MEDIUM · education

Petroleum Conservation Research Association

Missing SPF and DMARC; Cloudflare-fronted

pcra.org · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 70

Availability

HTTP 200

TLS

2026-07-25 · 42d

Headers

5 missing · 0 permissive

Email auth

SPF missing · DMARC absent

58

Security score

Watch

Headline findings

  • 01 · SPF and DMARC entirely missing: anyone can spoof @pcra.org
  • 02 · Cloudflare-fronted origin (good)
  • 03 · OWA endpoint exposed in CT
  • 04 · Missing CSP and Referrer-Policy

TLS security

warn

Issuer
Let's Encrypt
Expires
2026-07-25 (42d)

certificate expires in 42 days

Email authentication

SPF
missing
DKIM
unknown
DMARC
absent
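The SPF/DMARC states on this panel can be reproduced from the raw TXT answers. The script below is an added example, not part of the scan page's own tooling: it classifies whatever `dig +short TXT` returns, treats `+all`/`?all` and a record with no `all` mechanism as permissive, counts two SPF records as the permerror it is, and distinguishes a monitor-only DMARC (`p=none`) from an enforcing one. The SAMPLE_* record strings are constructed test data (the pcra.org case is modelled as "no SPF, no DMARC"); the verification token is not a real one.

```bash
#!/usr/bin/env bash
# Added example (not part of the scan page): classify SPF and DMARC TXT
# records the way the "Email auth" panel does. The SAMPLE_* strings are
# constructed test data, not live DNS answers. Live use:
#   classify_spf   "$(dig +short TXT pcra.org)"
#   classify_dmarc "$(dig +short TXT _dmarc.pcra.org)"

# classify_spf TXT-ANSWERS -> missing | multiple | permissive | present
# Exit status is 0 only for "present"; anything else should fail a CI gate.
classify_spf() {
    local txt="$1" spf n
    spf=$(printf '%s\n' "$txt" | tr -d '"' | grep -Ei '^v=spf1( |$)' || true)
    n=$(printf '%s\n' "$spf" | grep -c . || true)
    [ "$n" -eq 0 ] && { echo missing; return 1; }
    [ "$n" -gt 1 ] && { echo multiple; return 1; }          # RFC 7208: two SPF records = permerror
    case " $spf " in
        *" +all "*|*" ?all "*)               echo permissive; return 1 ;;  # authorises every sender
        *" -all "*|*" ~all "*|*" redirect="*) echo present;    return 0 ;;
        *)                                   echo permissive; return 1 ;;  # no all/redirect: implicit ?all (neutral)
    esac
}

# classify_dmarc TXT-ANSWERS -> absent | monitor | quarantine | reject | invalid
# Exit status is 0 only for an enforcing policy (quarantine/reject).
classify_dmarc() {
    local txt="$1" rec p
    rec=$(printf '%s\n' "$txt" | tr -d '"' | grep -i '^v=DMARC1' | head -n1 || true)
    [ -z "$rec" ] && { echo absent; return 1; }
    p=$(printf '%s\n' "$rec" | sed -n 's/.*;[[:space:]]*p=\([A-Za-z]*\).*/\1/p' | tr 'A-Z' 'a-z')
    case "$p" in
        none)       echo monitor;    return 1 ;;   # reports only; spoofed mail still lands
        quarantine) echo quarantine; return 0 ;;
        reject)     echo reject;     return 0 ;;
        *)          echo invalid;    return 1 ;;   # p= is mandatory (RFC 7489)
    esac
}

# email_auth_summary SPF-TXT DMARC-TXT -> "SPF <state>, DMARC <state>" (the panel line)
email_auth_summary() {
    local s d
    s=$(classify_spf "$1") || true
    d=$(classify_dmarc "$2") || true
    echo "SPF $s, DMARC $d"
}

# Constructed answers: the scan-date state of pcra.org is modelled as "no SPF,
# no DMARC"; the other samples are the Tier 1 target records and two bad variants.
SAMPLE_NO_SPF='"google-site-verification=0123456789abcdef"'   # constructed token, only a non-SPF TXT
SAMPLE_SPF_OK='"v=spf1 include:_spf.google.com ~all"'
SAMPLE_SPF_OPEN='"v=spf1 +all"'
SAMPLE_DMARC_OK='"v=DMARC1; p=quarantine; rua=mailto:dmarc@pcra.org; fo=1"'
SAMPLE_DMARC_NONE='"v=DMARC1; p=none; rua=mailto:dmarc@pcra.org"'

email_auth_summary "$SAMPLE_NO_SPF" ""                  # SPF missing, DMARC absent
email_auth_summary "$SAMPLE_SPF_OK" "$SAMPLE_DMARC_OK"  # SPF present, DMARC quarantine
```

Both classifiers return 0 only for the state the panel would score as acceptable, so they drop straight into a cron or CI gate; `p=none` is deliberately a failing state because it changes nothing for the recipient.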

Hardening headers

1 / 0 / 5 · present / permissive / missing

  • HSTS · present
  • CSP · missing
  • X-Frame-Options · missing
  • X-Content-Type-Options · missing
  • Referrer-Policy · missing
  • Permissions-Policy · missing
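The present/permissive/missing tally above comes from nothing more than the response headers. The script below is an added example, not the scan page's own code: it reads a raw header block, checks the six hardening headers, and classifies a header as permissive when its value defeats its own purpose (a CSP carrying 'unsafe-inline' or a wildcard script source, HSTS with max-age=0, an X-Frame-Options value browsers do not honour, Referrer-Policy: unsafe-url). Both sample responses are constructed, not captured from pcra.org; the first mimics the panel's observed state (HSTS only, Cloudflare in front of WordPress).

```bash
#!/usr/bin/env bash
# Added example (not part of the scan page): reproduce the "Hardening headers"
# tally from a raw response. Live use:  curl -sI https://www.pcra.org | audit_headers
# Both SAMPLE_* responses below are constructed, not captured from pcra.org.

HARDENING="strict-transport-security content-security-policy x-frame-options
x-content-type-options referrer-policy permissions-policy"

# audit_headers < headers -> one "<header> <status>" line per hardening header,
# then "present/permissive/missing P Q M"
audit_headers() {
    local hdrs name value status present=0 permissive=0 missing=0
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')      # header names are case-insensitive; values folded for matching
    for name in $HARDENING; do
        value=$(printf '%s\n' "$hdrs" | sed -n "s/^$name:[[:space:]]*//p" | head -n1)
        if [ -z "$value" ]; then
            status=missing
        else
            status=present
            case "$name=$value" in
                # a CSP that allows inline script or any script origin contains nothing
                content-security-policy=*unsafe-inline*|content-security-policy=*"script-src *"*) status=permissive ;;
                # max-age=0 is how HSTS is switched off
                strict-transport-security=max-age=0|strict-transport-security=max-age=0\;*) status=permissive ;;
                # nosniff is the only value browsers act on
                x-content-type-options=nosniff) ;;
                x-content-type-options=*) status=permissive ;;
                # full-URL referrer leaks query strings cross-origin
                referrer-policy=unsafe-url) status=permissive ;;
                # ALLOW-FROM is ignored by current browsers; ALLOWALL is not a defined value
                x-frame-options=deny|x-frame-options=sameorigin) ;;
                x-frame-options=*) status=permissive ;;
            esac
        fi
        echo "$name $status"
        case $status in
            present)    present=$((present + 1)) ;;
            permissive) permissive=$((permissive + 1)) ;;
            missing)    missing=$((missing + 1)) ;;
        esac
    done
    echo "present/permissive/missing $present $permissive $missing"
}

# Constructed: Cloudflare-fronted WordPress origin with only HSTS set (the panel's state)
SAMPLE_BASELINE=$(cat <<'EOF'
HTTP/2 200
date: Sat, 13 Jun 2026 04:00:00 GMT
content-type: text/html; charset=UTF-8
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains
link: <https://www.pcra.org/wp-json/>; rel="https://api.w.org/"
cf-cache-status: DYNAMIC
EOF
)

# Constructed: all six headers set, but the CSP still allows inline script
SAMPLE_HARDENED=$(cat <<'EOF'
HTTP/2 200
server: cloudflare
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
EOF
)

printf '%s\n' "$SAMPLE_BASELINE" | audit_headers   # ... present/permissive/missing 1 0 5
printf '%s\n' "$SAMPLE_HARDENED" | audit_headers   # ... present/permissive/missing 5 1 0
```

The baseline sample reproduces the panel's 1 / 0 / 5. The second sample is the trap the Tier 2 CSP item walks into: a header that is technically present but, because it carries 'unsafe-inline', gives no XSS containment, so it is counted as permissive rather than present.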

Lookalike domains

  • pcra.net · 207.148.248.143 (third-party)
  • pcra.in · 76.223.67.189 (third-party)

Public topology · CT logs

12 total

pcra.org
Authentication
  • owa.pcra.org
Infrastructure
  • webmail.pcra.org
  • mail.pcra.org

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only: cover internal names with a wildcard certificate so individual hostnames are never logged, or issue them from a private CA that does not submit to public CT (trusted only on managed devices, so unsuitable for anything an unmanaged browser must reach).

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

PCRA lacks email authentication entirely (no SPF/DMARC) and exposes multiple mail endpoints (owa.pcra.org) potentially vulnerable to CVE-2024-21410 NTLM relay. What is the Exchange Server patch status, and is the SPF/DMARC deployment hours or days away?

Active fingerprints · per host

  • www.pcra.org · EOL × 1

    Cloudflare-fronted WordPress on Nginx

    • SPF and DMARC entirely absent — open spoofing surface
  • owa.pcra.org / webmail.pcra.org / mail.pcra.org / email.pcra.org · EOL × 1

    Multiple mail endpoints; OWA suggests Microsoft Exchange Server

    • 12 subdomains in CT — multiple mail systems suggest distributed mail infra

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: Email spoofing via absent SPF/DMARC

effort hours
detect low (bad)
Entry
Zero SPF, zero DMARC.
Pivot
Spoof @pcra.org to industry stakeholders who trust public-information PCRA.
Objective
High-yield phishing on trusted petroleum-conservation entity.
#1

Path B: OWA exposure → CVE-2024-21410 NTLM relay (if Exchange Server)

effort days
detect medium
Entry
owa.pcra.org publicly named in CT. OWA suggests on-prem Exchange Server.
Pivot
If on-prem Exchange 2016/2019 without Extended Protection for Authentication (on by default only from Exchange 2019 CU14, Feb 2024), NTLM credentials leaked from an Outlook client can be relayed to Exchange and used as that user: mailbox access and internal phishing from a genuine account. Domain compromise needs a further chain beyond this CVE.
Objective
Authenticated foothold via the OWA endpoint, escalating toward domain compromise.
#2

Path C: Subdomain proliferation → dangling DNS (takeover risk)

effort hours
detect low (bad)
Entry
12 subdomains including wildcard. Some likely point to deprovisioned cloud services.
Pivot
Subdomain takeover on dangling CNAME → phishing with valid TLS.
Objective
Trusted-domain phishing.
#2

Path D: Cloudflare bypass via direct mail-protocol access (SMTP/IMAP/POP3)

effort days
detect medium
Entry
Cloudflare proxies HTTP/S only. Mail protocols on mail.pcra.org bypass WAF.
Pivot
Direct connection to mail server; if unpatched, RCE without WAF visibility.
Objective
Mail-server compromise.
#3

Path E: Missing CSP → reflected XSS on WordPress

effort hours
detect medium
Entry
WordPress identified via the wp-json REST API Link header (wp/v2 namespace); CSP absent.
Pivot
Plugin/theme XSS executes unconstrained; there is no CSP to block inline or foreign script.
Objective
Admin account takeover via XSS.
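Path D rests on one fact that is easy to verify: Cloudflare only proxies the hostnames whose A records point at its edge ranges, and a mail host has to resolve straight to the origin for SMTP/IMAP/POP3 to work at all. The script below is an added example, not the scan page's own tooling: it tests an address against Cloudflare's published IPv4 prefixes and labels the host proxied or origin-exposed. The prefix list is a snapshot and should be refreshed from https://www.cloudflare.com/ips-v4 before relying on it; the addresses in the demo are constructed (RFC 5737 documentation space for the origin), not resolved from DNS.

```bash
#!/usr/bin/env bash
# Added example (not part of the scan page): decide whether a host's A record
# sits on a Cloudflare edge address (HTTP/S proxied, WAF in path) or on the
# origin itself, which is what Path D relies on for mail.pcra.org.
# Live use:  exposure mail.pcra.org "$(dig +short A mail.pcra.org | head -n1)"
# CLOUDFLARE_V4 is a snapshot of the published IPv4 list; refresh it from
# https://www.cloudflare.com/ips-v4 before relying on it.

CLOUDFLARE_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# ip2int 1.2.3.4 -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP is inside the prefix
in_cidr() {
    local ip net bits mask
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# is_cloudflare IP -> exit 0 if IP is on a Cloudflare edge range
is_cloudflare() {
    local c
    for c in $CLOUDFLARE_V4; do
        in_cidr "$1" "$c" && return 0
    done
    return 1
}

# exposure HOST IP -> "<host> <ip> proxied" | "<host> <ip> origin-exposed"
exposure() {
    if is_cloudflare "$2"; then
        echo "$1 $2 proxied"           # HTTP/S passes the WAF; no other protocol is proxied
    else
        echo "$1 $2 origin-exposed"    # every listening port is reachable directly
    fi
}

# Constructed addresses, not resolved from DNS: an edge address for the web host,
# an RFC 5737 documentation address standing in for the mail origin.
exposure www.pcra.org 104.16.1.1      # www.pcra.org 104.16.1.1 proxied
exposure mail.pcra.org 203.0.113.25   # mail.pcra.org 203.0.113.25 origin-exposed
```

Run it over every name in the CT list: any origin-exposed host is a WAF-free path to the same infrastructure, and if one of them shares an address with the web origin, the Cloudflare front for www.pcra.org is decorative as well.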

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Email spoofing via absent SPF/DMARC
factor ~5–7×
pre-AI
Absent SPF/DMARC enables open spoofing on a high-trust public-information entity
Mythos
AI-augmented lure crafting with petroleum-conservation register accelerates social engineering
Path B · OWA exposure → CVE-2024-21410 NTLM relay (if Exchange Server)
factor ~10–15×
pre-AI
OWA + CVE-2024-21410 NTLM relay → authenticated access as the relayed user, then onward escalation
Mythos
AI-augmented adversary prioritises Exchange version probe; relay automation reduces effort to hours

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Publish SPF and DMARC records

    Host
    pcra.org (email)
    Fix
SPF: 'v=spf1 include:_spf.google.com ~all' (adjust to the actual provider; publish exactly one SPF record and stay under the 10-DNS-lookup limit). DMARC: 'v=DMARC1; p=quarantine; rua=mailto:dmarc@pcra.org; fo=1'. Monitor 2 weeks → p=reject.
    Owner
    PCRA IT / Email Security
    Validation
    dig +short TXT pcra.org shows v=spf1; dig +short TXT _dmarc.pcra.org shows DMARC1
  • critical

    Patch Exchange Server for CVE-2024-21410 (if applicable)

    Host
    owa.pcra.org
    CVE
    CVE-2024-21410
    Fix
Confirm the Exchange version behind owa.pcra.org. Exchange 2019: install CU14 (Feb 2024) or later, which turns Extended Protection for Authentication (EPA) on by default. Exchange 2016: CU23 with the Aug 2023 SU or later, then enable EPA with Microsoft's ExchangeExtendedProtectionManagement.ps1 script. Confirm EPA on OWA, ECP, EWS, ActiveSync and the other client-facing virtual directories.
    Owner
    PCRA Exchange Admin
    Validation
    Exchange CU verified post-patch; EPA enabled on all virtual directories
  • critical

    Subdomain inventory + dangling DNS audit

    Host
    *.pcra.org
    Fix
For each of the 12 CT-logged subdomains, verify (a) DNS active (b) service running or intentionally disabled (c) if disabled, remove DNS. A CNAME whose target no longer resolves is the takeover case: remove it the same day, before the deprovisioned cloud name can be re-registered by someone else.
    Owner
    PCRA Infrastructure
    Validation
    Subdomain register filed; CT monitoring active
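Step (a) of the subdomain audit is mechanical, and the case that matters, a CNAME whose target is gone, has a recognisable shape in dig output: the CNAME record is still returned in the answer section while the overall status is NXDOMAIN (or NOERROR with no address). The script below is an added example, not the scan page's own tooling: it classifies one name from the output of `dig +noall +comments +answer` and wraps that in a loop for the full list. The three dig transcripts are constructed; old-portal.pcra.org and its CNAME target are hypothetical names, not hosts seen in the scan, and the address for webmail.pcra.org is RFC 5737 documentation space.

```bash
#!/usr/bin/env bash
# Added example (not part of the scan page): classify one CT-logged subdomain
# from the output of  dig +noall +comments +answer <name>  to spot dangling
# CNAMEs for the Tier 1 audit. Live use:
#   classify_subdomain "$(dig +noall +comments +answer old-portal.pcra.org)"
# The dig transcripts below are constructed; old-portal.pcra.org and its CNAME
# target are hypothetical, and 203.0.113.10 is documentation address space.

# classify_subdomain DIG-OUTPUT -> live | dangling-cname -> <target> | no-record | no-address
classify_subdomain() {
    local out="$1" status cname addrs
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
    # answer-section RRs are "<name> <ttl> IN <type> <rdata>"
    cname=$(printf '%s\n' "$out" | awk '$3=="IN" && $4=="CNAME" {print $5; exit}')
    addrs=$(printf '%s\n' "$out" | awk '$3=="IN" && ($4=="A" || $4=="AAAA") {print $5}')
    if [ -n "$addrs" ]; then
        echo live                           # resolves to an address: something (maybe a parked page) answers
    elif [ -n "$cname" ]; then
        echo "dangling-cname -> $cname"     # alias kept, target has no address: takeover candidate
    elif [ "$status" = NXDOMAIN ]; then
        echo no-record                      # name is gone: stale CT entry, nothing to take over
    else
        echo no-address                     # NOERROR but no A/AAAA (e.g. only MX/TXT): review by hand
    fi
}

# audit_subdomains < names -> "<name> <classification>" per line (live DNS via dig;
# feed it the CT list, one hostname per line)
audit_subdomains() {
    local name
    while read -r name; do
        [ -n "$name" ] || continue
        echo "$name $(classify_subdomain "$(dig +noall +comments +answer "$name")")"
    done
}

# Constructed transcript: a live host
SAMPLE_LIVE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40211
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
webmail.pcra.org.    300    IN    A    203.0.113.10
EOF
)

# Constructed transcript: CNAME still published, target no longer exists (hypothetical names)
SAMPLE_DANGLING=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
old-portal.pcra.org.    300    IN    CNAME    old-portal.example-cloud.invalid.
EOF
)

# Constructed transcript: record already removed
SAMPLE_GONE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40213
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
)

classify_subdomain "$SAMPLE_LIVE"       # live
classify_subdomain "$SAMPLE_DANGLING"   # dangling-cname -> old-portal.example-cloud.invalid.
classify_subdomain "$SAMPLE_GONE"       # no-record
```

Only the dangling case is urgent; "live" still needs step (b), because a name that resolves to a parked page on a shared cloud service is reachable by whoever claims that page next.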

Tier 2 · within 30 days

  • high

    Add CSP and Referrer-Policy headers

    Host
    www.pcra.org
    Fix
Cloudflare response-header Transform Rule, Worker, or Nginx add_header: add Referrer-Policy: strict-origin-when-cross-origin and a nonce-based CSP. Deploy the CSP as Content-Security-Policy-Report-Only first, because WordPress plugins and themes routinely inject inline script that a strict policy will block, and switch to enforcing once the report feed is clean.
    Owner
    PCRA Web Ops
    Validation
    curl -i shows CSP and Referrer-Policy
  • high

    Secure mail servers behind reverse proxy or cloud gateway

    Host
    mail.pcra.org / webmail.pcra.org
    Fix
Point the MX at a mail security gateway (Mimecast, Proofpoint or equivalent) and firewall origin port 25 to the gateway's published ranges, so inbound SMTP no longer reaches the origin directly. Cloudflare Email Routing only forwards inbound mail to another mailbox; it does not front an existing server. IMAP/POP3 cannot be gatewayed the same way: restrict them to VPN or known networks, or retire them in favour of OWA/ActiveSync behind EPA.
    Owner
    PCRA Mail / IT Ops
    Validation
    External SMTP scan no longer reaches origin
  • high

    WordPress security + plugin audit

    Host
    www.pcra.org
    Fix
wp plugin list --update=available; wp plugin update --all; wp theme update --all. Remove unmaintained plugins. Wordfence/Sucuri scan.
    Owner
    PCRA Web Ops
    Validation
    WPScan; plugin status all-current
  • high

    Exchange Server hardening

    Host
    owa.pcra.org
    CVE
    CVE-2024-21410
    Fix
    EPA enforced. SMB signing required. NTLM auth restricted. Conditional Access via Azure AD if hybrid.
    Owner
    PCRA Exchange Admin
    Validation
    EPA active on all virtual dirs; SMB signing required

Tier 3 · within 90 days

  • medium

    Email security gateway / advanced threat protection

    Host
    pcra.org email
    Fix
    Microsoft Defender for Office 365 or equivalent. URL scanning, attachment sandboxing.
    Owner
    PCRA Email Security
    Validation
    Defender alerts active; quarantine working
  • medium

    DMARC failure monitoring + alerting

    Host
    pcra.org
    Fix
Subscribe to a DMARC aggregate-report service (dmarcian, EasyDMARC or equivalent) using the rua= address published in Tier 1. Weekly digest; alert on misalignment.
    Owner
    PCRA Email Security
    Validation
    Weekly DMARC reports received and reviewed

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.