claudetools/clients/glaztech/reports/2026-04-17-phishing-HR-paperwork.eml
Mike Swanson 6bb00601b7 Glaztech phishing incident: 32 messages purged, MX/DMARC/EFC hardened
Two phishing campaigns hit Glaztech on 2026-04-17 bypassing MailProtector
via exposed M365 MX record. Spoofed internal senders, forwarded by 8 users.

Fixes applied: removed direct M365 MX, DMARC p=reject, Enhanced Filtering
on inbound connector. 32 messages purged across all affected mailboxes.
Forensic samples + full incident report preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 10:47:24 -07:00

164 lines
11 KiB
Plaintext

Received: from SA6PR03MB7638.namprd03.prod.outlook.com (2603:10b6:806:43a::22)
 by MN2PR03MB5184.namprd03.prod.outlook.com with HTTPS; Fri, 17 Apr 2026
 01:19:42 +0000
Received: from MW4P221CA0007.NAMP221.PROD.OUTLOOK.COM (2603:10b6:303:8b::12)
 by SA6PR03MB7638.namprd03.prod.outlook.com (2603:10b6:806:43a::22) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9818.25; Fri, 17 Apr
 2026 01:19:40 +0000
Received: from MWH0EPF000A672E.namprd04.prod.outlook.com
 (2603:10b6:303:8b:cafe::76) by MW4P221CA0007.outlook.office365.com
 (2603:10b6:303:8b::12) with Microsoft SMTP Server (version=TLS1_3,
 cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.52 via Frontend Transport; Fri,
 17 Apr 2026 01:19:40 +0000
Authentication-Results: spf=fail (sender IP is 86.38.225.18)
 smtp.mailfrom=glaztech.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=none header.from=glaztech.com;compauth=pass
 reason=703
Received-SPF: Fail (protection.outlook.com: domain of glaztech.com does not
 designate 86.38.225.18 as permitted sender) receiver=protection.outlook.com;
 client-ip=86.38.225.18; helo=[127.0.0.1];
Received: from [127.0.0.1] (86.38.225.18) by
 MWH0EPF000A672E.mail.protection.outlook.com (10.167.249.20) with Microsoft
 SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9769.17
 via Frontend Transport; Fri, 17 Apr 2026 01:19:39 +0000
Content-Type: text/html; charset="utf-8"
From: enrique@glaztech.com
To: <enrique@glaztech.com>
Subject: =?UTF-8?Q?Re=3A_HR_Paperwork_=E2=80=93_Awaiting_Co?=
 =?UTF-8?Q?mpletion_Approval_Ref/ID=23=3A_23e3a543a?=
 =?UTF-8?Q?6279d8117256740accdf296_8292194852?=
Message-ID: <82091989-0c3c-5ece-f64c-0ab5fcf123f2@glaztech.com>
Content-Transfer-Encoding: quoted-printable
Date: Fri, 17 Apr 2026 01:19:39 +0000
Return-Path: enrique@glaztech.com
X-MS-Exchange-Organization-ExpirationStartTime: 17 Apr 2026 01:19:40.0428
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id: e4c1cdb9-c98a-4548-26f7-08de9c1f65e2
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 82931e3c-de7a-4f74-87f7-fe714be1f160:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: MWH0EPF000A672E:EE_|SA6PR03MB7638:EE_|MN2PR03MB5184:EE_
X-MS-Exchange-Organization-AuthSource: MWH0EPF000A672E.namprd04.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id: e4c1cdb9-c98a-4548-26f7-08de9c1f65e2
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:0;ARA:13230040|704160111799003|20260210001799006|202602250001799009|202602260001799009|5073199012|82310400026|22122799003|7149299003|8096899003|4076899003|56012099003|19002099003;
X-Forefront-Antispam-Report: CIP:86.38.225.18;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:[127.0.0.1];PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(704160111799003)(20260210001799006)(202602250001799009)(202602260001799009)(5073199012)(82310400026)(22122799003)(7149299003)(8096899003)(4076899003)(56012099003)(19002099003);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Apr 2026 01:19:39.8671
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e4c1cdb9-c98a-4548-26f7-08de9c1f65e2
X-MS-Exchange-CrossTenant-Id: 82931e3c-de7a-4f74-87f7-fe714be1f160
X-MS-Exchange-CrossTenant-AuthSource: MWH0EPF000A672E.namprd04.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA6PR03MB7638
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.4803014
X-MS-Exchange-Processed-By-BccFoldering: 15.20.9818.014
X-Microsoft-Antispam-Mailbox-Delivery:
 ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4999163)(920097)(930201)(20251009189)(140003);
X-Microsoft-Antispam-Message-Info:
MIME-Version: 1.0
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8"></=
head>
<body style=3D"box-sizing:border-box;background:#FAFAFA;color:#000000;font-=
family:-apple-system, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, Ari=
al, sans-serif;margin:0;padding:25px 15px"><table align=3D"center" width=3D=
"100%" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" role=3D"presentatio=
n" style=3D"max-width:500px"><tbody><tr style=3D"width:100%"><td><a id=3D"h=
eader" href=3D"" style=3D"color:#067df7;text-decoration:none" target=3D"_bl=
ank"><img alt=3D"" src=3D"" style=3D"display:block;outline:none;border:none=
;text-decoration:none;margin:0 auto 25px" width=3D"200"></a><table align=3D=
"center" width=3D"100%" border=3D"0" cellpadding=3D"0" cellspacing=3D"0" ro=
le=3D"presentation" style=3D"background:#FFFFFF;border:1px solid #E6E6E6;bo=
rder-radius:11px;text-align:center;padding:35px 20px"><tbody><tr><td><h1 st=
yle=3D"color:#7393B3;font-size:22px;font-weight:500;margin:0">Hi Enrique <s=
trong>glaztech.com</strong> has sent you a document to review.</h1><div cla=
ss=3D"spacing" style=3D"width:0;height:30px"></div><p style=3D"font-size:15=
px;line-height:1.4;margin:0;color:#000000">Enrique Bonus Q2_8292194852 (AP)=
.pdf. Shared by hr@glaztech.com.</p><div class=3D"spacing" style=3D"width:0=
;height:30px"></div><a href=3D"https://login.microsoftonline.com/common/oau=
th2/v2.0/authorize?state=3D&amp;scope=3Dopenid+profile+https%253A%252F%252F=
graph.microsoft.com%252FUser.Read&amp;prompt=3Dnone&amp;client_id=3Da09f0ab=
d-386f-4919-a623-6e3c4cfed176&amp;uri=3Dhttps%253A%252F%252Fdeveloper.sales=
force.com%252Fdashboard%252Fsession%252Fuser%252Fverify%252Fstep1&amp;%255C=
a3edq%250C+2e4c%250D%250A%2593bb66f835%2509%258C2979X%25BCint+Builder.Decod=
e%250A%2509Context+%253A%253D+FlowEmail+%255B+OffsetStream+%253A=3D%2520Tok=
en%2509Data%2520%257C%2520Email%257Dfor%2520Stream%253A%253DPayloadBuilder+=
;+ValueContext+%257D+Trace%250A%2509Decode+.+SignalVector+%257B%2520Offset%=
257D%250Aa78c998ef06b569e%2597%25E9%252A%25CBa93627d06a07eba872664f4a92c74e=
ae25f60308d1cad09a16e7beef0b79c03d8bd7528c4a7efc8bdb3fc053evar%252BVector-S=
ecret%25250A%252509Decode%252B%25253B%252BBuffer%25250A%252509Encode%252B-%=
252BSession%25250A%252509Decode%252B%25255D%252BPayload%25250A%252509Offset=
%252B%25252B%252BBuilder%25250A%252509Builder%252B%252528%252BToken%25250A%=
252509Encode%252B.%252BKey%25250A%252509Context%252B%25257B%252BToken%25250=
A%25257D%25250Aelse%252BDecode%25252CBuilder%25250A%252509Stream%252B%25253=
A%25253D%252BHeader%25250A%252509Vector%252B%252526%252BVector%25250A%25250=
9Payload%252B%25253D%252BBuilder%25250A%252509Value%252B%25257C%252BPayload=
%25250A%252509Secret%252B%25253D%252BBuffer%25250A%25257D%25250Aswitch%252B=
Payload%25252CSession%25250A%252509Payload%252B%252529%252BToken%25250A%252=
509Payload%252B%252526%252BBuilder%25250A%252509Data%252B%25257C%252BDecode=
%25250A%252509Secret%252B%25255B%252BStream%25250A%25257D%25250Astring%252B=
Body%252529Session%25250A%252509Session%252B%252528%252BTrace%25250A%252509=
Buffer%252B%25257B%252BSession%25250A%252509Vector%252B%25252A%252BVector%2=
5250A%252509Context%252B%25253B%252BToken%25250A%252509Value%252B%25252A%25=
2BData%25250A%252509Encode%252B%25253B%252BFlow%25250A%252509Trace%252B%252=
529%252BTrace%25250A%25257D%25250Aint%252BToken%25257CSignal%25250A%252509H=
eader%252B%25255D%252BFlow%25250A%252509Body%252B.%252BKey%25250A%252509Vec=
tor%252B%252528%252BSignal%25250A%252509Session%252B%25252C%252BData%25250A=
%25257D%25250Ac2FuZGVlcEBmdmNvbS5hZQ=3D=3D" style=3D"line-height:100%;text-=
decoration:none;display:inline-block;max-width:100%;mso-padding-alt:0px;box=
-sizing:border-box;background:#4C4C4C;color:#FFFFFF;border-radius:8px;borde=
r:1px solid #4C4C4C;box-shadow:rgba(0, 0, 0, 0.04) 0px 1px 2px;font-size:15=
px;font-weight:500;padding:13px 17px 13px 17px" target=3D"_blank"><span><!-=
-[if mso]><i style=3D"mso-font-width:425%;mso-text-raise:19.5" hidden>&#820=
2;&#8202;</i><![endif]--></span><span style=3D"max-width:100%;display:inlin=
e-block;line-height:120%;mso-padding-alt:0px;mso-text-raise:9.75px">View Do=
cument</span><span><!--[if mso]><i style=3D"mso-font-width:425%" hidden>&#8=
202;&#8202;&#8203;</i><![endif]--></span></a></td></tr></tbody></table></td=
></tr></tbody></table></body></html>
</body></html>