{"passed":{"dns":[{"id":"dangling_mx_record","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unregistered MX Domains","value":"[none]"}],"actual":[{"property":"Unregistered MX Domains","value":"[none]"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"email_sec","title":"No unregistered MX records detected","description":"No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The address specified as the mailbox in the MX record for this domain is unregistered, allowing an attacker to register that domain and gain control of this domain's mailbox.","riskDetails":"A mail exchange or MX record is a DNS record that indicates the address of the mail server that should receive mail for a domain. If ownership of that domain lapses, attackers may be able to gain control of the specified domain, and thereby gain control of its mailbox.","recommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. 
If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover.","knownExploitedVulnCount":0,"checkID":"dangling_mx_record","category":"dns","controlCheckID":"IM.DS.PM.PA","passTitle":"No unregistered MX records detected","passDescription":"No unregistered MX records that could lead to receiving mail on behalf of the target organization were detected.","passGroupDescription":"No applicable sites had unregistered domains in their MX records.","failTitle":"MX record with unregistered domain detected","failDescription":"This domain contains DNS MX records that point to an expired or unregistered domain. A bad actor could register the domain and receive mail on behalf of the target organization.","remediation":"Review the DNS records and remove all expired and unregistered MX records.","issue":"This domain contains DNS MX records that point to an expired or unregistered domain. A bad actor could register the domain and receive mail on behalf of the target organization.","recommendation":"Review the DNS records and remove all expired and unregistered MX records.","defaultSeverity":4,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"The address specified as the mailbox in the MX record for this domain is unregistered, allowing an attacker to register that domain and gain control of this domain's mailbox.","RiskDetails":"A mail exchange or MX record is a DNS record that indicates the address of the mail server that should receive mail for a domain. If ownership of that domain lapses, attackers may be able to gain control of the specified domain, and thereby gain control of its mailbox.","RecommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. 
Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover."}],"email_sec_v2":[{"id":"spf_enabled","pass":true,"meta":"v=spf1 a mx include:_spf.google.com ~all","vendorOnly":false,"expected":[{"property":"DNS > SPF","value":"v=spf1..."}],"actual":[{"property":"DNS > SPF","value":"v=spf1 a mx include:_spf.google.com ~all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF enabled","description":"Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"When enabled, SPF (Sender Policy Framework) prevents fraudulent emails from being sent by unauthorized domains or IP addresses, which helps to stop spoofing and phishing attacks.","riskDetails":"Emails from unauthorized domains or IP addresses can be sent to employees or customers. These emails could contain malicious links, attachments, or fake domains that can trick employees into providing sensitive information or downloading malware.","recommendedRemediation":"To remediate this risk, add SPF authentication on all email-enabled domains. This can be done by creating a DNS TXT record that specifies which IP addresses are authorized to send emails from that domain.","knownExploitedVulnCount":0,"checkID":"spf_enabled","category":"email","controlCheckID":"IM.ES.EA.PA","passTitle":"SPF enabled","passDescription":"Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) enabled. 
This prevents spammers from sending messages with forged addresses.","failTitle":"SPF not enabled","failDescription":"Sender Policy Framework (SPF) record is not present. This may allow spammers to send messages with forged addresses using this domain. The DNS record for the domain should be modified to include an SPF record.","remediation":"Add SPF record.","issue":"Impacted domains do not have a Sender Policy Framework (SPF) record. This allows spammers to send messages with forged addresses using the domain, which greatly improves phishing and other social engineering-based attacks.","recommendation":"To implement SPF, the domain owner will need to add a DNS TXT record that lists the IP addresses authorized to send emails on behalf of their domain. Each domain can have a maximum of one SPF record, defined as a TXT or SPF record type.","defaultSeverity":4,"categoryTotalCost":9,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"When enabled, SPF (Sender Policy Framework) prevents fraudulent emails from being sent by unauthorized domains or IP addresses, which helps to stop spoofing and phishing attacks.","RiskDetails":"Emails from unauthorized domains or IP addresses can be sent to employees or customers. These emails could contain malicious links, attachments, or fake domains that can trick employees into providing sensitive information or downloading malware.","RecommendedRemediation":"To remediate this risk, add SPF authentication on all email-enabled domains. 
This can be done by creating a DNS TXT record that specifies which IP addresses are authorized to send emails from that domain."},{"id":"spf_syntax_check","pass":true,"meta":"passes simple syntax check","vendorOnly":false,"expected":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"actual":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"severity":3,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF syntax correct","description":"Sender Policy Framework (SPF) record passes basic syntax checks.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","riskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","recommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. 
Update the record if changes are made to your email infrastructure.","knownExploitedVulnCount":0,"checkID":"spf_syntax_check","category":"email","controlCheckID":"IM.ES.EA.UQ","passTitle":"SPF syntax correct","passDescription":"Sender Policy Framework (SPF) record passes basic syntax checks.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) records that pass a basic syntax check.","failTitle":"SPF syntax error","failDescription":"Sender Policy Framework (SPF) record fails a basic syntax check. Records with syntax errors result in the protection mechanisms associated with SPF not being enforced. To be properly protected the SPF record syntax errors should be corrected.","remediation":"Fix SPF record syntax.","issue":"Impacted domains have a Sender Policy Framework (SPF) record that has failed a basic syntax check.  Records with syntax errors result in the protection mechanisms associated with SPF not being enforced.","recommendation":"To be properly protected the SPF record syntax errors should be corrected. SPF records always start with the v= element. This indicates the SPF version that is used. One or more terms will follow the version indicator. These define the rules for which hosts are allowed to send mail from the domain, or provide additional information for processing the SPF record.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. 
An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","RiskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","RecommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. Update the record if changes are made to your email infrastructure."},{"id":"spf_ptr_mechanism","pass":true,"meta":"SPF record does not contain a ptr mechanism","vendorOnly":false,"expected":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"actual":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"severity":2,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF ptr mechanism not used","description":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. 
The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","riskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","recommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain.","knownExploitedVulnCount":0,"checkID":"spf_ptr_mechanism","category":"email","controlCheckID":"IM.ES.EA.VG","passTitle":"SPF ptr mechanism not used","passDescription":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","passGroupDescription":"All applicable sites that have an SPF record do not include the ptr mechanism.","failTitle":"SPF ptr mechanism used","failDescription":"Sender Policy Framework (SPF) record contains the ptr mechanism. This mechanism is intended to be used temporarily to check that a domain resolves to itself via a known IP address. 
This should not be used permanently as it puts unnecessary burden on DNS servers and some mail checkers may drop the SPF record if this mechanism is found.","remediation":"Remove ptr mechanism from SPF record.","issue":"The impacted domains have Sender Policy Framework (SPF) records that contain the 'ptr' mechanism. This mechanism is intended to be used temporarily to check that a domain resolves itself via a known IP address. This should not be used permanently as it puts unnecessary burden on DNS servers and some mail servers may drop the SPF record.","recommendation":"The domain owner should remove the ‘ptr’ from all SPF records to ensure that mail servers do not drop the SPF records associated with the domain.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","RiskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","RecommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. 
This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain."}],"ip_domain_reputation":[{"id":"botnet_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 30 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_active","category":"malware","controlCheckID":"IM.IP.MA.KA","passTitle":"No reports of botnet activity in the last 30 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 30 days.","failTitle":"Suspected of botnet activity","failDescription":"This IP/domain has been reported as a source of botnet activity in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 30 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_active","category":"malware","controlCheckID":"IM.IP.MA.VG","passTitle":"No reports of brute force login attempts in the last 30 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","failTitle":"Suspected of brute force login attempt","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 30 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 30 days","description":"This IP/domain has been reported for distributing malware in the last 30 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_active","category":"malware","controlCheckID":"IM.IP.MA.KW","passTitle":"No reports of malware distribution in the last 30 days","passDescription":"This IP/domain has been reported for distributing malware in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 30 days.","failTitle":"Suspected of distributing malware","failDescription":"This IP/domain has been reported for distributing malware in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 30 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_active","category":"malware","controlCheckID":"IM.IP.MA.XG","passTitle":"No reports of unsolicited scanning in the last 30 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 30 days.","failTitle":"Suspected of unsolicited scanning","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 30 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 30 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"phishing_site_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 30 days","description":"This IP/domain has not been reported as a phishing site in the last 30 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_active","category":"malware","controlCheckID":"IM.IP.MA.EA","passTitle":"No reports of phishing activity in the last 30 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 30 days.","failTitle":"Suspected phishing site","failDescription":"This IP/domain has been reported as a phishing site in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 30 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"botnet_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 90 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_inactive","category":"malware","controlCheckID":"IM.IP.MA.TG","passTitle":"No reports of botnet activity in the last 90 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 90 days.","failTitle":"Suspected of botnet activity in last 90 days","failDescription":"This IP/domain appeared on a list of IPs and domains known as source botnet activity in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. 
That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 90 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaininig initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_inactive","category":"malware","controlCheckID":"IM.IP.MA.DQ","passTitle":"No reports of brute force login attempts in the last 90 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","failTitle":"Suspected of brute force login attempt in the last 90 days","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 90 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaininig initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 90 days","description":"This IP/domain has been reported for distributing malware in the last 90 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_inactive","category":"malware","controlCheckID":"IM.IP.MA.QG","passTitle":"No reports of malware distribution in the last 90 days","passDescription":"This IP/domain has been reported for distributing malware in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 90 days.","failTitle":"Suspected of distributing malware in last 90 days","failDescription":"This IP/domain has been reported for distributing malware in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 90 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_inactive","category":"malware","controlCheckID":"IM.IP.MA.AA","passTitle":"No reports of unsolicited scanning in the last 90 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 90 days.","failTitle":"Suspected of unsolicited scanning in last 90 days","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 90 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 90 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed on the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"phishing_site_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 90 days","description":"This IP/domain has not been reported as a phishing site in the last 90 days.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_inactive","category":"malware","controlCheckID":"IM.IP.MA.LG","passTitle":"No reports of phishing activity in the last 90 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 90 days.","failTitle":"Suspected phishing site in last 90 days","failDescription":"This IP/domain has been reported as a phishing site in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 90 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. 
Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. If the host is behaving as expected, contact the blocklist owner to have the host removed."}],"network_sec_v2":[{"id":"open_port","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"actual":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"severity":3,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"No ports are open","description":"No open ports were detected.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0}]},"failed":{"email_sec_v2":[{"id":"dmarc_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNS > DMARC","value":"v=DMARC1; p=reject; ..."}],"actual":[{"property":"DNS > DMARC","value":"[not set]"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"DMARC policy not found","description":"DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":"2019-01-24T01:14:47.526Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. 
If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","riskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","recommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy.","knownExploitedVulnCount":0,"checkID":"dmarc_enabled","category":"email","controlCheckID":"IM.ES.EA.DQ","passTitle":"DMARC policy exists","passDescription":"DMARC protects against fraudulent emails being sent from a domain.","passGroupDescription":"All applicable sites have a DMARC policy deployed.","failTitle":"DMARC policy not found","failDescription":"DMARC policy was not found. 
This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","remediation":"Add DMARC record.","issue":"We didn't find a DMARC policy associated with some domains. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise (BEC) attacks, phishing emails, email scams and other email threats.","recommendation":"The domain owner needs to add a DMARC policy to these domains. This will provide a mechanism to authenticate the domain in the From header based on their SPF and DKIM records.","defaultSeverity":4,"categoryTotalCost":7,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","RiskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. 
DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","RecommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy."},{"id":"spf_filter_check_soft","pass":false,"meta":"contains ~all","vendorOnly":false,"expected":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"actual":[{"property":"DNS > SPF > Filter","value":"contains ~all"}],"severity":2,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF policy uses ~all","description":"Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should preferably not use the ~all mechanism, as this does not instruct the mail receiver to reject messages from unauthorised sources. When DMARC is not being enforced, -all should be used on the SPF record.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":"2019-06-03T02:35:41.29008Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. 
When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. The ~all mechanism, or \"soft fail,\" is an instruction in an SPF record that mail sent from unauthorized senders should be delivered to the recipient's spam folder.","riskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. The soft fail ~all mechanism helps prevent email-based attacks by marking mail sent from unauthorized senders as suspicious. These messages are still delivered, however, and can still be leveraged by attackers. The soft fail mechanism can be useful during testing of changes to the mail system but should be configured to the hard fail -all mechanism to prevent delivery.","recommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain, and to prevent delivery of mail sent from other senders. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"~all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems, preventing any delivery of unauthorized mail.","knownExploitedVulnCount":0,"checkID":"spf_filter_check_soft","category":"email","controlCheckID":"IM.ES.EA.AA","passTitle":"Strict SPF filtering - not using ~all","passDescription":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","passGroupDescription":"All applicable sites have a strict Sender Policy Framework (SPF) record.","failTitle":"SPF policy uses ~all","failDescription":"Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. 
This record should preferably not use the ~all mechanism, as this does not instruct the mail receiver to reject messages from unauthorised sources. When DMARC is not being enforced, -all should be used on the SPF record.","remediation":"Use '-all' in SPF record.","issue":"We've identified domains with Sender Policy Framework (SPF) records that are too permissive (~all). This could result in fraudulent email being sent on the domain's behalf.","recommendation":"Change the SPF records associated with these domains and remove the ~all mechanism, as it does not instruct the mail receiver to reject messages from unauthorized sources. When DMARC is not being enforced, we suggest using '-all' on SPF records.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. The ~all mechanism, or \"soft fail,\" is an instruction in an SPF record that mail sent from unauthorized senders should be delivered to the recipient's spam folder.","RiskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. The soft fail ~all mechanism helps prevent email-based attacks by marking mail sent from unauthorized senders as suspicious. These messages are still delivered, however, and can still be leveraged by attackers. The soft fail mechanism can be useful during testing of changes to the mail system but should be configured to the hard fail -all mechanism to prevent delivery.","RecommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain, and to prevent delivery of mail sent from other senders. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"~all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems, preventing any delivery of unauthorized mail."}],"dns":[{"id":"dnssec_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNSSEC enabled","value":"true"}],"actual":[{"property":"DNSSEC enabled","value":"false"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"network_sec","title":"DNSSEC not enabled","description":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","checkedAt":"2026-04-14T20:04:02.820504Z","dateDetected":"2019-01-24T01:14:47.526Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","riskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. 
This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","recommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play.","knownExploitedVulnCount":0,"checkID":"dnssec_enabled","category":"dns","controlCheckID":"IM.DS.DA.PA","passTitle":"DNSSEC enabled","passDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity.","passGroupDescription":"All applicable sites have DNSSEC enabled.","failTitle":"DNSSEC not enabled","failDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","remediation":"Configure DNSSEC for domain.","issue":"We've detected that DNSSEC is missing from some domains. DNSSEC provides DNS resolvers origin authentication of DNS data, authenticated denial of existence and data integrity but not availability or confidentiality.","recommendation":"The domain owner should turn on DNSSEC for all domains. This can generally be done at their domain name registrar.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.2"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. 
DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","RiskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","RecommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play."}]},"cstarScore":855,"publicScore":558,"vendorName":"Hacktive","name":"Hacktive","display_name":"Hacktive","vendorId":4976283235844096,"business":{"employees":5},"address":{"city":"Sydney","state":"NSW","country":"Australia","countryCode":"AU"},"ceo":{},"primaryHostname":"hacktive.io"}
