Corvus
Organization · Recon Complete · 26540acd

Allied Advisors Group, LLC

A health and welfare consulting firm providing advisory services to insurance agencies and financial practices.

Primary URL: alliedadvisorsgroup.com
Completed: 2026-05-28 19:05 UTC
Duration: 24m 58s
A
32 Entities · 18 Relationships · 9 Evidence · 7 Judgments · 7 Timeline · 0 Geo

Bottom Line Up Front

Allied Advisors Group, LLC is a small US health and welfare consulting firm operating a single-domain web presence on WordPress.com shared infrastructure (192.0.78.227, 192.0.78.129) with email handled by Microsoft 365 / Exchange Online and marketing by Mailchimp. The leading analytical interpretation is that this is very likely a sub-25-employee advisory firm whose security posture is incidentally weak rather than maliciously hidden, with no evidence of shadow infrastructure beyond the apex and www subdomain across four independent enumeration corpora. Three concrete exposures dominate the risk surface: dual conflicting SPF records combined with DMARC p=none make outbound email impersonation very likely exploitable for phishing of the firm's insurance-agency clients; the alliedadvisorsgroup.com registration expires 2026-07-29 (~62 days from collection) under a registrar account whose renewal posture is unknown; and Wayback-indexed first-name URL slugs (/greg/, /adrianne/, /richard/, /josh1/, /sandy/, /cari2/) give an adversary a ready-made spear-phishing roster. Confidence is high on infrastructure facts (registry, DNS, CT primary sources) and moderate on personnel attribution (Wayback content may include former staff).

§ 01

Key Judgments

5 · graded per ICD 203
KJ-01

Single-tenant WordPress.com footprint; surface is the actual surface

High Confidence

Four independent subdomain enumeration corpora (Certificate Transparency via certspotter, HackerTarget hostsearch, AnubisDB passive DNS, and Common Crawl) converge on the same answer: the apex alliedadvisorsgroup.com plus www and nothing else. The shared Let's Encrypt certificate 14537423605 bundles the target with 44 unrelated WordPress.com customer domains, which is the expected pattern for Automattic-managed hosting and not an indicator of intentional concealment. Combined with the WordPress.com nameservers and Automattic /24 IP range, the recon evidence is very likely a complete picture of the firm's internet-exposed infrastructure. The competing hypothesis that the firm operates additional private infrastructure (cloud accounts, vendor portals, internal SaaS) is not refuted by recon but produces no exposed surface in passive collection.

KJ-02

Email auth posture is the single highest-impact finding

High Confidence

DNS authoritatively returns two SPF records on alliedadvisorsgroup.com: v=spf1 include:servers.mcsv.net ?all and v=spf1 include:spf.protection.outlook.com include:_spf.wpcloud.com -all. RFC 7208 §3.2 requires exactly one; receiving MTAs handle the violation inconsistently — some select the first record (the permissive Mailchimp-include with neutral ?all) and others reject SPF entirely. DMARC is configured at p=none, so even when SPF fails, spoofed mail is delivered rather than quarantined. For a firm whose business is sending policy advice to insurance agencies and financial practices, this is very likely a high-payoff lure: a spoofed message from a trusted Greg/Adrianne/Richard with a renewal-cycle attachment routes around the headline technical control. The vector is operationally available today and requires only commodity infrastructure to exploit.
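The dual-SPF / DMARC p=none condition described in this judgment, checked mechanically. This is an added example, not part of the recon report; the TXT record sets are constructed to mirror the shape of the records quoted above, and the `rua` address and placeholder verification record are assumptions.

```python
import re
# Constructed TXT sets mirroring the pattern above: two SPF records with
# conflicting "all" qualifiers, plus DMARC at p=none.
APEX_TXT = [
    "v=spf1 include:servers.mcsv.net ?all",
    "v=spf1 include:spf.protection.outlook.com include:_spf.wpcloud.com -all",
    "site-verification=constructed-placeholder",  # non-SPF TXT, must be ignored
]
DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"]

ALL_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
STRENGTH = {"fail": 3, "softfail": 2, "neutral": 1, "pass": 0}  # higher = stricter

def spf_records(txt):
    # RFC 7208 s4.5: only TXT records beginning with the version string count.
    return [r for r in txt if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def spf_all_result(record):
    # Result for a sender matched by no mechanism: the qualifier on "all" (default "+").
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return ALL_QUALIFIER[m.group(1) or "+"]
    return "neutral"  # RFC 7208 s4.7: no "all" term -> default result neutral

def assess_spf(txt):
    # Returns (status, findings) for an apex TXT record set.
    recs = spf_records(txt)
    if not recs:
        return "none", ["no SPF record published"]
    weakest = min((spf_all_result(r) for r in recs), key=STRENGTH.get)
    findings = []
    if len(recs) > 1:
        # RFC 7208 s3.2/s4.5: multiple records are a permerror; a receiver that picks one anyway may land on the permissive one.
        findings.append(f"{len(recs)} SPF records published; least strict 'all' is '{weakest}'")
    if weakest != "fail":
        findings.append(f"unlisted senders receive '{weakest}', not 'fail'")
    status = "permerror" if len(recs) > 1 else ("ok" if not findings else "weak")
    return status, findings

def dmarc_policy(txt):
    # p= tag of the first DMARC record, or None when none is published.
    for r in txt:
        if r.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p", "none").strip().lower()
    return None

def spoofed_mail_delivered(apex_txt, dmarc_txt):
    # Without an enforcing DMARC policy, mail that fails SPF (or hits the permerror above) is delivered, whatever SPF says.
    return dmarc_policy(dmarc_txt) not in ("quarantine", "reject")
```

Running `assess_spf(APEX_TXT)` reports the permerror and the neutral fallback; fixing it means merging into one record ending in `-all` and moving DMARC to `p=quarantine` or `p=reject`.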

KJ-03

Domain renewal is unlikely to lapse, but verification is cheap

Moderate Confidence

RDAP records four GoDaddy-applied EPP status codes — clientDeleteProhibited, clientRenewProhibited, clientTransferProhibited, clientUpdateProhibited — which indicate the registrant is actively managing the registration and has applied registrar-level locks. Renewal is very likely to proceed routinely. The reason this still appears as a key judgment despite that: the alternative outcome is catastrophic for a firm whose entire identity is the domain (email continuity, NAHU/BAN identity, archived content). If renewal does lapse, a typosquatter or BEC operator would almost certainly register the domain inside the standard 30-day redemption-grace closeout. The mitigation (multi-year renewal, registrar lock confirmation) costs minutes; the downside cost is total.

KJ-04

Identifiable staff roster from Wayback URL slugs

Moderate Confidence

Wayback CDX returns 200 archived URLs for the domain matchtype query, including personal-profile slugs /greg/, /greg-working-1/, /ascend-award-greg/, /adrianne/, /final-richard/, /josh1/, /sandy/, and /cari2/. Greg's slug pattern (multiple revisions, a named industry award) is consistent with a principal or founder-level role. The roster is likely current — the WordPress.com site shows no signs of major rebrand or staff turnover in archived URLs — but Wayback captures URL existence at point-in-time, not present occupancy. The premortem failure mode here is acquiring last names from external sources (NAHU directories, state insurance department licensing rosters, BAN membership lists) to assemble a full spear-phishing roster, which is very likely achievable for an attacker with public-records access.

KJ-05

WordPress.com mitigates server-side CMS risk; Divi remains exposed

Moderate Confidence

WordPress.com is a managed hosting product where Automattic owns core WordPress patching and infrastructure security — eliminating the historical wp-admin-credential-stuffing and wp-login.php brute-force vectors that plague self-hosted WordPress. The Divi theme path /wp-content/themes/Divi/includes/builder/feature/dynamic-assets/ visible in Wayback confirms the active theme has a documented CVE history (Elegant Themes Divi has shipped multiple authenticated XSS, stored XSS, and authorization-bypass issues over the last 5 years). The exposure is likely latent rather than active because the marketing website carries no authenticated user surface beyond standard contact forms, so the practical exploitability ceiling is defaced-content or stored-XSS staged against the firm's own visitors.

KJ-06

Security headers grade reflects platform defaults, not operator action

Moderate Confidence

Mozilla Observatory scans for HTTP security headers — typically CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. A C-/45 with 4 failures on a WordPress.com-hosted marketing site is likely the result of platform defaults (WordPress.com applies a baseline header set but does not enforce strict CSP or HSTS preload by default for shared-cert customer domains). The presence of an HSTS preload or strict CSP would harden against the email-spoofing-routed-to-WP-content drive-by chain, but the headline-impact reduction is small compared to the SPF/DMARC fix. There is a roughly even chance the operator can configure these from the WordPress.com admin panel; some headers require a paid plan tier.

KJ-07

Deception check: clean evidence is consistent with small-firm scale

High Confidence

The evidence pattern would warrant deception flagging only if it were suspiciously clean for an entity of this stated scope. Allied Advisors Group's combination of (a) WordPress.com managed hosting consistent with sub-25-employee firms, (b) M365 / Mailchimp email stack consistent with small-business norms, (c) NAHU industry-association membership consistent with the advertised advisory role, and (d) seven partner-firm logos suggesting a small advisory cooperative is internally consistent and matches the surface that a real small firm produces. The premortem failure mode where Allied Advisors Group is a shell for a larger operating entity is not supported by any evidence and would require positive evidence (M&A filings, parent-org references in regulatory data) to elevate above its current very unlikely baseline.

§ 02

Threat Snapshot

Top 2 vectors / controls

Red · Adversary Vectors

R-02 Severe

Spear-phishing roster built from Wayback first-name slugs + NAHU directories


Blue · Defensive Controls

B-02

Spear-phish defense: out-of-band verification protocol for financial requests + targeted awareness for named staff
