Jet Mariano

Tag: Security hardening

  • When Inbox Rules Go Rogue: A 10-Command Playbook to Stop Impersonation

    Macro ant on a leaf—small bug, big damage. Quiet inbox rules (forward/delete/hide) are how real-account impersonation starts. This post shows 10 PowerShell fixes to stop it fast.

    Excerpt
    Most “email impersonation” losses start quietly—rules that forward, delete, or hide mail. This playbook backs up evidence, stops the bleed, removes risky rules, clears forwarding, and verifies. Calm hands, clear steps.

    Intro
    Most “email impersonation” (BEC) starts in two ways:

    1. Real-account misuse—someone phishes a password/token and quietly adds inbox rules (forward, delete, hide) or enables mailbox forwarding.
    2. No-account spoofing—look-alike domains and weak SPF/DKIM/DMARC let crooks send as if they’re us.

    This post fixes bucket #1 fast. You don’t need Compliance Center/Purview to clean a single mailbox: run these in Windows PowerShell 5.1 to back up → stop all rules → remove risky patterns → clear forwarding → verify. The examples below target [email protected]. After cleanup, keep the door shut by disabling SMTP AUTH/legacy protocols and blocking external auto-forwarding. (For bucket #2, tighten SPF/DKIM/DMARC—that’s outside this quick fix.)

    Perspective
    There are no super heroes in IT—no capes, no instant rescues. When rules go rogue, heroics make noise; runbooks make progress. The job is to protect people’s work with boring, proven steps.

    Practice (today, not someday)

    • Connect (read-only) — open a secure session to Exchange Online for the mailbox you’re fixing. Import-Module ExchangeOnlineManagement -RequiredVersion 3.9.0 -Force Connect-ExchangeOnline -UserPrincipalName [email protected] -ShowBanner:$false $mbx = "[email protected]"
    • Backup rules to CSV (read-only) — take a snapshot so you have evidence and an easy rollback reference. $ts = (Get-Date).ToString('yyyyMMdd-HHmm') Get-InboxRule -Mailbox $mbx | Select Name,Enabled,Priority,From,SentTo,SubjectContainsWords,MoveToFolder,ForwardTo,RedirectTo,DeleteMessage,StopProcessingRules | Sort Priority | Export-Csv "$env:USERPROFILE\Desktop\$($mbx)-InboxRules-$ts.csv" -NoTypeInformation -Encoding UTF8
    • Disable all rules (change) — safe stop; nothing runs while you fix things. Get-InboxRule -Mailbox $mbx | Disable-InboxRule -Confirm:$false
    • Remove delete rules (change) — get rid of any rule that silently deletes messages. Get-InboxRule -Mailbox $mbx | Where-Object {$_.DeleteMessage} | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Remove hide/stop rules (change) — remove rules that hide mail (Junk/Archive/RSS/Conversation History) or halt further processing. Get-InboxRule -Mailbox $mbx | Where-Object { $_.StopProcessingRules -or ($_.MoveToFolder -match 'Junk|Archive|RSS|Conversation History') } | ForEach-Object { Remove-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Remove forward/redirect rules, focusing on external (change) — strip any rule that forwards or redirects mail, especially off-tenant. $internal = @('jetmariano.us') # add internal domains if needed $rules = Get-InboxRule -Mailbox $mbx foreach($r in $rules){ $targets=@() foreach($t in @($r.ForwardTo)+@($r.RedirectTo)){ if($t -is [string]){$targets+=$t} elseif($t.PrimarySmtpAddress){$targets+=$t.PrimarySmtpAddress.ToString()} elseif($t.Address){$targets+=$t.Address.ToString()} elseif($t){$targets+=$t.ToString()} } $external = $false foreach($addr in $targets){ if($addr -match '@'){ $domain = ($addr -split '@')[-1].ToLower() if(-not ($internal -contains $domain)){ $external = $true } } } if($external -or $targets.Count -gt 0){ Remove-InboxRule -Mailbox $mbx -Identity $r.Name -Confirm:$false } }
    • Clear mailbox-level forwarding (change) — turn off any top-level forwarding set on the mailbox. Set-Mailbox -Identity $mbx -DeliverToMailboxAndForward:$false -ForwardingSmtpAddress $null -ForwardingAddress $null
    • Verify list and count (read-only) — prove you’re clean; zero is ideal. Get-InboxRule -Mailbox $mbx | Sort Priority | Format-Table Name,Enabled,ForwardTo,RedirectTo,MoveToFolder,DeleteMessage -Auto (Get-InboxRule -Mailbox $mbx | Measure-Object).Count
    • Re-enable only safe movers (optional change) — if you truly want routine filing, turn on only simple move-to-folder rules. Get-InboxRule -Mailbox $mbx | Where-Object { $_.MoveToFolder -and -not $_.ForwardTo -and -not $_.RedirectTo -and -not $_.DeleteMessage -and -not $_.StopProcessingRules } | ForEach-Object { Enable-InboxRule -Mailbox $mbx -Identity $_.Name -Confirm:$false }
    • Disconnect (read-only) — close your session cleanly. Disconnect-ExchangeOnline -Confirm:$false

    Final Reflection
    The work narrowed down to steady steps. Not a clever hack—just patience, order, and protection of someone’s inbox.

    Pocket I’m Keeping
    Runbooks over heroics.

    What I Hear Now
    Be steady. Protect the work. I’ll show you the next step.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

  • Beat the 99% Wall: Upgrade Windows 10 → 11 the Easy Offline Way (Do This Before Oct 5, 2025)

    When the upgrade sits at 99%… don’t panic. Go offline and run the ISO upgrade the smart way

    Windows 10 reaches end of life on Oct 5, 2025. After that, it won’t get security updates. If you stay on Win10, your machine is a sitting duck for malware and attackers. Don’t procrastinate.

    If Windows Update keeps failing—or hangs forever at 99%—use this clean, offline upgrade that skips the flaky “checking for updates” step.

    1) First, confirm your PC is Windows 11–ready

    Use Microsoft’s official checker:
    https://support.microsoft.com/en-us/windows/check-if-a-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b

    Important: The most common blockers are the CPU and motherboard (TPM 2.0, UEFI/Secure Boot). If your device doesn’t meet Windows 11 requirements, it’s unsupported after Oct 5, 2025. Treat that Windows 10 PC as unsafe for internet use—either upgrade/replace the hardware, reassign it to offline tasks, or retire it.

    2) Prep (5–10 minutes)

    • Unplug non-essential USB devices (drives, printers, docks).
    • Ensure ≥30 GB free on C:.
    • Suspend BitLocker (if enabled): Control Panel → BitLocker → Suspend.
    • Temporarily disable third-party AV/VPN.
    • Clean Boot: msconfigServicesHide Microsoft servicesDisable all; Startup → disable everything.

    3) Reset Windows Update & appraiser caches (PowerShell)

    Open PowerShell as Administrator and run:

    net stop wuauserv
net stop bits
net stop cryptsvc

ren "C:\Windows\SoftwareDistribution" SoftwareDistribution.old
ren "C:\Windows\System32\catroot2" catroot2.old

rd /s /q "C:\$WINDOWS.~BT"
rd /s /q "C:\$WINDOWS.~WS"
rd /s /q "C:\Windows\Panther"
md "C:\Windows\Panther"

net start cryptsvc
net start bits
net start wuauserv

    Then heal the image:

    DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

    4) Run the upgrade offline from ISO (no update checks)

    1. Download the official Windows 11 ISO (same edition/language/arch) from Microsoft.
    2. Right-click the ISO → Mount → note the drive letter (e.g., E:).
    3. Disconnect the network (unplug Ethernet / disable Wi-Fi).
    4. In elevated PowerShell, launch Setup with Dynamic Update disabled:
    Start-Process -FilePath 'E:\setup.exe' -ArgumentList '/auto upgrade /dynamicupdate disable /copylogs C:\$UpgradeLogs' -Verb RunAs -Wait

    (Optional quick blocker scan without upgrading):

    Start-Process -FilePath 'E:\setup.exe' -ArgumentList '/compat scanonly /dynamicupdate disable' -Verb RunAs -Wait

    5) If it still stalls

    • Drivers (most common):
      • Storage: Device Manager → Storage controllers → switch to Microsoft Standard controller (Update driver → Let me pick).
      • Display: use Microsoft Basic Display Adapter temporarily.
      • Remove extra language packs, old VPN clients, and heavy OEM utilities.
    • BIOS/Chipset: update from your PC maker’s support page.
    • Rerun the offline setup command.

    6) Pinpoint the exact blocker (2 minutes)

    If it fails again, run Microsoft SetupDiag and read the summary:

    mkdir C:\SetupDiag; cd C:\SetupDiag
.\SetupDiag.exe /Output:C:\SetupDiag\SetupDiagResults.log
    • Codes like 0xC1900101-0x… usually name a driver (oem*.inf)—remove/roll it back and retry.
    • Dynamic-Update/Appraiser errors → repeat Step 3 and ensure you’re truly offline with /dynamicupdate disable.

    7) After success

    • Re-enable BitLocker, AV/VPN, and normal startup apps.
    • Reconnect the network and run Windows Update to pull fresh drivers and features.

    © 2012–2025 Jet Mariano. All rights reserved.
    For usage terms, please see the Legal Disclaimer.

error: Content is protected !!