azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
924f326e7ffae358ee8de6b4e08126ddbaa0dd4c
claudetools/clients/cascades-tucson/reports/2026-04-21-spoofing-hunt.md
Howard Enos 924f326e7f sync: auto-sync from ACG-TECH03L at 2026-04-21 08:09:28 
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-21 08:09:28
2026-04-21 08:09:38 -07:00

8.4 KiB
Raw Blame History

Cascades Tucson — Spoofed Email Hunt

Date: 2026-04-21 Tenant: Cascades of Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498) Subject: Tenant-wide email spoofing posture (inbound + domain authentication) Tool: Remediation-tool skill (public-DNS only — see Gaps) Scope: READ-ONLY Analyst: Howard Enos (ACG-Tech03L)

Summary

  • Public domain-auth posture is largely solid. SPF is strict (-all), DKIM publishes both M365 selectors, DMARC is at p=quarantine; pct=100.
  • One real finding: DMARC aggregate + forensic reports route to info@cascadestucson.com — an internal mailbox. No third-party DMARC aggregator is parsing failures. We have zero visibility into who is trying to spoof this domain.
  • Lookalike domain landscape is clean for common variants (no A records on cascadetuscon.com, cascadestuscon.com, cascadestucson.co/.net/.org, cascades-tucson.com). Worth a deeper scan if concern warrants.
  • Inbound-side hunt is BLOCKED — Cascades is only consented to the deprecated app (fabb3421), and the new tiered-app secrets are missing from Howard's local vault. Cannot run message trace, anti-phishing policy review, transport-rule audit, or quarantine review without one of: (a) syncing the new app secrets from Mike's vault, or (b) consenting Security Investigator in Cascades.
  • SPF includes one non-Microsoft IP (72.194.62.5) — identified as ix.azcomputerguru.com (our own iXsystems host). Authorized, not a finding.

Target details

Field Value
Domain cascadestucson.com
Tenant ID 207fa277-e9d8-4eb7-ada1-1064d2221498
M365 base domain NETORGFT4257522.onmicrosoft.com
MX cascadestucson-com.mail.protection.outlook.com (M365 only)
App suite status Old app only (fabb3421); tiered suite not consented

Per-check findings

1. SPF

v=spf1 ip4:72.194.62.5 include:spf.protection.outlook.com -all
  • Mechanism: strict -all (hard fail) — correct posture.
  • Authorized senders: M365 (spf.protection.outlook.com) + one explicit IP 72.194.62.5.
  • 72.194.62.5 identification: rDNS ix.azcomputerguru.com, ARIN block NETBLK-PH-CBS-72-194-48-0 (Cox Business). This is ACG's own ix-server — presumably used for on-prem scan-to-email or a mail relay for Cascades. Not a finding.
  • No third-party SPF includes (no MailChimp, Constant Contact, HubSpot, etc.). Clean.

2. DKIM

  • selector1._domainkey.cascadestucson.com -> selector1-cascadestucson-com._domainkey.NETORGFT4257522.onmicrosoft.com (M365 standard).
  • selector2._domainkey.cascadestucson.com -> selector2-cascadestucson-com._domainkey.NETORGFT4257522.onmicrosoft.com (M365 standard).
  • Both DKIM selectors are published. Can't confirm Exchange is actually signing without Exchange access (Get-DkimSigningConfig — blocked, see Gaps). Publish state is a prerequisite but not proof of enforcement.

3. DMARC

v=DMARC1; p=quarantine; pct=100; rua=mailto:info@cascadestucson.com; ruf=mailto:info@cascadestucson.com; ri=86400; fo=1;
Tag Value Assessment
p quarantine Acceptable — quarantines failures. reject is stronger but higher-risk to deploy without monitoring.
pct 100 Full enforcement — good.
rua info@cascadestucson.com FINDING — aggregate reports go to an internal mailbox. No one is parsing them.
ruf info@cascadestucson.com FINDING — forensic reports (full failing messages) go to an internal mailbox. Privacy/noise risk + no analysis.
ri 86400 (24h) Standard reporting interval.
fo 1 Forensic generated on ANY SPF/DKIM fail — aggressive, OK for investigation.
sp (unset) Subdomain policy inherits from p — acceptable.
adkim/aspf (unset, relaxed default) Acceptable.

Subdomain DMARC: no subdomain-specific record observed at _dmarc.sub.cascadestucson.com, so subdomain behavior falls back to the org policy — fine.

4. Lookalike-domain quick scan

No A records for any of these obvious variants:

Candidate Status
cascadetuscon.com no A record
cascadestuscon.com no A record
cascadestucson.co no A record
cascadestucson.net no A record
cascadestucson.org no A record
cascades-tucson.com no A record

Not exhaustive — a proper lookalike hunt would also check registrations without A records (squatters parking domains), homoglyphs (Cyrillic "а", ""), and newly-registered variants. Not done in this pass.

5. Inbound spoofing attempts — BLOCKED (see Gaps)

Needed but not collected (require Exchange Online access):

  • Message trace for last 730 days filtering on SenderAddress matching internal-spoofing patterns (same domain, but from external IP).
  • Anti-phishing policy review — spoof intelligence enabled? Impersonation protection configured for executives (Meredith, etc.)?
  • Quarantine review — currently-quarantined messages tagged as spoofing.
  • Transport rules — any rule bypassing SCL/anti-phish for specific senders (a known attacker persistence technique).
  • Accepted domains — verify no unauthorized domains added as internal.
  • Connection filter policy — any IPs improperly on the Allow list.
  • Defender for O365 alerts (if licensed) — MDO spoof detections.

Suspicious items (from public data)

  • DMARC reports are a blind spot. rua=mailto:info@cascadestucson.com means aggregate reports from every receiver on the internet are flowing into the same mailbox Cascades uses for external-facing communication — nobody is aggregating them. If someone is actively spoofing cascadestucson.com at scale, we'd have no idea unless a user happened to read those XML attachments. High-leverage fix — point rua (and optionally ruf) at a DMARC aggregator (dmarcian, EasyDMARC, Valimail — all have free tiers for small-volume domains).

Gaps — checks not completed

All inbound / Exchange-side checks are blocked by tooling state:

  1. Cascades is not onboarded to the new app suite. Per references/tenants.md (row cascadestucson.com): "Old app only; IdentityRiskyUser not consented". Tiered Security Investigator never got consent in this tenant.
  2. Even if consented, Howard's vault is missing the new-suite client secrets. Expected at D:/vault/msp-tools/computerguru-security-investigator.sops.yaml — file does not exist. These secrets live in Mike's vault (DESKTOP-0O8A1RL) and have not been committed/synced to the shared vault repo.
  3. The old app (fabb3421) IS consented in Cascades and its secret IS present at D:/vault/msp-tools/claude-msp-access-graph-api.sops.yaml. However get-token.sh has no tier mapping for the old app (intentional — it's deprecated). Using it would require a one-off script. The remediation-tool design explicitly pushes toward migrating off it.

Recommended unblock (pick one):

  • Option A (preferred): Mike commits/pushes new-suite SOPS files from his vault to the shared vault repo, then Howard pulls. Enables running this hunt on ANY tenant from Howard's box going forward.
  • Option B: Consent Security Investigator in Cascades now (send Global Admin the consent URL below), then Option A is still needed to acquire a token on Howard's box.

Security Investigator consent URL for Cascades:

https://login.microsoftonline.com/207fa277-e9d8-4eb7-ada1-1064d2221498/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent

Next actions

  1. Decision on unblock path — Howard to coordinate with Mike on vault sync (Option A above). Blocks full inbound hunt.
  2. DMARC reporting fix — update _dmarc.cascadestucson.com TXT record to route rua (and ruf) at a DMARC aggregator. Pending client approval. Requires DNS access at cascadestucson.com registrar. Est. 15 min.
  3. Deeper lookalike-domain scan — out of scope for this pass; consider running dnstwist or a registrar monitoring service if spoofing pressure is elevated.
  4. Once unblocked, re-run with: message trace last 30d for cascadestucson.com spoofing indicators, anti-phishing policy inventory, transport rules, quarantine review, Defender alerts (if MDO licensed).

Remediation actions

None taken. This pass was read-only / public-DNS only.

Data artifacts

No raw JSON produced (tokens were not acquired). DNS lookups are reproducible from the commands in the Per-check findings section.

Reference in New Issue View Git Blame Copy Permalink