claudetools/clients/cascades-tucson/reports/2026-04-21-post-dmarc-spoofing-recheck.md
Howard Enos f15862440e sync: auto-sync from HOWARD-HOME at 2026-04-21 15:07:39
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-21 15:07:39
2026-04-21 15:07:42 -07:00

Cascades Tucson — Post-DMARC Spoofing Recheck

Date: 2026-04-21
Tenant: Cascades of Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)
Subject: Verify whether Mike's 2026-04-20 DMARC change (p=none -> p=quarantine; pct=100) stopped the inbound same-domain envelope-spoofing campaign
Tool: Claude-MSP-Access Graph API (old app fabb3421-8b34-484b-bc17-e46de9703418) — Howard's box doesn't yet have the new tiered-suite secrets; see "Gaps".
Scope: READ-ONLY. No deletions.
Window: 2026-04-19T00:00:00Z -> 2026-04-21T20:22Z (~68h)
Analyst: Howard Enos (Howard-Home)

TL;DR

  • Public DMARC posture confirmed p=quarantine; pct=100 (verified this morning in 2026-04-21-spoofing-hunt.md). Mike's fix is live.
  • Since the DMARC change propagated (sometime between 18:28Z 2026-04-20 and now), zero signature-matching spoofing has been delivered. 26-hour spoof-free window.
  • Two phishes from yesterday's campaign were NOT caught by Mike's 16:34Z sweep — both landed before DMARC enforcement. Listed below for cleanup + user notification:
    • accounting@cascadestucson.com — still sitting in Inbox
    • jd.martin@cascadestucson.com — user-deleted, currently in Deleted Items
  • Campaign pattern confirmed unchanged: attacker continues to envelope-spoof cascadestucson.com from cheap hosting, SPF=fail / DKIM=none / DMARC=fail. compauth=pass reason=703 was letting them through on the old p=none policy.

Method

  1. Acquired Graph client-credentials token against old app (fabb3421) — consented in Cascades, has Mail.ReadWrite. Direct OAuth request; get-token.sh has no tier mapping for this app intentionally (deprecated), but it's the only route available until the tiered suite is consented in Cascades + secrets synced to Howard's vault.
  2. Pulled 46 internal mailboxes via /v1.0/users (filtered out 4 shared/legacy + 4 guest accounts). 5 mailboxes returned MailboxNotEnabledForRESTAPI (unlicensed / on-prem / inactive — ann.dery, Kitchenipad, nick.pavloff, Stephanie.Devin, sysadmin). Remaining ~41 scanned.
  3. For each scannable mailbox, GET /v1.0/users/{upn}/messages?$filter=receivedDateTime ge 2026-04-19T00:00:00Z with pagination. 1,416 messages total across the 48h+ window.
  4. Client-side regex on subject against the 2026-04-20 campaign signatures: (ATTN|Mailbox.*Expire|Login.*Expire|Password.*Expire|Pending.*Documents|Pending.*Pages|Approval Pending|Document Ready for Review|Service Termination|Executed NDA|Request for Quotation|REF#[0-9a-f]{6,}|[0-9a-f]{32,}|zoom\.nl|awstrack\.me|DocExchange_Noreply).
  5. Pulled internetMessageHeaders + resolved parentFolderId for each hit.

Hits — 3 total

| # | Mailbox | Received (UTC) | Folder | Subject | From (envelope) | Origin IP | Country | LANG | Classification |
|---|---|---|---|---|---|---|---|---|---|
| 1 | john.trozzi | 2026-04-20 12:23 | Sent Items | Fw: ATTN!! -- Pending 5 (Pages)... | john.trozzi@... (internal) | -- | -- | -- | User forward to MSP (expected, per 4/20 report Group D). Not phishing. |
| 2 | accounting@ | 2026-04-20 13:41 | Inbox | Action Required: Service Termination Alert -- 19fb74fa1dc7... | accounting@... (envelope-spoof) | 104.168.70.29 | US | zh-cn | Phish. Missed by Mike's sweep. Needs deletion + user advisory. |
| 3 | jd.martin | 2026-04-20 18:28 | Deleted Items | NSA: Cascadestucson Executed NDA Agreement Ref: 0ad45d53... | jd.martin@... (envelope-spoof) | 178.211.155.48 | DE | en | Phish. User already deleted. Purge from Deleted Items; no body action needed. |

Header evidence — hit #2 (accounting@)

Authentication-Results: spf=fail (sender IP is 104.168.70.29) smtp.mailfrom=cascadestucson.com;
  dkim=none (message not signed) header.d=none;
  dmarc=fail action=none header.from=cascadestucson.com;
  compauth=pass reason=703
Received-SPF: Fail (protection.outlook.com: domain of cascadestucson.com does not designate 104.168.70.29 as permitted sender)
X-Forefront-Antispam-Report: CIP:104.168.70.29;CTRY:US;LANG:zh-cn;SCL:1;...;PTR:104-168-70-29-ip.gqlists.us.com
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;...
Return-Path: accounting@cascadestucson.com
From: <accounting@cascadestucson.com>

Body preview: Microsoft password-expiry credential phish, "Click to re-activate same password".

Key fact: dmarc=fail action=none tells us that at the time Microsoft evaluated this message (13:41Z on 4/20), the published DMARC policy was still p=none. Mike's DNS change hadn't yet taken effect (or hadn't propagated to the Microsoft resolver).

Header evidence -- hit #3 (jd.martin)

Authentication-Results: spf=fail (sender IP is 178.211.155.48) smtp.mailfrom=cascadestucson.com;
  dkim=none (message not signed) header.d=none;
  dmarc=fail action=none header.from=cascadestucson.com;
  compauth=pass reason=703
Received-SPF: Fail ... client-ip=178.211.155.48; helo=[127.0.0.1];
X-Forefront-Antispam-Report: CIP:178.211.155.48;CTRY:DE;LANG:en;SCL:1;...;PTR:178.211.155.48.deltahost-ptr
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;...

Body preview: "All Parties Have Signed The Completed Document ... Cascadestucson Executed Agreement_3048189612.pdf". DocuSign-themed click-through phish.

Key fact: dmarc=fail action=none -- same as hit #2. DMARC still at p=none at 18:28Z on 4/20. This is four hours AFTER Mike's sweep completed at 16:34Z, meaning the DNS record change had not yet taken effect at delivery time.
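
As an added illustration (not the report's cascades_scan.sh), the two checks from Method steps 4-5 and the header evidence above in Python: the campaign subject regex, plus a parser for Authentication-Results that flags a same-domain envelope spoof and reads the dmarc action, so a header carrying action=quarantine would be the enforcement proof the caveats below say is still missing. AUTH_HIT2 is the hit #2 header exactly as quoted above; the function names are mine.

```python
import re

# Subject signatures from the 2026-04-20 campaign, copied from Method step 4 above.
SIGNATURE_RE = re.compile(
    r"(ATTN|Mailbox.*Expire|Login.*Expire|Password.*Expire|Pending.*Documents|Pending.*Pages"
    r"|Approval Pending|Document Ready for Review|Service Termination|Executed NDA"
    r"|Request for Quotation|REF#[0-9a-f]{6,}|[0-9a-f]{32,}|zoom\.nl|awstrack\.me|DocExchange_Noreply)"
)

# Authentication-Results value of hit #2 as quoted in the report (authserv-id omitted there too).
AUTH_HIT2 = """spf=fail (sender IP is 104.168.70.29) smtp.mailfrom=cascadestucson.com;
  dkim=none (message not signed) header.d=none;
  dmarc=fail action=none header.from=cascadestucson.com;
  compauth=pass reason=703"""


def parse_auth_results(header):
    """Unfold an Authentication-Results value into {method: {"result": ..., prop: value}}.
    Parenthesised comments are dropped; each ';' clause is method=result plus key=value props."""
    unfolded = " ".join(line.strip() for line in header.splitlines())
    results = {}
    for clause in re.sub(r"\([^)]*\)", "", unfolded).split(";"):
        pairs = re.findall(r"([\w.]+)=(\S+)", clause)
        if not pairs:
            continue  # empty trailing clause or a bare authserv-id
        method, result = pairs[0]
        results[method] = {"result": result, **dict(pairs[1:])}
    return results


def classify(subject, auth_header, envelope_from, tenant_domain):
    """Campaign signature on the subject, and same-domain envelope spoof per the auth header.
    dmarc action=none means the published policy was still p=none when EOP evaluated the
    message; action=quarantine/reject is the proof of enforcement the report still lacks."""
    ar = parse_auth_results(auth_header)
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    same_domain = envelope_from.lower().endswith("@" + tenant_domain.lower())
    spoof = (same_domain and spf.get("result") == "fail"
             and dkim.get("result") != "pass" and dmarc.get("result") == "fail")
    return {
        "signature_match": bool(SIGNATURE_RE.search(subject)),
        "same_domain_spoof": spoof,
        "dmarc_action": dmarc.get("action"),
        "dmarc_enforced": dmarc.get("action") in ("quarantine", "reject"),
        # compauth=pass on a failing same-domain spoof is the reason=703 pass-through described above
        "compauth_override": spoof and ar.get("compauth", {}).get("result") == "pass",
    }
```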

Attacker infrastructure update

Two new attacker IPs observed yesterday, not present in 2026-04-20 sweep inventory:

| New IP | Country | Hoster | PTR | LANG | Relation |
|---|---|---|---|---|---|
| 104.168.70.29 | US | ColoCrossing | 104-168-70-29-ip.gqlists.us.com | zh-cn | Same ASN (AS36352) as yesterday's 104.168.101.10 but different /24 -- same operator using fresh IPs |
| 178.211.155.48 | DE | Deltahost | 178.211.155.48.deltahost-ptr | en | Same hoster as yesterday's 139.28.37.117 -- Deltahost is this operator's preferred persistence host |

Operator language suggests Southeast Asia origin (zh-cn + en across recent 48h). Same attacker continues rotating through cheap hosting.

DMARC verdict -- IS THE FIX WORKING?

Short answer: yes, with caveat on observability.

Evidence:

  • No signature-matching phish received after 18:28Z on 2026-04-20.
  • Current public DMARC is p=quarantine; pct=100.
  • 26-hour clean window and counting.

Caveats:

  • We don't have direct proof that DMARC is now rejecting/quarantining (we'd need to see a new phish arrive after propagation and observe it routed to Junk with action=quarantine in its headers). The attacker may simply be between sending waves.
  • DMARC reports are still routed to info@cascadestucson.com -- an internal mailbox no one is parsing. If enforcement is working we can't easily confirm it without an aggregator. This is a high-leverage next fix (flagged in the 4/21 morning spoofing-hunt report).
  • Signature-based regex catches this operator's current playbook. A tactic change (new subject patterns) would slip past this sweep. DMARC itself is indifferent to subject content -- any same-domain envelope-spoof from a non-authorized IP (no aligned SPF pass and no aligned DKIM signature) will now fail DMARC and be quarantined regardless of subject.

Not executed -- this pass is read-only. If you want them purged:

  1. Delete accounting@cascadestucson.com message id AQMkAGRjNzE5NDUwLWI2ZjktNDE3YS05YTllLTNmYzYyMGE0NWQ0NQBGAAAD7oeHAXheiECLcOgfhwMwDgcAlgOsb8qXsE_VgW2XdaO1MQAAAgEMAAAAlgOsb8qXsE_VgW2XdaO1MQADm5EpmQAAAA== from Inbox. Subject "Action Required: Service Termination Alert". Received 2026-04-20 13:41Z from 104.168.70.29. Credential phish.
  2. Delete jd.martin@cascadestucson.com message id AAMkADk0YjhmY2ViLTViZWUtNDYyYS1hZDRjLWU3MjhmN2Y5MzNhOQBGAAAAAACUE8AD88wOS6xVQwpQaOUGBwBS7ua6a1vNSIAr62dlr20tAAAAAAEKAABS7ua6a1vNSIAr62dlr20tAAAAdqo0AAA= from Deleted Items (purge). Subject "NSA: Cascadestucson Executed NDA Agreement". Received 2026-04-20 18:28Z from 178.211.155.48.
  3. Advise users:
    • accounting@ (shared accounting inbox, whoever manages it -- Mary Hogan-Padilla per yesterday's inventory) -- "you received a fake password-expiry email on 4/20; did anyone click it?"
    • jd.martin -- "the NDA email from 4/20 18:28 UTC was a phish; confirm you didn't click/enter credentials"
  4. Add to Exchange TABL IP Block List (additive to yesterday's list):
    • 104.168.70.29 (ColoCrossing, same operator as yesterday's 104.168.101.10)
    • 178.211.155.48 (Deltahost, same hoster as yesterday's 139.28.37.117)
  5. Consider broader Deltahost block if more IPs from 178.211.155.0/24 or 139.28.37.0/24 appear -- the operator clearly has deep inventory at Deltahost.
  6. Move DMARC rua to an aggregator (dmarcian, EasyDMARC, Valimail have free tiers) so we can verify enforcement is working AND see who else is spoofing cascadestucson.com in the wild.
  7. Escalate DMARC to p=reject once a week of aggregator data confirms no legitimate senders are being quarantined in error. p=reject is harder to talk yourself out of enforcing; p=quarantine still lets users fish junk messages out of Junk Email.
  8. Re-onboard Cascades to the new tiered app suite (Security Investigator + Exchange Operator) so future investigations can use Exchange message trace, anti-phishing policy review, quarantine inspection, transport rules audit -- none of which the deprecated fabb3421 app can do.

Gaps -- what this sweep did NOT cover

  • Junk/Quarantine content from non-signature subjects. If the attacker rotated subject lines this sweep wouldn't catch them. Exchange message trace (currently blocked) is the correct tool for "show me all messages where Authentication-Results contained dmarc=fail".
  • Anti-phishing policy state. Can't review spoof intelligence / impersonation protection settings via Graph -- needs Exchange Online REST.
  • Transport rules. Same -- Exchange Online REST needed.
  • Connection filter / IP allow list audit. Same.
  • Defender alerts. Cascades SKU may not include MDO, and the Defender tier requires an MDE license anyway.
  • DMARC aggregate-report parsing. Reports route to info@cascadestucson.com; nobody parses them.
  • 5 mailboxes not scanned (REST API disabled): ann.dery, Kitchenipad, nick.pavloff, Stephanie.Devin, sysadmin. Low likelihood of being targets (shared/legacy/disabled) but not verified.

Unblock path (repeat of earlier recommendation)

To close the Exchange-side gaps on future Cascades investigations:

  1. Consent ComputerGuru Security Investigator in Cascades: send Global Admin this URL --
     https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
  2. Run onboard-tenant.sh cascadestucson.com from Mike's box (which has the Tenant Admin secret) to assign Exchange Administrator + required directory roles.
  3. Mike syncs new-suite SOPS files to shared vault repo so Howard can acquire tokens from Howard-Home.

Once done, Howard can run the full inbound message trace / anti-phishing / transport-rule audit without relying on the deprecated app.

Data artifacts

All raw scan data under /tmp/cascades_recheck/:

  • users_all.json -- raw Graph /v1.0/users dump (54 records)
  • users.tsv -- filtered internal mailboxes (46)
  • hits.jsonl -- 3 signature-matching messages with metadata
  • headers/accounting.json -- full message (incl. headers) for hit #2
  • headers/jd_martin.json -- full message (incl. headers) for hit #3
  • headers/john_trozzi.json -- context for the user's forward

Sweep script: C:/tmp-scripts/cascades_scan.sh

Remediation actions taken

2026-04-21 20:32:52Z — Howard authorized by Mike in chat. Both missed phishes purged via Graph permanentDelete (hard delete, not recoverable by user):

| Mailbox | Message ID (prefix) | Folder at delete | Graph response | Timestamp |
|---|---|---|---|---|
| accounting@cascadestucson.com | AQMkAGRjNzE5NDUw... | Inbox | HTTP 204 | 2026-04-21 20:32:52Z |
| jd.martin@cascadestucson.com | AAMkADk0YjhmY2Vi... | Deleted Items | HTTP 204 | 2026-04-21 20:32:53Z |

Delete log: /tmp/cascades_recheck/delete_log/20260421T203252Z_deletions.jsonl

IP block list update: SKIPPED. Per Howard's decision — DMARC enforcement has eliminated new spoofs for 26+ hours; additive IP blocks deferred unless / until DMARC proves insufficient.