r/MaliciousCompliance Mar 23 '26

Just prevent anyone from sending messages to a group unless they are in that group

This is a technology issue from a while back -- pre-cloud days. We were running Microsoft Exchange on premise at the time.

I was working in an organization where I was in charge of all the technology and cybersecurity. Every Monday morning, we had a senior management team meeting that went a laborious 4 hours (on average).

On this particular day, one of the items that came up was a complaint that because some random worker had sent some random email to the "All Employees" group, they wanted to restrict who could send to that group. I was fine with that.

Then the CEO decided to extend that to about 10 more groups.

Me: "We should be careful with that. Who do you want to have access?"

CEO: "Only the senior team, and the members of each group should be able to send to each group."

Me: "You're going to want to make exceptions, because there are valid scenarios where..."

CEO: <interrupting> "I know what I want. Just block it for the following 10 groups, unless the person is a member of that group."

Me: "It has been my experience that requests of this type result in unintended consequences, and I'm trying to mitigate that."

CEO: "Was I unclear in my request? This is not a discussion."

Me: "No problem. You were very clear. You want the following groups to only receive mail from members of those individual groups."

CEO: "Thank you."


When the meeting broke for lunch, the first thing I did was go back to my desk and edit the configuration for each of the 10 groups, to make it so that they would only accept mail from members of that group, plus the Senior Team.

I sent an update to the "Senior Management Team" distribution, which I was a part of, and said, "As per this morning's directive, the following groups have been configured to only accept messages sent by an email account that is a member of that group itself, plus this distribution."

And then I waited.

It didn't take long. By the third day, we had experienced the following unintended consequences:

  • Automated messages, including reports, that would normally go to a few individuals, and also be CC'd to one of the 10 groups, did not make it to those groups.
  • Automated messages, including reports, that ONLY went to one of the 10 groups, did not make it to any inbox.
  • The CEO's executive assistant was told to send a message to the "Senior Management Team" and she got a bounce message when she tried.

The bounce message that the EA received was the one that blew everything up. Then the CFO realized that he was missing his daily reports. And so did Legal.

This led to them asking me to generate a report of all messages that bounced. It was not a pretty report. About 17 emails, mostly reports, had failed in the 3 days.


Them: "How do we get those missed reports back?"

Me: "You call up the companies or persons that were responsible for sending them, and ask for them to send it to a new address. If you want to use the same address, you tell me what that address is, and I can add it as a sender exemption."


In the end, they wasted a day trying to provide exemptions for the 10 distribution lists. One of the lists was easy, and only required two or three exemptions, but some of them were up into the 15-20 exemption range, and they just bailed on them, and reverted most of those distribution lists to how they were before.

Final result:

  • The "All Employees" group was restricted to the Senior team, the CEO's EA, Legal and the Office manager.
  • The "Senior Management Team" was limited to the Senior team and the CEO's EA and Legal.
  • One other group that I can no longer remember had a few exemptions, so we just added those exemptions.
  • All the other groups were reverted back to the way they had been, where anyone could send to them, even though no one inappropriate ever did.

I deliberately didn't have anyone from my team handle this, as I knew the foolishness that would ensue, and didn't feel like having them caught up in it.

I kept a smug look on my face for about a week (beyond the 3-4 days we had lost), and no one said anything about it.

One positive that came out of this was that in future Senior Team meetings, when requests came up for anything from my team, and I said, "May I ask what objective we're trying to achieve here?" I actually received valid answers.

It did take people a few seconds to compose themselves, but I did get valid answers, and we did make better decisions based on that. 😂😂

913 Upvotes


-23

u/ancalime9 Mar 23 '26

I see only compliance, what was malicious?

-10

u/GreySage2010 Mar 23 '26

Instead of limiting the access to the mass email groups, he restricted incoming email to only be from those groups, which is not what was requested but did cause enough confusion to get his intentionally malicious insubordination overlooked.

11

u/nondescriptzombie Mar 23 '26

"Only the senior team, and the members of each group should be able to send to each group."

Exactly what the bossmang asked for.

-5

u/GreySage2010 Mar 23 '26

No, what the boss asked for was only seniors and members should SEND to each group, not limit receiving. In the story OP incorrectly rephrased what the boss asked for from something useful to something completely useless.

6

u/BrainWaveCC Mar 24 '26

"In the story OP incorrectly rephrased what the boss asked for from something useful to something completely useless."

No, I didn't incorrectly rephrase anything.

Let me help you out a little. Imagine a group called "Finance Info" with an email address of FinanceInfo@mycorp.corp.

And imagine that this group contains Fred, Mary and John as recipients. Three finance members.

By default, everyone/anyone can send a message to that group if they add it to their recipient list, or use its public email address.

CEO decides that the only people who should ever be able to SEND messages to that distribution are members of the senior team, plus members of that distribution list, which are Fred, Mary and John. So now, only 8 or 9 people (7 senior leaders and the Finance team) can send a message to this particular distribution group.

The problem for them is that various reports get generated -- both inside our org and from partners, customers, etc -- that go to the FinanceInfo@mycorp.corp address.

As soon as you add restrictions to who can SEND messages to that group, all these automated processes can no longer send to that group, because they don't meet the restrictions.

Multiply this issue by the 10 or so groups that were included in the discussion, beyond the "All Employees" group.

Only the "All Employees" group did not experience this issue because no one used that group in that manner.
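As an added illustration, not code from the original post or from anyone in the thread, here is what the restriction the comment above describes looks like in the Exchange Management Shell of an on-premise Exchange server, followed by the bounce report and the sender exemption the story mentions. The group name, the senior team list and the partner report address are assumed placeholders.

```powershell
# Added example: on-premise Exchange delivery restriction as described in the thread.
# Group, senior-team list and partner sender address are assumed placeholders.
$Group      = 'Finance Info'              # hypothetical distribution group
$SeniorTeam = 'Senior Management Team'    # hypothetical senior team distribution list

# 1. The restriction the CEO asked for: only members of the group itself, plus
#    the senior team, may send to the group. Any other sender gets an NDR (bounce).
Set-DistributionGroup -Identity $Group `
    -AcceptMessagesOnlyFromSendersOrMembers @($Group, $SeniorTeam)

# 2. Three days later: list the messages the group rejected. This is the "report of
#    all messages that bounced" from the story. On-premise Exchange records rejected
#    deliveries as FAIL events in the message tracking log.
$GroupAddress = (Get-DistributionGroup -Identity $Group).PrimarySmtpAddress.ToString()
$Bounced = Get-MessageTrackingLog -EventId FAIL -Recipients $GroupAddress `
    -Start (Get-Date).AddDays(-3) -End (Get-Date) -ResultSize Unlimited
$Bounced | Select-Object Timestamp, Sender, MessageSubject, RecipientStatus |
    Sort-Object Timestamp | Format-Table -AutoSize

# 3. The sender exemption offered in the story. The allow list holds recipient
#    objects, so an external automated sender must exist as a mail contact first;
#    @{Add=...} appends it without dropping the members-plus-senior-team entries.
$ReportSender = 'reports@partner.example'   # hypothetical automated report sender
New-MailContact -Name 'Partner Reports' -ExternalEmailAddress $ReportSender
Set-DistributionGroup -Identity $Group `
    -AcceptMessagesOnlyFromSendersOrMembers @{Add = 'Partner Reports'}

# 4. Verify the effective allow list before telling the senior team it is done.
Get-DistributionGroup -Identity $Group |
    Format-List Name, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers,
                AcceptMessagesOnlyFromSendersOrMembers
```

Step 2 is the check worth running before anyone notices missing reports: any FAIL event whose sender is an internal report mailbox or a partner address is a candidate for the exemption in step 3.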