sync: auto-sync from GURU-5070 at 2026-05-26 15:58:46

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-05-26 15:58:46
2026-05-26 15:58:50 -07:00
parent 5bb2064716
commit c7e5dfc673
5 changed files with 1228 additions and 0 deletions


@@ -0,0 +1,759 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Email Infrastructure Assessment — Quantum WMS</title>
<style>
@import url('https://fonts.googleapis.com/css2?family=Jost:ital,wght@0,300;0,400;0,500;0,600;0,700;0,800;1,400&display=swap');
:root {
--navy: oklch(27% 0.078 252);
--navy-mid: oklch(38% 0.072 252);
--navy-muted: oklch(54% 0.055 252);
--amber: oklch(66% 0.175 60);
--amber-deep: oklch(50% 0.16 52);
--amber-text: oklch(40% 0.14 50);
--surface: oklch(99.5% 0.004 248);
--bg: oklch(97% 0.009 248);
--border: oklch(91% 0.011 248);
--border-mid: oklch(85% 0.015 248);
--text: oklch(22% 0.018 248);
--text-mid: oklch(42% 0.014 248);
--text-muted: oklch(60% 0.010 248);
--danger-bg: oklch(97.5% 0.016 22);
--danger-border: oklch(78% 0.12 22);
--danger-text: oklch(38% 0.19 22);
--danger-heading: oklch(32% 0.18 22);
--success-bg: oklch(97.5% 0.013 155);
--success-border: oklch(76% 0.11 155);
--success-text: oklch(34% 0.15 155);
--info-bg: oklch(97.5% 0.013 252);
--info-border: oklch(80% 0.09 252);
--info-text: oklch(32% 0.12 252);
}
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
html { -webkit-font-smoothing: antialiased; }
body {
font-family: 'Jost', system-ui, sans-serif;
font-size: 15px;
line-height: 1.75;
color: var(--text);
background: var(--bg);
}
/* PAGE */
.page {
max-width: 860px;
margin: 48px auto;
background: var(--surface);
box-shadow: 0 2px 40px oklch(22% 0.06 252 / 0.11);
}
/* AMBER CAP */
.amber-cap { height: 4px; background: var(--amber); }
/* HEADER */
.header {
background: var(--navy);
padding: 48px 56px 40px;
}
.header .firm-name {
font-size: 10.5px;
font-weight: 700;
letter-spacing: 2.5px;
text-transform: uppercase;
color: var(--amber);
margin-bottom: 22px;
}
.header h1 {
font-size: clamp(22px, 3.2vw, 33px);
font-weight: 800;
line-height: 1.12;
letter-spacing: -0.5px;
color: oklch(99% 0.003 248);
margin-bottom: 10px;
}
.header .confidential {
font-size: 12px;
color: oklch(68% 0.04 248);
font-weight: 400;
}
.meta-strip {
display: flex;
gap: 0;
margin-top: 34px;
padding-top: 28px;
border-top: 1px solid oklch(100% 0 0 / 0.09);
}
.meta-cell {
padding-right: 36px;
}
.meta-cell:not(:last-child) {
border-right: 1px solid oklch(100% 0 0 / 0.09);
margin-right: 36px;
}
.meta-cell .meta-label {
font-size: 10px;
font-weight: 700;
letter-spacing: 1.5px;
text-transform: uppercase;
color: oklch(60% 0.045 248);
margin-bottom: 3px;
}
.meta-cell .meta-value {
font-size: 13px;
font-weight: 500;
color: oklch(93% 0.005 248);
}
/* BODY */
.body { padding: 52px 56px 48px; }
/* EXEC SUMMARY */
.exec-summary {
border: 1px solid var(--info-border);
border-top: 3px solid var(--navy);
background: var(--info-bg);
border-radius: 1px;
padding: 24px 28px;
margin-bottom: 52px;
font-size: 14.5px;
color: var(--info-text);
}
.exec-summary p { margin-bottom: 12px; }
.exec-summary p:last-child { margin-bottom: 0; }
.exec-summary strong { color: var(--navy); }
/* HEADINGS */
h2 {
font-size: 19px;
font-weight: 700;
color: var(--navy);
margin: 52px 0 18px;
letter-spacing: -0.25px;
}
.body > h2:first-of-type { margin-top: 0; }
h3 {
font-size: 11px;
font-weight: 700;
letter-spacing: 1.8px;
text-transform: uppercase;
color: var(--navy-muted);
margin: 32px 0 12px;
}
p { margin-bottom: 14px; }
/* DNS CARDS */
.dns-grid {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 12px;
margin: 18px 0 26px;
}
.dns-card {
background: var(--danger-bg);
border: 1px solid var(--danger-border);
border-radius: 1px;
padding: 20px 22px 18px;
}
.dns-card .record-label {
font-size: 10px;
font-weight: 700;
letter-spacing: 2px;
text-transform: uppercase;
color: var(--danger-text);
opacity: 0.65;
margin-bottom: 6px;
}
.dns-card .record-status {
font-size: 15.5px;
font-weight: 700;
color: var(--danger-heading);
margin-bottom: 9px;
line-height: 1.2;
}
.dns-card .record-desc {
font-size: 12.5px;
color: oklch(40% 0.055 22);
line-height: 1.52;
}
/* CALLOUTS */
.callout {
display: grid;
grid-template-columns: 18px 1fr;
gap: 14px;
padding: 16px 22px;
border-radius: 1px;
border: 1px solid;
margin: 18px 0;
font-size: 14px;
align-items: start;
}
.callout-icon { font-size: 14px; margin-top: 2px; }
.callout-body strong { display: block; font-weight: 700; margin-bottom: 4px; }
.callout.danger { background: var(--danger-bg); border-color: var(--danger-border); color: var(--danger-text); }
.callout.success { background: var(--success-bg); border-color: var(--success-border); color: var(--success-text); }
.callout.info { background: var(--info-bg); border-color: var(--info-border); color: var(--info-text); }
/* TABLES */
.data-table {
width: 100%;
border-collapse: collapse;
margin: 16px 0 28px;
font-size: 13.5px;
}
.data-table thead tr { background: var(--navy); }
.data-table thead th {
padding: 12px 18px;
text-align: left;
font-size: 11.5px;
font-weight: 600;
letter-spacing: 0.4px;
color: oklch(93% 0.004 248);
}
.data-table tbody tr { border-bottom: 1px solid var(--border); }
.data-table tbody tr:nth-child(even) { background: oklch(98.5% 0.005 248); }
.data-table tbody td {
padding: 11px 18px;
vertical-align: middle;
}
.data-table tbody td:first-child { font-weight: 500; color: var(--text); }
/* BADGES */
.badge {
display: inline-block;
padding: 3px 10px;
border-radius: 2px;
font-size: 11.5px;
font-weight: 700;
letter-spacing: 0.2px;
border: 1px solid;
}
.badge.no { background: var(--danger-bg); border-color: var(--danger-border); color: var(--danger-text); }
.badge.yes { background: var(--success-bg); border-color: var(--success-border); color: var(--success-text); }
.badge.partial { background: oklch(97.5% 0.014 80); border-color: oklch(80% 0.12 80); color: oklch(40% 0.15 72); }
/* MAIL FLOW */
.mail-flow {
display: flex;
align-items: center;
flex-wrap: wrap;
gap: 8px;
background: oklch(98% 0.007 248);
border: 1px solid var(--border);
border-radius: 1px;
padding: 16px 20px;
margin: 14px 0 26px;
}
.flow-step {
background: var(--surface);
border: 1px solid var(--border-mid);
border-radius: 2px;
padding: 5px 13px;
font-size: 12.5px;
font-weight: 600;
color: var(--navy);
white-space: nowrap;
}
.flow-arrow { color: var(--amber-deep); font-size: 13px; font-weight: 700; }
.flow-note {
width: 100%;
font-size: 11.5px;
color: var(--text-muted);
margin-top: 6px;
padding-top: 10px;
border-top: 1px solid var(--border);
}
/* RULE BOX */
.rule-box {
background: oklch(98.5% 0.006 248);
border: 1px solid var(--border);
border-radius: 1px;
padding: 22px 26px;
margin: 18px 0;
}
.rule-box .rule-label {
font-size: 10px;
font-weight: 700;
letter-spacing: 2px;
text-transform: uppercase;
color: var(--navy-muted);
margin-bottom: 16px;
}
.rule-box ul { list-style: none; padding: 0; }
.rule-box ul li {
display: flex;
align-items: baseline;
gap: 13px;
font-size: 14px;
padding: 9px 0;
border-bottom: 1px solid var(--border);
color: var(--text);
}
.rule-box ul li:last-child { border-bottom: none; padding-bottom: 0; }
.rule-box ul li:first-child { padding-top: 0; }
.rule-box ul li::before {
content: '';
width: 6px;
height: 6px;
border-radius: 50%;
background: var(--amber);
flex-shrink: 0;
margin-top: 8px;
}
/* ACTION BOX */
.action-box {
background: var(--amber-deep);
border-radius: 1px;
padding: 32px 36px;
margin: 44px 0 40px;
}
.action-box .action-kicker {
font-size: 10px;
font-weight: 700;
letter-spacing: 2.5px;
text-transform: uppercase;
color: oklch(88% 0.07 62);
margin-bottom: 14px;
}
.action-box h2 {
font-size: 20px;
font-weight: 700;
color: oklch(99% 0.003 62);
margin: 0 0 18px;
letter-spacing: -0.2px;
}
.action-box p {
font-size: 14.5px;
color: oklch(93% 0.03 62);
margin-bottom: 12px;
line-height: 1.65;
}
.action-box p:last-child { margin-bottom: 0; }
.action-box strong { color: oklch(99% 0.003 62); }
/* TIMELINE */
.timeline {
margin: 22px 0 4px;
}
.tl-row {
display: grid;
grid-template-columns: 148px 32px 1fr;
min-height: 42px;
}
.tl-date {
font-size: 12.5px;
font-weight: 600;
color: var(--navy);
padding: 10px 16px 10px 0;
text-align: right;
white-space: nowrap;
line-height: 1.4;
}
.tl-gutter {
display: flex;
flex-direction: column;
align-items: center;
}
.tl-dot {
width: 10px;
height: 10px;
border-radius: 50%;
background: var(--amber);
margin-top: 13px;
flex-shrink: 0;
position: relative;
z-index: 1;
}
.tl-line {
width: 2px;
flex: 1;
background: var(--border);
margin-top: 3px;
margin-bottom: -2px;
}
.tl-text {
font-size: 13.5px;
color: var(--text-mid);
padding: 10px 0 10px 16px;
line-height: 1.55;
}
.tl-row:last-child .tl-line { display: none; }
/* DIVIDER */
.divider {
height: 1px;
background: var(--border);
margin: 48px 0;
}
/* FOOTER */
.footer {
background: var(--navy);
padding: 22px 56px;
display: flex;
justify-content: space-between;
align-items: center;
}
.footer-firm {
font-size: 13px;
font-weight: 700;
color: oklch(95% 0.005 248);
margin-bottom: 2px;
}
.footer-contact {
font-size: 12px;
color: oklch(64% 0.045 248);
}
.footer-right {
font-size: 11px;
color: oklch(50% 0.04 248);
text-align: right;
line-height: 1.65;
}
/* PRINT */
@media print {
body { background: white; }
.page { box-shadow: none; margin: 0; max-width: 100%; }
}
</style>
</head>
<body>
<div class="page">
<div class="amber-cap"></div>
<div class="header">
<div class="firm-name">Arizona Computer Guru LLC</div>
<h1>Email Infrastructure Assessment<br>and Migration Recommendation</h1>
<div class="confidential">Confidential — Prepared for Quantum WMS</div>
<div class="meta-strip">
<div class="meta-cell">
<div class="meta-label">Prepared for</div>
<div class="meta-value">John &amp; Sheila Velez, Quantum WMS</div>
</div>
<div class="meta-cell">
<div class="meta-label">Date</div>
<div class="meta-value">May 26, 2026</div>
</div>
<div class="meta-cell">
<div class="meta-label">Prepared by</div>
<div class="meta-value">Mike Swanson</div>
</div>
</div>
</div>
<div class="body">
<div class="exec-summary">
<p>Following our review of Quantum WMS's current email infrastructure, we have identified significant security deficiencies in your existing Intermedia hosted Exchange setup.</p>
<p>We are recommending a migration to <strong>Microsoft 365 Business Premium</strong> with <strong>Mailprotector</strong> as a managed email security frontend. This solution is technically superior, more cost-effective, and fully satisfies your regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4.</p>
<p>Before we finalize the migration plan, we need one item from Sheila (detailed at the end of this document).</p>
</div>
<h2>Current State: Intermedia Hosted Exchange</h2>
<p>Your email is currently hosted by Intermedia on their Exchange Server cluster. This is an important distinction: <strong>Intermedia is not running Microsoft's cloud.</strong> They run Exchange Server software in their own data center, the same software that runs on an on-premises server. This has major security implications.</p>
<h3>Your Domain Has No Email Security Records</h3>
<p>Our DNS assessment revealed the following active security risks:</p>
<div class="dns-grid">
<div class="dns-card">
<div class="record-label">DMARC</div>
<div class="record-status">Missing</div>
<div class="record-desc">Anyone can send email appearing to come from @quantumwms.com with zero enforcement. This is the primary mechanism used in CEO fraud and vendor impersonation attacks.</div>
</div>
<div class="dns-card">
<div class="record-label">SPF</div>
<div class="record-status">Misconfigured (2 records)</div>
<div class="record-desc">Internet standards allow only one SPF record per domain. Having two causes unpredictable authentication failures and can result in your legitimate email being rejected as spam.</div>
</div>
<div class="dns-card">
<div class="record-label">DKIM</div>
<div class="record-status">Not Configured</div>
<div class="record-desc">DKIM cryptographically signs outbound email, proving it originated from your server and was not tampered with in transit. Without it, recipients cannot fully authenticate your email.</div>
</div>
<div class="dns-card">
<div class="record-label">DNSSEC</div>
<div class="record-status">Not Signed</div>
<div class="record-desc">Your domain has no cryptographic protection against DNS hijacking or spoofing attacks at the infrastructure layer.</div>
</div>
</div>
<div class="callout danger">
<span class="callout-icon">&#9888;</span>
<div class="callout-body">
<strong>These issues exist today, regardless of which email platform you use.</strong>
Correcting them is a required step and one we will handle as part of the migration.
</div>
</div>
<h3>Exchange Server CVE Exposure</h3>
<p>Because Intermedia runs Exchange Server — not Exchange Online — your infrastructure is subject to the same critical vulnerabilities that have affected on-premises Exchange servers globally:</p>
<table class="data-table">
<thead>
<tr>
<th>Vulnerability</th>
<th>Disclosed</th>
<th>Impact</th>
</tr>
</thead>
<tbody>
<tr><td>ProxyLogon (CVE-2021-26855)</td><td>March 2021</td><td>Full server compromise, mass-exploited worldwide</td></tr>
<tr><td>ProxyShell (CVE-2021-34473)</td><td>August 2021</td><td>Remote code execution without authentication</td></tr>
<tr><td>ProxyNotShell (CVE-2022-41040)</td><td>October 2022</td><td>Actively exploited before patch availability</td></tr>
<tr><td>OWASSRF (CVE-2022-41080)</td><td>December 2022</td><td>Used in the Rackspace hosted Exchange breach</td></tr>
</tbody>
</table>
<p><strong>Microsoft patches Exchange Online the same day vulnerabilities are disclosed.</strong> Intermedia patches their hosted clusters on their own schedule. The gap between disclosure and deployment is precisely when attacks occur.</p>
<div class="divider"></div>
<h2>Recommended Solution: M365 Business Premium + Mailprotector</h2>
<h3>Microsoft 365 Business Premium — $22/user/month</h3>
<p>A complete cloud-native productivity and security platform that replaces Intermedia entirely:</p>
<table class="data-table">
<thead>
<tr><th>Service</th><th>What It Provides</th></tr>
</thead>
<tbody>
<tr><td>Exchange Online</td><td>Cloud email, Microsoft-managed, same-day security patching</td></tr>
<tr><td>Office Apps (Desktop)</td><td>Word, Excel, Outlook, PowerPoint on up to 5 devices per user</td></tr>
<tr><td>Microsoft Teams</td><td>Chat, video conferencing, file collaboration</td></tr>
<tr><td>OneDrive / SharePoint</td><td>1 TB cloud file storage per user</td></tr>
<tr><td>Microsoft Purview</td><td>FINRA/SEC 17a-4 compliant email archiving (WORM storage) — included</td></tr>
<tr><td>Defender for Office 365</td><td>Safe Links, Safe Attachments, advanced anti-phishing</td></tr>
<tr><td>Microsoft Entra ID P1</td><td>Conditional Access, MFA enforcement, sign-in risk detection</td></tr>
<tr><td>Microsoft Intune</td><td>Mobile device and PC management</td></tr>
</tbody>
</table>
<h3>Mailprotector — ACG-Managed Email Security Frontend</h3>
<p>Mailprotector sits in front of Exchange Online as an additional filtering layer: inbound spam and malware are blocked before mail reaches your inbox. ACG configures and monitors it; you do not need to manage it.</p>
<div class="mail-flow">
<span class="flow-step">Sender</span>
<span class="flow-arrow">&#8594;</span>
<span class="flow-step">Mailprotector</span>
<span class="flow-arrow">&#8594;</span>
<span class="flow-step">Exchange Online</span>
<span class="flow-arrow">&#8594;</span>
<span class="flow-step">Your Inbox</span>
<div class="flow-note">Inbound: filtered for spam and malware before delivery &nbsp;·&nbsp; Outbound: DKIM-signed, SPF-aligned, DMARC-enforced</div>
</div>
<h3>Security Posture Comparison</h3>
<table class="data-table">
<thead>
<tr>
<th>Capability</th>
<th>Intermedia (Current)</th>
<th>M365 + Mailprotector</th>
</tr>
</thead>
<tbody>
<tr>
<td>Exchange CVE Exposure</td>
<td><span class="badge no">Yes — Server CVEs</span></td>
<td><span class="badge yes">No — Exchange Online</span></td>
</tr>
<tr>
<td>Same-Day Security Patching</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes</span></td>
</tr>
<tr>
<td>Inbound Threat Filtering</td>
<td><span class="badge partial">Basic</span></td>
<td><span class="badge yes">Mailprotector + Defender</span></td>
</tr>
<tr>
<td>Safe Links / Safe Attachments</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes</span></td>
</tr>
<tr>
<td>MFA Enforcement Policy</td>
<td><span class="badge partial">Manual, per-user</span></td>
<td><span class="badge yes">Conditional Access (Entra P1)</span></td>
</tr>
<tr>
<td>DMARC / DKIM / SPF</td>
<td><span class="badge no">Not managed</span></td>
<td><span class="badge yes">ACG-configured</span></td>
</tr>
<tr>
<td>FINRA/SEC 17a-4 Archiving</td>
<td><span class="badge partial">Extra-cost add-on</span></td>
<td><span class="badge yes">Included (Purview)</span></td>
</tr>
<tr>
<td>Desktop Office Apps</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes</span></td>
</tr>
<tr>
<td>Mobile Device Management</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes (Intune)</span></td>
</tr>
<tr>
<td>Sign-In Risk Detection</td>
<td><span class="badge no">No</span></td>
<td><span class="badge yes">Yes (Entra P1)</span></td>
</tr>
</tbody>
</table>
<div class="divider"></div>
<h2>Regarding Your Broker/Dealer Compliance Requirement</h2>
<p>You have indicated that your Broker/Dealer may require Intermedia for compliance purposes. We want to address this directly.</p>
<div class="rule-box">
<div class="rule-label">What FINRA Rule 4511 &amp; SEC Rule 17a-4 Actually Require</div>
<ul>
<li>Electronic communication retention in non-rewritable, non-erasable (WORM) storage</li>
<li>Minimum retention: 3 years readily accessible, 6 years total</li>
<li>Records indexed and available for regulatory inspection on demand</li>
<li>Supervisory review capability</li>
</ul>
</div>
<div class="callout success">
<span class="callout-icon">&#10003;</span>
<div class="callout-body">
<strong>Microsoft 365 is fully FINRA/SEC 17a-4 compliant.</strong>
Microsoft Purview has received a formal compliance assessment from Cohasset Associates confirming that Exchange Online meets the requirements of SEC Rule 17a-4(f) and CFTC Rule 1.31. The majority of FINRA-registered broker/dealers run on Exchange Online today.
</div>
</div>
<div class="callout info">
<span class="callout-icon">&#8505;</span>
<div class="callout-body">
<strong>The regulations specify outcomes, not vendors.</strong>
FINRA Rule 4511 and SEC Rule 17a-4 do not name Intermedia or any specific platform as a required provider. If your Broker/Dealer's written policy names Intermedia explicitly, we would consider that extraordinary and recommend reviewing it with your compliance attorney.
</div>
</div>
<div class="action-box">
<div class="action-kicker">Action Required — Sheila</div>
<h2>Please Provide the Written Policy Before Our Meeting</h2>
<p>Please locate and provide the <strong>written policy from your Broker/Dealer</strong> that specifies your email and security compliance requirements.</p>
<p>We are looking for any document that defines which platforms are approved or required, specifies archiving or retention standards, or names Intermedia as a required provider.</p>
<p>Please have this document — or confirmation that no such document exists — ready for our meeting on <strong>Tuesday, May 27 at 2:00 PM</strong>.</p>
</div>
<h2>Proposed Timeline</h2>
<div class="timeline">
<div class="tl-row">
<div class="tl-date">Now &rarr; May 27</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Sheila obtains B/D compliance policy; confirm Intermedia is not mandated</div>
</div>
<div class="tl-row">
<div class="tl-date">May 27, 2:00 PM</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Review policy; confirm migration go/no-go; finalize license counts</div>
</div>
<div class="tl-row">
<div class="tl-date">May 28 &ndash; 29</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Purchase Business Premium licenses; configure tenant and mailboxes</div>
</div>
<div class="tl-row">
<div class="tl-date">May 30 &ndash; 31</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Set up Mailprotector; configure DMARC, DKIM, SPF; test mail flow</div>
</div>
<div class="tl-row">
<div class="tl-date">June 1 &ndash; 2</div>
<div class="tl-gutter"><div class="tl-dot"></div><div class="tl-line"></div></div>
<div class="tl-text">Mail migration from Intermedia; DNS cutover to Exchange Online</div>
</div>
<div class="tl-row">
<div class="tl-date">June 3</div>
<div class="tl-gutter"><div class="tl-dot"></div></div>
<div class="tl-text">Current GoDaddy O365 Essentials lapses. New Business Premium is live before this date.</div>
</div>
</div>
</div>
<div class="footer">
<div>
<div class="footer-firm">Arizona Computer Guru LLC</div>
<div class="footer-contact">mike@azcomputerguru.com &nbsp;·&nbsp; (520) 226-3987</div>
</div>
<div class="footer-right">
Confidential — Quantum WMS<br>
May 26, 2026
</div>
</div>
</div>
</body>
</html>
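Review bot: the inbound path in the "mail-flow" block ("Sender → Mailprotector → Exchange Online → Your Inbox") only holds if Exchange Online refuses direct delivery; as written, nothing stops a sender from connecting to the tenant's own MX endpoint and skipping Mailprotector entirely, which is the standard way a third-party gateway gets bypassed. The "Set up Mailprotector; configure DMARC, DKIM, SPF; test mail flow" step should add an inbound connector restricted to Mailprotector's sending IP ranges, with Enhanced Filtering for Connectors enabled so Defender evaluates the original sender IP rather than the gateway's, and the test step should include a direct-to-tenant delivery attempt that is expected to be rejected. On the CVE table: the OWASSRF row says "Disclosed: December 2022", but CVE-2022-41080 was fixed in the November 2022 Exchange security update; the December Rackspace intrusion hit hosts that had not applied it, which actually supports the "gap between disclosure and deployment" sentence that follows and should be stated that way. The ProxyShell and ProxyNotShell rows also list one CVE each for what were chains (CVE-2021-34473 with CVE-2021-34523 and CVE-2021-31207; CVE-2022-41040 with CVE-2022-41082), and "Microsoft patches Exchange Online the same day vulnerabilities are disclosed" should be softened to the defensible claim, that Exchange Online is patched by Microsoft with no customer patch window, since the badge "No — Exchange Online" means "not your patch window", not "no platform risk". Finally, "Microsoft 365 is fully FINRA/SEC 17a-4 compliant" overstates what a platform assessment gives the customer: the Cohasset assessment applies when immutable retention is actually configured, so the Purview row should name the control (a retention policy with Preservation Lock applied to the mailboxes) and the timeline should turn it on before the Intermedia archive is decommissioned, and "The majority of FINRA-registered broker/dealers run on Exchange Online today" has no source and should be cited or removed.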


@@ -0,0 +1,237 @@
EMAIL INFRASTRUCTURE ASSESSMENT & MIGRATION RECOMMENDATION
Arizona Computer Guru LLC
Prepared for: John Velez & Sheila Peress, Quantum WMS
Date: May 26, 2026
Prepared by: Mike Swanson
================================================================================
EXECUTIVE SUMMARY
================================================================================
Following our review of Quantum WMS's current email infrastructure, we have
identified significant security deficiencies in the current Intermedia hosted
Exchange setup and have confirmed that a migration to Microsoft 365 Business
Premium is technically superior, more cost-effective, and fully satisfies your
regulatory compliance requirements under FINRA Rule 4511 and SEC Rule 17a-4.
We are recommending: Microsoft 365 Business Premium (exchange and full Office
suite) with Mailprotector as a managed email security frontend.
Before we proceed, we need one item from Sheila: the written policy from your
Broker/Dealer specifying email and security compliance requirements. Details
at the end of this document.
================================================================================
CURRENT STATE: INTERMEDIA HOSTED EXCHANGE
================================================================================
Your current email is hosted by Intermedia on their "exch090" Exchange Server
cluster. This is important to understand: Intermedia is not running Microsoft's
cloud. They are running Exchange Server software in their own data center —
the same software that runs on an on-premises server. This distinction has
major security implications.
CRITICAL: YOUR DOMAIN HAS NO EMAIL SECURITY RECORDS
----------------------------------------------------
During our assessment we found the following DNS configuration issues that
represent active security risks today:
DMARC Record: MISSING
-----------------------------------------------------------------------
DMARC is what tells the internet what to do with email that claims to
be from @quantumwms.com but wasn't sent by your mail server. Without
it, anyone in the world can send email that appears to come from your
domain with no enforcement. This is the primary mechanism used in
CEO fraud and vendor impersonation attacks.
SPF Records: TWO RECORDS (misconfiguration)
-----------------------------------------------------------------------
Your domain has two conflicting SPF records:
Record 1: v=spf1 include:spf.intermedia.net -all
Record 2: v=spf1 include:_spf-usg1.ppe-hosted.com
include:secureserver.net ~all
Internet standards (RFC 7208) permit only ONE SPF record per domain.
Having two causes receiving mail servers to evaluate them unpredictably,
which can result in your legitimate email being marked as spam or
rejected outright.
DKIM: NOT CONFIGURED
-----------------------------------------------------------------------
DKIM cryptographically signs outbound email, proving it originated
from your mail server and has not been tampered with in transit.
Without it, your email cannot be fully authenticated by recipients.
These three issues exist independently of which email platform you use and
need to be corrected as part of any migration.
SECURITY RISKS: EXCHANGE SERVER CVE EXPOSURE
--------------------------------------------
Because Intermedia runs Exchange Server (not Exchange Online), your email
infrastructure is subject to the same vulnerabilities that have affected
on-premises Exchange servers worldwide over the past several years:
- ProxyLogon (CVE-2021-26855) — mass-exploited March 2021
- ProxyShell (CVE-2021-34473) — mass-exploited August 2021
- ProxyNotShell (CVE-2022-41040) — actively exploited October 2022
- OWASSRF (CVE-2022-41080) — Rackspace breach, December 2022
Microsoft patches Exchange Online the same day vulnerabilities are
disclosed. Intermedia patches their hosted Exchange clusters on their
own schedule. The gap between disclosure and patch deployment is when
attacks occur.
WHAT INTERMEDIA DOES NOT PROVIDE
---------------------------------
- Advanced threat protection (no Safe Links, Safe Attachments)
- Conditional Access / MFA enforcement policies
- Modern email archiving with FINRA compliance certification
- Desktop Office applications (Word, Excel, Outlook, etc.)
- Mobile device management
- Identity protection or sign-in risk detection
================================================================================
RECOMMENDED SOLUTION: M365 BUSINESS PREMIUM + MAILPROTECTOR
================================================================================
MICROSOFT 365 BUSINESS PREMIUM
-------------------------------
$22/user/month (direct) — includes:
Exchange Online Full cloud email, Microsoft-managed, same-day patching
Desktop Office Apps Word, Excel, Outlook, PowerPoint, OneNote (5 devices)
Microsoft Teams Chat, video, file collaboration
SharePoint / OneDrive 1 TB cloud file storage per user
Microsoft Purview FINRA/SEC 17a-4 compliant email archiving (WORM)
Defender for Office 365 Safe Links, Safe Attachments, anti-phishing (Plan 1)
Microsoft Entra ID P1 Conditional Access, MFA enforcement, sign-in risk
Microsoft Intune Mobile device and PC management
MAILPROTECTOR (ACG-MANAGED FRONTEND)
-------------------------------------
Mailprotector sits in front of Exchange Online as an additional email
security layer, providing:
- Inbound spam and malware filtering before mail reaches Exchange
- Outbound filtering and DLP
- Quarantine management
- ACG-managed — we handle configuration, updates, and tuning
WHAT THIS LOOKS LIKE DAY-TO-DAY
--------------------------------
Inbound mail path:
Sender -> Mailprotector (spam/malware filter) -> Exchange Online -> Outlook
Outbound mail path:
Outlook -> Exchange Online -> Internet (DKIM-signed, SPF-aligned, DMARC-enforced)
Result: your outbound email is cryptographically authenticated, and your
inbound email is filtered twice before reaching your inbox.
SECURITY POSTURE COMPARISON
----------------------------
Intermedia M365 Business Premium
+ Mailprotector
-----------------------------------------------------------------------
Exchange CVE exposure Yes (Exchange Server) No (Exchange Online)
Same-day security patching No (Intermedia pace) Yes (Microsoft)
Inbound threat filtering Basic Mailprotector + Defender
Safe Links (URL scanning) No Yes
Safe Attachments No Yes
MFA enforcement policy Manual, per-user Conditional Access (P1)
DMARC/DKIM/SPF Not managed ACG-configured
Email archiving (FINRA) Extra cost add-on Included (Purview)
Desktop Office apps No Yes
Mobile device management No Yes (Intune)
Sign-in risk detection No Yes (Entra P1)
-----------------------------------------------------------------------
================================================================================
REGARDING YOUR BROKER/DEALER COMPLIANCE REQUIREMENT
================================================================================
You have indicated that your Broker/Dealer may require Intermedia for
compliance purposes. We want to address this directly.
WHAT FINRA RULE 4511 AND SEC RULE 17a-4 ACTUALLY REQUIRE:
The regulations require that broker/dealers retain electronic
communications (including email) in a format that is:
1. Non-rewritable and non-erasable (WORM storage)
2. Retained for a minimum period (3 years accessible, 6 total)
3. Indexed and available for regulatory inspection on demand
4. Subject to supervisory review
The regulations do NOT name any specific vendor or platform.
They specify outcomes, not products.
MICROSOFT 365 IS FINRA/SEC 17a-4 COMPLIANT:
Microsoft Purview Compliance (included in Business Premium) has received
a formal compliance assessment from Cohasset Associates confirming that
Exchange Online and SharePoint Online meet the requirements of SEC Rule
17a-4(f) and CFTC Rule 1.31. This assessment is publicly available.
The majority of FINRA-registered broker/dealers — including large
institutions — run on Exchange Online today. FINRA has published
guidance explicitly endorsing cloud-based recordkeeping solutions.
OUR EXPECTATION:
If your Broker/Dealer has a written policy specifying Intermedia by
name as the required platform, we would consider that extraordinary and
would want to review it alongside your compliance attorney. In our
experience, B/D policies specify archiving standards, not vendors.
================================================================================
ACTION REQUIRED FROM SHEILA — BEFORE OUR MEETING TOMORROW AT 2 PM
================================================================================
Please locate and provide the written policy from your Broker/Dealer that
specifies your email and security compliance requirements.
Specifically, we are looking for any document that:
- Defines which email platforms are approved or required
- Specifies archiving or retention requirements for electronic communications
- Names Intermedia (or any vendor) as a required provider
If no such document exists, or if the policy specifies standards rather
than a named vendor, we can proceed with the Microsoft 365 migration on
the timeline we discussed.
Please have this document (or confirmation that it does not exist) ready
for our meeting on Tuesday, May 27 at 2:00 PM.
If you have questions before then, call or text Mike at Arizona Computer
Guru.
================================================================================
PROPOSED TIMELINE
================================================================================
Now through May 27: Sheila obtains B/D compliance policy
May 27 (2 PM): Review policy; confirm migration go/no-go
May 28-29: Purchase licenses; configure tenant
May 30-31: Stand up mailboxes; configure Mailprotector
June 1-2: Mail migration from Intermedia; DNS cutover
June 3: Current GoDaddy O365 Essentials lapses — new
Business Premium is live before this date
================================================================================
Arizona Computer Guru LLC
Mike Swanson
mike@azcomputerguru.com
(520) 226-3987
================================================================================
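Review bot: the MAILPROTECTOR section lists "Outbound filtering and DLP", but the WHAT THIS LOOKS LIKE DAY-TO-DAY section routes outbound as "Outlook -> Exchange Online -> Internet" with no Mailprotector hop, so one of the two is wrong; if outbound does relay through Mailprotector, the outbound connector, an SPF include for Mailprotector's sending ranges, and DKIM signing before the relay (so any outbound rewriting does not break the signature) all belong in the May 30-31 step, and if it does not, drop the bullet. On the SPF finding, the two records quoted ("v=spf1 include:spf.intermedia.net -all" and "v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all") do not make receivers "evaluate them unpredictably": RFC 7208 section 4.5 requires check_host() to return permerror whenever more than one record is found, and DMARC then treats that as an SPF failure, so the wording should say so (the same sentence in the HTML card needs the same fix). The second record also shows senders other than Intermedia (secureserver.net and a ppe-hosted.com filtering service) that the timeline keeps in service until June 3, so the merged record should be a single v=spf1 string that keeps those includes next to the Exchange Online include (spf.protection.outlook.com) until those services are retired, stays under the 10-DNS-lookup limit of RFC 7208 section 4.6.4, and only then moves to -all; likewise "DMARC-enforced" on cutover day should be staged as p=none with a rua= reporting address first and tightened once the reports are clean. "FINRA has published guidance explicitly endorsing cloud-based recordkeeping solutions" needs a Regulatory Notice number or should be removed.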