claudetools/clients/cascades-tucson/docs/cloud/m365-impersonation-protection.md
Author: Howard Enos
Machine: ACG-TECH03L
Timestamp: 2026-04-18 10:17:42


M365 Anti-Impersonation Protection — Cascades

Status: Documentation only — policy not yet configured. Requires Business Premium (Defender for Office 365 Plan 1) or equivalent Defender for O365 add-on; Business Standard alone does not include the anti-impersonation engine. Trigger: follow-up to Megan Hiatt's phishing email incident, 2026-04-17. Last updated: 2026-04-18 (Howard)

What this covers

Microsoft 365 Defender anti-phishing impersonation protection has two lists that need to be curated per tenant:

  1. Trusted senders / domains — partners we actually do business with. Adding them prevents legitimate mail from being caught by anti-impersonation rules (which flag lookalikes of these names/domains). This is NOT an allowlist that bypasses spam/malware scanning — it just tells the impersonation engine "yes, this one is the real one, anything that resembles it is suspect."
  2. Protected users — internal accounts that are high-value impersonation targets (executives, finance, anyone who can approve money or PHI disclosure). Inbound mail that mimics their display name from outside the tenant gets flagged.

For Cascades we're also protecting the domain cascadestucson.com itself so lookalike domains (e.g., cascadestucsom.com, cascadestuscon.com) get flagged as impersonation attempts.

Currently configured (per Howard's 2026-04-17 email)

Protected domains

  • cascadestucson.com
  • azcomputerguru.com

Protected users

  • Megan Hiatt
  • John Trozzi
  • Crystal Rodriguez
  • Meredith Kuhn
  • Tamra Matthews
  • "accounting" (presumably the accounting@cascadestucson.com shared mailbox / anything with that display name)

Verify on next portal visit: double-check the exact protected-users list in Defender → Policies → Anti-phishing → Impersonation. Howard's email lists "Megan, John, crystal, Meredith, accounting, crystal and tamra" — the duplicate "crystal" is probably a typo.

Trusted partners to add (from Megan Hiatt, 2026-04-17)

Megan's "top domains I regularly do business with" reply. Preferred configuration: add the domain where we want any sender on that domain trusted; add the specific email where we only want that one person trusted.

| Add as | Value | Business purpose |
| --- | --- | --- |
| User | Matt Hermes — Matt.Hermes@kold.com | KOLD-TV — local media |
| User | SoAPRA — soapra.npra@gmail.com | State senior-living industry assoc (individual Gmail — user, not domain) |
| User | Lovely Laurence Garcia — partnersuccess@caring.com | Caring.com partner success |
| User | Caring Leads Team — leadsteam@caring.com | Caring.com lead routing |
| User | Assisted Living Locators (N. Tucson) — sheril@assistedlivinglocators.com | Senior-living placement agency |
| User | Angel Ramirez — angel@placitacare.com | PlacitaCare — referral partner |
| User | Anne Connell — AnneC@cascadeliving.com | Cascade Living (parent / affiliated property — verify relationship) |
| User | A Place for Mom AR — ar@aplaceformom.com | APFM accounts receivable — referral fees |
| User | BillingWO@gray.tv | Gray Television — ad billing |
| User | 8x8 Support — noreply@8x8.com | VoIP vendor no-reply (may not need impersonation protection since it's already an automated sender — include per Megan) |
| User | C.J. Duque — cjduque@trucraftdesign.com | Tru Craft Design — vendor |
| User | compressionprinting@gmail.com | Compression Printing — vendor |
| User | Lisa Burns — lisab4421@gmail.com | Personal/individual partner contact |
| User | jbuenafe-leads@caring.com | Caring.com lead contact (one of many) |

Domain-level adds to consider (Howard to decide): because Cascades gets mail from many different addresses at Caring.com and aplaceformom.com, adding caring.com and aplaceformom.com as trusted domains instead of individual addresses saves constant curation. Megan explicitly called out that Caring.com contacts "are changing all the time." Adding the domain once covers them all. Only risk: if a domain itself is spoofed, any sender claiming to be from it will be trusted — but the anti-impersonation engine is specifically about lookalike sender domains, so this is the correct use case.

Recommended domain-level trusted partners:

  • caring.com — multiple contacts, constantly rotating
  • aplaceformom.com — same pattern (APFM has many reps)
  • kold.com — news media
  • assistedlivinglocators.com — agency with multiple reps
  • cascadeliving.com — confirm this is a legitimate affiliated property before trusting the whole domain
  • gray.tv — billing automation from multiple accounts

Individual addresses to keep as user-level entries (not domain):

  • The two gmail.com partners (Lisa Burns, Compression Printing) — cannot trust gmail.com as a domain, obviously
  • soapra.npra@gmail.com — same
  • angel@placitacare.com — small vendor, domain-level overkill
  • cjduque@trucraftdesign.com — same
  • noreply@8x8.com — utility address, not a lookalike impersonation target anyway; Megan may have listed it for general allowlisting rather than anti-impersonation — revisit

Outstanding / awaiting input

  • John Trozzi (per 2026-04-17 email, bottom of thread): "I will gather this information for you tomorrow." → follow up for his partners list.
  • Meredith Kuhn — did not respond yet on impersonation list; she's the one most likely to be impersonated in a wire-fraud attack as Executive Director. Follow up.
  • Ashley Jensen (Assistant ED, Accounting) — same; likely overlaps with Meredith's list heavily.
  • Cascade Living affiliation — Anne Connell at cascadeliving.com. Verify with Meredith whether Cascades of Tucson is owned/affiliated with Cascade Living properties before trusting the domain wholesale. If affiliated, add as trusted domain; if arm's-length, keep as user-level.

Implementation notes (when ready)

  1. Purchase Business Premium or Defender for O365 P1 add-on (impersonation engine lives in Defender, not EOP baseline)
  2. Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing → edit the Standard preset or create CSC - Anti-Phishing Standard
  3. Impersonation tab:
    • Add protected users (Meredith, Megan, John, Crystal, Tamra, Ashley — anyone who can approve money/PHI)
    • Add protected domains: cascadestucson.com, azcomputerguru.com, and any affiliated properties verified above
    • Add trusted senders/domains (sections above)
    • Action when user is impersonated: Quarantine message (not just "move to Junk" — attackers test Junk-only delivery)
    • Mailbox intelligence: On, with "impersonated users" action = Quarantine
  4. Spoof intelligence: On, with action Quarantine
  5. Turn on Safety Tips
  6. Review quarantine daily for first 2 weeks — tune the trusted list based on false positives
  7. Document in this file any legitimate senders we have to add mid-operation so the list stays authoritative
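The portal steps above, written out as the ExchangeOnlineManagement equivalent so the configuration can be applied and re-checked from a script rather than re-clicked. This is an added example, not code from this doc or from the Cascades tooling. Assumptions: the policy name `CSC - Anti-Phishing Standard` from step 2 and a rule name derived from it; the protected-user mailbox addresses, which this doc does not record, are marked as `<placeholders>` to fill in first (only accounting@cascadestucson.com is named above, and that as a presumption). The trusted-sender and trusted-domain arrays reproduce the lists in the sections above, with cascadeliving.com left out until the affiliation is verified. The cmdlets only succeed on a tenant that has Defender for Office 365 (step 1).

```powershell
# Added example: script equivalent of the Defender portal steps. Policy/rule names and
# the <placeholder> mailboxes are assumptions, not values recorded in this doc.
Connect-ExchangeOnline   # requires the ExchangeOnlineManagement module

# Protected users in the "Display Name;MailboxAddress" form the cmdlet expects.
# Mailbox addresses are placeholders; replace before running.
$protectedUsers = @(
    'Meredith Kuhn;<meredith-mailbox>@cascadestucson.com',
    'Megan Hiatt;<megan-mailbox>@cascadestucson.com',
    'John Trozzi;<john-mailbox>@cascadestucson.com',
    'Crystal Rodriguez;<crystal-mailbox>@cascadestucson.com',
    'Tamra Matthews;<tamra-mailbox>@cascadestucson.com',
    'Ashley Jensen;<ashley-mailbox>@cascadestucson.com',
    'accounting;accounting@cascadestucson.com'   # presumed shared mailbox, per the note above
)

$protectedDomains = @('cascadestucson.com', 'azcomputerguru.com')

# User-level trusted senders (entries this doc says to keep as users, not domains)
$trustedSenders = @(
    'Matt.Hermes@kold.com',
    'soapra.npra@gmail.com',
    'angel@placitacare.com',
    'cjduque@trucraftdesign.com',
    'compressionprinting@gmail.com',
    'lisab4421@gmail.com',
    'noreply@8x8.com'   # revisit: may be general allowlisting rather than anti-impersonation
)

# Domain-level trusted partners; cascadeliving.com deliberately omitted until affiliation is confirmed
$trustedDomains = @('caring.com', 'aplaceformom.com', 'kold.com', 'assistedlivinglocators.com', 'gray.tv')

$policyName = 'CSC - Anti-Phishing Standard'

# Settings from step 3 (Impersonation tab), step 4 (spoof intelligence) and step 5 (safety tips).
# Every "action" is Quarantine, matching the note that Junk-only delivery is not enough.
$policyParams = @{
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableOrganizationDomainsProtection = $true      # also covers every accepted domain in the tenant
    ExcludedSenders                     = $trustedSenders   # "Trusted senders" in the portal
    ExcludedDomains                     = $trustedDomains   # "Trusted domains" in the portal
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}

# Create the policy on first run; update it in place afterwards (idempotent re-runs)
if (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-AntiPhishPolicy -Identity $policyName @policyParams
} else {
    New-AntiPhishPolicy -Name $policyName @policyParams
    # The rule scopes the policy to recipients in the protected domains
    New-AntiPhishRule -Name "$policyName Rule" -AntiPhishPolicy $policyName `
        -RecipientDomainIs $protectedDomains -Priority 0
}

# Read back what is actually configured (the "verify on next portal visit" check)
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object TargetedUsersToProtect, TargetedDomainsToProtect, ExcludedSenders, ExcludedDomains

# Step 6: daily review of what this policy quarantined in the last 24 hours.
# False positives from real partners go into the trusted lists above, then re-run this script.
Get-QuarantineMessage -PolicyTypes AntiPhishPolicy -StartReceivedDate (Get-Date).AddDays(-1) |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, PolicyName |
    Sort-Object ReceivedTime -Descending |
    Format-Table -AutoSize
```

`ExcludedSenders` / `ExcludedDomains` are the impersonation engine's trusted lists only: mail from those addresses still passes through spam, malware and spoof-intelligence checks, which is the distinction the "What this covers" section draws. Keeping the two arrays at the top of the script, in the same order as the tables in this doc, makes step 7 a matter of editing one place and re-running.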

Related docs

  • docs/cloud/m365.md — overall M365 state
  • docs/cloud/p2-staff-candidates.md — staff P2 rollout (overlapping stakeholders)
  • docs/cloud/caregiver-m365-p2-rollout.md — phone-side rollout (different user population)
  • docs/security/hipaa.md — HIPAA program this feeds into