---
title: Quantum WMS
slug: quantumwms
type: client
project_key: clients/quantumwms
last_updated: 2026-06-01
---

# Quantum WMS

## Overview

| Field | Value |
|---|---|
| Company | Quantum Wealth Management |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant (CURRENT) | `quantumwms.onmicrosoft.com` / `2fd0092b-e9b7-474c-ad73-301f34dd6b64`; Pax8-provisioned 2026-05-27 |
| Old tenants (bypassed) | `8f7eaff4-...` (`NETORGFT2570783`, GoDaddy/johnvelez) and dormant `ddf3d2c9-...` (`netorg18235235`); NOT in use |
| GoDaddy admin | `plan@johnvelez.com` (John Velez); ACG has delegate access |
| Project key | `clients/quantumwms` |

## Current Status (2026-06-01)

- **6/03 license-lapse deadline: RESOLVED.** Both firm users are M365 Business Premium licensed and have activated Office (John and Sheila both signed into Microsoft Office from the Tucson office 2026-05-27). They will not lose the Office apps when M365 Personal lapses 2026-06-03.
- **Mail still on Intermedia (HEX).** MX cutover to Exchange Online not yet done; mailboxes in the new tenant are still empty.
- **Migration remainder pending:** PST backups (pre-cutover), MX/mail cutover, CA enforcement, Defender for Business onboarding, DMARC/SPF/DKIM, DNS -> Cloudflare, Exchange Online Plan 1 for personal-domain accounts, GoDaddy/Intermedia cancellation.

### [WARNING] Security: active password-spray on john@quantumwms.com

Read-only review 2026-06-01 (see `clients/quantumwms/reports/2026-06-01-m365-review.md`):

- `john@quantumwms.com` hit by a **distributed password-spray**: 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6, an Amsterdam NL IP flagged malicious, a Praha CZ password guess). **0 successful malicious logins; account NOT breached** (Entra blocked the IPs; password guesses failed). One attempt per source address is the signature of a spray that rotates IPs to stay under per-IP lockout thresholds, so IP blocking alone will not end it; only a strong password plus MFA does.
- **Exposure:** John is NOT MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (require-MFA, block-non-US) are **report-only**.
  Security Defaults is ON, but it only challenges a user for MFA once that user has registered a method (each user gets a 14-day registration grace window after first sign-in); neither John nor Sheila has registered, so neither gets an MFA challenge today.
- **Recommended (not yet done):** force-reset John's password to a long random value; drive both users through MFA registration; enforce CA001 (MFA) + CA003 (block non-US) now (break-glass already excluded). Caveat: Entra refuses to switch a CA policy to On while Security Defaults is enabled, so turning Security Defaults off and enabling CA001/CA003 must happen in the same sitting, with the break-glass credentials to hand and the break-glass exclusion re-checked before saving.

## Contacts

| Name | Role | Notes |
|---|---|---|
| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |

## Current Email Infrastructure

- **Registrar:** GoDaddy (quantumwms.com + sheilaperess.com); ACG has delegate access
- **DNS:** GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM); no DNSSEC
- **Mail routing:** Intermedia hosted Exchange, `exch090.serverdata.net` cluster (east/west)
  - IP: `64.78.25.106` (Intermedia data center)
  - Autodiscover: `ar-east.exch090.serverdata.net`
  - This is Exchange Server software hosted by Intermedia, NOT Exchange Online
- **Intermedia setup:** Intermedia HEX is multi-tenant Exchange Server operated by Intermedia. Patching is on Intermedia's schedule, so Exchange Server CVEs apply to this mail platform (Exchange Online has no customer-facing server to patch). Nothing in DNS indicates a hybrid link to Exchange Online.

### DNS / Email Security Gaps (CRITICAL)

| Record | Status | Impact |
|---|---|---|
| DMARC | **MISSING** | Anyone can spoof @quantumwms.com; receivers have no policy to enforce and no aggregate reports are generated |
| SPF | **TWO RECORDS** (misconfiguration) | RFC 7208 permits one `v=spf1` record per name and tells receivers to return PermError when they find more; in practice some receivers evaluate whichever record they read first, so results and deliverability are unpredictable. The two records also disagree on policy (`-all` vs `~all`) |
| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed. Selectors are arbitrary, so absence on guessed selectors is strong but not conclusive; confirm by checking for a `DKIM-Signature` header on a message sent from the Intermedia mailbox |
| DNSSEC | Not signed | Resolvers cannot detect forged or cache-poisoned answers for the domain. DNSSEC does not prevent a registrar-level hijack; registrar account MFA and the transfer lock cover that |

SPF records found (conflict):

1. `v=spf1 include:spf.intermedia.net -all`
2.
   `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`

Record 1 is the Intermedia path. Record 2 looks like the GoDaddy-resold mail path (`secureserver.net` is GoDaddy's mail hosting; `ppe-hosted.com` is Proofpoint Essentials). Only one `v=spf1` TXT record may remain. After the Exchange Online cutover it should be a single record carrying `include:spf.protection.outlook.com` plus the Mailprotector include (per ACG's Mailprotector setup), ending in `-all`; the Intermedia and GoDaddy includes come out once no mail leaves through them.

## M365 Tenant (CURRENT: `2fd0092b`)

- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management"), Pax8-provisioned 2026-05-27
- **Domains:** `quantumwms.onmicrosoft.com` (initial), `quantumwms.com` (primary, verified)
- **Management:** Pax8 GDAP "Default_Ariz_Quantum Weal_704149625747913" (180 days). All 5 ComputerGuru remediation apps consented w/ directory roles.
- **Email:** still on Intermedia HEX; MX not yet cut to Exchange Online.

### Users (verified 2026-06-01)

| UPN | Display | License | MFA registered | Notes |
|---|---|---|---|---|
| `john@quantumwms.com` | John Velez | Business Premium (SPB) | **No** | Office activated 5/27; under password-spray (see Security) |
| `sheila@quantumwms.com` | Sheila Peress | Business Premium (SPB) | **No** | Office activated 5/27; 8 clean sign-ins |
| `sysadmin@quantumwms.com` | Mike Swanson | none | Yes (Authenticator + TOTP) | Global Admin (daily) |
| `breakglass@quantumwms.onmicrosoft.com` | Break Glass | none | No (by design) | Emergency GA, CA-excluded, vaulted at `clients/quantumwms/m365-breakglass.sops.yaml` |

### Conditional Access (all report-only as of 2026-06-01; enforcing nothing)

- CA001 Require MFA (all users), CA002 Block legacy auth, CA003 Block sign-in outside US; each excludes break-glass. Security Defaults is ON (interim MFA). Report-only policies are evaluated and logged but never block a sign-in; the "Report-only" tab on each sign-in log entry shows what CA003 would have done to the spray traffic.

### Consent URL (Tenant Admin tier)

```
https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
```

Post-consent onboard command:

```bash
bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6
```

Note: both the URL and the command still carry the OLD tenant ID `8f7eaff4-...` (bypassed; see Overview). The current tenant `2fd0092b` is managed via Pax8 GDAP and already has the remediation apps consented, so do not run these as-is; regenerate them for `2fd0092b` if direct consent is ever needed.

## Compliance Context: Broker/Dealer Requirements

John and Sheila believe Intermedia is mandated by their Broker/Dealer.
**This is almost certainly incorrect.**

### What SEC Rule 17a-4 / FINRA Rule 4511 actually require

- Retention of electronic communications for 3 years, the first 2 in an easily accessible place (17a-4(b)); 6 years for the books and records listed in 17a-4(a). FINRA 4511 defaults to 6 years where no period is specified.
- Preservation in non-rewritable, non-erasable (WORM) form or, since the 2022 amendments to 17a-4(f), in a system that keeps a complete time-stamped audit trail of every modification or deletion
- Supervisory review capability
- Ability to produce records promptly on regulatory demand

### What they do NOT require

- Intermedia specifically
- Any named third-party vendor
- Exchange Server or hosted Exchange

### Microsoft 365 satisfies all FINRA/17a-4 requirements

Microsoft Purview (included in Business Premium) provides retention policies that Preservation Lock makes immutable, and Microsoft publishes a Cohasset Associates assessment of Microsoft 365 against SEC 17a-4(f), FINRA 4511(c) and CFTC 1.31. Exchange Online is widely used by FINRA-registered broker/dealers, and FINRA's 2021 cloud computing report and vendor-outsourcing guidance treat cloud-based recordkeeping as permissible provided the firm's obligations are met. Two things the license alone does not deliver: the retention policy with Preservation Lock has to be configured (it is not on by default), and the Intermedia mailbox history has to be fully migrated into the new tenant before the Intermedia archive is cancelled, or the resulting retention gap is itself a 17a-4 finding.

### Action item (BLOCKER; resolved 2026-05-27)

Sheila has been asked to produce **written policy from the Broker/Dealer that explicitly names Intermedia** as the required platform. This policy is expected not to exist; the B/D policy will require compliant archiving, not a specific vendor. Resolution was expected before the meeting 2026-05-27 14:00. Resolved 2026-05-27: IFG (Jen Curry) confirmed Intermedia HEX is being phased out and recommended the move to M365; no Intermedia mandate exists (see Open Items).
## Recommended Architecture: M365 Business Premium + Mailprotector

### License Plan

| Account | License | Domain |
|---|---|---|
| John (firm) | M365 Business Premium | quantumwms.com |
| Sheila (firm) | M365 Business Premium | quantumwms.com |
| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
| Others TBD | Exchange Online Plan 1 | TBD |

### What Business Premium provides over Intermedia

| Capability | Intermedia Hosted Exchange | M365 Business Premium |
|---|---|---|
| Email | Exchange Server (hosted) | Exchange Online (Microsoft cloud) |
| Exchange CVE exposure | YES: full Exchange Server CVE surface, patched on Intermedia's schedule | No customer-facing Exchange server to patch; Microsoft patches the service |
| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
| Frontend filtering | None | Mailprotector (ACG-managed) |
| MFA enforcement | Manual | Entra ID P1: Conditional Access |
| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview: included |
| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
| Mobile device management | No | Intune: included |
| DMARC/DKIM setup | Not managed | ACG-managed during migration |

### Migration Steps

1. [DONE] Get consent from John (2026-05-26)
2. [DONE] Obtain written B/D compliance policy from Sheila; IFG confirmed there is no Intermedia mandate (2026-05-27)
3. [SUPERSEDED] Add quantumwms.com as verified domain to johnvelez.com tenant; quantumwms.com is instead verified in the new Pax8 tenant `2fd0092b`
4. [DONE] Purchase 2x Business Premium (2026-05-27)
5. [DONE] Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com); empty until cutover
6. [DONE] Assign Business Premium licenses (2026-05-27)
7. Set up Mailprotector frontend for quantumwms.com
8. Configure DMARC (start at `p=none` with `rua=` reporting, then tighten to `quarantine`/`reject`), collapse SPF to a single record, configure DKIM for Exchange Online
9. Cut MX from Intermedia → Exchange Online (PST backups of both mailboxes first; see Open Items)
10. Migrate existing mail from Intermedia → Exchange Online
11. [DONE] Activate Office apps on their machines (2026-05-27)
12. Cancel Intermedia after cutover confirmed and migrated mail verified
13. Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
14. Purchase Exchange Online Plan 1 for personal domain accounts
15.
    Cancel GoDaddy email hosting per account as each migrates

### GoDaddy Decoupling Plan

- DNS: move both domains to Cloudflare. Pointing the nameservers at Cloudflare does not need the transfer lock removed; the lock only has to come off in GoDaddy if the registration itself is transferred to Cloudflare Registrar, and it goes back on once the transfer completes.
- M365 licensing: the GoDaddy-resold O365 Business Essentials is superseded by Business Premium in the `2fd0092b` tenant (licensed 2026-05-27); cancel the GoDaddy subscription once mail has cut over.
- Intermedia: cancel after mail cutover confirmed

## Open Items

- [x] **RESOLVED:** B/D compliance "Intermedia mandate": IFG (Jen Curry) confirmed Intermedia HEX is being phased out and **recommended** the move to M365 (2026-05-27).
- [x] **DONE:** 2x Business Premium licensed + Office activated for John & Sheila (2026-05-27); 6/03 lapse risk cleared.
- [ ] **SECURITY (new, 2026-06-01):** force-reset John's password; get John + Sheila MFA-registered; enforce CA001 + CA003 (requires Security Defaults off first; john@ under active password-spray, currently failing).
- [ ] PST backups of John + Sheila mailboxes before Intermedia cutover.
- [ ] Mail/MX cutover Intermedia HEX -> Exchange Online; then migrate existing mail.
- [ ] Defender for Business onboarding; DMARC, single SPF, DKIM.
- [ ] DNS for both domains -> Cloudflare.
- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade; determine additional personal-domain accounts.
- [ ] Cancel GoDaddy email hosting + Intermedia per account as each migrates.
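The 98-failures-from-98-IPs finding behind the SECURITY open item is easy to re-check from a sign-in log export rather than by eye. The script below is an added example, not part of these notes or of any Microsoft tooling: it takes a list of events shaped like a Graph `auditLogs/signIns` export (`userPrincipalName`, `ipAddress`, `status.errorCode`, `location.countryOrRegion`, `createdDateTime`), separates a distributed spray from a focused brute force or a normal bad day, and flags the one thing that would turn "not breached" into "breached": a success from an address that also failed, or from outside the home country. The embedded events and the thresholds are constructed assumptions that mirror the 2026-06-01 review.

```python
"""Distributed password-spray triage over an Entra ID sign-in log export.

Added example for the password-spray finding and the SECURITY open item;
not from the original notes or from Microsoft. Event shape mirrors a Graph
`auditLogs/signIns` export; the sample events and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Entra sign-in error codes used here (documented values):
#   0     success
#   50126 invalid username or password
#   50053 blocked: smart lockout, or the source IP is flagged for malicious activity
SUCCESS, BAD_PASSWORD, BLOCKED = 0, 50126, 50053


def build_sample_events():
    """Constructed export: 98 failures for john@ from 98 distinct addresses,
    plus 8 clean US sign-ins for sheila@ (mirrors the 2026-06-01 review)."""
    t0 = datetime(2026, 6, 1, 2, 0, tzinfo=timezone.utc)
    events = []
    for i in range(98):
        # Documentation ranges only: 2001:db8::/32 and 203.0.113.0/24 (TEST-NET-3).
        ip = f"2001:db8:{i:x}::1" if i < 90 else f"203.0.113.{i}"
        country = ["NL", "CZ", "DE", "BR"][i % 4]
        code = BLOCKED if i % 7 == 0 else BAD_PASSWORD
        events.append({
            "userPrincipalName": "john@quantumwms.com",
            "ipAddress": ip,
            "createdDateTime": (t0 + timedelta(minutes=3 * i)).isoformat(),
            "status": {"errorCode": code},
            "location": {"countryOrRegion": country},
        })
    for i in range(8):
        events.append({
            "userPrincipalName": "sheila@quantumwms.com",
            "ipAddress": "203.0.113.250",
            "createdDateTime": (t0 + timedelta(hours=8, minutes=i)).isoformat(),
            "status": {"errorCode": SUCCESS},
            "location": {"countryOrRegion": "US"},
        })
    return events


def summarize_user(events, upn, home_country="US"):
    """Per-user counts that separate a distributed spray from a normal bad day."""
    mine = [e for e in events if e["userPrincipalName"].lower() == upn.lower()]
    failed = [e for e in mine if e["status"]["errorCode"] != SUCCESS]
    succeeded = [e for e in mine if e["status"]["errorCode"] == SUCCESS]
    failed_ips = {e["ipAddress"] for e in failed}
    # A success from an address that also failed, or from outside the home
    # country, is the signal that a guess landed; "not breached" means none.
    suspicious_success = [
        e for e in succeeded
        if e["ipAddress"] in failed_ips
        or e["location"]["countryOrRegion"] != home_country
    ]
    return {
        "upn": upn,
        "failed": len(failed),
        "unique_failed_ips": len(failed_ips),
        "error_codes": dict(Counter(e["status"]["errorCode"] for e in failed)),
        "foreign_countries": sorted(
            {e["location"]["countryOrRegion"] for e in failed} - {home_country}),
        "succeeded": len(succeeded),
        "suspicious_success": len(suspicious_success),
    }


def classify(summary, min_failures=20, spread_ratio=0.8):
    """Verdict. Thresholds are assumptions chosen for a two-user tenant: a
    spray rotates sources, so unique IPs approach the failure count."""
    if summary["suspicious_success"]:
        return "possible-compromise"
    if summary["failed"] < min_failures:
        return "normal"
    ratio = summary["unique_failed_ips"] / summary["failed"]
    return "distributed-spray" if ratio >= spread_ratio else "focused-brute-force"


def triage(events):
    """Return {upn: verdict} for every user present in the export."""
    users = sorted({e["userPrincipalName"] for e in events})
    return {u: classify(summarize_user(events, u)) for u in users}


if __name__ == "__main__":
    sample = build_sample_events()
    for upn, verdict in triage(sample).items():
        print(f"{upn}: {verdict}  {summarize_user(sample, upn)}")
```

Run it against a real export by replacing `build_sample_events()` with the JSON from Graph (filter on `userPrincipalName` and a `createdDateTime` window). The `possible-compromise` branch is the one that matters after the password reset: re-run on the next day's export and expect it to stay quiet.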
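For the DNS / Email Security Gaps table and the DMARC / single-SPF / DKIM open item, the following is an added example (not from these notes or from any vendor tool) that checks a set of SPF TXT strings the way a receiver would, builds the single replacement record, produces the starting DMARC record, and derives the Exchange Online DKIM CNAME pair. It works on strings passed in, with no live DNS, so the two records observed on quantumwms.com are embedded as the sample input. Assumptions: `include:spf.protection.outlook.com` is Exchange Online Protection's published SPF include; the Mailprotector include is not known here and must be added by hand; the `rua=` mailbox in the demo is a placeholder; and the DKIM CNAME targets follow Microsoft's documented `selectorN-<domain-with-dashes>._domainkey.<initial-domain>` pattern, which should be confirmed from the Defender portal or `Get-DkimSigningConfig` before publishing.

```python
"""SPF / DMARC / DKIM record checks for the quantumwms.com DNS gaps.

Added example; not from the original notes or any vendor tool. Operates on
TXT record strings only (no DNS). Assumptions: the EOP SPF include is
spf.protection.outlook.com; the Mailprotector include is unknown and omitted;
the rua= mailbox is a placeholder; DKIM CNAME targets follow Microsoft's
documented pattern and should be confirmed with Get-DkimSigningConfig.
"""
import re

# The two conflicting TXT records observed on quantumwms.com (from the page).
OBSERVED_SPF = [
    "v=spf1 include:spf.intermedia.net -all",
    "v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all",
]

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit of 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=](.*?))?(?:/[0-9/]+)?$", re.I)


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, term, argument) triples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    parsed = []
    for term in terms[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"bad SPF term {term!r}")
        parsed.append((qual, m.group(1).lower(), m.group(2) or ""))
    return parsed


def check_spf(records):
    """Findings a receiver hits when it evaluates these records as a set.
    Only top-level lookup terms are counted; nested includes need resolution."""
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records: RFC 7208 section 4.5 requires "
                        "PermError; receivers that pick one give inconsistent results")
    all_qualifiers = set()
    for rec in records:
        parsed = parse_spf(rec)
        names = [name for _, name, _ in parsed]
        lookups = sum(1 for name in names if name in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"{rec!r}: {lookups} lookup terms exceeds the limit of 10")
        if "ptr" in names:
            findings.append(f"{rec!r}: ptr is deprecated (RFC 7208 section 5.5)")
        all_qualifiers.update(q for q, name, _ in parsed if name == "all")
    if len(all_qualifiers) > 1:
        findings.append(f"conflicting 'all' qualifiers across records: "
                        f"{sorted(all_qualifiers)}")
    return findings


def build_spf(includes, fail="-all"):
    """The single replacement record. '-all' is what the plan calls for;
    keep '~all' only while DMARC reports are still being collected."""
    if fail not in ("-all", "~all"):
        raise ValueError("fail must be -all or ~all")
    return " ".join(["v=spf1", *[f"include:{d}" for d in includes], fail])


def dmarc_record(policy="none", rua=None, pct=100):
    """DMARC TXT for _dmarc.<domain>. Start at p=none with rua= reporting and
    move to quarantine, then reject, once SPF/DKIM alignment is confirmed."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError("policy must be none, quarantine or reject")
    tags = ["v=DMARC1", f"p={policy}"]
    if rua:
        tags.append(f"rua=mailto:{rua}")
    if pct != 100:
        tags.append(f"pct={pct}")
    return "; ".join(tags)


def exo_dkim_cnames(domain, initial_domain):
    """Exchange Online DKIM CNAME pair (documented pattern; confirm targets
    with Get-DkimSigningConfig before publishing)."""
    ident = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{ident}._domainkey.{initial_domain}" for n in (1, 2)}


if __name__ == "__main__":
    for finding in check_spf(OBSERVED_SPF):
        print("SPF finding :", finding)
    # Add the Mailprotector include once known; the EOP include is the only certain one.
    print("proposed SPF:", build_spf(["spf.protection.outlook.com"]))
    print("proposed DMARC:", dmarc_record("none", "dmarc-reports@quantumwms.com"))
    for name, target in exo_dkim_cnames("quantumwms.com", "quantumwms.onmicrosoft.com").items():
        print("DKIM CNAME  :", name, "->", target)
```

Feed `check_spf` the TXT strings from `dig +short TXT quantumwms.com` after every DNS change; the expected end state is an empty findings list and exactly one `v=spf1` record.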