RED × BLUE

Threat Playbook

Adversary vectors paired with the defensive controls that close them. Read top-to-bottom — engagements are sorted by severity. Baseline controls below apply across the surface.

Severe

Moderate

Low

Baseline

Severe · Act Now

3 engagements

SEVERE R-01 ↔ B-01 Email spoofing of the firm's domain — dual SPF + DMARC=none High confidence

Red · Adversary Vector R-01

Email spoofing of the firm's domain — dual SPF + DMARC=none

Headline finding. The technical conditions for inbox-grade spoofing are present on the domain today: a permissive primary SPF (Mailchimp ?all), a dual-record violation that makes the strict Outlook SPF unenforceable in practice, and no DMARC enforcement to compensate at the receiver. A targeted phishing campaign against the firm's insurance-agency client base — using a forged Greg/Adrianne/Richard pretext and a benefits-renewal or policy-update lure — is very likely operationally available with no prior reconnaissance beyond what this investigation surfaced. Remediation (b_01) is a DNS change measured in minutes.

Blue · Defensive Control B-01

Consolidate SPF to a single record and escalate DMARC to p=reject

Merge the two SPF records on alliedadvisorsgroup.com into one — keep the Microsoft and WordPress.com includes, drop the Mailchimp ?all include and add include:servers.mcsv.net with a strict -all qualifier. After a 2–4 week observation period using DMARC rua aggregate reports, escalate DMARC from p=none to p=quarantine, then to p=reject. This single change closes r_01 — the highest-impact finding in the report — and degrades r_02/r_06 because spoofed mail from arbitrary infrastructure stops being deliverable.

SEVERE R-02 ↔ B-02 Spear-phishing roster built from Wayback first-name slugs + NAHU directories High confidence

Red · Adversary Vector R-02

Spear-phishing roster built from Wayback first-name slugs + NAHU directories

Combines two findings: the first-name URL slugs that name staff individually (ent_019–024), and the NAHU industry-association membership (ent_025) that provides the public-records path to last-name resolution. Spear-phishing with the firm's actual partner-org branding (Cary Insurance Group, Hampton Companies, Pelnik Insurance, Peel Holland, Preferred Benefits, NavMD) raises the believability ceiling because the lures look like ordinary cooperative-network communication. Combined with r_01, the adversary gets to send spoofed mail from real staff to real partners with real institutional vocabulary.

Blue · Defensive Control B-02

Spear-phish defense: out-of-band verification protocol for financial requests + targeted awareness for named staff

Establish a documented out-of-band verification process (phone call to a known number, not a callback to a number in the email) for any financial request, client-data request, or policy-change request received over email. Train the staff named in r_02 (Greg, Adrianne, Richard, Josh, Sandy, Cari) specifically on the spear-phishing scenarios identified — including the NAHU/Ascend-Award angle and partner-firm impersonation patterns. Awareness training alone is weak; the verification protocol is the load-bearing control.

SEVERE R-03 ↔ B-03 Domain hijack at expiry (62 days out) — low-probability, catastrophic-impact tail risk Moderate confidence

Red · Adversary Vector R-03

Domain hijack at expiry (62 days out) — low-probability, catastrophic-impact tail risk

The probability of renewal failure given the four EPP locks observed is low. Why include this anyway: the downside is total. If renewal lapses, the firm loses email continuity, the WordPress.com TLS chain rotates to whoever re-registers, and 9 years of accumulated client-relationship trust route to the new operator. Operator confirmation of renewal status (and multi-year prepay) is a 30-minute task with effectively-unlimited upside.

Blue · Defensive Control B-03

Domain renewal: confirm auto-renew, prepay multi-year, verify registrar-lock state

Log in to the GoDaddy account, confirm auto-renew is enabled, and prepay the registration through 2031 or longer. Confirm the four EPP locks observed in RDAP remain active. Add the domain to a tertiary monitoring service (e.g., a calendar reminder owned by a second principal) so a single-person account-access failure cannot cause silent expiry. This closes the catastrophic tail of r_03.

Moderate · Plan Mitigation

3 engagements

MODERATE R-04 ↔ B-04 Divi theme / Builder exploitation against marketing site Moderate

Red R-04

Divi theme / Builder exploitation against marketing site

Divi has a long CVE tail. WordPress.com manages the core CMS patch cadence but does not own the theme-update cadence on customer instances. The exploitation surface here is limited because the site has no authenticated visitor flow — practical impact is defaced content or stored XSS against visitors of the firm's own pages. Lower priority than r_01–r_03 but worth tracking because Divi updates are routinely ignored by small firms who set up the theme once and never revisit it.

Blue B-04

Audit and update the Divi theme; subscribe to Elegant Themes security advisories

Log into the WordPress.com / Divi admin panel and confirm the theme is on the current major release. Apply any pending Divi Builder updates. Subscribe to the Elegant Themes security advisory feed so future CVEs are not silently ignored. This is the lowest-priority server-side control in this report but the right closure for r_04.

MODERATE R-05 ↔ B-05 M365 tenant credential / OAuth phishing → mailbox takeover Moderate

Red R-05

M365 tenant credential / OAuth phishing → mailbox takeover

GoDaddy-bundled M365 tenants (NETORGFT prefix) are common at firms of this scale and are likely not on a custom security baseline. OAuth consent phishing is the higher-yield variant — it survives MFA when the user is convinced to grant app consent rather than enter credentials. The compromise of even one mailbox at a firm whose business is correspondence with insurance agencies and financial practices unlocks the wire-fraud / EFT-redirect playbook directly.

Blue B-05

M365: enforce MFA on all mailboxes, apply a conditional-access baseline, audit OAuth app consents

In the NETORGFT3468830 tenant, enforce MFA for every user (no exceptions), apply a Microsoft-baseline conditional-access policy, and review the OAuth-app consent grant list. Disable user-level consent for non-Microsoft applications so future OAuth-consent phishing requires explicit admin approval. This closes the late-stage compromise path in r_05 and is the single highest-yield identity-control change available to a firm of this scale.

MODERATE R-06 ↔ B-06 Mailchimp credential compromise → SPF-passing phish from legitimate sender Moderate

Red R-06

Mailchimp credential compromise → SPF-passing phish from legitimate sender

Mailchimp account takeover is one of the higher-leverage moves an adversary can make against an SMB that relies on it. The firm's permissive Mailchimp SPF include means hostile mail from a compromised account passes SPF cleanly. Mitigation is straightforward (b_06) but routinely neglected at firms of this scale.

Blue B-06

Mailchimp: enforce MFA on the account, restrict campaign-send to specific operators, enable login alerts

Enable Mailchimp's two-factor authentication on every administrator account. Restrict campaign-send permissions to a named individual (not a shared marketing account). Turn on login-from-new-device alerts. Combined with b_01's SPF tightening, this closes r_06.

Low · Monitor

1 engagement

LOW R-07 ↔ B-07 Unsigned DNS zone — low-probability cache poisoning Low

Red R-07

Unsigned DNS zone — low-probability cache poisoning

Listed for completeness rather than priority. Practical attacker payoff in 2026 is small relative to r_01–r_06. Remediation (b_07) is a registrar-side toggle plus a WordPress.com DNS zone signing step.

Blue B-07

Enable DNSSEC at GoDaddy and sign the WordPress.com DNS zone

Toggle DNSSEC on at the GoDaddy registrar and follow the WordPress.com guidance for publishing DS records. Practical risk reduction in 2026 is small (see r_07 rationale) but the change is a one-time configuration and contributes to overall hygiene.

Baseline · Surface-Wide

2 controls

B-08 Baseline

Lift Mozilla Observatory grade to B/A: add HSTS, CSP, X-Frame-Options, Referrer-Policy at strict values

From the WordPress.com admin panel (or via a hosted-site security plugin), publish HSTS with a 1-year max-age and preload-eligible flag, a Content-Security-Policy that restricts script sources to 'self' plus the WordPress.com asset CDN, X-Frame-Options SAMEORIGIN, and a strict Referrer-Policy. Brings the headline Observatory grade out of C- territory and adds defense-in-depth against any successful Divi-XSS chain (r_04).

B-09 Baseline

Subscribe to domain & brand monitoring for typosquats and impersonation

Set up monitoring for newly-registered domains lexically similar to alliedadvisorsgroup.com (free tools include certstream + dnstwist; paid: Recorded Future, ZeroFox). For a firm whose entire identity hinges on the domain (see r_03) and whose clients communicate primarily over email (see r_01/r_02), early warning on typosquats is high-leverage. Combine with a documented response process so a flagged registration triggers a same-day investigation.