claudetools/clients/glaztech/reports/2026-04-17-phishing-incident-report.md
Mike Swanson 6bb00601b7 Glaztech phishing incident: 32 messages purged, MX/DMARC/EFC hardened
Two phishing campaigns hit Glaztech on 2026-04-17 bypassing MailProtector
via exposed M365 MX record. Spoofed internal senders, forwarded by 8 users.

Fixes applied: removed direct M365 MX, DMARC p=reject, Enhanced Filtering
on inbound connector. 32 messages purged across all affected mailboxes.
Forensic samples + full incident report preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-17 10:47:24 -07:00


Glaztech Industries — Phishing Incident Report

Date: 2026-04-17
Reported by: Seastman (via support ticket)
Investigated by: Mike Swanson (AZ Computer Guru)
Tenant: glaztech.com (82931e3c-de7a-4f74-87f7-fe714be1f160)


Executive Summary

Multiple phishing emails bypassed Glaztech's MailProtector spam filter by connecting directly to Microsoft 365's inbound mail endpoint. The messages spoofed internal Glaztech employees and were forwarded and replied to internally by multiple staff. Root cause was a secondary MX record in DNS that advertised the M365 endpoint, combined with a monitor-only DMARC policy (p=none) that let messages failing SPF and carrying no DKIM signature through.

All phishing messages have been purged. Three changes have been applied: the direct M365 MX record was removed, DMARC was moved to p=reject, and Enhanced Filtering was enabled on the inbound connector. The first two would each have blocked these messages on their own; the third improves EOP's scoring of mail that does pass through MailProtector.


Attack Details

Campaign 1: "Mailbox Password Expiry"

| Field | Value |
|---|---|
| Subject | ATTN : MaiIbox Password Login Expire today, 4/17/2026 - 709f6f1afea353ee... |
| Spoofed From | alexander@glaztech.com |
| Actual Sender IP | 23.94.30.18 (ColoCrossing VPS, 23-94-30-18-host.colocrossing.com) |
| Delivery Path | Direct to glaztech-com.mail.protection.outlook.com (bypassed MailProtector) |
| SPF | FAIL (23.94.30.18 not authorized) |
| DKIM | None (message not signed) |
| DMARC | FAIL (policy was p=none, no enforcement) |
| SCL | 1 (M365 did not flag as spam) |
| Composite Auth | pass, reason=703 |
| Content Language | Slovak (sk) |
| Obfuscation | "MaiIbox": uppercase I in place of lowercase l |

Internal spread: Alexander received the original → forwarded it → seastman replied → dominic replied. 5 total copies in Alexander's mailbox, 13 copies total across 3 users.

Campaign 2: "HR Paperwork Approval"

| Field | Value |
|---|---|
| Subject | HR Paperwork Awaiting Completion Approval Ref/ID#: <hash> |
| Spoofed From | enrique@glaztech.com |
| Actual Sender IP | 86.38.225.18 (PTR: InfoDomainNonexistent) |
| Delivery Path | Direct to glaztech-com.mail.protection.outlook.com (bypassed MailProtector) |
| SPF | FAIL (86.38.225.18 not authorized) |
| DKIM | None (message not signed) |
| DMARC | FAIL (policy was p=none, no enforcement) |
| SCL | 1 (M365 did not flag as spam) |
| Composite Auth | pass, reason=703 |
| Content Language | English |

Each recipient received a different Ref/ID hash in the subject, which is typical of a phishing kit tracking individual targets. The message was heavily forwarded internally and ended up in 7 users' mailboxes.
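The header checks behind the two tables above, as an added example (this is not code from the report or from AZ Computer Guru's tooling). It parses the headers Exchange Online stamps on inbound mail and reproduces what the investigation did by hand: which host handed the message to the EOP edge and whether that was the MailProtector relay, what Authentication-Results says about SPF, DKIM, DMARC and compauth, the SCL, and whether the subject uses an I-for-l homoglyph. The embedded message is constructed to mirror the shape of Campaign 1; it is not the preserved .eml, and the Exchange-internal hostnames, IDs, timestamps and body are illustrative.

```python
"""Header triage for a suspected direct-to-EOP phish (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Hostname suffix of the filtering relay that legitimate inbound mail should
# traverse (MailProtector's inbound host, taken from the report's MX table).
FILTER_RELAY_SUFFIXES = ("inbound.emailservice.io",)

# Constructed sample shaped like Campaign 1. NOT the preserved .eml: the
# Exchange-internal hostnames, message IDs, timestamps and body are made up.
SAMPLE_EML = b"""\
Received: from DM6PR19MB3178.namprd19.prod.outlook.com (2603:10b6:5:1b8::17) by DM6PR19MB2554.namprd19.prod.outlook.com (2603:10b6:5:1d5::11) with Microsoft SMTP Server (version=TLS1_2) id 15.20.9000.0; Fri, 17 Apr 2026 14:02:11 +0000
Received: from 23-94-30-18-host.colocrossing.com (23.94.30.18) by glaztech-com.mail.protection.outlook.com (10.167.20.55) with Microsoft SMTP Server (version=TLS1_2) id 15.20.9000.0 via Frontend Transport; Fri, 17 Apr 2026 14:02:09 +0000
Authentication-Results: spf=fail (sender IP is 23.94.30.18) smtp.mailfrom=glaztech.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=glaztech.com; compauth=pass reason=703
X-MS-Exchange-Organization-SCL: 1
From: Alexander <alexander@glaztech.com>
To: alexander@glaztech.com
Subject: ATTN : MaiIbox Password Login Expire today, 4/17/2026
Date: Fri, 17 Apr 2026 14:02:05 +0000
Content-Type: text/plain; charset=utf-8

Constructed body; the real campaign body is in the preserved .eml.
"""

AUTH_TOKEN_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
REASON_RE = re.compile(r"\breason=(\d+)")
ACTION_RE = re.compile(r"\bdmarc=\w+\s+action=(\w+)")
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s+\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_auth_results(msg: EmailMessage) -> dict:
    """Flatten Authentication-Results into {method: result} plus the compauth
    reason code and the DMARC action. The topmost header wins if several exist."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)
        for method, result in AUTH_TOKEN_RE.findall(text):
            out.setdefault(method, result.lower())
        m = REASON_RE.search(text)
        if m:
            out.setdefault("compauth_reason", m.group(1))
        m = ACTION_RE.search(text)
        if m:
            out.setdefault("dmarc_action", m.group(1).lower())
    return out


def eop_edge_hop(msg: EmailMessage) -> Optional[dict]:
    """Find the hop where the message entered Exchange Online Protection.
    Each relay prepends its own Received header, so the first one whose 'by'
    host is the tenant's *.mail.protection.outlook.com endpoint is the edge."""
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(str(hdr))
        if not m or not m.group("by").lower().endswith(".mail.protection.outlook.com"):
            continue
        host = m.group("host").lower()
        ip_m = IPV4_RE.search(m.group("paren"))
        return {
            "from_host": host,
            "ip": ip_m.group(0) if ip_m else None,
            "by": m.group("by").lower(),
            "via_filter": any(host.endswith(s) for s in FILTER_RELAY_SUFFIXES),
        }
    return None


def homoglyph_words(subject: str) -> list:
    """Subject tokens with an uppercase I between lowercase letters (the
    I-for-l swap used in 'MaiIbox') or with non-ASCII letters in an ASCII word."""
    flagged = []
    for word in re.findall(r"\S+", subject):
        if re.search(r"[a-z]I[a-z]", word) or (not word.isascii() and re.search(r"[A-Za-z]", word)):
            flagged.append(word)
    return flagged


def triage(raw: bytes, accepted_domains=("glaztech.com",)) -> dict:
    """Run all checks over one raw message and return findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    hop = eop_edge_hop(msg)
    scl = int(msg.get("X-MS-Exchange-Organization-SCL", "-1"))
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    no_explicit_pass = auth.get("spf") != "pass" and auth.get("dkim") != "pass"
    findings = []
    if hop and not hop["via_filter"]:
        findings.append(f"direct-to-EOP delivery from {hop['ip']} ({hop['from_host']}), "
                        f"bypassing {', '.join(FILTER_RELAY_SUFFIXES)}")
    if from_domain in accepted_domains and no_explicit_pass:
        findings.append(f"internal sender domain {from_domain} spoofed: "
                        f"spf={auth.get('spf')}, dkim={auth.get('dkim')}")
    if auth.get("dmarc") == "fail" and auth.get("dmarc_action") == "none":
        findings.append("DMARC failed but the policy is p=none (no enforcement)")
    if auth.get("compauth") == "pass" and no_explicit_pass:
        findings.append(f"compauth=pass reason={auth.get('compauth_reason')} despite explicit auth failures")
    glyphs = homoglyph_words(str(msg.get("Subject", "")))
    if glyphs:
        findings.append("homoglyph subject tokens: " + ", ".join(glyphs))
    return {"auth": auth, "hop": hop, "scl": scl, "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print("edge hop:", result["hop"])
    print("auth:", result["auth"], "scl:", result["scl"])
    for finding in result["findings"]:
        print(" -", finding)
```

Point it at the preserved .eml files by reading them as bytes and passing them to triage(). The hop check keys on the *.mail.protection.outlook.com hostname, so it works for any tenant; only FILTER_RELAY_SUFFIXES and accepted_domains are Glaztech-specific.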


Root Cause Analysis

Why the messages got through

  1. Direct MX bypass. DNS had two MX records:

    • MX 5: glaztech-com.inbound.emailservice.io (MailProtector — correct)
    • MX 10: glaztech-com.mail.protection.outlook.com (M365 direct — the bypass)

    The senders skipped MX 5 and delivered directly to MX 10, which completely bypassed MailProtector's filtering. Note that this hostname follows Microsoft's fixed pattern (the accepted domain with dots replaced by dashes, plus .mail.protection.outlook.com), so it is guessable even without an MX record; publishing it in DNS only made it explicit.

  2. No DMARC enforcement. DMARC was set to p=none (monitor only). Despite SPF FAIL and no DKIM, M365's Exchange Online Protection (EOP) did not reject the messages because DMARC policy said "take no action."

  3. Composite authentication passed despite explicit failures. The headers show compauth=pass reason=703. Microsoft's anti-spam header documentation lists reason codes 1xx and 7xx only as "the message passed authentication" and does not publish the meaning of individual sub-codes, so reading 703 as an "implicit allowed sender" decision is an inference on our part. Whatever the exact trigger, EOP treated the messages as authenticated even though SPF failed, DKIM was absent and DMARC failed under a p=none policy.

  4. Inbound connector not hardened. The existing "Inbound Spam Filter" connector had no IP restrictions (SenderIPAddresses: [], RestrictDomainsToIPAddresses: false) and no Enhanced Filtering. Without Enhanced Filtering, EOP scored relayed mail against MailProtector's IP rather than the originating IP; without RestrictDomainsToIPAddresses, nothing on the M365 side rejected mail for glaztech.com that did not arrive from MailProtector.

Why MailProtector didn't help

MailProtector was correctly configured as MX 5 and would have filtered these messages had they passed through it. The senders simply bypassed it by connecting to MX 10 instead.


Remediation Actions

Immediate (completed 2026-04-17)

| # | Action | Status | Effect |
|---|---|---|---|
| 1 | Removed MX 10 record from DNS (IX server) | Done | MailProtector is now the only advertised MX; DNS no longer points senders at the M365 endpoint. |
| 2 | Updated DMARC from p=none to p=reject; sp=reject | Done | Spoofed glaztech.com messages are now rejected by any DMARC-enforcing receiver. For M365 itself, the action taken on a p=reject failure is set by the tenant's anti-phishing (spoof) policy, so confirm it is configured to honor the published DMARC policy rather than deliver to Junk. |
| 3 | Enabled Enhanced Filtering for Connectors (EFC) on inbound connector | Done | EOP now evaluates the original sender IP (not MailProtector's IP) for spam scoring and SPF. |
| 4 | Purged all phishing messages from all affected mailboxes | Done | 32 messages deleted across 8 users. |
| 5 | Saved forensic copies of both campaigns | Done | .eml + .json in clients/glaztech/reports/. |
| 6 | Onboarded Glaztech to remediation tool (admin consent + Exchange Administrator role) | Done | Future investigations and cleanups can be performed remotely via Graph API. |

DNS changes (IX server, PowerDNS)

Zone file: /var/named/glaztech.com.db
Backup: /var/named/glaztech.com.db.bak-20260417

| Record | Before | After |
|---|---|---|
| MX | 5 glaztech-com.inbound.emailservice.io, 10 glaztech-com.mail.protection.outlook.com | 5 glaztech-com.inbound.emailservice.io only |
| _dmarc TXT | v=DMARC1;p=none;sp=none;... | v=DMARC1;p=reject;sp=reject;... |
| Serial | 2026041001 | 2026041702 |

Exchange Online changes

Connector: "Inbound Spam Filter" (ID e868b1f3-e60b-40cf-b304-203d81eee6f5)

| Setting | Before | After |
|---|---|---|
| SenderIPAddresses | [] | [] (unchanged; IP restriction causes calendar failures, see note) |
| RestrictDomainsToIPAddresses | false | false |
| EFSkipIPs | [] | ["162.248.93.233", "162.248.93.81", "65.113.52.82"] |

Note: IP restriction on the connector was intentionally NOT applied because it blocks legitimate calendar invites from external M365 tenants (learned from the Dataforth incident). The trade-off is that direct delivery to the EOP endpoint is still accepted: DMARC p=reject now catches mail spoofing glaztech.com itself, but a message from a lookalike or unrelated domain delivered the same way would be scored by EOP alone, without MailProtector.


Messages Purged

Campaign 1: "ATTN Mailbox Password" — 13 messages

| User | Copies | Types |
|---|---|---|
| alexander@glaztech.com | 5 | Original + Fw + RE + Fw + RE |
| seastman@glaztech.com | 6 | Fw + RE + FW + RE + Fw + RE |
| dominic@glaztech.com | 2 | Fw + RE |

Campaign 2: "HR Paperwork Approval" — 19 messages

| User | Copies |
|---|---|
| seastman@glaztech.com | 7 |
| jack@glaztech.com | 4 |
| dominic@glaztech.com | 4 |
| bryce@glaztech.com | 1 |
| cesar@glaztech.com | 1 |
| daryld@glaztech.com | 1 |
| holly@glaztech.com | 1 |

Note: the reply from mike@azcomputerguru.com (our ticket response) in seastman@glaztech.com's mailbox was NOT deleted.


Would the fixes have prevented these attacks?

| Fix | Campaign 1 (Mailbox) | Campaign 2 (HR Paperwork) |
|---|---|---|
| MX removal | Yes for this delivery path. The EOP hostname is still derivable from the domain name, so this removes the advertisement rather than the endpoint. | Same |
| DMARC p=reject | Yes: SPF failed and there was no DKIM, so a message claiming From: glaztech.com is now rejected | Yes: same authentication failure |
| EFC | No: the mail did not flow through MailProtector, so there is no relayed-sender IP for EOP to look behind | No: same |
| Both fixes together | Blocked at two independent layers | Blocked at two independent layers |

Recommendations

Completed

  • MX 10 removed
  • DMARC tightened to p=reject
  • Enhanced Filtering enabled on connector
  • All phishing messages purged
  • Remediation tool onboarded for future investigations

Recommended follow-up

  • Security awareness training for staff: multiple employees forwarded and replied to obvious phishing
  • Determine whether any user clicked the links or entered credentials: review Entra ID sign-in logs for the 8 affected users from 2026-04-17 onward, check their mailboxes for newly created inbox rules or forwarding, and reset passwords and revoke sessions for anyone who submitted credentials
  • Enable DKIM signing for glaztech.com in M365 (CNAME records exist for selector1/selector2; confirm signing is actually enabled in the tenant). This matters more now that p=reject is in force: without a DKIM signature, legitimate glaztech.com mail that is forwarded, or sent through any relay not listed in SPF, fails DMARC and is rejected
  • Monitor DMARC aggregate reports: the record's rua value must be a mailto: URI (mailto:noreply@glaztech.com, not a bare address), so confirm the published form, and make sure the address is a monitored mailbox or a DMARC reporting service, otherwise rejected legitimate mail goes unnoticed
  • Verify MailProtector configuration is optimal (separate from this M365 investigation)

Forensic Evidence Preserved

| File | Contents |
|---|---|
| 2026-04-17-phishing-ATTN-mailbox-password.eml | Full MIME of Campaign 1 original (18,935 bytes) |
| 2026-04-17-phishing-ATTN-mailbox-password.json | Headers + body of Campaign 1 as JSON |
| 2026-04-17-phishing-HR-paperwork.eml | Full MIME of Campaign 2 original (11,392 bytes) |
| 2026-04-17-phishing-incident-report.md | This report |

Credentials / Access Used

  • Remediation tool: ComputerGuru - AI Remediation (App ID fabb3421-8b34-484b-bc17-e46de9703418)
  • Tenant: 82931e3c-de7a-4f74-87f7-fe714be1f160
  • Roles granted: Exchange Administrator (on service principal)
  • DNS: IX server (172.16.3.10), root access via SOPS vault

Report generated 2026-04-17 by Claude Code (AZ Computer Guru automated remediation tooling)