a92d2d3f2c162e569314777e1514f9ef059fd07e
Triggered by John Trozzi reporting a spoof email. Single-user check confirmed him clean (reported, not compromised). Tenant-wide sweep found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT - deltahost + ColoCrossing) plus a compromised-M365-tenant relay vector. Deleted 14 messages (Groups A+B) per Mike's explicit authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and user outbound forwards as evidence. Recommendations in report: DMARC p=quarantine/reject for cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl URL block, Defender impersonation protection.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Description
Custom Claude Code behaviors and workflows - Multi-mode operation system