---

### Files & Locations

- **Phishing email:** `D:\Workplace\Personal Documents\Profile\Documents\DF Spam\`
- **QR phishing attachment:** `ATT29306.docx`
- **Malicious URL:** `https://acuvatech.cyou?a=ghaubner@dataforth.com`

---

## Update: 21:30 - Phishing Remediation Complete

### Ticket: Phishing Attempt - Determine Entrypoint and Resolve

### Actions Completed

#### 1. Deleted "true" App Registration
- **App ID:** a21e971d-1fcb-41a7-9b01-c45b8d7d1754
- **Action:** Manually deleted in Entra ID by admin
- **Reason:** Unused app with Mail.Read/Mail.Send permissions, created by internal user but never used

#### 2. Deleted Phishing Emails from All Mailboxes
Used Graph API to search and delete phishing emails across all 148 user mailboxes.

**Emails Deleted:**

| Mailbox | Subject | Campaign |
|---------|---------|----------|
| jlohr@dataforth.com | Please Review: Dataforth corporation 2026 Updated Pay Structure & Appraisal Guidelines ID-ssEcpoQ1EQ | January 2026 |
| jlohr@dataforth.com | Dataforth corporation – December Bonus and Allocation for All Staff (x3) | December 2025 |
| jlohr@dataforth.com | Reminder: Dataforth corporation – December Bonus... | December 2025 |
| jantar@dataforth.com | Dataforth corporation – December Bonus and Allocation for All Staff (x2) | December 2025 |
| jantar@dataforth.com | Dataforth corporation – January Bonus and Allocation for All Staff | January 2026 |
| jantar@dataforth.com | Reminder: Dataforth corporation – December Bonus... | December 2025 |
| croedig@dataforth.com | Dataforth corporation – December Bonus and Allocation for All Staff | December 2025 |

**Total: 10 phishing emails deleted**

Internal discussion threads (RE:/FW: emails) were preserved for audit trail.

#### 3. Configured Exchange Online Mail Flow Protection

**Root Cause:** Phishing emails bypassed MailProtector by connecting directly to M365's MX endpoint (`dataforth-com.mail.protection.outlook.com`) instead of routing through the MX records pointing to MailProtector.

**Solution Implemented:**

**A. Inbound Connector Created**
- **Name:** MailProtector Inbound
- **Type:** Partner organization → Office 365
- **Sender IPs:** 52.0.31.31, 52.0.74.211, 52.0.70.91

**B. Transport Rule Created**
- **Name:** Mailptroctor Only (Reject Direct Mail)
- **Priority:** 0 (highest)
- **Mode:** Enforce
- **Condition:** Sender is located 'NotInOrganization' (external)
- **Action:** Reject with explanation "Direct Mail Not Allowed - Please route through MX" (status code 5.7.1)
- **Exception:** Sender IP is in range 52.0.70.91, 52.0.74.211, or 52.0.31.31

**Testing Results:**
- SMTP connection to M365 still accepts messages at protocol level (normal behavior)
- Transport rule rejects messages during processing - they never reach the inbox
- Verified by sending test emails from a non-MailProtector IP - none delivered

---

### Attack Summary

| Campaign | Date | Subject Pattern | Method |
|----------|------|-----------------|--------|
| December 2025 | ~Dec 2025 | "December Bonus and Allocation for All Staff" | QR code → credential harvest |
| January 2026 | 2026-01-04 | "2026 Updated Pay Structure & Appraisal Guidelines" | QR code → credential harvest |

**Attack Vector:**
1. Attacker spoofs internal sender (ghaubner, jlohr, etc.)
2. Sends directly to `dataforth-com.mail.protection.outlook.com` (bypasses MX/MailProtector)
3. M365 accepts despite SPF fail (no enforcement without transport rule)
4. Attachment contains QR code linking to `acuvatech.cyou?a=victim@dataforth.com`
5. QR code leads to credential harvesting page with pre-populated email

**Origin IP:** 31.57.166.164 (no reverse DNS, external)

---

### Security Status After Remediation

| Category | Before | After | Notes |
|----------|--------|-------|-------|
| Phishing Emails | Present | ✅ Removed | 10 emails deleted |
| "true" App | Present | ✅ Deleted | Removed from Entra |
| Direct M365 Bypass | ⚠️ Vulnerable | ✅ Blocked | Transport rule enforcing |
| OAuth Consents | ✅ Clean | ✅ Clean | No changes needed |
| MailProtector | Working | Working | Now enforced as only path |

---

### MailProtector Gateway IPs (Reference)

These IPs are authorized to deliver mail to Dataforth M365:
```
52.0.31.31
52.0.74.211
52.0.70.91
```

---

### Verification Steps

To verify the transport rule is working:
1. **Exchange Admin Center** → **Mail flow** → **Message trace**
2. Search for sender: `attacker@malicious.com` (or any external address)
3. Messages from non-MailProtector IPs should show **Failed/Rejected**
4. Rejection reason: "Transport rule: Mailptroctor Only (Reject Direct Mail)"

---

### Recommendations

1. ✅ **COMPLETED:** Block direct M365 connections (transport rule)
2. ✅ **COMPLETED:** Remove phishing emails from all mailboxes
3. ✅ **COMPLETED:** Delete suspicious "true" app registration
4. **Consider:** External email warning banner for spoofed internal senders
5. **Consider:** User awareness training about QR code phishing
6. **Monitor:** Message trace for rejected bypass attempts
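The connector and transport rule from step 3, plus the message-trace check from the Verification Steps, expressed as Exchange Online PowerShell. This is an added example, not the commands used during the incident; it assumes the ExchangeOnlineManagement module is installed, the account holds Exchange Administrator rights, and that `-RequireTls` is acceptable for the MailProtector gateways (the notes do not mention TLS).

```powershell
# Added example: rebuild the step-3 configuration and the verification check.
# Assumes ExchangeOnlineManagement is installed and the account is an Exchange admin.
Connect-ExchangeOnline

# Gateway IPs from the "MailProtector Gateway IPs (Reference)" section
$gatewayIps = @('52.0.31.31', '52.0.74.211', '52.0.70.91')

# A. Inbound connector: Partner organization -> Office 365, scoped to the gateway IPs.
# RestrictDomainsToIPAddresses ties the connector to these source IPs only.
# RequireTls is an assumption, not stated in the incident notes.
New-InboundConnector -Name 'MailProtector Inbound' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $gatewayIps `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# B. Transport rule: reject all external mail unless it arrived from a gateway IP.
# Rule name kept exactly as recorded (spelling included) so message trace output
# matches the "Verification Steps" text.
New-TransportRule -Name 'Mailptroctor Only (Reject Direct Mail)' `
    -Priority 0 `
    -Mode Enforce `
    -FromScope NotInOrganization `
    -ExceptIfSenderIpRanges $gatewayIps `
    -RejectMessageReasonText 'Direct Mail Not Allowed - Please route through MX' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Verification / monitoring (Recommendation 6): list failed external deliveries in the
# last 24 hours and show which transport rule fired, with the source IP for each.
# On tenants where Get-MessageTrace has been retired, use Get-MessageTraceV2 instead.
$since = (Get-Date).AddHours(-24)
Get-MessageTrace -StartDate $since -EndDate (Get-Date) |
    Where-Object { $_.Status -eq 'Failed' } |
    ForEach-Object {
        $detail = Get-MessageTraceDetail -MessageTraceId $_.MessageTraceId `
                      -RecipientAddress $_.RecipientAddress
        [pscustomobject]@{
            Received = $_.Received
            Sender   = $_.SenderAddress
            FromIP   = $_.FromIP
            # Any FromIP outside $gatewayIps here is a direct-to-M365 bypass attempt
            Bypass   = ($gatewayIps -notcontains $_.FromIP)
            RuleHit  = ($detail | Where-Object Event -eq 'Transport rule').Detail -join '; '
        }
    } | Format-Table -AutoSize
```

Run the two `New-*` cmdlets once; the trace block can be scheduled daily to satisfy the monitoring recommendation.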