9.8 KiB
title, slug, type, project_key, last_updated
| title | slug | type | project_key | last_updated |
|---|---|---|---|---|
| Quantum WMS | quantumwms | client | clients/quantumwms | 2026-06-01 |
Quantum WMS
Overview
| Field | Value |
|---|---|
| Company | Quantum Wealth Management |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant (CURRENT) | quantumwms.onmicrosoft.com / 2fd0092b-e9b7-474c-ad73-301f34dd6b64 — Pax8-provisioned 2026-05-27 |
| Old tenants (bypassed) | 8f7eaff4-... (NETORGFT2570783, GoDaddy/johnvelez) and dormant ddf3d2c9-... (netorg18235235) — NOT in use |
| GoDaddy admin | plan@johnvelez.com (John Velez) — ACG has delegate access |
| Project key | clients/quantumwms |
2026-07-08 GPS-RMM reconciliation
GPS 4 billed (matches RMM 4) (Winter/Mike, 2026-07-08).
Current Status (2026-06-01)
- 6/03 license-lapse deadline: RESOLVED. Both firm users are M365 Business Premium licensed AND have activated Office (John + Sheila both signed into Microsoft Office from the Tucson office 2026-05-27). They will not lose Office apps when M365 Personal lapses 2026-06-03.
- Mail still on Intermedia (HEX). MX cutover to Exchange Online not yet done; mailboxes in the new tenant are still empty.
- Migration remainder pending: PST backups (pre-cutover), MX/mail cutover, CA enforcement, Defender for Business onboarding, DMARC/SPF/DKIM, DNS -> Cloudflare, Exchange Online Plan 1 for personal-domain accounts, GoDaddy/Intermedia cancellation.
[WARNING] Security: active password-spray on john@quantumwms.com
Read-only review 2026-06-01 (see clients/quantumwms/reports/2026-06-01-m365-review.md):
john@quantumwms.comhit by a distributed password-spray — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess). 0 successful malicious logins — account NOT breached (Entra blocked the IPs; password guesses failed).- Exposure: John is NOT MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (require-MFA, block-non-US) are report-only. Security Defaults is ON but only protects users who have registered MFA — neither John nor Sheila has.
- Recommended (not yet done): force-reset John's password; drive both users through MFA registration; enforce CA001 (MFA) + CA003 (block non-US) now (break-glass already excluded).
Contacts
| Name | Role | Notes |
|---|---|---|
| John Velez | Primary / M365 global admin | plan@johnvelez.com; GoDaddy account owner for both domains |
| Sheila Peress | Owner/principal | sheilaperess.com personal domain; compliance decision-maker; final say on license tier |
Current Email Infrastructure
- Registrar: GoDaddy (quantumwms.com + sheilaperess.com) — ACG has delegate access
- DNS: GoDaddy DomainControl (NS03/NS04.DOMAINCONTROL.COM) — no DNSSEC
- Mail routing: Intermedia hosted Exchange —
exch090.serverdata.netcluster (east/west)- IP:
64.78.25.106(Intermedia data center) - Autodiscover:
ar-east.exch090.serverdata.net - This is Exchange Server software hosted by Intermedia, NOT Exchange Online
- IP:
- Intermedia setup: Appears hybrid on-premises Exchange — carries full Exchange Server CVE exposure
DNS / Email Security Gaps (CRITICAL)
| Record | Status | Impact |
|---|---|---|
| DMARC | MISSING | Anyone can spoof @quantumwms.com with no enforcement |
| SPF | TWO RECORDS (misconfiguration) | RFC 7208 allows only one; causes unpredictable SPF evaluation and deliverability failures |
| DKIM | Not found on standard selectors | Outbound mail not cryptographically signed |
| DNSSEC | Not signed | Domain hijack risk |
SPF records found (conflict):
v=spf1 include:spf.intermedia.net -allv=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all
M365 Tenant (CURRENT — 2fd0092b)
- Tenant:
2fd0092b-e9b7-474c-ad73-301f34dd6b64("Quantum Wealth Management"), Pax8-provisioned 2026-05-27 - Domains:
quantumwms.onmicrosoft.com(initial),quantumwms.com(primary, verified) - Management: Pax8 GDAP "Default_Ariz_Quantum Weal_704149625747913" (180 days). All 5 ComputerGuru remediation apps consented w/ directory roles.
- Email: still on Intermedia HEX — MX not yet cut to Exchange Online.
Users (verified 2026-06-01)
| UPN | Display | License | MFA registered | Notes |
|---|---|---|---|---|
john@quantumwms.com |
John Velez | Business Premium (SPB) | No | Office activated 5/27; under password-spray (see Security) |
sheila@quantumwms.com |
Sheila Peress | Business Premium (SPB) | No | Office activated 5/27; 8 clean sign-ins |
sysadmin@quantumwms.com |
Mike Swanson | none | Yes (Authenticator + TOTP) | Global Admin (daily) |
breakglass@quantumwms.onmicrosoft.com |
Break Glass | none | No (by design) | Emergency GA, CA-excluded, vaulted at clients/quantumwms/m365-breakglass.sops.yaml |
Conditional Access (all report-only as of 2026-06-01 — enforcing nothing)
- CA001 Require MFA (all users), CA002 Block legacy auth, CA003 Block sign-in outside US — each excludes break-glass. Security Defaults is ON (interim MFA).
Consent URL (Tenant Admin tier)
https://login.microsoftonline.com/8f7eaff4-f913-4d3f-b8b9-92e695d987c6/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
Post-consent onboard command:
bash onboard-tenant.sh 8f7eaff4-f913-4d3f-b8b9-92e695d987c6
Compliance Context: Broker/Dealer Requirements
John and Sheila believe Intermedia is mandated by their Broker/Dealer. This is almost certainly incorrect.
What SEC Rule 17a-4 / FINRA Rule 4511 actually require
- Electronic communication retention (3 years accessible, 6 years total for most records)
- Non-rewritable, non-erasable (WORM-compliant) archiving
- Supervisory review capability
- Ability to produce records on regulatory demand
What they do NOT require
- Intermedia specifically
- Any named third-party vendor
- Exchange Server or hosted Exchange
Microsoft 365 satisfies all FINRA/17a-4 requirements
Microsoft Purview (included in Business Premium) provides WORM-compliant archiving with a CFTC/SEC 17a-4 compliance attestation from Cohasset Associates. The majority of FINRA-registered broker/dealers run on Exchange Online. FINRA has published guidance explicitly endorsing cloud-based recordkeeping.
Action item (BLOCKER)
Sheila has been asked to produce written policy from the Broker/Dealer that explicitly names Intermedia as the required platform. This policy is expected not to exist — the B/D policy will require compliant archiving, not a specific vendor. Resolution expected before meeting 2026-05-27 14:00.
Recommended Architecture: M365 Business Premium + Mailprotector
License Plan
| Account | License | Domain |
|---|---|---|
| John (firm) | M365 Business Premium | quantumwms.com |
| Sheila (firm) | M365 Business Premium | quantumwms.com |
| Sheila (personal) | Exchange Online Plan 1 | sheilaperess.com |
| Others TBD | Exchange Online Plan 1 | TBD |
What Business Premium provides over Intermedia
| Capability | Intermedia Hosted Exchange | M365 Business Premium |
|---|---|---|
| Exchange Server (hosted) | Exchange Online (Microsoft cloud) | |
| Exchange CVE exposure | YES — full Server CVE surface | No — Microsoft patches same-day |
| Spam/malware filtering | Basic | Defender for Office 365 Plan 1 (Safe Links, Safe Attachments) |
| Frontend filtering | None | Mailprotector (ACG-managed) |
| MFA enforcement | Manual | Entra ID P1 — Conditional Access |
| FINRA archiving | Intermedia archiver (extra cost) | Microsoft Purview — included |
| Desktop Office apps | No | Yes (Word, Excel, Outlook, etc.) |
| Mobile device management | No | Intune — included |
| DMARC/DKIM setup | Not managed | ACG-managed during migration |
Migration Steps
- [DONE] Get consent from John (2026-05-26)
- Obtain written B/D compliance policy from Sheila — confirm no Intermedia mandate
- Add quantumwms.com as verified domain to johnvelez.com tenant
- Purchase 2x Business Premium (direct or ACG CSP)
- Create firm mailboxes (john@quantumwms.com, sheila@quantumwms.com)
- Assign Business Premium licenses
- Set up Mailprotector frontend for quantumwms.com
- Configure DMARC, fix SPF (single record), configure DKIM
- Cut MX from Intermedia → Exchange Online
- Migrate existing mail from Intermedia → Exchange Online
- Activate Office apps on their machines
- Cancel Intermedia after cutover confirmed
- Move DNS (quantumwms.com + sheilaperess.com) to Cloudflare
- Purchase Exchange Online Plan 1 for personal domain accounts
- Cancel GoDaddy email hosting per account as each migrates
GoDaddy Decoupling Plan
- DNS: move both domains to Cloudflare (transfer locks must be removed in GoDaddy first)
- M365 licensing: swap GoDaddy-resold O365 Business Essentials → Business Premium
- Intermedia: cancel after mail cutover confirmed
Open Items
- RESOLVED: B/D compliance "Intermedia mandate" — IFG (Jen Curry) confirmed Intermedia HEX is being phased out and recommended the move to M365 (2026-05-27).
- DONE: 2x Business Premium licensed + Office activated for John & Sheila (2026-05-27) — 6/03 lapse risk cleared.
- SECURITY (new, 2026-06-01): force-reset John's password; get John + Sheila MFA-registered; enforce CA001 + CA003 (john@ under active password-spray, currently failing).
- PST backups of John + Sheila mailboxes before Intermedia cutover.
- Mail/MX cutover Intermedia HEX -> Exchange Online; then migrate existing mail.
- Defender for Business onboarding; DMARC, single SPF, DKIM.
- DNS for both domains -> Cloudflare.
- Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade; determine additional personal-domain accounts.
- Cancel GoDaddy email hosting + Intermedia per account as each migrates.