF, DKIM, and DMARC does not stop EAC.

    Why Proofpoint Is Needed (Beyond RFC Email Standards)

    RFC email standards allow spoofing by design.

    Attackers can:

    • abuse SMTP commands
    • spoof the “MAIL FROM”
    • spoof the “From:” header
    • use free SMTP servers
    • harvest SPF/DKIM values via nslookup
    • build near-perfect domain clones

    Example:

    nslookup -type=txt _dmarc.victim-domain.com
nslookup -type=txt selector._domainkey.victim-domain.com

    Attackers see your exact SPF/DKIM configuration.
    They spoof accordingly.

    This is why relying on RFC standards alone is not enough.

    How Proofpoint Stops BEC and EAC

    1. Identity Protection

    Proofpoint checks:

    • display name anomalies
    • domain lookalikes
    • impossible travel
    • VIP impersonation attempts
    • internal vs external identity mapping
    • “Reply-To mismatch”
    • “Header vs Envelope mismatch”

    Microsoft EOP can do part of this,
    Proofpoint does it with far more accuracy.

    2. Vendor Fraud Protection

    Proofpoint fingerprints:

    • vendor sending behavior
    • previous conversation style
    • writing style
    • IP reputation

    If a vendor mailbox is compromised, Proofpoint detects the “change in sending personality.”

    This is one of the strongest EAC protections in the industry.

    3. DMARC Enforcement + Lookalike Domain Defense

    Proofpoint enforces:

    • Domain alignment
    • Display name behavior
    • Header-from authentication
    • Cross-identity matching

    Lookalike domains” examples (generic only):

    • company-secure.com
    • companny.com
    • c0mpany-support.com
    • company-mailservice.com

    These would pass traditional email filters.

    4. URL and Payload Isolation

    Even if links look clean, Proofpoint re-writes and detonates them.

    Although BEC rarely has links, EAC-based phishing almost always does.

    5. Machine Learning on Human Behavior

    Proofpoint analyzes:

    • who talks to whom
    • frequency
    • direction
    • urgency phrases
    • tone manipulation

    If the CEO normally never emails accounting at 10:30 PM on a Friday — the message gets flagged.

    Real-World Example (Anonymized)

    A vendor’s mailbox was compromised.
    The attacker replied inside an existing thread asking to update bank account numbers.

    Microsoft EOP didn’t block it — it came from a legitimate vendor domain.

    Proofpoint flagged:

    • anomalous IP
    • unusual writing style
    • “conversation thread hijacking detected”
    • vendor identity risk score

    Proofpoint blocked the message before it reached the user’s mailbox.

    This is exactly why companies invest in Proofpoint.

    Conclusion

    BEC and EAC are no longer “IT problems.”
    They are financial crimes, costing billions worldwide.

    Microsoft 365 gives strong baseline protection,
    but attackers today use identity manipulation, social engineering, and thread hijacking that bypass traditional signals.

    Proofpoint closes those gaps with:

    • identity defense
    • behavioral AI
    • vendor fraud detection
    • DMARC enforcement
    • mailbox compromise detection
    • impersonation protection

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Why RFC Email Standards Are Not Enough: A Real Look at Modern Email Security

    🛡 How Email Spoofing REALLY Works (With a Safer Example)

    Even though RFC standards gave us SPF, DKIM, and DMARC, the core SMTP protocol is still trust-based. That means attackers can abuse the protocol whenever a mail server is misconfigured or doesn’t enforce authentication.

    SMTP actually has two places where the “sender” can be declared:

    1. MAIL FROM (SMTP envelope)
    2. From: (message header inside DATA)

    Both of these can be forged.

    Here is a safe, fictional example showing what a spoofing attack looks like when the attacker controls their own SMTP server. NONE of this uses real domains or copyrighted examples.

    Example: Attacker Spoofing a CEO Email (Fictional Domain)

    S: 220 mail.hacker-smtp.test Ready
    C: HELO mail.hacker-smtp.test
    S: 250 Hello
    C: MAIL FROM:[email protected]
    S: 250 Ok
    C: RCPT TO:[email protected]
    S: 250 Accepted
    C: DATA
    S: 354 End data with .
    C: Subject: Immediate Action Required
    C: From: [email protected]
    C: To: [email protected]
    C:
    C: Hi Bob,
    C: Please review this file urgently:
    C: https://malicious-link.test
    C:
    C: Thanks,
    C: Jane
    C: .
    S: 250 Message accepted
    C: QUIT
    S: 221 Closing connection

    What happened here?

    • The attacker never touched the real domain’s server.
    • No SPF, DKIM, or DMARC was involved.
    • They simply declared themselves as [email protected].
    • The receiving system, if unprotected, trusts the SMTP envelope + header.

    This is why:

    • Email security must be enforced on the RECEIVING side.
    • SPF/DKIM/DMARC without an email security gateway (ProofPoint, Barracuda, Cisco, etc.) is NOT enough.

    🛡 Why SPF and DKIM Alone Can Be Faked

    Attackers don’t guess your DNS records—
    They retrieve them using public DNS queries.

    Example: How Hackers Pull Your DKIM Public Key

    nslookup -type=txt selector1._domainkey.yourdomain.com

    Example: How Hackers Retrieve Your SPF Policy

    nslookup -type=txt yourdomain.com

    Your actual records are public by design.

    Attackers do not break DKIM or SPF
    they simply copy what’s public and send email from a server you do not control.

    This leads to the two main spoofing paths:

    Two Ways Attackers Deliver Spoofed Email

    1. Using Their Own SMTP Server

    • Full control
    • Can impersonate envelope sender and header
    • Can ignore security standards
    • Can replay your SPF/DKIM values
    • Can build reputation over time

    2. Using Someone Else’s SMTP Server

    • Open relay servers
    • Misconfigured mail servers
    • Free public spoofing tools (many exist)
    • Requires no authentication
    • Still bypasses SPF/DKIM because enforcement happens at the receiver

    🧩 Why You STILL Need ProofPoint or an SEG

    • RFC standards are voluntary
    • SPF/DKIM/DMARC are not enforcement engines
    • They only give a pass/fail signal
    • Your mail flow only becomes safe when paired with:
    1. ProofPoint BEC + EAC protection
    2. Malicious payload scanning
    3. Impostor Detection™
    4. Header anomaly detection
    5. Authentication-layer reputation scoring
    6. Threat intelligence for known bad SMTP sources

    No SPF/DKIM/DMARC setting—no matter how perfect—
    can stop a spoof that comes from an SMTP server across the world.

    Only a receiving enforcement engine can.

    Over the years I have worked with high end filtering solutions in multiple large enterprise environments. The dashboards have changed but their purpose has stayed the same.

    Their goal is to strengthen the RFC standards that are not strong enough on their own.

    Here are the RFCs that define the foundation of email authentication:

    • SPF — RFC 7208
    • DKIM — RFC 6376
    • DMARC — RFC 7489

    These standards are important but incomplete. Even with perfect configuration you can still get spoofing attempts, executive impersonation, phishing, and vendor fraud. The RFC by itself cannot stop the modern threat landscape.

    Below is a clear breakdown of why.

    Defense Wins Championships and Email Security Works the Same Way

    In basketball you cannot win with offense alone. You win when you have strong defense and efficient offense working together.

    Email follows the same pattern.

    SPF is offense
    DKIM is offense
    DMARC is offense

    They validate. They authenticate. They enforce the rule book.

    But attackers do not care about the rule book.
    They bypass these RFC standards every day.

    This is why you need a real defense layer.

    This is where filtering tools like Proofpoint or Barracuda add the protection the protocols cannot provide.

    Why SPF, DKIM, and DMARC Are Not Enough

    Even when perfectly configured these protocols only protect part of the message.

    SPF

    Checks the MAIL FROM envelope.
    Attackers spoof the visible Header From instead.

    DKIM

    Signs the headers.
    Attackers send unsigned mail from lookalike domains.

    DMARC

    Requires alignment.
    Attackers bypass alignment through friendly name tricks and unicode abuse.

    This is why even major companies with mature security still deal with spoofing.

    The RFCs do not cover every modern attack vector.

    What Third Party Filtering Tools Actually Do

    Filtering solutions provide the defense layer that SPF, DKIM, and DMARC cannot offer.

    They detect:

    • impersonation
    • behavior anomalies
    • malicious intent
    • lookalike domains
    • CEO fraud
    • malicious URLs
    • dangerous attachments
    • unknown senders
    • unusual source locations
    • suspicious API behavior
    • threat reputation changes

    They analyze behavior rather than relying only on protocol alignment.

    Without this layer your domain becomes an easy target.

    What Happens When Security Is Too Tight

    When filters are over configured these are the problems you will see:

    • executive emails going to junk
    • vendors trapped in quarantine
    • delayed messages
    • business interruptions
    • unhappy management
    • slow communication
    • loss of confidence in IT

    Security must be layered not suffocating.

    The Five Layers of Modern Email Security

    This approach is what works in every large enterprise environment.

    1. User Training

    Teach users how spoofing works.
    Show them friendly name manipulation.
    Awareness reduces risk.

    2. Proper Microsoft 365 Configuration

    Connectors. Accepted domains. Transport rules.
    Everything must be configured correctly.

    3. SPF, DKIM, and DMARC

    The RFC standards still matter.
    Alignment must be correct.

    4. Third Party Filtering Solutions

    Proofpoint. Barracuda. Mimecast.
    They provide what the RFC cannot.

    5. APM Monitoring

    Dynatrace. Splunk. AppDynamics.
    These tools detect environmental issues that affect mail flow.

    APM identifies:

    • abnormal MAIL FROM attempts
    • spikes in DKIM failures
    • SMTP conversation problems
    • delays before Proofpoint
    • anomalies at the DNS level

    This gives early warning before a threat becomes a major issue.

    Final Thought

    Email is the number one attack surface in every company.
    The truth is simple.

    You get what you pay for.

    If you go cheap your domain becomes a soft target.
    You will deal with spoofing
    You will deal with ransomware
    You will deal with compromised accounts
    You will deal with vendor fraud

    If you invest in complete layered defense your organization becomes a bad target.

    This is how modern email security works today.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Marked in Time — Sep 24, 2025 Email Offboarding: Forward for 14 Days → Then Retire the Mailbox (No Shared Mailboxes)

    Clean handoff: 14-day forward then retired the mailbox. using powershell

    Excerpt

    A simple, low-risk offboarding pattern: enable a 14-day forward to the supervisor with an auto-reply, keep copies in the mailbox, then remove forwarding and retire the account. No shared mailboxes, no drama.

    Photo suggestion

    Something neutral and professional: a close-up of a keyboard lock icon, or a soft sunset over a temple (if you want to keep the page’s visual theme).
    Caption idea: “Quiet handoffs, clean closures.”

    Context (redacted)

    Policy: No shared mailbox conversions. For leavers, enable a 2-week mail forward to the supervisor, show a clear auto-reply, then delete the user so the mailbox soft-deletes and later hard-deletes. Team files live in SharePoint/Teams; local working data is archived to encrypted USB for short-term retention.

    Before (T0) — Enable 14-Day Forward + Auto-Reply

    Goal: Forward new messages for two weeks and keep a copy in the mailbox for audit/review; clearly inform senders.

    Replace with your addresses before running:
    $User = "[email protected]"
    $Supervisor = "[email protected]"

    # Admin sign-in
Import-Module ExchangeOnlineManagement -ErrorAction SilentlyContinue
Connect-ExchangeOnline

# Vars
$User       = "[email protected]"
$Supervisor = "[email protected]"
$Days       = 14
$Now        = Get-Date
$End        = $Now.AddDays($Days)

# Enable mailbox-level forwarding (keep a copy)
Set-Mailbox -Identity $User `
  -ForwardingSmtpAddress $Supervisor `
  -DeliverToMailboxAndForward $true

# Schedule auto-replies for the same window
$InternalMsg = @"
This mailbox is no longer monitored.
For assistance, please contact $Supervisor or call the main line.
"@

$ExternalMsg = @"
Thanks for your message. This mailbox is no longer monitored.
Please email $Supervisor for assistance.
"@

Set-MailboxAutoReplyConfiguration -Identity $User `
  -AutoReplyState Scheduled `
  -StartTime $Now `
  -EndTime $End `
  -InternalMessage $InternalMsg `
  -ExternalMessage $ExternalMsg `
  -ExternalAudience All

    Parallel housekeeping (same day):

    • Reset the user’s password, revoke sign-in sessions, and (optionally) block sign-in during the transition.
    • Transfer/confirm ownership of OneDrive/SharePoint/Teams files needed by the team.
    • Archive any local workstation data to an encrypted USB (BitLocker To Go) if policy allows.

    After (T+14) — Remove Forwarding → Retire Account

    Goal: Stop forwarding, disable auto-reply, and delete the user (soft-delete mailbox). Optionally hard-delete the mailbox once soft-delete is visible.

    Import-Module ExchangeOnlineManagement -ErrorAction SilentlyContinue
Connect-ExchangeOnline

$User = "[email protected]"

# Remove mailbox-level forwarding & auto-reply
Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Set-MailboxAutoReplyConfiguration -Identity $User -AutoReplyState Disabled

# Delete the user in Entra ID (do this in the portal or via Graph)
# Entra admin center → Users → select user → Delete
# After directory sync, the mailbox will be in "soft-deleted" state (up to 30 days)

# Optional: Permanently delete the mailbox once soft-deleted
$Soft = Get-Mailbox -SoftDeletedMailbox -ErrorAction SilentlyContinue |
        Where-Object {$_.PrimarySmtpAddress -eq $User}
if ($Soft) {
  Remove-Mailbox -PermanentlyDelete -Identity $Soft.ExchangeGuid -Confirm:$false
}

    Lessons Learned

    • Clarity beats complexity. Forward + auto-reply for a defined window avoids confusing senders and helps the team capture anything urgent.
    • Keep a copy while forwarding. It preserves context during the transition.
    • No shared mailbox needed. If policy prohibits it, you can still do a clean, auditable handoff.
    • Document the timestamps. Password reset, token revocation, forward on/off, user deletion, and any permanent mailbox purge.

    Pocket I’m Keeping

    • Short window, clear message, clean cutover.
    • Files belong in SharePoint/Teams; email is a temporary bridge.
    • Quiet, consistent process reduces friction and drama.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!