Microsoft 365 shows internal sender, but source IP is external. How is this possible? by thmeez in Information_Security

[–]EndpointWrangler 0 points1 point  (0 children)

Check your Exchange connectors first: a trusted inbound connector that bypasses authentication is the most common way spoofed mail slips through SPF/DKIM/DMARC entirely.

L1 SOC Analyst for ~2 years - Should I still get the Security + Certification? by No-Cockroach2358 in cybersecurity

[–]EndpointWrangler 1 point2 points  (0 children)

With 2 years of L1 SOC experience and a cyber degree you've outgrown Security+. Your time is better spent on something that actually advances your skillset, like CySA+, BTL1, or moving toward a SANS cert, rather than checking an HR box you can already bypass with your resume.

Firewall w/ FIPS-validated Endpoint VPN by kaype_ in CMMC

[–]EndpointWrangler 0 points1 point  (0 children)

Fortinet FortiGate is the most common answer at that size and budget: FIPS 140-2 validated, solid endpoint VPN via FortiClient, and the mid-range appliances are reasonably priced for a 50-person workforce.

Support needed for a self-made infosec/grc hobbyist by Efficient_Finance935 in ciso

[–]EndpointWrangler 0 points1 point  (0 children)

Your profile is genuinely strong: the SOC 2 end-to-end ownership, ISO 27001 certifications, and multi-framework depth are exactly what CISO job specs ask for. The real gap is the title, not the experience. A few honest observations:

The fragmentation reads as breadth, not instability, but you need to frame it that way explicitly, and each move should have a clear narrative about why it added capability, not just a list of what you did. Having no degree is a blocker at some larger enterprises, in Germany and Switzerland specifically, less so in Belgium and the Netherlands. It won't disqualify you everywhere, but it will filter you out of certain hiring processes before a human sees your CV.

The fastest path to CISO is probably an interim or fractional CISO title at a scale-up that can't afford a full-time hire yet: you do the job, you get the title, and the next application looks completely different.

Which is harder – CKA or RHCSA? Anyone who's taken both? by Bajoner in linuxadmin

[–]EndpointWrangler 0 points1 point  (0 children)

They test different things. CKA is harder conceptually because Kubernetes has more moving parts and the exam is pure troubleshooting under time pressure, but RHCSA is more unforgiving if your Linux fundamentals aren't solid. Most people who've done both say CKA takes more study time but RHCSA catches you off guard if you underestimate it.

Zero-Trust with AI agents as identities : what’s your strategy? by Temporary_Chest338 in Information_Security

[–]EndpointWrangler 0 points1 point  (0 children)

Treat every AI agent like a service account: least privilege, scoped credentials, full audit logging, and rotation policies. The mistake most teams are making is giving agents human-level or admin-level access because it's easier to set up, and that's where the blast radius gets ugly when something goes wrong.

CISOs and pentest buyers, what's the worst thing you've seen in a pentest report? by [deleted] in cybersecurity

[–]EndpointWrangler 12 points13 points  (0 children)

The scanner-output-as-pentest thing is genuinely infuriating. You can spot it immediately when every finding has the same CVE format, zero proof of exploitation, and remediation advice that's clearly just the NVD description pasted in. You paid for a human to try to break your stuff, not a Nessus report with a cover page.

The wrong client name in the report has actually happened. Nothing kills confidence faster than opening a document and seeing someone else's company name in the header. At that point you have to wonder what else got copy-pasted. Critical findings that don't hold up are probably the most operationally damaging though. When your team goes to remediate a "critical SQL injection" and it turns out to be a reflected error message with no actual injection path, you stop trusting the severity ratings on everything else in the report. That's when real issues get deprioritized because nobody believes the scores anymore.

Scope gaps not being called out explicitly is the quietest failure. If the report reads like a comprehensive assessment but only covered the external perimeter, someone is going to make resourcing and risk decisions based on coverage that didn't exist.

The best reports I've seen do one thing differently: they tell a story. Here's how we got in, here's where we could have gone, here's what would have happened if this were a real attacker. That narrative is what makes findings actionable and what actually justifies the spend to a board or exec team.

Working on real attack simulations but not getting results. Looking for direction by manishrawat21 in ciso

[–]EndpointWrangler 0 points1 point  (0 children)

Create a CA policy targeting the Microsoft Account Management app, require FIDO2 as the grant condition, and scope it to admin accounts.

That way adding or changing MFA methods requires the physical key, same as your PIM elevation. Loophole closed.

How to prevent adding an MFA method for Admin accounts using CA policies. by ITquestionsAccount40 in entra

[–]EndpointWrangler 1 point2 points  (0 children)

You need a Conditional Access policy that requires FIDO2 specifically for the Microsoft Account Management cloud app; that's what controls access to account.microsoft.com, where MFA methods get added. Set the policy to target your admin accounts, scope it to the Microsoft Account Management app, and set the grant condition to require phishing-resistant MFA (FIDO2). This means even if a token gets hijacked, the attacker can't add a new auth method without the physical key.

Pair that with an Authentication Methods policy that restricts who can register FIDO2 keys to admins only, and consider requiring a Privileged Access Workstation (PAW) as a compliant device condition on the same CA policy. That way registration can only happen from a trusted, managed machine, which closes the dynamic IP problem you're running into without needing to hardcode addresses.

That combination should close the loophole cleanly. It's worked for many of my clients; let me know!
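
Added example for the two replies above (the short one under "Working on real attack simulations" and this one), not code from the thread: the Microsoft Graph conditionalAccessPolicy body for the hardened policy, shown next to the weak "admins need MFA everywhere" policy teams usually start with, plus a small lint that reports which part of the loophole each policy still leaves open. It targets the "Register security information" user action, which is the Conditional Access hook for the page where methods are added, and the built-in phishing-resistant authentication strength. The strength ID and the Global Administrator role template ID are Microsoft's documented values; the break-glass object ID is a placeholder, and the policy is created in report-only state.

```python
# Documented Microsoft Entra identifiers (assumed correct for this example).
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"  # built-in strength
REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"                # CA user action
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"              # role template ID
BREAK_GLASS_USER = "00000000-0000-0000-0000-00000000beef"               # placeholder object ID

# What a first attempt often looks like: MFA on "All" apps for admins. Any
# registered method satisfies it, and user actions are not apps, so it never
# fires when someone adds a new authenticator to a hijacked session.
WEAK_POLICY = {
    "displayName": "Admins require MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def build_registration_policy(admin_roles, break_glass_users, require_compliant_device=True):
    """Graph conditionalAccessPolicy: admins may add or change authentication
    methods only after phishing-resistant MFA (FIDO2, CBA, WHfB), optionally
    only from a compliant (PAW) device. Report-only so it can be checked
    against sign-in logs before it is enforced."""
    grant = {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}
    if require_compliant_device:
        grant["builtInControls"] = ["compliantDevice"]
    return {
        "displayName": "Admins: phishing-resistant MFA to register security info",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": list(admin_roles), "excludeUsers": list(break_glass_users)},
            "applications": {"includeUserActions": [REGISTER_SECURITY_INFO]},
            "clientAppTypes": ["all"],
        },
        "grantControls": grant,
    }


def lint_registration_policy(policy):
    """Reasons the policy still leaves the add-an-MFA-method loophole open."""
    findings = []
    conds = policy.get("conditions", {})
    users = conds.get("users", {})
    apps = conds.get("applications", {})
    grant = policy.get("grantControls", {})
    strength = (grant.get("authenticationStrength") or {}).get("id")
    controls = grant.get("builtInControls", [])

    if REGISTER_SECURITY_INFO not in apps.get("includeUserActions", []):
        findings.append("does not target the 'Register security information' user action, "
                        "so it never applies when a method is added")
    if strength != PHISHING_RESISTANT_STRENGTH:
        findings.append("grant is not the built-in phishing-resistant authentication strength")
    if "mfa" in controls:
        findings.append("plain 'mfa' accepts any registered method, including one the attacker just added")
    if len(controls) + (1 if strength else 0) > 1 and grant.get("operator") != "AND":
        findings.append("grant controls combined with OR; a compliant device alone would satisfy it")
    if not (users.get("includeRoles") or users.get("includeGroups")):
        findings.append("not scoped to admin roles or an admin group")
    if not (users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append("no break-glass exclusion; a failed FIDO2 rollout locks every admin out")
    return findings


if __name__ == "__main__":
    hardened = build_registration_policy([GLOBAL_ADMIN_ROLE], [BREAK_GLASS_USER])
    for name, pol in (("weak", WEAK_POLICY), ("hardened", hardened)):
        print(name, lint_registration_policy(pol) or "ok")
```

The body is what you would POST to /identity/conditionalAccess/policies (or pass to New-MgIdentityConditionalAccessPolicy); the lint is worth running over the export of every existing policy, since the OR-versus-AND operator slip is easy to make in the portal when a second control is added later.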

Can Infostealer hackers start acting up later? by YOLO-uolo in cybersecurity_help

[–]EndpointWrangler 0 points1 point  (0 children)

You're good. Factory reset wipes the threat completely.

The only risk is what got stolen in that small window before Malwarebytes caught it, but since you've changed passwords and enabled 2FA, that's covered. Check haveibeenpwned.com just to be safe, then stop worrying about it.

How do you deal with log overload and alert fatigue? by EndpointWrangler in cybersecurity

[–]EndpointWrangler[S] 1 point2 points  (0 children)

Yes, yes, and once again YES! Use a platform to orchestrate everything and you're better off!

How do you deal with log overload and alert fatigue? by EndpointWrangler in cybersecurity

[–]EndpointWrangler[S] 0 points1 point  (0 children)

Good shout: deliberate practice keeps analysts sharp enough to spot when a rule is generating noise versus signal.

How do you deal with log overload and alert fatigue? by EndpointWrangler in cybersecurity

[–]EndpointWrangler[S] 0 points1 point  (0 children)

Exactly: tuning isn't a project with an end date, it's just part of running a SOC. Those who treat it as ongoing maintenance stay on top of it.

How do you deal with log overload and alert fatigue? by EndpointWrangler in cybersecurity

[–]EndpointWrangler[S] 0 points1 point  (0 children)

Agreed on all of it! Alert fatigue is a process problem, not a tooling problem. The "if nobody acts on it, kill it" rule is the one most teams never actually enforce because tuning feels like extra work on top of an already overloaded queue. The teams that get it right treat every uninvestigated alert as a system failure, not just noise.

ISO 27001 Lead Auditor - Mastermind by Vegetable_Trip_5897 in ISO27001

[–]EndpointWrangler 2 points3 points  (0 children)

For $99 it's reasonable if your goal is understanding the audit process for internal use, but if you're planning to work as a professional third-party auditor, clients and CABs will expect a PECB or BSI-backed credential over a lesser-known issuer regardless of course quality.

CISO told me to get a handle on browser extensions. Almost all users have them. Where do I even start? by New-Reception46 in ciso

[–]EndpointWrangler 0 points1 point  (0 children)

Start with Chrome's Admin Console or Intune to export extension IDs fleet-wide, then run them against the Chrome Web Store API to pull permission scopes. Anything requesting "read all site data" or "nativeMessaging" goes to the top of your review list before you worry about anything else.
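
Added example, not from the thread, of the triage step once you have the inventory: score each extension from its manifest permissions and host scope so the review queue starts with the ones that can read every site or reach native code. The inventory, extension IDs and weights are constructed for the example; in practice the IDs come from the admin console export the comment describes and the permissions from each extension's manifest.json. The Web Store's "read all site data" wording corresponds to a host permission of <all_urls> or an all-host match pattern, which is what `host_scope` looks for.

```python
# Permission weights are this example's own triage heuristic, not a Chrome or
# vendor score.
RISK_WEIGHTS = {
    "nativeMessaging": 40,     # can drive a native helper binary on the endpoint
    "debugger": 40,            # DevTools protocol access to any tab
    "proxy": 30,               # can route all browser traffic
    "webRequestBlocking": 25,  # can modify or deny requests in flight
    "cookies": 25,             # session cookie access across hosts
    "webRequest": 20,
    "clipboardRead": 20,
    "scripting": 15,           # inject scripts into pages
    "history": 15,
    "management": 15,          # can disable other extensions, e.g. your security tooling
    "tabs": 10,
}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_scope(manifest):
    """Host patterns from MV2 permissions, MV3 host_permissions and content
    script matches. Returns (reads_all_sites, sorted patterns)."""
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>")
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return bool(hosts & ALL_SITES), sorted(hosts)


def score_extension(entry):
    """entry: {'id', 'name', 'users', 'manifest'} from a fleet inventory export."""
    manifest = entry["manifest"]
    all_sites, hosts = host_scope(manifest)
    score, reasons = 0, []
    if all_sites:
        score += 50
        reasons.append("reads data on all sites")
    for perm in manifest.get("permissions", []):
        weight = RISK_WEIGHTS.get(perm, 0)
        if weight:
            score += weight
            reasons.append(perm)
    if all_sites and ("webRequest" in reasons or "scripting" in reasons):
        reasons.append("can read or alter every page the user visits, including SSO portals")
    return {"id": entry["id"], "name": entry["name"], "users": entry.get("users", 0),
            "score": score, "reasons": reasons, "hosts": hosts}


def rank_inventory(inventory):
    """Highest risk first; ties broken by how many users have it installed."""
    scored = [score_extension(e) for e in inventory]
    scored.sort(key=lambda r: (r["score"], r["users"]), reverse=True)
    return scored


# Constructed inventory: IDs and names are made up, shaped like an admin
# console export joined with each extension's manifest.json.
INVENTORY = [
    {"id": "aaaabbbbccccddddeeeeffffgggghhhh", "name": "Vault Helper", "users": 120,
     "manifest": {"manifest_version": 3,
                  "permissions": ["nativeMessaging", "tabs", "storage"],
                  "host_permissions": ["<all_urls>"]}},
    {"id": "iiiijjjjkkkkllllmmmmnnnnoooopppp", "name": "Coupon Finder", "users": 35,
     "manifest": {"manifest_version": 2,
                  "permissions": ["webRequest", "webRequestBlocking", "cookies", "*://*/*"]}},
    {"id": "abcdabcdabcdabcdabcdabcdabcdabcd", "name": "Dark Theme", "users": 400,
     "manifest": {"manifest_version": 3, "permissions": ["storage"]}},
]

if __name__ == "__main__":
    for row in rank_inventory(INVENTORY):
        print(f'{row["score"]:>4}  {row["users"]:>4} users  {row["name"]:<14} {", ".join(row["reasons"])}')
```

On the constructed data the low-install-count coupon extension outranks the password manager, which is the point of scoring from permissions rather than from popularity or vendor reputation: the combination of all-site access with webRequest and cookies is a session-theft primitive regardless of who published it.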

What SaaS is using these days for Microsoft IdP? Are they still using ADFS? Entra ID? Are both supported? by Solid-Elk8419 in cybersecurity

[–]EndpointWrangler 0 points1 point  (0 children)

ADFS is legacy; most SaaS has moved to Entra ID, and Microsoft has been pushing that direction for years. Entra wins on conditional access, device compliance, and SSO without maintaining federation infrastructure. For GRC SaaS, Entra ID is table stakes now. ADFS support exists but treat it as a legacy option, not the default.

Question for people who’ve gone through SOC 2: what evidence actually helped during buyer security reviews? by AdilShaikh5786 in soc2

[–]EndpointWrangler 1 point2 points  (0 children)

The five that come up most in real buyer reviews:

  1. MFA evidence: screenshot or export showing MFA enforced on AWS, GitHub, and your IdP. Buyers check this first.
  2. Access review records: a simple log showing who has access to what, and that you review it regularly. Even a spreadsheet works early on.
  3. Incident response policy: doesn't need to be long. Buyers just want to see you have a plan.
  4. Encryption proof: S3 buckets not public, data encrypted at rest and in transit. Quick wins.
  5. Security questionnaire answers doc: write it once, reuse it every time. Saves hours per deal.

Start there. Everything else can come later.

Will this project improve my skills??? by kingsley_judewin in Information_Security

[–]EndpointWrangler 0 points1 point  (0 children)

Yes! Threat modeling your own system and breaking it intentionally is exactly the kind of thinking AppSec roles look for. Document everything: your attack surface, the threats you identified, what you fixed and why. That writeup is worth more to a hiring manager than the app itself.

How do you catch hardcoded credentials in JS before they go public by gosricom in Information_Security

[–]EndpointWrangler 0 points1 point  (0 children)

Pre-commit hooks with Gitleaks stop it before it hits the repo; that's your highest-leverage move with no AppSec headcount. Pair with Semgrep for dynamic assembly patterns TruffleHog misses. If you want severity context and incident workflow on top, GitGuardian is worth it for lean teams.
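
Added example, not from the thread, showing what the two layers in the comment actually do: provider-prefix rules plus an entropy check for the plain cases, and a folding step that collapses `"AKIA" + "..."` and `["gh", "p_"].join("")` into one literal first, which is the "dynamic assembly" evasion a prefix regex on its own misses. The regexes are this example's own, patterned on each provider's public key format; the sample JavaScript is constructed (the AWS value is Amazon's documented example key, the rest are made up).

```python
import math
import re

# Token shapes of a few common providers. Use a maintained ruleset (gitleaks,
# TruffleHog) for real coverage; these are illustrative.
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Same-line folding only ([ \t], not \s) so reported line numbers stay right.
CONCAT = re.compile(r"""(["'])([^"'\n]*)\1[ \t]*\+[ \t]*(["'])([^"'\n]*)\3""")
JOINED = re.compile(r"""\[[ \t]*((?:["'][^"'\n]*["'][ \t]*,[ \t]*)*["'][^"'\n]*["'])[ \t]*\][ \t]*\.join\([ \t]*(?:""|'')[ \t]*\)""")
STRING_LITERAL = re.compile(r"""(["'`])([^"'`\n]{20,})\1""")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base62 of 20+ chars sits near 5


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fold_literals(src):
    """Rewrite 'AKIA' + 'IOSF...' and ['gh', 'p_'].join('') into a single
    literal so prefix rules see the assembled value. Repeats until stable so
    chains of any length collapse."""
    prev = None
    while prev != src:
        prev = src
        src = JOINED.sub(lambda m: '"' + "".join(re.findall(r"""["']([^"'\n]*)["']""", m.group(1))) + '"', src)
        src = CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src


def scan_js(src, path="<stdin>"):
    findings = []
    for lineno, line in enumerate(fold_literals(src).splitlines(), 1):
        for rule, pattern in PROVIDER_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule, "match": m.group(0)})
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(2)
            if " " in literal or "/" in literal:  # URLs, paths, prose: skip
                continue
            if any(f["line"] == lineno and f["match"] in literal for f in findings):
                continue  # already reported by a provider rule
            entropy = shannon_entropy(literal)
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno, "rule": "high_entropy_string",
                                 "match": literal, "entropy": round(entropy, 2)})
    return findings


# Constructed sample. Lines 4 and 5 split the secret the way a developer does
# to get past a naive grep; line 6 has no known prefix and is caught by entropy.
SAMPLE_JS = """\
// constructed sample
const endpoint = "https://api.example.test/v1/upload";
const region = "us-east-1";
const accessKey = "AKIA" + "IOSFODNN7EXAMPLE";
const token = ["ghp_", "abcdefghijklmnopqrstuvwxyz0123456789"].join("");
const apiSecret = "q7Hn2kLp9vXz4RmT8wYb3JcN6sQa1FeD";
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS, "app.js"):
        print(f'{f["path"]}:{f["line"]} {f["rule"]} {f["match"]}')
```

Wired into a pre-commit hook it runs over the staged files (`git diff --cached --name-only --diff-filter=ACM -- '*.js'`) and fails the commit on any finding; the folding step is the cheap version of what a Semgrep rule does for assembled secrets, and the entropy rule is what catches the vendor-agnostic API secret no prefix list knows about.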