Tag: Exchange Online

My Essential IT Troubleshooting Guide
Simple Explanations for Real World Problems

One of my favorite seasons of my life. Serving the city, keeping critical systems alive, and learning the foundations that shaped who I am as an engineer today. Every console screen taught me something new and every problem strengthened my desire to help others through technology.

My Essential IT Troubleshooting Guide

In every company I have worked for, the tools that saved the day were not fancy dashboards but simple commands and fundamentals I could trust.
This is my personal troubleshooting arsenal, written so even a non technical reader can follow the logic behind what I do.

Each section answers three things
• What it is
• Why it matters
• How I use it in real life

Name Resolution Basics

A record

What
• A record is a phone book entry that says “this name belongs to this IP address.”

Why
• Users remember names better than numbers. If the A record is wrong or missing, they land in the wrong place or nowhere.

How I use it
• When a site is not loading, I ping the name and check if the IP address matches what we expect.
• If it does not, I fix the A record in DNS and wait for it to replicate.

CNAME

What
• A CNAME is a nickname that points one name to another name.

Why
• It lets you move services without breaking users. The public name stays the same while the target changes behind the scenes.

How I use it
• For services like autodiscover or app portals, I often see CNAMEs that point to Microsoft or another provider.
• When something breaks after a cutover, CNAMEs are one of the first things I verify.

DNS

What
• DNS is the global phone book that turns names into IP addresses.

Why
• If DNS fails, everything feels broken. Browsers, Outlook, file shares, all of them depend on DNS.

How I use it
• I run nslookup name.company.com to see which DNS server is answering and what IP it returns.
• If users in one site can reach something and other users cannot, I compare DNS answers between locations.

Hosts file

What
• The hosts file is a tiny local phone book on the computer.

Why
• It overrides DNS for that machine. One bad line can send traffic to the wrong place.

How I use it
• Location on Windows

C:\Windows\System32\drivers\etc\hosts

• I open it with Notepad as administrator.
• If someone hard coded a testing IP and forgot about it, I comment it out or remove it, then flush DNS.

Flush cache

ipconfig /flushdns

Nbtstat and TCP IP

What
• Nbtstat is an older tool for NetBIOS name resolution.
• Hard coded TCP IP means a manual IP instead of DHCP.

Why
• Nbtstat helps when legacy name lookups act strange.
• Hard coded IPs can cause conflicts or make VLAN changes painful.

How I use it
• nbtstat -n to see local NetBIOS names.
• nbtstat -c to see the name cache.
• When I find static IPs on client machines, I document them and move them to DHCP reservations so the network is easier to manage.

Network control panel shortcut

I still use this every week

From Run

ncp.cpl

It opens the Network Connections window so I can quickly check adapters, enable or disable, or look at IPv4 settings.

DHCP Essentials

What
• DHCP hands out IP addresses, gateways and DNS to clients.

Why
• If DHCP fails, users cannot get on the network or suddenly have duplicate addresses.

Best practices
• Use at least two DHCP servers where possible.
• Define scopes with correct gateway and DNS.
• Use reservations for printers and key servers.

Commands I use on clients

ipconfig /release
ipconfig /renew

If a user can reach the internet but not internal resources, I check that DNS from DHCP is internal and not a public resolver.

MX, Autodiscover and Mail Flow

MX record

What
• MX tells the world which server receives mail for your domain.

Why
• If MX points to the wrong place or has a low priority backup you forgot, email can vanish or queue.

How I use it
• I use MXToolbox to check MX records and verify that they point to Exchange Online or the correct email gateway.

Autodiscover

What
• Autodiscover tells Outlook where to find the mailbox and settings.

Why
• A broken autodiscover record means constant password prompts or profile creation failures.

How I use it
• I verify the Autodiscover CNAME or SRV record.
• I test with Outlook connectivity tools or Test-OutlookConnectivity when available.

Hunting spam engines and bad SMTP

Where malware hides
• In browser extensions
• In Outlook add ins
• In unknown services or scheduled tasks that send mail through SMTP

How I clean it without reimaging
• Check Outlook add ins and disable anything suspicious.
• Run msconfig and Task Manager to review startup items and tasks.
• Review SMTP logs on the server to see which host is sending unexpected traffic.

Certificates and SSL in Hybrid Environments

Internal web apps depend on trusted certificates so browsers know the site is safe. When an SSL expires, internal apps stop working and Chrome or Edge will show warnings.

Why we create new SSLs
• Internal web apps must be trusted.
• Intranet portals and legacy apps often stop working when an internal CA certificate expires.
• External issued certs from DigiCert or GoDaddy are trusted by browsers.

PowerShell to generate a CSR example
```
$csr = New-ExchangeCertificate -GenerateRequest `
-SubjectName "CN=mail.contoso.com" `
-DomainName "mail.contoso.com","autodiscover.contoso.com"
Set-Content -Path "C:\Certs\mail_csr.req" -Value $csr
```
After the CA signs it, import
```
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content "C:\Certs\mail_cer.cer" -Encoding byte -ReadCount 0)) -PrivateKeyExportable $true
```
Enable for necessary services
```
Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services IIS,POP,IMAP
```
Where I keep it
• C:\Certs or another controlled folder
• Never leave certificates scattered in Downloads

Core servers
• I open Task Manager with Ctrl Shift Esc
• File, Run, then mmc
• Add the Certificates snap in and import there
Or I import directly with PowerShell.

Machine Trust Relationship Problems

When Windows says “the trust relationship between this workstation and the primary domain failed,” the computer account and the domain no longer agree.

On a traditional domain
• Disable LAN and WiFi
• Log in using cached credentials
• Reset the local admin password if needed
• Disjoin from the domain and put it in a workgroup
• Reboot
• Join it back to the domain

For Azure AD joined devices

Check status

dsregcmd /status

If broken

dsregcmd /leave

Then re join from Settings under Access work or school.

RDP Session Cleanup

Sometimes users cannot remote into their office desktop because a stale session is still connected.

I run from my admin machine
```
query session /server:192.168.10.25
logoff <SessionID> /server:192.168.10.25
```
After that, they can reconnect without rebooting the server.

Active Directory Tools

ADSIEdit

What
• A low level editor for Active Directory objects.

Why
• Last resort for fixing broken attributes or lingering records when normal tools cannot reach them.

How I use it
• Only with full backups and a clear change plan.
• I use it to clean up orphaned objects or legacy settings left behind.

Event Viewer

What
• The black box recorder of Windows.

Why
• Every blue screen, login failure, replication problem and service crash leaves a trace here.

How I use it
• eventvwr.msc
• I focus on System and Directory Service logs on domain controllers, and Application logs on servers hosting apps.

FSMO Roles

What
• Flexible Single Master Operations are special AD roles for schema, naming, PDC, RID and infrastructure.

Why
• These make sure there is one source of truth for sensitive changes.

Best practice
• Know exactly which DC holds each role.
• Protect those DCs like crown jewels.

If a FSMO owner is gone forever
• You can seize the role to a healthy DC using ntdsutil.
• After seizing you never bring the old DC back online.

This is rare but every senior engineer should know the process in theory.

AD and Entra ID Health

On premise AD health

dcdiag
repadmin /replsummary
repadmin /showrepl

I always confirm
• DNS is correct
• SYSVOL is in sync
• Time is correct and within a few minutes across all DCs

Entra ID health

Connect-MgGraph
Get-MgUser
Get-MgDirectoryAudit

I check
• Sign in logs for failures
• Conditional Access for blocked locations
• Device compliance for machines that suddenly appear non compliant

AD controls computers and users on site.
Entra controls cloud identity and device trust.
In a hybrid world, both must be healthy.

Azure and Terraform

Azure CLI read only commands

az login
az account show
az group list
az vm list
az storage account list

These tell me what exists without changing anything.

Terraform for infrastructure as code
• Initialize the directory
terraform init
• Format
terraform fmt
• Validate
terraform validate
• Plan
terraform plan

Nothing changes until terraform apply is run.
For interviews, being comfortable with init, plan and validate already shows good understanding.

Microsoft 365 Services

Group Policy

Purpose
• Central control of security and settings for on premise joined machines.

How I create it
gpmc.msc
• New GPO
• Edit with the settings I want
• Link to the correct OU

Universal Print

What
• Cloud based printing that removes the need for classic print servers.

Why
• Easier management for hybrid and remote users.

I register printers in Universal Print and assign permissions based on groups, so users can get printers automatically.

SharePoint Online

Steps I follow
• Go to Microsoft 365 admin center
• Open SharePoint admin
• Create a new site
• Assign owners and members
• Set sharing and retention policies

This becomes the central place for team documents and intranet content.

OneDrive and Data Migration

OneDrive
• Sync client installed on machines
• Known Folder Move for Desktop, Documents and Pictures
• Version history to protect from mistakes and ransomware

Migrating data
• I prefer SharePoint Migration Tool or Mover.
• I clean old data first so I do not carry garbage into the cloud.
• I communicate to users what will move and what will not.

Why This Arsenal Matters

These are the tools I have relied on in city government, banks, energy drinks, and manufacturing.
They are not fancy, but they work.

Every time I help a user reconnect, restore a service, or clean up a broken configuration, I am really doing three things

• Protecting the company and its data
• Supporting my teammates so they are not alone in the fire
• Honoring the gift God gave me to understand and fix complex systems

This arsenal is how I serve.
Whether I am helping a small office or a multi site enterprise, the pattern is the same ask good questions, run the right checks, fix the root cause, and leave clear notes so the next engineer can see the path.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 28, 2025
Litigation Hold in M365 (Complete Guide + Best Practices)
Title:

Litigation Hold in M365 — What It Is and How to Do It Right

Introduction

Litigation Hold preserves mailbox and OneDrive data for legal or compliance needs. I’ve used it in Monster Energy, PIMCO, Church projects, and Martin.

What Litigation Hold Does
- Keeps deleted emails
- Preserves edited messages
- Locks OneDrive items
- Prevents irreversible deletion
- Meets legal retention requirements
How to Enable (GUI)

M365 Admin Center → Users → Mailbox → Litigation Hold → Enable

How to Enable (PowerShell)
```
Set-Mailbox [email protected] -LitigationHoldEnabled $true -LitigationHoldDuration 3650
```
Best Practices
- Keep at least 5 years
- Church uses 20 years
- Store the reason in the notes
- Never disable without GC/Legal approval
- Use eDiscovery to search preserved data
- Document everything
Common Misunderstandings

❌ Litigation Hold is NOT retention policy
❌ Litigation Hold is NOT backup
✔ Litigation Hold is legal preservation

Conclusion

Use Litigation Hold carefully.
Once enabled, treat that mailbox as evidence.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 25, 2025
Email Retention in M365 (Best Practices)
Email Retention in Microsoft 365 — How to Keep What Matters

Introduction

Email retention ensures messages are kept for the correct amount of time for:
- business
- legal
- compliance
- industry regulations
Monster, PIMCO, the Church, and Martin all used different retention needs.

Retention Policy Basics

Retention can:
- Delete after X years
- Keep and then delete
- Keep forever
- Auto-apply by keyword or location
Example Retention Policies

1. Keep 7 Years, Then Delete
```
New-RetentionCompliancePolicy -Name "7 Years Email"
New-RetentionComplianceRule -Name "7YearEmailRule" -Policy "7 Years Email" -RetentionDuration 2555 -RetentionAction Delete
```
2. Keep Forever

GUI:
Compliance → Data Lifecycle → Retention → Forever

3. Auto-Apply to Executives
```
New-RetentionComplianceRule -Name "ExecRetention" -Policy "ExecForever" -UserGroupFilter "JobTitle -eq 'Executive'"
```
Best Practices
- Always include shared mailboxes
- Use Labels for sensitive groups
- Never auto-delete without approval
- Align with CIS security
- Document your retention plan
Conclusion

Good retention protects the company — and the user.
It ensures you keep what matters and nothing more.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 25, 2025
The Evolution of Microsoft Exchange: From 5.0 to Exchange Online (EXO)
A Technical History Through the Tools, Upgrades, and Real-World Administration That Shaped Modern Email

Email administration today looks nothing like it did in the mid-1990s. What began as a system of flat files and small IS databases has evolved into a globally distributed, cloud-secure service powered by modern authentication, forensic automation, and layered identity protections.

This article covers the full evolution — from Exchange 5.0 → 5.5 → 2000 → 2003 → 2007 → 2010 → 2013 → 2016 → Hybrid → Exchange Online — through the practical tools and real operational practices that defined each era.

It also highlights legacy repair tools (ISINTEG, ESEUTIL), the emergence of PowerShell, and modern security controls such as DKIM, DMARC, and real-time EXO policies.

1. Exchange 5.0 — The GroupWise Era & The Limits of Early Messaging

When Exchange 5.0 existed, Novell GroupWise was still considered the enterprise email standard. Capacity was limited and reliability required constant hands-on administration.

Key Characteristics
- Basic directory service
- Small private and public folder stores
- No Active Directory yet
- No PowerShell
- 16GB database ceiling
- Frequent corruptions under heavy load
Real Tools Used

🔧 ISINTEG — Logical Database Repair

Example usage:
```
ISINTEG -pri -fix -test alltests
```
🔧 ESEUTIL — Physical Database Repair

Soft recovery:
```
ESEUTIL /r E00 /l "E:\logs" /d "E:\mdbdata"
```
Hard recovery:
```
ESEUTIL /p "E:\mdbdata\priv.edb"
```
Defrag/whitespace removal:
```
ESEUTIL /d "E:\mdbdata\priv.edb"
```
White space mattered because the database could never exceed the size limit, and defrags were essential to survive weekly growth.

2. Exchange 5.5 — The First True Enterprise Version

Exchange 5.5 replaced GroupWise in many organizations because it solved the two biggest weaknesses:

Major Improvements
- Larger database limits
- Internet Mail Connector (IMC) matured
- Directory replication across sites
- Better MAPI stability
- More predictable backups
This was the version where large organizations first began to trust Exchange for hundreds or thousands of users.

Database limitations still required:
- Regular whitespace removal
- Offline defrags
- ISINTEG repairs
3. Exchange 2000 / 2003 — Active Directory Arrives

The introduction of Active Directory changed everything.

Now Possible
- Kerberos authentication
- Unified Global Address List
- Recipient policies
- Improved SMTP stack
- Better routing groups
Tools of the Era
- ESEUTIL still required
- ISINTEG for logical repair
- Streaming file (.STM) management
- COM+ based transport pipeline
Disaster recovery still required:
- Hard repairs
- Log replays
- Offline maintenance windows
4. Exchange 2007 — PowerShell Revolutionizes Email Administration

Exchange 2007 was the turning point. This version introduced:

Major Innovations
- PowerShell (EMS)
- Role-based server architecture
- Database Availability Groups (DAGs begin later)
- Transport rules
- Modern SMTP pipeline
Example PowerShell Operations

Bulk mailbox creation
```
Import-Csv users.csv | % {
  New-Mailbox -UserPrincipalName $_.UPN -Name $_.Name -Alias $_.Alias
}
```
Transport rule creation
```
New-TransportRule -Name "Block EXE" -AttachmentExtensionMatchesWords ".exe" -RejectMessageReason "Executable blocked"
```
Database health
```
Get-MailboxDatabaseCopyStatus *
```
PowerShell replaced ISINTEG as the primary troubleshooting interface.

5. Exchange 2010 / 2013 — High Availability & Hybrid Era

These versions supported:
- DAGs with multiple copies
- Outlook Anywhere (RPC over HTTPS)
- Cross-forest migrations
- Massive mailboxes (50GB+)
- First large-scale hybrid deployments
Database Whitespace Management

Modern approach:
```
Get-MailboxDatabase -Status | ft Name,AvailableNewMailboxSpace
```
To reclaim all space:
1. Create new database
2. Move mailboxes
3. Remove old database
4. Mount clean database
Multi-region examples
- Databases per region (NA/APAC/EMEA)
- Public folder migrations
- CAS/Hub/MBX role separation
6. On-Prem to Cloud Migrations — AWS WorkMail, Exchange 2010, Hybrid, EXO

Organizations with large global footprints began migrating:

Migration Examples
- From AWS WorkMail → Exchange 2013 HA → EXO
- From Exchange 2010 datacenters → Hybrid → EXO
- From Exchange 2013 → EXO using HCW and staged cutover
Challenges Solved by EXO
- No more ESEUTIL
- No more ISINTEG
- No more DAG patching
- No more weekend downtimes
- Automatic redundancy
- Modern authentication
- Better malware scanning
7. Exchange Online — The Modern Cloud Era

Today, administrators rely on:
- Exchange Online PowerShell v3
- Graph API
- Defender for O365
- Purview eDiscovery
- Modern connectors
- DKIM / DMARC enforcement
- Real-time spam intelligence
- Modern auth for SMTP
How to Rotate DKIM 2048-bit Keys

Admin Center → Security → Email Authentication → DKIM → Rotate Keys

Verify in PowerShell
```
Get-DkimSigningConfig | fl Domain,Selector1CNAME,Selector2CNAME
```
Keys should be:
- 2048-bit
- Rotated regularly
- Protected from unauthorized access
**8. Real-World Security Hardening in EXO

(Including the Kill-Switch Scripts)**

Last-generation threats require immediate defensive controls.
These are sanitized versions of the two emergency scripts used to block impersonation attacks:

🛑 Kill Switch Transport Rule (Blocks All External Sender Impersonation)
```
New-TransportRule -Name "KILL-SWITCH" `
-FromScope NotInOrganization `
-SentToScope InOrganization `
-SetHeaderName "X-Blocked" `
-SetHeaderValue "EmergencyBlock" `
-StopRuleProcessing $true `
-Enabled $true `
-Mode Enforce
```
🛑 Block-All Impersonation Rule
```
New-TransportRule -Name "BLOCK-IMPERSONATION" `
-HeaderMatchesMessageHeader "From" `
-HeaderMatchesPatterns ".*@yourdomain\.com" `
-SentToScope InOrganization `
-FromScope NotInOrganization `
-RejectMessageReasonText "External sender attempted domain impersonation" `
-StopRuleProcessing $true
```
After the event is over, disable:
```
Disable-TransportRule "KILL-SWITCH"
Disable-TransportRule "BLOCK-IMPERSONATION"
```
9. Why Exchange Online Beats Every On-Prem Version

No More:
- Database corruption
- ESEUTIL repair weekends
- ISINTEG logical rebuilds
- Streaming file failures
- Whitespace management
- RPC failures
- CAS array dependency
Instead You Get:
- Multi-region HA
- Continuous patching
- DKIM / DMARC alignment
- Modern authentication
- Real-time message trace
- Defender Safe Links/Safe Attachments
- Purview forensic tools
- 24/7 cloud threat intelligence
10. Summary

This blog ties together:
- The original on-prem tools (ISINTEG, ESEUTIL)
- The arrival of AD
- The PowerShell revolution
- The hybrid era
- The modern cloud security stack
- DKIM rotation
- EXO forensic investigation
- Emergency transport rule defense
It shows why the move from Exchange 5.0 to EXO was inevitable — every stage improved reliability, scalability, administration, and security.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 24, 2025
DKIM Security: How Signing and Key Rotation Stop Email Spoofing
Introduction

DKIM (DomainKeys Identified Mail) is one of the most effective ways to verify that an email truly came from your organization. But many companies misunderstand one crucial truth:

DKIM is only as strong as the protection of its private key.

If attackers obtain your DKIM private key, they can sign email that appears cryptographically legitimate — even if it comes from a malicious server. This is why key length, rotation, and protection matter just as much as turning DKIM “on.”

Section 1 — What DKIM Actually Does

DKIM works by attaching a digital signature to every outbound message.
It ensures:
- The message hasn’t been altered
- The sender is authorized
- The domain identity can be verified
The core elements are:

1️⃣ DKIM Selector (s=)

Identifies which key is used.
Example:
s=mail2025;

2️⃣ DKIM Domain (d=)

The domain signing the message.
Example:
d=example-corp-secure.com;

3️⃣ Public Key (Published in DNS)

Stored in a TXT record:
mail2025._domainkey.example-corp-secure.com

4️⃣ Private Key (kept hidden on the mail server)

This is the key attackers target.
It signs every outbound message.

Section 2 — Why Private Keys Must Be 2048-bit Minimum

Attackers today can break 1024-bit DKIM keys.
- Cloud computing
- GPU farms
- Distributed cracking
This is why Microsoft and major ESPs recommend 2048-bit keys.

Weak DKIM = forged trust.

Section 3 — Why You Must Rotate DKIM Keys Regularly

Even a strong key becomes weaker over time:
- Keys leak
- Keys get copied
- Keys get exposed in old backups
- Misconfigured systems reuse keys
- Bad actors gather DNS data for months
Weekly or monthly rotation is considered best practice in regulated industries like banking.

Rotation protects your domain even if an attacker manages to obtain an older key.

Section 4 — How an Attacker Exploits DKIM

If the private key is stolen:
- They can sign malware
- They can sign phishing
- They bypass SPF failures
- They pass DKIM alignment
- They pass DMARC alignment
- Email goes straight to inbox
This is why DKIM alone is not enough.

Section 5 — Why DKIM Matters
- Prevents email tampering
- Builds domain trust
- Enables DMARC “reject” mode
- Protects your brand
- Reduces false positives
- Ensures message integrity
But DKIM is only strong if the private key is protected and rotated.

Conclusion

Most executives think DKIM is “set it and forget it.”
But email security today requires:
- Strong 2048-bit DKIM keys
- Regular rotation
- Tight private key protection
- Monitoring through Proofpoint and EOP
- DMARC enforcement
This is not optional anymore — especially for banks.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
Why PowerShell Still Beats Purview for Real Forensics: Speed, Depth, and No UI Limits
Introduction

Microsoft Purview is Microsoft’s compliance, audit, and eDiscovery platform for Microsoft 365. It provides GUI-driven tools for administrators to perform searches, create holds, review data, and respond to legal and compliance requirements.

But here’s the reality that senior M365 engineers know:

Purview is powerful, but it is not complete.
It has strict limits, throttles, and boundaries designed for safety and performance — not deep forensic analysis.

This is why serious investigations always end up in PowerShell, where engineers can bypass GUI limitations, perform deeper searches, and collect evidence with precision.

Section 1 — What Purview Is (in plain English)

Purview provides:
- Content search
- eDiscovery (Standard & Premium)
- Litigation holds
- Audit logs
- Labeling and retention
- Insider risk scanning
- Communication compliance
It is designed for:
- Legal teams
- Compliance officers
- HR investigations
- Corporate governance
- High-level reporting
And for these purposes, Purview works very well.

Section 2 — The Hidden Limitations of Purview

Here are the real limits engineers face:

1. Sending & Rate Limits

Purview actions follow the same throttling limits as Exchange Online.
You cannot pull unlimited messages instantly.

2. eDiscovery Query Limits

Each Purview search query is limited to:
10,000 characters
This is a major limitation for complex filters.

3. Maximum Export Sizes

Large exports (multiple gigabytes) often fail or time out.
This is why forensic engineers break searches into chunks.

4. Maximum Holds Per Mailbox

A mailbox can only have:
25 holds total
More than 25 affects performance, indexing, and mailbox health.

5. External Recipient Limits

Purview cannot override existing mailbox restrictions.

6. Tenant-Wide Limits

Even Premium eDiscovery has:
- Search concurrency limits
- Workflow throttling
- Processing delays
- Indexing dependency (if an item isn’t indexed, Purview can’t see it)
7. Purview is not real-time

It depends on indexing engines.
Indexing delays = missing results.

8. Purview cannot reveal everything

For true forensics you often need:
- Message trace logs
- Transport logs
- Historical mailbox snapshots
- DeletedItems and RecoverableItems subfolders
- Soft delete and hard delete content
- Hidden folders
- Unindexed items
Purview cannot provide all of that.

Section 3 — Why PowerShell is Superior for True Forensics

When Microsoft engineers or financial institutions perform real investigations, they do not rely on Purview alone. They rely on PowerShell because PowerShell can do what Purview cannot.

1. Access Every Folder (Including Hidden Ones)

PowerShell can query:
- Inbox
- Sent
- DeletedItems
- RecoverableItems
- Purges
- Versions
- Subfolders not visible in Outlook
- Unindexed items
Purview can’t.

2. No GUI query limit

There is no 10,000-character query restriction in PowerShell.

Pattern searches can be huge, detailed, and layered.

3. Deep Header and Message Metadata Extraction

PowerShell can extract:
- X-MS-Exchange-Organization-AuthAs
- X-MS-Exchange-CrossTenant-*
- Original client IP
- Authentication results
- Message submission type
- Connector source
- Spam confidence level (SCL)
- Envelope sender
- Message ID tracking
Purview provides only summarized metadata.

4. Instant, Real-Time Search

PowerShell does not wait for indexing.
You can search unindexed items directly.

This is critical in security incidents.

5. Mailbox Timeline Reconstruction

With PowerShell you can reconstruct:
- When the message was received
- When it was moved
- If rules redirected it
- If a compromised mailbox forwarded it
- If the user deleted it
- If it was purged
Purview cannot reconstruct movement history.

6. PowerShell is scripting + automation

You can automate:
- Large case collections
- Exports
- Multi-mailbox searches
- Pattern scans
- Complex filters
- Timeline reconstruction
Purview cannot automate eDiscovery at the same level.

Section 4 — When to Use Purview vs PowerShell

Use Purview for:
- Legal holds
- HR requests
- Basic content searches
- Governance
- Compliance reporting
- Policy enforcement
Use PowerShell for:
- Security incidents
- Ransomware investigations
- BEC (Business Email Compromise)
- External spoofing investigations
- Compromised mailbox analysis
- Hidden folder discovery
- Deep metadata extraction
- Multi-mailbox timeline reconstruction
Most senior email engineers agree:

Purview is the “legal view.”
PowerShell is the “truth view.”

Conclusion

Purview is an essential tool for compliance and legal workflows — but it is not a forensic engine.
Its GUI limits, throttles, and reliance on indexing mean that it can never replace the precision, speed, and depth of PowerShell.

This is why real investigations — especially in financial institutions and regulated organizations — always rely on PowerShell for final answers.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
Quick “Reflexes” Using PowerShell to Block Bad Actors: Emergency Transport Rules + Layer 3/7 Firewall Controls
In modern cloud environments, threats don’t wait for meetings, approvals, or planning sessions.
Sometimes an attack hits so fast that your only advantage is instinct, experience, and the ability to act immediately.

Last month, I experienced exactly that — a coordinated impersonation attempt from multiple bad actors in Europe using public cloud hosting (GCP) as their relay. They created their own connectors and attempted to impersonate internal executives and accounting contacts.

The attack bypassed standard controls because:
- They used legitimate cloud IP ranges
- They generated perfect SPF/DKIM passes
- Their mail flow looked “clean” until you read the headers
- They used crafted envelope senders + forged display names
The only way to stop them instantly — before users were tricked — was to drop two transport rules at highest priority using PowerShell.
These acted as “circuit breakers” until perimeter firewall rules could be deployed.

Below is the exact PowerShell approach, redacted and rewritten for general use.

🚨 Reflex Script #1 — Emergency “Kill Switch” Rule

Purpose: If attackers are impersonating an internal address like [email protected], this rule blocks any external sender who uses that address in the envelope from or header from.
```
# Connect to Exchange Online
Connect-ExchangeOnline

# Create emergency kill-switch rule
New-TransportRule -Name "KILL SWITCH: Block external spoofing of noreply" `
-FromScope External `
-HeaderContainsMessageHeader "From" `
-HeaderContainsWords "noreply@" `
-SetSCL 9 `
-StopRuleProcessing $true `
-Priority 0
```
What this rule does instantly:
- Stops external senders pretending to be noreply@
- Sets SCL=9 so the message is quarantined or rejected (depending on policy)
- Stops evaluation of all other rules — making it hit within milliseconds
🚨 Reflex Script #2 — Block ALL External Senders Using a Protected Address

Attackers often rotate payloads or try other internal addresses.
This second rule blocks all attempts — even if they change tactics.
```
New-TransportRule -Name "BLOCK ALL External From Protected Address" `
-FromScope External `
-SenderAddressMatchesPatterns "noreply@", "billing@", "alerts@" `
-SetSCL 9 `
-StopRuleProcessing $true `
-Priority 1
```
You can modify the patterns depending on the address being abused.

🛡️ Why This Worked Instantly

These scripts bypass the UI delay and:
- Apply before EOP content filters
- Hit prior to Safe Links/Safe Attachments
- Trigger even if messages pass SPF/DKIM/DMARC
- Intercept mail before it reaches the user’s mailbox
- Provide time to analyze, trace, and escalate
This is why reflex PowerShell is critical for senior-level engineers — the GUI is too slow during live attacks.

🔐 Permanent Fix: Layer 3 / Layer 7 Firewall Enforcement

Once the immediate threat was stopped with PowerShell, the permanent fix required:

Layer 3 (IP-based blocklists)

Blocking:
- Abused GCP IP ranges
- Known threat actor networks
- Anonymous compute nodes
Layer 7 (Application-layer filtering)

Policies included:
- Block SMTP traffic from unknown hosts
- Block unauthorized connector-based submissions
- Strict URL filtering for phishing redirectors
- Geo-blocking regions with no business presence
Once these firewall measures were active, the PowerShell Kill Switch rules were safely disabled to avoid unnecessary mail flow impact.

💡 Lessons Learned
1. Bad actors are fast — you must be faster.
2. Transport rules + PowerShell are your instant “circuit breakers.”
3. SPF/DKIM/DMARC are not enough when attackers leverage cloud infrastructure.
4. Layer 3 and Layer 7 controls create the “permanent seal.”
5. Instant response + longer-term architecture = real protection.
This is the type of real-world, battle-tested example that hiring panels want to hear.
Not theory — lived experience.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 23, 2025
How I Protected VIP Mailboxes in Exchange: My Experience Creating Shielded, Hidden, and Restricted Email Objects
Intro

In every organization — commercial, government, or religious — there are individuals whose roles require an extra layer of protection. These may include executives, legal teams, board members, or other high-visibility leaders. Their mailboxes must be shielded from noise, protected from internal misuse, and hardened against external threats.

This blog shares how I implemented a VIP Exchange Protection Model in one of the most globally distributed environments I’ve ever worked in.
All sensitive details are removed — but the principles and methods remain the same.

Why VIP Mailboxes Need Extra Protection

VIP users face unique risks:

1. They are targets for impersonation

Attackers attempt to spoof high-level leaders to gain authority over employees.

2. They receive a high volume of inbound email attempts

Even legitimate internal senders may unintentionally overwhelm their inboxes.

3. They must focus on mission-critical responsibilities

Unfiltered communication equals distraction and risk.

4. Their mailboxes contain sensitive or privileged information

Unauthorized access can lead to catastrophic consequences.

The goal of the VIP model is simple:

Only authorized individuals should be able to see, email, or discover these mailboxes.

My VIP Protection Model (Redacted & Generalized)

Below is the exact approach I used, without exposing private organizational information.

1. Hide VIP Mailboxes From the Global Address List (GAL)

This prevents the general population from seeing their email addresses.
```
Set-Mailbox "VIP Mailbox" -HiddenFromAddressListsEnabled $true
```
This ensures the mailbox exists — but only administrators know where it is.

2. Restrict Who Can Email VIPs (Allow Lists Only)

Instead of blocking all users, I inverted the model:

Only a hand-selected, approved list of senders can email VIPs.

I used:
- Transport Rules
- Moderation
- Recipient Restrictions
Example allow-list logic:
```
Set-Mailbox "VIP Mailbox" -AcceptMessagesOnlyFrom @("Assistant1","Assistant2","SecurityOffice")
```
If anyone outside this list tried to email the VIP:
- The message was blocked,
- Logged,
- And optionally forwarded to a monitored mailbox for review.
3. Prevent External Email Delivery Entirely

For VIP mailboxes that should never receive external messages:
```
Set-Mailbox "VIP Mailbox" -RequireSenderAuthenticationEnabled $true
```
This enforces authenticated internal senders only.

No anonymous sender.
No spoofed external mail.
No leakage.

4. Apply Enhanced Anti-Impersonation

This included:
- DMARC alignment enforcement
- Anti-spoofing engines (such as ATP / Defender)
- Display name protection (“VIP Name Protection”)
- Proofpoint Impostor Protection (in environments where I managed Proofpoint)
I ensured VIP names could not be spoofed internally or externally.

5. Enable Strict Audit Logging

For VIP mailboxes:
- Every access
- Every folder action
- Every send
- Every delegate assignment
…was logged and reviewed.
```
Set-Mailbox "VIP Mailbox" -AuditEnabled $true
```
This protected the VIP and the organization.

6. Controlled Delegation

VIP mailboxes should not have multiple delegates or dynamic permission assignments.

Only essential individuals were allowed:
- Executive assistants
- Chiefs of staff
- Security-approved personnel
Least privilege.
Zero trust.
No exceptions.

7. Role-Based Access Control (RBAC) For Admins

Even administrators require controlled boundaries.

I created RBAC roles to ensure:
- Only specific admins could view or manage VIP mailboxes
- No accidental changes
- No unauthorized mailbox access
This is premium-level Exchange governance.

The Result

By combining:
- Hidden GAL entries
- Sender allow-lists
- External blocking
- Anti-impersonation intelligence
- Transport rules
- Controlled delegation
- RBAC
- Audit trails
…I built a VIP Exchange Protection Framework that:
- Reduced risk
- Eliminated unwanted emails
- Protected sensitive correspondence
- Honored the mission of the organization
- Allowed leaders to focus on their responsibilities
- Created a safer communication ecosystem
This experience became one of the defining technical and spiritual stewardship assignments of my career.

Final Reflection

Protecting VIP mailboxes goes beyond technology — it’s stewardship, trust, and responsibility.

When you guard a mailbox, you are guarding:
- time,
- focus,
- privacy,
- and the ability of leaders to do their work without distraction.
Implementing this model taught me:

Security is an act of service — not just configuration.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 22, 2025
Exchange Online Throttling Policies: Why They Exist, When to Modify Them, and How to Justify Changes
Introduction

Exchange Online throttling policies exist for one core reason — to keep the Microsoft 365 ecosystem healthy, stable, and resistant to abuse.
Throttling protects the service from:
- Excessive load
- Misconfigured applications
- Compromised accounts sending thousands of emails
- Bulk operations that can degrade tenant performance
It’s not a punishment.
It’s Microsoft’s way of guaranteeing fairness across millions of tenants.

But in real production environments — especially at the enterprise, hybrid, or application-integration level — default throttling limits can sometimes block legitimate business-critical operations.
And when that happens, you must know:
1. Why throttling exists
2. How to detect throttling
3. When it’s justified to modify limits
4. How to request changes with Microsoft support
This is one of the topics principal-level interviewers love because it shows deep operational understanding.

Why Throttling Exists in Exchange Online

Microsoft enforces throttling to prevent:

1. Service Abuse

A single compromised account can send 10,000+ spam emails within minutes.
Throttling slows these bursts so EOP can react and block the session.

2. Tenant Misconfigurations

Common misconfigurations that trigger throttling:
- Line-of-business apps sending too many messages too quickly
- Applications reusing connections improperly
- Legacy services using Basic Auth patterns
- Scripts or PowerShell modules pulling data too fast
3. System Stability

If every tenant could push unlimited requests, the shared service collapses.
Throttling ensures:
- CPU fairness
- Bandwidth fairness
- Queue stability
- Storage and transport efficiency
How to Detect Throttling Events

You will usually see:

📌 Error Examples
- Server Busy
- Backoff due to throttling policy
- TooManyConcurrentConnections
- Exceeded message submission rate limit
- SendAsDenied triggered by backlog saturation
📌 Where You See These
- Exchange message trace
- Transport logs
- Application logs
- SMTP client logs
- EOP reports
- PowerShell scripts returning "ProcessingStopped"
📌 Behavioral Symptoms
- Messages stuck in Outbox
- Applications retrying endlessly
- High SMTP queue latency
- Inconsistent delivery within seconds-to-minutes range
When It Is Appropriate to Modify Exchange Online Throttling

This is key.
You never change throttling “because someone wants faster emails.”
You change throttling for business justification only, such as:

1. Application Mailbox Accounts

These accounts often need higher:
- MaxSendRate
- RecipientRateLimit
- MessageRateLimit
Examples:
- ERP systems
- CRM systems
- Manufacturing systems (Backflush, MES, D365)
- Monitoring systems
- Ticketing systems (ServiceNow, Jira, Zendesk)
2. Hybrid Exchange Servers

Hybrid servers may require adjusted:
- PowerShell concurrency
- EWS limits
- MRS (Mailbox Replication Service) migration speeds
Especially during:
- Large cutovers
- Fast-track migrations
- Bulk mailbox moves
3. Automated Services Needing High Burst Throughput

Scenarios where default throttling causes issues:
- Finance systems sending thousands of statements
- HR systems sending open enrollment packets
- Email marketing systems using authenticated SMTP
- Daily reporting engines generating PDFs for hundreds of users
How to Justify Throttling Changes to Microsoft Support

This is where senior-level experience shows.

Microsoft will not modify throttling unless you prove:

1. Operational Need

Explain what system is being blocked.

2. Business Impact

Show examples:
- Delayed invoices
- Delayed purchase orders
- Delayed system alerts
- Delayed manufacturing workflows
3. Technical Evidence

Provide logs showing:
- Backoff errors
- Submission rate failures
- EWS throttling hits
- Application retry loops
4. Confirmation That It’s Not Spam

Show the account is app credentialed, not user-driven.

5. You Have Already Tuned the Application

Microsoft wants evidence that:
- Retry logic exists
- Connection reuse is efficient
- Burst sending is controlled
If justified, Microsoft raises throttling for:

Specific service accounts only
(Never the whole tenant.)

They may change:
- Recipient rate limits
- Message burst limits
- EWS or Graph concurrency
- PowerShell session limits
Common Interview Question: “Why Not Remove Throttling Entirely?”

Perfect answer:

“Because throttling is part of Microsoft’s multi-tenant stability and security model.
Without it, one tenant’s misconfiguration or compromised account could degrade the entire service.
Changes should be scoped, justified, temporary, and monitored.”

PowerShell: Checking Throttling Policy Assigned to a Mailbox

Get-ThrottlingPolicyAssociation -Identity [email protected]

PowerShell: View Existing Throttling Policies

Get-ThrottlingPolicy | fl Name,MessageRateLimit,RecipientRateLimit

PowerShell: Create a Dedicated Policy for an App Mailbox

Set-ThrottlingPolicyAssociation -Identity [email protected] -ThrottlingPolicy AppMailboxPolicy

Conclusion

Throttling is not the enemy.
It’s a guardrail.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 22, 2025
Why RFC Email Standards Are Not Enough: A Real Look at Modern Email Security
🛡 How Email Spoofing REALLY Works (With a Safer Example)

Even though RFC standards gave us SPF, DKIM, and DMARC, the core SMTP protocol is still trust-based. That means attackers can abuse the protocol whenever a mail server is misconfigured or doesn’t enforce authentication.

SMTP actually has two places where the “sender” can be declared:
1. MAIL FROM (SMTP envelope)
2. From: (message header inside DATA)
Both of these can be forged.

Here is a safe, fictional example showing what a spoofing attack looks like when the attacker controls their own SMTP server. NONE of this uses real domains or copyrighted examples.

Example: Attacker Spoofing a CEO Email (Fictional Domain)

S: 220 mail.hacker-smtp.test Ready
C: HELO mail.hacker-smtp.test
S: 250 Hello
C: MAIL FROM:[email protected]
S: 250 Ok
C: RCPT TO:[email protected]
S: 250 Accepted
C: DATA
S: 354 End data with .
C: Subject: Immediate Action Required
C: From: [email protected]
C: To: [email protected]
C:
C: Hi Bob,
C: Please review this file urgently:
C: https://malicious-link.test
C:
C: Thanks,
C: Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Closing connection

What happened here?
- The attacker never touched the real domain’s server.
- No SPF, DKIM, or DMARC was involved.
- They simply declared themselves as [email protected].
- The receiving system, if unprotected, trusts the SMTP envelope + header.
This is why:
- Email security must be enforced on the RECEIVING side.
- SPF/DKIM/DMARC without an email security gateway (ProofPoint, Barracuda, Cisco, etc.) is NOT enough.
🛡 Why SPF and DKIM Alone Can Be Faked

Attackers don’t guess your DNS records—
They retrieve them using public DNS queries.

Example: How Hackers Pull Your DKIM Public Key

nslookup -type=txt selector1._domainkey.yourdomain.com

Example: How Hackers Retrieve Your SPF Policy

nslookup -type=txt yourdomain.com

Your actual records are public by design.

Attackers do not break DKIM or SPF—
they simply copy what’s public and send email from a server you do not control.

This leads to the two main spoofing paths:

Two Ways Attackers Deliver Spoofed Email

1. Using Their Own SMTP Server
- Full control
- Can impersonate envelope sender and header
- Can ignore security standards
- Can replay your SPF/DKIM values
- Can build reputation over time
2. Using Someone Else’s SMTP Server
- Open relay servers
- Misconfigured mail servers
- Free public spoofing tools (many exist)
- Requires no authentication
- Still bypasses SPF/DKIM because enforcement happens at the receiver
🧩 Why You STILL Need ProofPoint or an SEG
- RFC standards are voluntary
- SPF/DKIM/DMARC are not enforcement engines
- They only give a pass/fail signal
- Your mail flow only becomes safe when paired with:
1. ProofPoint BEC + EAC protection
2. Malicious payload scanning
3. Impostor Detection™
4. Header anomaly detection
5. Authentication-layer reputation scoring
6. Threat intelligence for known bad SMTP sources
No SPF/DKIM/DMARC setting—no matter how perfect—
can stop a spoof that comes from an SMTP server across the world.

Only a receiving enforcement engine can.

Over the years I have worked with high end filtering solutions in multiple large enterprise environments. The dashboards have changed but their purpose has stayed the same.

Their goal is to strengthen the RFC standards that are not strong enough on their own.

Here are the RFCs that define the foundation of email authentication:
- SPF — RFC 7208
- DKIM — RFC 6376
- DMARC — RFC 7489
These standards are important but incomplete. Even with perfect configuration you can still get spoofing attempts, executive impersonation, phishing, and vendor fraud. The RFC by itself cannot stop the modern threat landscape.

Below is a clear breakdown of why.

Defense Wins Championships and Email Security Works the Same Way

In basketball you cannot win with offense alone. You win when you have strong defense and efficient offense working together.

Email follows the same pattern.

SPF is offense
DKIM is offense
DMARC is offense

They validate. They authenticate. They enforce the rule book.

But attackers do not care about the rule book.
They bypass these RFC standards every day.

This is why you need a real defense layer.

This is where filtering tools like Proofpoint or Barracuda add the protection the protocols cannot provide.

Why SPF, DKIM, and DMARC Are Not Enough

Even when perfectly configured these protocols only protect part of the message.

SPF

Checks the MAIL FROM envelope.
Attackers spoof the visible Header From instead.

DKIM

Signs the headers.
Attackers send unsigned mail from lookalike domains.

DMARC

Requires alignment.
Attackers bypass alignment through friendly name tricks and unicode abuse.

This is why even major companies with mature security still deal with spoofing.

The RFCs do not cover every modern attack vector.

What Third Party Filtering Tools Actually Do

Filtering solutions provide the defense layer that SPF, DKIM, and DMARC cannot offer.

They detect:
- impersonation
- behavior anomalies
- malicious intent
- lookalike domains
- CEO fraud
- malicious URLs
- dangerous attachments
- unknown senders
- unusual source locations
- suspicious API behavior
- threat reputation changes
They analyze behavior rather than relying only on protocol alignment.

Without this layer your domain becomes an easy target.

What Happens When Security Is Too Tight

When filters are over configured these are the problems you will see:
- executive emails going to junk
- vendors trapped in quarantine
- delayed messages
- business interruptions
- unhappy management
- slow communication
- loss of confidence in IT
Security must be layered not suffocating.

The Five Layers of Modern Email Security

This approach is what works in every large enterprise environment.

1. User Training

Teach users how spoofing works.
Show them friendly name manipulation.
Awareness reduces risk.

2. Proper Microsoft 365 Configuration

Connectors. Accepted domains. Transport rules.
Everything must be configured correctly.

3. SPF, DKIM, and DMARC

The RFC standards still matter.
Alignment must be correct.

4. Third Party Filtering Solutions

Proofpoint. Barracuda. Mimecast.
They provide what the RFC cannot.

5. APM Monitoring

Dynatrace. Splunk. AppDynamics.
These tools detect environmental issues that affect mail flow.

APM identifies:
- abnormal MAIL FROM attempts
- spikes in DKIM failures
- SMTP conversation problems
- delays before Proofpoint
- anomalies at the DNS level
This gives early warning before a threat becomes a major issue.

Final Thought

Email is the number one attack surface in every company.
The truth is simple.

You get what you pay for.

If you go cheap your domain becomes a soft target.
You will deal with spoofing
You will deal with ransomware
You will deal with compromised accounts
You will deal with vendor fraud

If you invest in complete layered defense your organization becomes a bad target.

This is how modern email security works today.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 21, 2025
When Inbox Rules Go Rogue: A 10-Command Playbook to Stop Impersonation
Macro ant on a leaf—small bug, big damage. Quiet inbox rules (forward/delete/hide) are how real-account impersonation starts. This post shows 10 PowerShell fixes to stop it fast.

Excerpt
Most “email impersonation” losses start quietly—rules that forward, delete, or hide mail. This playbook backs up evidence, stops the bleed, removes risky rules, clears forwarding, and verifies. Calm hands, clear steps.

Intro
Most “email impersonation” (BEC) starts in two ways:
1. Real-account misuse—someone phishes a password/token and quietly adds inbox rules (forward, delete, hide) or enables mailbox forwarding.
2. No-account spoofing—look-alike domains and weak SPF/DKIM/DMARC let crooks send as if they’re us.
This post fixes bucket #1 fast. You don’t need Compliance Center/Purview to clean a single mailbox: run these in Windows PowerShell 5.1 to back up → stop all rules → remove risky patterns → clear forwarding → verify. The examples below target [email protected]. After cleanup, keep the door shut by disabling SMTP AUTH/legacy protocols and blocking external auto-forwarding. (For bucket #2, tighten SPF/DKIM/DMARC—that’s outside this quick fix.)

Perspective
There are no super heroes in IT—no capes, no instant rescues. When rules go rogue, heroics make noise; runbooks make progress. The job is to protect people’s work with boring, proven steps.

Practice (today, not someday)
- Connect (read-only) — open a secure session to Exchange Online for the mailbox you’re fixing. Import-Module ExchangeOnlineManagement -RequiredVersion 3.9.0 -Force Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowBanner:$false $mbx = "[email protected]"
- Backup rules to CSV (read-only) — take a snapshot so you have evidence and an easy rollback reference. $ts = (Get-Date).ToString('yyyyMMdd-HHmm') Get-InboxRule -Mailbox $mbx | Select Name,Enabled,Priority,From,SentTo,SubjectContainsWords,MoveToFolder,ForwardTo,RedirectTo,DeleteMessage,StopProcessingRules | Sort Priority | Export-Csv "$env:USERPROFILE\Desktop\$($mbx)-InboxRules-$ts.csv" -NoTypeInformation -Encoding UTF8
- Disable all rules (change) — safe stop; nothing runs while you fix things. Get-InboxRule -Mailbox $mbx | Disable-InboxRule -Confirm:$false
- Remove delete rules (change) — get rid of any rule that silently deletes messages. Get-InboxRule -Mailbox $mbx | Where-Object {$_.DeleteMessage} | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
- Remove hide/stop rules (change) — remove rules that hide mail (Junk/Archive/RSS/Conversation History) or halt further processing. Get-InboxRule -Mailbox $mbx | Where-Object { $_.StopProcessingRules -or ($_.MoveToFolder -match 'Junk|Archive|RSS|Conversation History') } | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
- Remove forward/redirect rules, focusing on external (change) — strip any rule that forwards or redirects mail, especially off-tenant. $internal = @('jetmariano.us') # add internal domains if needed $rules = Get-InboxRule -Mailbox $mbx foreach($r in $rules){ $targets=@() foreach($t in @($r.ForwardTo)+@($r.RedirectTo)){ if($t -is [string]){$targets+=$t} elseif($t.PrimarySmtpAddress){$targets+=$t.PrimarySmtpAddress.ToString()} elseif($t.Address){$targets+=$t.Address.ToString()} elseif($t){$targets+=$t.ToString()} } $external = $false foreach($addr in $targets){ if($addr -match '@'){ $domain = ($addr -split '@')[-1].ToLower() if(-not ($internal -contains $domain)){ $external = $true } } } if($external -or $targets.Count -gt 0){ Remove-InboxRule -Mailbox $mbx -Identity $r.Name -Confirm:$false } }
- Clear mailbox-level forwarding (change) — turn off any top-level forwarding set on the mailbox. Set-Mailbox -Identity $mbx -DeliverToMailboxAndForward:$false -ForwardingSmtpAddress $null -ForwardingAddress $null
- Verify list and count (read-only) — prove you’re clean; zero is ideal. Get-InboxRule -Mailbox $mbx | Sort Priority | Format-Table Name,Enabled,ForwardTo,RedirectTo,MoveToFolder,DeleteMessage -Auto (Get-InboxRule -Mailbox $mbx | Measure-Object).Count
- Re-enable only safe movers (optional change) — if you truly want routine filing, turn on only simple move-to-folder rules. Get-InboxRule -Mailbox $mbx | Where-Object { $_.MoveToFolder -and -not $_.ForwardTo -and -not $_.RedirectTo -and -not $_.DeleteMessage -and -not $_.StopProcessingRules } | ForEach-Object { Enable-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
- Disconnect (read-only) — close your session cleanly. Disconnect-ExchangeOnline -Confirm:$false
Final Reflection
The work narrowed down to steady steps. Not a clever hack—just patience, order, and protection of someone’s inbox.

Pocket I’m Keeping
Runbooks over heroics.

What I Hear Now
Be steady. Protect the work. I’ll show you the next step.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
October 8, 2025

Exchange Online: Mailbox Used/Quota/Available (Redacted)

Excerpt

Exchange Online sometimes reports mailbox sizes with “Unlimited” wrappers that break simple math. Today I built a one-liner-friendly PowerShell snippet that returns Used GB, Quota GB, and Available GB—even when EXO wraps values in Unlimited<T>.

Intro

I needed the available mailbox size for [mailbox]@[domain] without exposing tenant internals. The usual TotalItemSize parsing failed because EXO returned Unlimited<ByteQuantifiedSize>. Here’s the redacted approach that works reliably and falls back cleanly.

Notes from {Speaker}

Context: Exchange Online + PowerShell; target was [mailbox]@[domain].
Constraint: TotalItemSize and ProhibitSendQuota show Unlimited wrappers or localized strings.
Goal: Get UsedGB / QuotaGB / AvailableGB with no tenant secrets.

Perspective (direct quotes)

“If it’s Unlimited<T>, ask for .Value—and always guard with IsUnlimited.”
“When objects don’t expose bytes, regex the (123,456 bytes) pattern as a fallback.”

Practice (today, not someday)

Use this redacted snippet. It works with Get-EXO* and falls back to classic cmdlets:

# EXO connection (redacted UPN)
Connect-ExchangeOnline -UserPrincipalName [me] -ShowBanner:$false

$upn = '[mailbox]@[domain]'   # e.g., [email protected]

try {
  $stat = Get-EXOMailboxStatistics -Identity $upn -ErrorAction Stop
  $mbx  = Get-EXOMailbox           -Identity $upn -PropertySets Quota -ErrorAction Stop

  $usedBytes = if ($stat.TotalItemSize.PSObject.Properties.Name -contains 'Value') {
    [int64]$stat.TotalItemSize.Value.ToBytes()
  } else {
    [int64](([regex]::Match($stat.TotalItemSize.ToString(), '\(([\d,]+)\sbytes\)')).Groups[1].Value -replace ',','')
  }

  $quotaBytes = if ($mbx.ProhibitSendQuota -and `
                    ($mbx.ProhibitSendQuota.PSObject.Properties.Name -contains 'IsUnlimited') -and `
                    -not $mbx.ProhibitSendQuota.IsUnlimited) {
    [int64]$mbx.ProhibitSendQuota.Value.ToBytes()
  } elseif ($mbx.ProhibitSendQuota.ToString() -notmatch 'Unlimited') {
    [int64](([regex]::Match($mbx.ProhibitSendQuota.ToString(), '\(([\d,]+)\sbytes\)')).Groups[1].Value -replace ',','')
  } else { $null }
}
catch {
  $stat = Get-MailboxStatistics -Identity $upn
  $mbx  = Get-Mailbox           -Identity $upn
  $usedBytes  = [int64](([regex]::Match($stat.TotalItemSize.ToString(), '\(([\d,]+)\sbytes\)')).Groups[1].Value -replace ',','')
  $quotaBytes = if ($mbx.ProhibitSendQuota.ToString() -match 'Unlimited') { $null }
                else { [int64](([regex]::Match($mbx.ProhibitSendQuota.ToString(), '\(([\d,]+)\sbytes\)')).Groups[1].Value -replace ',','') }
}

$usedGB  = [math]::Round($usedBytes/1GB, 2)
$quotaGB = if ($quotaBytes) { [math]::Round($quotaBytes/1GB, 2) } else { $null }
$availGB = if ($quotaBytes) { [math]::Round(($quotaBytes-$usedBytes)/1GB, 2) } else { $null }

[pscustomobject]@{
  Mailbox            = $upn
  UsedGB             = $usedGB
  QuotaGB            = $quotaGB
  AvailableGB        = $availGB
  StorageLimitStatus = $stat.StorageLimitStatus
}

Final Reflection

EXO’s objects are powerful but quirky. Guarding for IsUnlimited, using .Value.ToBytes(), and keeping a regex fallback turns a flaky one-off into a repeatable tool.

Pocket I’m Keeping

“Parse what’s there, not what you expect.” When APIs return wrapped or localized strings, a small fallback (regex for (#### bytes)) saves the day.

What I Hear Now (direct quotes)

“Measure in bytes, report in GB.”
“Handle Unlimited first, then do math.”
“One clean object out—every time.”

Link to the Script

Microsoft Exchange Online PowerShell (Get-EXOMailbox, Get-Mailbox) — official docs

September 30, 2025

Restoring Delivery Safely: SCL-1 + Tenant Allow/Block List
Message trace + quarantine check (redacted): verified deliveries and deployed a Priority-0 SCL-1 allow rule for [partner-domain]

Excerpt

When a trusted partner’s emails started landing in spam (or nowhere at all), I traced the path, set a top-priority allow rule, and used Defender’s Allow/Block list to force clean delivery—without exposing internal details.

Intro

Today’s note is for admins who wear the on-call hat. Messages from [partner-domain] weren’t reaching our users. Some were quarantined as spam; others never showed. I documented the exact, reversible steps I used to restore delivery while keeping our environment safe and auditable. All vendor names, mailboxes, IPs, and hostnames are redacted.

Notes from {Speaker}
- Symptom: Mail from [partner-domain] was flagged/filtered; end users reported “not delivered” or “went to Junk.”
- Tools used: Exchange Admin Center, Microsoft 365 Defender, Exchange Online PowerShell.
- Constraints: Multiple legacy transport rules; need a change that’s surgical, auditable, and easy to roll back.
- Guardrails: Prefer allowlisting at the domain + spoof layer (not blanket bypass for everything). Keep headers/SPF/DKIM intact for future tuning.
Perspective (direct quotes)

“No decision is a decision—so we’ll choose the safe, reversible one.”
“Top-priority SCL-1 with Stop processing beats noisy downstream rules.”
“If spoof intelligence is tripping, meet it where it lives: Tenant Allow/Block.”

Practice (today, not someday)

1) Triage — see what actually happened
```
Connect-ExchangeOnline -UserPrincipalName [me] -ShowBanner:$false
Get-MessageTrace -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) `
  -SenderAddress *@[partner-domain] |
  Select Received,SenderAddress,RecipientAddress,Status

# If quarantined:
Connect-IPPSSession
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-2) `
  -EndReceivedDate (Get-Date) -SenderAddress *@[partner-domain]
```
2) Create a top-priority transport rule to force deliver
- Condition: Sender domain is [partner-domain]
- Action: Set SCL to -1
- Option: Stop processing more rules
- Priority: 0 (top)
PowerShell (redacted names):
```
New-TransportRule -Name "Allow [partner-domain] (SCL-1)" `
  -SenderDomainIs "[partner-domain]" -SetSCL -1 -StopRuleProcessing $true -Priority 0
```
3) Add an org-wide Allow (Defender)
- Defender → Policies & rules → Tenant Allow/Block List
- Domains & addresses → Add → Allow → [partner-domain]
- If Message Trace shows Spoof/High Confidence Phish, also allow under Spoofing for the exact sending pair.
4) (Optional) Anti-spam policy allow list
- Anti-spam inbound policy → Allowed domains → add [partner-domain].
5) Verify
```
Get-TransportRule "Allow [partner-domain] (SCL-1)" |
  fl Name,Priority,State,SenderDomainIs,SetSCL,StopRuleProcessing

# Send a new test; re-run Get-MessageTrace to confirm Status = Delivered
```
6) Longer-term hygiene (ask the sender)
- Ensure SPF passes (include correct outbound hosts).
- Turn on DKIM for their domain.
- Align DMARC policy gradually (none → quarantine → reject) once stable.
Final Reflection

Most “email is broken” moments aren’t outages—they’re safety systems doing their job a bit too eagerly. The win is balancing protection with precision so real mail flows and risky mail doesn’t.

Pocket I’m Keeping

Put the SCL-1 allow rule with Stop Processing at the top. It’s decisive, reversible, and neutralizes noisy legacy rules downstream.

What I Hear Now (direct quotes)

“Measure twice, move to Priority 0 once.”
“Don’t fight spoof intelligence—configure it.”
“Document the rollback the same minute you deploy the fix.”
- Microsoft 365 Defender — Tenant Allow/Block List (TABL)
- Exchange Online — Transport rules (mail flow rules)
- Message trace in the modern EAC
  (references listed for context; links omitted for privacy—add your preferred docs when publishing)
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
September 29, 2025
Marked in Time — Sep 24, 2025 Email Offboarding: Forward for 14 Days → Then Retire the Mailbox (No Shared Mailboxes)
Clean handoff: 14-day forward then retired the mailbox. using powershell

Excerpt

A simple, low-risk offboarding pattern: enable a 14-day forward to the supervisor with an auto-reply, keep copies in the mailbox, then remove forwarding and retire the account. No shared mailboxes, no drama.

Photo suggestion

Something neutral and professional: a close-up of a keyboard lock icon, or a soft sunset over a temple (if you want to keep the page’s visual theme).
Caption idea: “Quiet handoffs, clean closures.”

Context (redacted)

Policy: No shared mailbox conversions. For leavers, enable a 2-week mail forward to the supervisor, show a clear auto-reply, then delete the user so the mailbox soft-deletes and later hard-deletes. Team files live in SharePoint/Teams; local working data is archived to encrypted USB for short-term retention.

Before (T0) — Enable 14-Day Forward + Auto-Reply

Goal: Forward new messages for two weeks and keep a copy in the mailbox for audit/review; clearly inform senders.

Replace with your addresses before running:
$User = "[email protected]"
$Supervisor = "[email protected]"
```
# Admin sign-in
Import-Module ExchangeOnlineManagement -ErrorAction SilentlyContinue
Connect-ExchangeOnline

# Vars
$User       = "[email protected]"
$Supervisor = "[email protected]"
$Days       = 14
$Now        = Get-Date
$End        = $Now.AddDays($Days)

# Enable mailbox-level forwarding (keep a copy)
Set-Mailbox -Identity $User `
  -ForwardingSmtpAddress $Supervisor `
  -DeliverToMailboxAndForward $true

# Schedule auto-replies for the same window
$InternalMsg = @"
This mailbox is no longer monitored.
For assistance, please contact $Supervisor or call the main line.
"@

$ExternalMsg = @"
Thanks for your message. This mailbox is no longer monitored.
Please email $Supervisor for assistance.
"@

Set-MailboxAutoReplyConfiguration -Identity $User `
  -AutoReplyState Scheduled `
  -StartTime $Now `
  -EndTime $End `
  -InternalMessage $InternalMsg `
  -ExternalMessage $ExternalMsg `
  -ExternalAudience All
```
Parallel housekeeping (same day):
- Reset the user’s password, revoke sign-in sessions, and (optionally) block sign-in during the transition.
- Transfer/confirm ownership of OneDrive/SharePoint/Teams files needed by the team.
- Archive any local workstation data to an encrypted USB (BitLocker To Go) if policy allows.
After (T+14) — Remove Forwarding → Retire Account

Goal: Stop forwarding, disable auto-reply, and delete the user (soft-delete mailbox). Optionally hard-delete the mailbox once soft-delete is visible.
```
Import-Module ExchangeOnlineManagement -ErrorAction SilentlyContinue
Connect-ExchangeOnline

$User = "[email protected]"

# Remove mailbox-level forwarding & auto-reply
Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Set-MailboxAutoReplyConfiguration -Identity $User -AutoReplyState Disabled

# Delete the user in Entra ID (do this in the portal or via Graph)
# Entra admin center → Users → select user → Delete
# After directory sync, the mailbox will be in "soft-deleted" state (up to 30 days)

# Optional: Permanently delete the mailbox once soft-deleted
$Soft = Get-Mailbox -SoftDeletedMailbox -ErrorAction SilentlyContinue |
        Where-Object {$_.PrimarySmtpAddress -eq $User}
if ($Soft) {
  Remove-Mailbox -PermanentlyDelete -Identity $Soft.ExchangeGuid -Confirm:$false
}
```
Lessons Learned
- Clarity beats complexity. Forward + auto-reply for a defined window avoids confusing senders and helps the team capture anything urgent.
- Keep a copy while forwarding. It preserves context during the transition.
- No shared mailbox needed. If policy prohibits it, you can still do a clean, auditable handoff.
- Document the timestamps. Password reset, token revocation, forward on/off, user deletion, and any permanent mailbox purge.
Pocket I’m Keeping
- Short window, clear message, clean cutover.
- Files belong in SharePoint/Teams; email is a temporary bridge.
- Quiet, consistent process reduces friction and drama.
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
September 12, 2025
Marked in Time — Fixing a “Sender not allowed” DL (redacted)
Excerpt
Our all-hands list rejected internal senders after we allowed two external addresses. Here’s what happened, how to fix it cleanly in Exchange Online, and a PowerShell snippet you can reuse.

Intro
Two days ago, I could email everyone@[redacted].com just fine. Today, my message bounced: “this group only accepts messages from people in its organization or on its allowed senders list.” We’d recently added two partner addresses (s@[partner].com, j@[partner].com) so they could email the DL. That change flipped the DL into strict allow-list mode—blocking even internal senders who weren’t explicitly listed. Here’s the minimal, durable fix.

Straight line (what happened)
• Symptom: NDR when sending to everyone@[redacted].com from an internal account.
• State check showed:
– RequireSenderAuthenticationEnabled: False
– AcceptMessagesOnlyFromSendersOrMembers: {} (and earlier, it contained only the two partner GUIDs).
• Root cause: Delivery management was saved in “only these senders” mode; membership/ownership doesn’t matter in that state.
• Goal: Let all internal, authenticated users send; allow only specific externals; block the rest.

Fix (clean model)
1. Let internal, authenticated users send to the DL (no hard allow-list on the group).
2. Enforce external restrictions with a transport rule that allows only the partner exceptions.
Commands (PowerShell — Exchange Online)

Connect
```
Connect-ExchangeOnline -ShowBanner:$false
```
Allow internal, authenticated senders (clear hard allow-list)
```
Set-DistributionGroup everyone@[redacted].com `
  -AcceptMessagesOnlyFromSendersOrMembers $null `
  -RequireSenderAuthenticationEnabled:$true
```
Create the external block rule with an allow-list
```
# remove if an older copy exists (safe if none)
Get-TransportRule "Block external to Everyone (except allow-list)" -ErrorAction SilentlyContinue |
  Remove-TransportRule -Confirm:$false

New-TransportRule "Block external to Everyone (except allow-list)" `
  -FromScope NotInOrganization `
  -AnyOfToHeader "everyone@[redacted].com" `
  -ExceptIfFrom "s@[partner].com","j@[partner].com" `
  -RejectMessageReasonText "External senders are not allowed for this list."
```
Verify
```
Get-DistributionGroup everyone@[redacted].com |
  fl PrimarySmtpAddress,RequireSenderAuthenticationEnabled,AcceptMessagesOnlyFromSendersOrMembers

Get-TransportRule "Block external to Everyone (except allow-list)" |
  fl Name,State,FromScope,AnyOfToHeader,ExceptIfFrom
```
Update the allow-list later
```
# add another partner
Set-TransportRule "Block external to Everyone (except allow-list)" `
  -ExceptIfFrom @{Add="newuser@[partner].com"}

# remove a partner
Set-TransportRule "Block external to Everyone (except allow-list)" `
  -ExceptIfFrom @{Remove="j@[partner].com"}
```
Smoke tests
• Internal sender → everyone@[redacted].com: delivers.
• External sender (not on list): NDR with “External senders are not allowed…”
• Allowed partner (s@[partner].com or j@[partner].com): delivers.

Why not leave the DL in allow-list mode?
Because it’s brittle. Every internal sender must be explicitly added, which guarantees future bounces and admin toil. Using RequireSenderAuthenticationEnabled for internal mail + a transport rule for externals gives you clarity and control.

Final reflection
Small toggles can have outsized effects. DL delivery settings look simple, but one checkbox can silently change who’s “allowed.” The durable pattern is: authenticate inside, whitelist outside, and verify with a quick trace.

Pocket I’m keeping
• Always snapshot DL settings before/after a change.
• Prefer transport rules for external policy; don’t hard-gate internals via allow-lists.
• Add a ready-to-run “add/remove external exception” snippet to the runbook.

What I hear now
Clarity beats cleverness. Make the rule obvious enough that the next admin can read it and know exactly who can send and why.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
September 7, 2025
How to Bypass Spam Filtering for Internal Senders Using PowerShell
Intro:
When internal emails from trusted coworkers suddenly stop showing up in your focused inbox or fail to trigger your Outlook rules, it’s easy to miss critical messages. In my case, one sender was previously blocked due to a spoofing incident, and although removed from the block list, her messages were still bypassing my folder rules—buried in the inbox. Message Trace confirmed the emails were delivered, but not filtered correctly. Here’s how I resolved the issue using PowerShell.

🔍 Problem Recap:

Despite the sender being trusted and allowed, her emails:
- Skipped my Outlook inbox rules
- Did not show up in Focused Inbox or designated folders
- Were confirmed delivered via Message Trace
- Were previously on the Blocked Sender List, but later removed
The Exchange Admin Center (EAC) didn’t offer the flexibility I needed to create an accurate spam bypass rule. So I switched to PowerShell.

🛠️ Solution: Create a Transport Rule via PowerShell

Instead of struggling with the limited dropdowns in the modern Exchange portal, I used the New-TransportRule cmdlet to create a spam filter bypass rule in just a few lines.

Here’s how:
```
Connect-ExchangeOnline -UserPrincipalName [email protected]

New-TransportRule -Name "Bypass Spam Filtering from Trusted Senders" `
  -From '[email protected]','[email protected]' `
  -SetSCL -1
```
What it does:
- Matches emails from the listed senders
- Sets SCL (Spam Confidence Level) to -1, meaning “do not treat as spam”
- Ensures messages bypass all anti-spam filters and go straight to your inbox
⚡ Why Use PowerShell?

The new Exchange Admin Center UI (EAC) lacks direct options to set SCL or bypass spam filtering with precision. PowerShell:
- Provides full control
- Is faster and more reliable
- Allows batch configuration
- Gives access to legacy controls like -SetSCL
🔐 Notes:
- Email addresses in the example are redacted for privacy
- Make sure you have the Exchange Online PowerShell v3 module installed
- You can verify the rule with:
```
Get-TransportRule "Bypass Spam Filtering from Trusted Senders" | Format-List Name, From, SetSCL
```
Conclusion:
PowerShell remains the most powerful tool in any IT administrator’s arsenal—especially when the GUI can’t keep up. If you ever run into stubborn mail delivery or spam issues, consider creating targeted transport rules using PowerShell. It’s fast, clean, and gets the job done without frustration.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
July 22, 2025

Tag: Exchange Online

My Essential IT Troubleshooting Guide

Name Resolution Basics

A record

CNAME

DNS

Hosts file

Nbtstat and TCP IP

Network control panel shortcut

DHCP Essentials

MX, Autodiscover and Mail Flow

MX record

Autodiscover

Hunting spam engines and bad SMTP

Certificates and SSL in Hybrid Environments

Machine Trust Relationship Problems

RDP Session Cleanup

Active Directory Tools

ADSIEdit

Event Viewer

FSMO Roles

AD and Entra ID Health

Azure and Terraform

Microsoft 365 Services

Group Policy

Universal Print

SharePoint Online

OneDrive and Data Migration

Why This Arsenal Matters

Title:

Introduction

What Litigation Hold Does

How to Enable (GUI)

How to Enable (PowerShell)

Best Practices

Common Misunderstandings

Conclusion

Introduction

Retention Policy Basics

Example Retention Policies

1. Keep 7 Years, Then Delete

2. Keep Forever

3. Auto-Apply to Executives

Best Practices

Conclusion

1. Exchange 5.0 — The GroupWise Era & The Limits of Early Messaging

Key Characteristics

Real Tools Used

🔧 ISINTEG — Logical Database Repair

🔧 ESEUTIL — Physical Database Repair

2. Exchange 5.5 — The First True Enterprise Version

Major Improvements

3. Exchange 2000 / 2003 — Active Directory Arrives

Now Possible

Tools of the Era

4. Exchange 2007 — PowerShell Revolutionizes Email Administration

Major Innovations

Example PowerShell Operations

5. Exchange 2010 / 2013 — High Availability & Hybrid Era

Database Whitespace Management

Multi-region examples

6. On-Prem to Cloud Migrations — AWS WorkMail, Exchange 2010, Hybrid, EXO

Migration Examples

Challenges Solved by EXO

7. Exchange Online — The Modern Cloud Era

How to Rotate DKIM 2048-bit Keys

Verify in PowerShell

**8. Real-World Security Hardening in EXO

🛑 Kill Switch Transport Rule (Blocks All External Sender Impersonation)

🛑 Block-All Impersonation Rule

9. Why Exchange Online Beats Every On-Prem Version

No More:

Instead You Get:

10. Summary

Introduction

Section 1 — What DKIM Actually Does

1️⃣ DKIM Selector (s=)

2️⃣ DKIM Domain (d=)

3️⃣ Public Key (Published in DNS)

4️⃣ Private Key (kept hidden on the mail server)