azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
295126ee6c4abe2588f94de0e022eabdbb1c925d
claudetools/clients/cascades-tucson/docs/cloud/m365-impersonation-protection.md
Howard Enos d2e375df8a sync: auto-sync from ACG-TECH03L at 2026-04-18 10:17:42 
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42
2026-04-18 10:17:45 -07:00

98 lines
7.2 KiB
Markdown
Raw Blame History

# M365 Anti-Impersonation Protection — Cascades
**Status:** Documentation only — policy not yet configured. Requires Business Premium (Defender for Office 365 Plan 1) or equivalent Defender for O365 add-on; Business Standard alone does not include the anti-impersonation engine.
**Trigger:** follow-up to Megan Hiatt's phishing email incident, 2026-04-17.
**Last updated:** 2026-04-18 (Howard)
## What this covers
Microsoft 365 Defender anti-phishing impersonation protection has two lists that need to be curated per tenant:
1. **Trusted senders / domains** — partners we actually do business with. Adding them prevents legitimate mail from being caught by anti-impersonation rules (which flag lookalikes of these names/domains). This is NOT an allowlist that bypasses spam/malware scanning — it just tells the impersonation engine "yes, this one is the real one, anything that resembles it is suspect."
2. **Protected users** — internal accounts that are high-value impersonation targets (executives, finance, anyone who can approve money or PHI disclosure). Inbound mail that mimics their display name from outside the tenant gets flagged.
For Cascades we're also protecting the **domain** `cascadestucson.com` itself so lookalike domains (e.g., `cascadestucsom.com`, `cascadestuscon.com`) get flagged as impersonation attempts.
## Currently configured (per Howard's 2026-04-17 email)
### Protected domains
- cascadestucson.com
- azcomputerguru.com
### Protected users
- Megan Hiatt
- John Trozzi
- Crystal Rodriguez
- Meredith Kuhn
- Tamra Matthews
- "accounting" (presumably the accounting@cascadestucson.com shared mailbox / anything with that display name)
**Verify on next portal visit:** double-check the exact protected-users list in Defender → Policies → Anti-phishing → Impersonation. Howard's email lists "Megan, John, crystal, Meredith, accounting, crystal and tamra" — the duplicate "crystal" is probably a typo.
## Trusted partners to add (from Megan Hiatt, 2026-04-17)
Megan's "top domains I regularly do business with" reply. Preferred configuration: add the **domain** where we want any sender on that domain trusted; add the **specific email** where we only want that one person trusted.
| Add as | Value | Business purpose |
|---|---|---|
| User | Matt Hermes — `Matt.Hermes@kold.com` | KOLD-TV — local media |
| User | SoAPRA — `soapra.npra@gmail.com` | State senior-living industry assoc (individual Gmail — user, not domain) |
| User | Lovely Laurence Garcia — `partnersuccess@caring.com` | Caring.com partner success |
| User | Caring Leads Team — `leadsteam@caring.com` | Caring.com lead routing |
| User | Assisted Living Locators (N. Tucson) — `sheril@assistedlivinglocators.com` | Senior-living placement agency |
| User | Angel Ramirez — `angel@placitacare.com` | PlacitaCare — referral partner |
| User | Anne Connell — `AnneC@cascadeliving.com` | Cascade Living (parent / affiliated property — verify relationship) |
| User | A Place for Mom AR — `ar@aplaceformom.com` | APFM accounts receivable — referral fees |
| User | `BillingWO@gray.tv` | Gray Television — ad billing |
| User | 8x8 Support — `noreply@8x8.com` | VoIP vendor no-reply (may not need impersonation protection since it's already an automated sender — include per Megan) |
| User | C.J. Duque — `cjduque@trucraftdesign.com` | Tru Craft Design — vendor |
| User | `compressionprinting@gmail.com` | Compression Printing — vendor |
| User | Lisa Burns — `lisab4421@gmail.com` | Personal/individual partner contact |
| User | `jbuenafe-leads@caring.com` | Caring.com lead contact (one of many) |
**Domain-level adds to consider (Howard to decide):** because Cascades gets mail from many different addresses at Caring.com and aplaceformom.com, adding `caring.com` and `aplaceformom.com` as trusted **domains** instead of individual addresses saves constant curation. Megan explicitly called out that Caring.com contacts "are changing all the time." Adding the domain once covers them all. Only risk: if a domain itself is spoofed, any sender claiming to be from it will be trusted — but the anti-impersonation engine is specifically about lookalike sender domains, so this is the correct use case.
Recommended domain-level trusted partners:
- `caring.com` — multiple contacts, constantly rotating
- `aplaceformom.com` — same pattern (APFM has many reps)
- `kold.com` — news media
- `assistedlivinglocators.com` — agency with multiple reps
- `cascadeliving.com`**confirm this is a legitimate affiliated property before trusting the whole domain**
- `gray.tv` — billing automation from multiple accounts
Individual addresses to keep as **user-level** entries (not domain):
- The two gmail.com partners (Lisa Burns, Compression Printing) — cannot trust `gmail.com` as a domain, obviously
- `soapra.npra@gmail.com` — same
- `angel@placitacare.com` — small vendor, domain-level overkill
- `cjduque@trucraftdesign.com` — same
- `noreply@8x8.com` — utility address, not a lookalike impersonation target anyway; Megan may have listed it for general allowlisting rather than anti-impersonation — revisit
## Outstanding / awaiting input
- **John Trozzi** (per 2026-04-17 email, bottom of thread): "I will gather this information for you tomorrow." → follow up for his partners list.
- **Meredith Kuhn** — did not respond yet on impersonation list; she's the one most likely to be impersonated in a wire-fraud attack as Executive Director. Follow up.
- **Ashley Jensen** (Assistant ED, Accounting) — same; likely overlaps with Meredith's list heavily.
- **Cascade Living affiliation** — Anne Connell at `cascadeliving.com`. Verify with Meredith whether Cascades of Tucson is owned/affiliated with Cascade Living properties before trusting the domain wholesale. If affiliated, add as trusted domain; if arm's-length, keep as user-level.
## Implementation notes (when ready)
1. Purchase Business Premium or Defender for O365 P1 add-on (impersonation engine lives in Defender, not EOP baseline)
2. Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing → edit the Standard preset or create `CSC - Anti-Phishing Standard`
3. Impersonation tab:
- Add protected users (Meredith, Megan, John, Crystal, Tamra, Ashley — anyone who can approve money/PHI)
- Add protected domains: `cascadestucson.com`, `azcomputerguru.com`, and any affiliated properties verified above
- Add trusted senders/domains (sections above)
- Action when user is impersonated: **Quarantine message** (not just "move to Junk" — attackers test Junk-only delivery)
- Mailbox intelligence: **On**, with "impersonated users" action = Quarantine
4. Spoof intelligence: On, with action Quarantine
5. Turn on Safety Tips
6. Review quarantine daily for first 2 weeks — tune the trusted list based on false positives
7. Document in this file any legitimate senders we have to add mid-operation so the list stays authoritative
## Related docs
- `docs/cloud/m365.md` — overall M365 state
- `docs/cloud/p2-staff-candidates.md` — staff P2 rollout (overlapping stakeholders)
- `docs/cloud/caregiver-m365-p2-rollout.md` — phone-side rollout (different user population)
- `docs/security/hipaa.md` — HIPAA program this feeds into
Reference in New Issue View Git Blame Copy Permalink