Jet Mariano

Tag: M365 Security

CIS Hardening Standards in M365 (With Examples)
Title:

CIS for Microsoft 365 — Practical Hardening You Can Apply Today

Introduction

CIS (Center for Internet Security) publishes best-practice security baselines. In M365, CIS basically means:
- Hardening Azure AD
- Enforcing access control
- Strengthening authentication
- Improving logging
- Locking down Exchange, SharePoint, and Teams
- Using Conditional Access correctly
- Reducing attack surface
Below is the real-world version, not the theoretical one.

1. Require MFA (CIS Level 1 Control)

CIS Recommendation: MFA for all accounts.

How to apply:
Use Conditional Access:
- Include: All users
- Exclude: Break-glass admin
- Require MFA
- State: On
2. Disable Legacy Authentication

CIS Control: Block Basic Auth.

Azure Example:
CA Policy → Block legacy protocols
Exchange → Disable POP/IMAP/SMTP AUTH

3. Passwordless Authentication

CIS: Prefer passwordless.

Implementation:
Enable:
- Windows Hello
- Authenticator App
- FIDO2 keys
4. Limit Global Admin Roles

CIS: Admin roles must be minimized.

How to do it:
Assign:
- GA = 2 accounts
- Use PIM (Privileged Identity Management)
- Require MFA + justification
5. Require Compliant Devices

CIS: Block unmanaged devices.

Apply with Conditional Access:
Grant → Require device to be:
- Compliant
- Hybrid joined
- Or require approved apps
6. Exchange Online Protections

CIS: Anti-phishing, anti-malware, safe links, safe attachments.

7. Audit Logging

CIS: Must be enabled.

Check:
```
Get-AdminAuditLogConfig
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
```
8. Session Control

Use Conditional Access → Session Limits
- 8 hour max
- Force reauthentication
Conclusion

CIS is not complicated.
It’s just applying security baselines consistently using tools already built into M365:
- Conditional Access
- Defender
- PIM
- MFA
- Logging
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 25, 2025
Why RFC Email Standards Are Not Enough: A Real Look at Modern Email Security
🛡 How Email Spoofing REALLY Works (With a Safer Example)

Even though RFC standards gave us SPF, DKIM, and DMARC, the core SMTP protocol is still trust-based. That means attackers can abuse the protocol whenever a mail server is misconfigured or doesn’t enforce authentication.

SMTP actually has two places where the “sender” can be declared:
1. MAIL FROM (SMTP envelope)
2. From: (message header inside DATA)
Both of these can be forged.

Here is a safe, fictional example showing what a spoofing attack looks like when the attacker controls their own SMTP server. NONE of this uses real domains or copyrighted examples.

Example: Attacker Spoofing a CEO Email (Fictional Domain)

S: 220 mail.hacker-smtp.test Ready
C: HELO mail.hacker-smtp.test
S: 250 Hello
C: MAIL FROM:[email protected]
S: 250 Ok
C: RCPT TO:[email protected]
S: 250 Accepted
C: DATA
S: 354 End data with .
C: Subject: Immediate Action Required
C: From: [email protected]
C: To: [email protected]
C:
C: Hi Bob,
C: Please review this file urgently:
C: https://malicious-link.test
C:
C: Thanks,
C: Jane
C: .
S: 250 Message accepted
C: QUIT
S: 221 Closing connection

What happened here?
- The attacker never touched the real domain’s server.
- No SPF, DKIM, or DMARC was involved.
- They simply declared themselves as [email protected].
- The receiving system, if unprotected, trusts the SMTP envelope + header.
This is why:
- Email security must be enforced on the RECEIVING side.
- SPF/DKIM/DMARC without an email security gateway (ProofPoint, Barracuda, Cisco, etc.) is NOT enough.
🛡 Why SPF and DKIM Alone Can Be Faked

Attackers don’t guess your DNS records—
They retrieve them using public DNS queries.

Example: How Hackers Pull Your DKIM Public Key

nslookup -type=txt selector1._domainkey.yourdomain.com

Example: How Hackers Retrieve Your SPF Policy

nslookup -type=txt yourdomain.com

Your actual records are public by design.

Attackers do not break DKIM or SPF—
they simply copy what’s public and send email from a server you do not control.

This leads to the two main spoofing paths:

Two Ways Attackers Deliver Spoofed Email

1. Using Their Own SMTP Server
- Full control
- Can impersonate envelope sender and header
- Can ignore security standards
- Can replay your SPF/DKIM values
- Can build reputation over time
2. Using Someone Else’s SMTP Server
- Open relay servers
- Misconfigured mail servers
- Free public spoofing tools (many exist)
- Requires no authentication
- Still bypasses SPF/DKIM because enforcement happens at the receiver
🧩 Why You STILL Need ProofPoint or an SEG
- RFC standards are voluntary
- SPF/DKIM/DMARC are not enforcement engines
- They only give a pass/fail signal
- Your mail flow only becomes safe when paired with:
1. ProofPoint BEC + EAC protection
2. Malicious payload scanning
3. Impostor Detection™
4. Header anomaly detection
5. Authentication-layer reputation scoring
6. Threat intelligence for known bad SMTP sources
No SPF/DKIM/DMARC setting—no matter how perfect—
can stop a spoof that comes from an SMTP server across the world.

Only a receiving enforcement engine can.

Over the years I have worked with high end filtering solutions in multiple large enterprise environments. The dashboards have changed but their purpose has stayed the same.

Their goal is to strengthen the RFC standards that are not strong enough on their own.

Here are the RFCs that define the foundation of email authentication:
- SPF — RFC 7208
- DKIM — RFC 6376
- DMARC — RFC 7489
These standards are important but incomplete. Even with perfect configuration you can still get spoofing attempts, executive impersonation, phishing, and vendor fraud. The RFC by itself cannot stop the modern threat landscape.

Below is a clear breakdown of why.

Defense Wins Championships and Email Security Works the Same Way

In basketball you cannot win with offense alone. You win when you have strong defense and efficient offense working together.

Email follows the same pattern.

SPF is offense
DKIM is offense
DMARC is offense

They validate. They authenticate. They enforce the rule book.

But attackers do not care about the rule book.
They bypass these RFC standards every day.

This is why you need a real defense layer.

This is where filtering tools like Proofpoint or Barracuda add the protection the protocols cannot provide.

Why SPF, DKIM, and DMARC Are Not Enough

Even when perfectly configured these protocols only protect part of the message.

SPF

Checks the MAIL FROM envelope.
Attackers spoof the visible Header From instead.

DKIM

Signs the headers.
Attackers send unsigned mail from lookalike domains.

DMARC

Requires alignment.
Attackers bypass alignment through friendly name tricks and unicode abuse.

This is why even major companies with mature security still deal with spoofing.

The RFCs do not cover every modern attack vector.

What Third Party Filtering Tools Actually Do

Filtering solutions provide the defense layer that SPF, DKIM, and DMARC cannot offer.

They detect:
- impersonation
- behavior anomalies
- malicious intent
- lookalike domains
- CEO fraud
- malicious URLs
- dangerous attachments
- unknown senders
- unusual source locations
- suspicious API behavior
- threat reputation changes
They analyze behavior rather than relying only on protocol alignment.

Without this layer your domain becomes an easy target.

What Happens When Security Is Too Tight

When filters are over configured these are the problems you will see:
- executive emails going to junk
- vendors trapped in quarantine
- delayed messages
- business interruptions
- unhappy management
- slow communication
- loss of confidence in IT
Security must be layered not suffocating.

The Five Layers of Modern Email Security

This approach is what works in every large enterprise environment.

1. User Training

Teach users how spoofing works.
Show them friendly name manipulation.
Awareness reduces risk.

2. Proper Microsoft 365 Configuration

Connectors. Accepted domains. Transport rules.
Everything must be configured correctly.

3. SPF, DKIM, and DMARC

The RFC standards still matter.
Alignment must be correct.

4. Third Party Filtering Solutions

Proofpoint. Barracuda. Mimecast.
They provide what the RFC cannot.

5. APM Monitoring

Dynatrace. Splunk. AppDynamics.
These tools detect environmental issues that affect mail flow.

APM identifies:
- abnormal MAIL FROM attempts
- spikes in DKIM failures
- SMTP conversation problems
- delays before Proofpoint
- anomalies at the DNS level
This gives early warning before a threat becomes a major issue.

Final Thought

Email is the number one attack surface in every company.
The truth is simple.

You get what you pay for.

If you go cheap your domain becomes a soft target.
You will deal with spoofing
You will deal with ransomware
You will deal with compromised accounts
You will deal with vendor fraud

If you invest in complete layered defense your organization becomes a bad target.

This is how modern email security works today.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
November 21, 2025
How to Bypass Spam Filtering for Internal Senders Using PowerShell
Intro:
When internal emails from trusted coworkers suddenly stop showing up in your focused inbox or fail to trigger your Outlook rules, it’s easy to miss critical messages. In my case, one sender was previously blocked due to a spoofing incident, and although removed from the block list, her messages were still bypassing my folder rules—buried in the inbox. Message Trace confirmed the emails were delivered, but not filtered correctly. Here’s how I resolved the issue using PowerShell.

🔍 Problem Recap:

Despite the sender being trusted and allowed, her emails:
- Skipped my Outlook inbox rules
- Did not show up in Focused Inbox or designated folders
- Were confirmed delivered via Message Trace
- Were previously on the Blocked Sender List, but later removed
The Exchange Admin Center (EAC) didn’t offer the flexibility I needed to create an accurate spam bypass rule. So I switched to PowerShell.

🛠️ Solution: Create a Transport Rule via PowerShell

Instead of struggling with the limited dropdowns in the modern Exchange portal, I used the New-TransportRule cmdlet to create a spam filter bypass rule in just a few lines.

Here’s how:
```
Connect-ExchangeOnline -UserPrincipalName [email protected]

New-TransportRule -Name "Bypass Spam Filtering from Trusted Senders" `
  -From '[email protected]','[email protected]' `
  -SetSCL -1
```
What it does:
- Matches emails from the listed senders
- Sets SCL (Spam Confidence Level) to -1, meaning “do not treat as spam”
- Ensures messages bypass all anti-spam filters and go straight to your inbox
⚡ Why Use PowerShell?

The new Exchange Admin Center UI (EAC) lacks direct options to set SCL or bypass spam filtering with precision. PowerShell:
- Provides full control
- Is faster and more reliable
- Allows batch configuration
- Gives access to legacy controls like -SetSCL
🔐 Notes:
- Email addresses in the example are redacted for privacy
- Make sure you have the Exchange Online PowerShell v3 module installed
- You can verify the rule with:
```
Get-TransportRule "Bypass Spam Filtering from Trusted Senders" | Format-List Name, From, SetSCL
```
Conclusion:
PowerShell remains the most powerful tool in any IT administrator’s arsenal—especially when the GUI can’t keep up. If you ever run into stubborn mail delivery or spam issues, consider creating targeted transport rules using PowerShell. It’s fast, clean, and gets the job done without frustration.

© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.
July 22, 2025

error: Content is protected !!