Posted on

Windows 11? Is Redmond Crazy?

Folks have gotten used to Windows 10. Now Microsoft is pulling out the rug with a new version of Windows. When I heard of Windows 11, my first thought was that the disbanded Vista product team had staged an armed coup in Bill Gates’ old office and regained control of Windows. I haven’t installed Windows 11, although grandson Christopher has. He doesn’t like it.

I think Microsoft has something cooking in Windows 11.

Microsoft releases

New releases of Windows are always fraught. Actually, new releases of anything from Microsoft get loads of pushback. Ribbon menu anxiety in Office, the endless handwringing over start menus moving and disappearing in Windows. Buggy releases. It goes on and on.

Having released a few products myself, I sympathize with Microsoft.

Developers versus users

A typical IT system administrator says “Change is evil. What’s not broke, don’t fix. If I can live with a product, it’s not broke.” Most computer users think the same way: “I’ve learned to work with your run down, buggy product. Now, I’m busy working. Quit bothering me.”

Those positions are understandable, but designers and builders see products differently. They continuously scrutinize customers using a product, and then ask how it might work more effectively, what users might want to do that they can’t, how they could become more productive and add new tasks and ways of working to their repertoire.

Designers and builders also are attentive to advances in technology. In computing, we’ve seen yearly near-doubling of available computing resources, instruction execution capacity, storage volume, and network bandwidth. In a word, speed. 2021’s smartphones dwarf super computers from the era when Windows, and its predecessor, DOS, were invented.

No one ever likes a new release

At its birth, Windows was condemned as a flashy eye candy that required then expensive bit-mapped displays and sapped performance with intensive graphics processing. In other words, Windows was a productivity killer and an all-round horrible idea, especially to virtuoso users who had laboriously internalized all the command line tricks of text interfaces. Some developers, including me, for some tasks, still prefer a DOS-like command line to a graphic interface like Windows.

However, Windows, and other graphic interfaces such as X on Unix/Linux, were rapidly adopted as bit-mapped displays proliferated and processing power rose. Today, character-based command line interface are almost always simulated in a graphical interface when paleolithic relics like me use them. Pure character interfaces still are around, but mostly in the tiny LCD screens on printers and kitchen appliances.

Designers and builders envisioned the benefits from newly available hardware and computing capacity and pushed the rest of us forward.

Success comes from building for the future, not doubling down on the past. But until folks share in the vision, they think progress is a step backwards.

Is the Windows 11 start menu a fiasco? Could be. No development team gets everything right, but I’ll give Windows 11 a spin and try not to be prejudiced by my habits.

Weird Windows 11 requirements

Something more is going on with Windows 11. Microsoft is placing hardware requirements on Windows 11 that will prevent a large share of existing Windows 10 installations from upgrading. I always expect to be nudged toward upgraded hardware. Customers who buy new hardware expect to benefit from newer more powerful devices. Requirements to support legacy hardware are an obstacle to exploiting new hardware. Eventually, you have to turn your back on old hardware and move on, leaving some irate customers behind. No developer likes to do this, but eventually, they must or the competition eats them alive.

Microsoft forces Windows 11 installations to be more secure by requiring a higher level of Trusted Platform Module (TPM) support. A TPM is microcontroller that supports several cryptographic security functions that help verify that users and computers are what they appear to be and are not spoofed or tampered with. TPMs are usually implemented as a small physical chip, although they can be implemented virtually with software. Requiring high level TPM support makes sense in our increasing cybersecurity compromised world.

But the Windows 11 requirements seem extreme. As I type this, I am using a ten-year-old laptop running Windows 10. For researching and writing, it’s more than adequate, but it does not meet Microsoft’s stated requirements for Windows 11. I’m disgruntled and I’m not unique in this opinion. Our grandson Christopher has figured out a way to install Windows 11 on some legacy hardware, which is impressive, but way beyond most users and Microsoft could easily cut off this route.

I have an idea where Redmond is going with this. It may be surprising.

Today, the biggest and most general technical step forward in computing is the near universal availability of high capacity network communications channels. Universal high bandwidth Internet access became a widely accepted national necessity when work went online through the pandemic. High capacity 5G cellular wireless network are beginning to roll out. (What passes for 5G now is far beneath the full 5G capacity we will see in the future.) Low earth orbit satellite networks promise to link isolated areas to the network. Ever faster Wi-Fi local area networks offer connectivity anywhere.

This is not fully real. Yet. But it’s close enough that designers and developers must assume it is already present, just like we had to assume bit-mapped displays were everywhere while they were still luxuries.

What does ubiquitous high bandwidth connection mean for the future? More streaming movies? Doubtless, but that’s not news: neighborhood Blockbuster Video stores are already closed.

Thinking it through

In a few years, every computer will have a reliable, high capacity connection to the network. All the time. Phones are already close. In a few years, the connection will be both faster and more reliable than today. That includes every desktop, laptop, tablet, phone, home appliance, vehicle, industrial machine, lamp post, traffic light, and sewer sluice gate. The network will also be populated with computing centers with capacities that will dwarf the already gargantuan capacities available today. Your front door latch may already have access to more data and computing capacity than all of IBM and NASA in 1980.

At the same time, ransomware and other cybercrimes are sucking the life blood from business and threatening national security.

Microsoft lost the war for the smartphone to Google and Apple. How will Windows fit in the hyperconnected world of 2025? Will it even exist? What does Satya Nadella think about when he wakes late in the night?

Windows business plan

The Windows operating system (OS) business plan is already a hold out from the past. IBM, practically the inventor of the operating system, de-emphasized building and selling OSs decades ago. Digital Equipment, DEC, a stellar OS builder, is gone, sunk into HP. Sun Microsystems, another OS innovator, is buried in the murky depths of Oracle. Apple’s operating system is built on Free BSD, an open source Unix variant. Google’s Android is a Linux. Why have all these companies gotten out of or never entered the proprietary OS development business?

Corporate economics

The answer is simple corporate economics: there’s no money in it. Whoa! you say. Microsoft made tons of money off its flagship product, Windows. The key word is “made” not “makes.” Making money building and selling operating systems was a money machine for Gates and company back in the day, but no longer. Twenty years ago, when Windows ruled, the only competing consumer OS was Apple, which was a niche product in education and some creative sectors. Microsoft pwned the personal desktop in homes and businesses. Every non-Apple computer was another kick to the Microsoft bottom line. No longer. Now, Microsoft’s Windows division has to struggle on many fronts.

Open source OSs— Android, Apple’s BSD, and the many flavors of Linux— are all fully competitive in ease of installation and use. They weren’t in 2000. Now, they are slick, polished systems with features comparable to Windows.

To stay on top, Windows has to out-perform, out-feature, and out secure these formidable competitors. In addition, unlike Apple, part of the Windows business plan is to run on generic hardware. Developing on hardware you don’t control is difficult. The burden of coding to and testing on varying equipment is horrendous. Microsoft can make rules that the hardware is supposed to follow, but in the end, if Windows does not shine on Lenovo, HP, Dell, Acer, and Asus, the Windows business plunges into arctic winter.

With all that, Microsoft is at another tremendous disadvantage. It relies on in house developers cutting proprietary code to advance Windows. Microsoft’s competitors rely on foundations that coordinate independent contributors to opensource code bases. Many of these contributors are on the payrolls of big outfits like IBM, Google, Apple, Oracle, and Facebook.

Rough times

Effectively, these dogs are ganging up on Microsoft. Through the foundations— Linux, Apache, Eclipse, etc.—these corporations cooperate to build basic utilities, like the Linux OS, instead of building them for themselves. This saves a ton of development costs. And, since the code is controlled by the foundation in which they own a stake, they don’t have to worry about a competitor pulling the rug out from under them.

Certainly, many altruistic independent developers contribute to opensource code, but not a line they write gets into key utilities without the scrutiny of the big dogs. From some angles, the opensource foundations are the biggest monopolies in the tech industry. And Windows is out in the cold.

What will Microsoft do? I have no knowledge, but I have a good guess that Microsoft is contemplating a tectonic shift.

Windows will be transformed into a service.

Nope, you say. They’ve tried that. I disagree. I read an article the other day declaring Windows 11 to be the end of Windows As A Service, something that Windows 10 was supposed to be, but failed because Windows 11 is projected for yearly instead of biannual or more frequent updates. Windows 11 has annoyed a lot of early adopters and requires hardware upgrades that a lot of people think are unnecessary. What’s going on?

Windows 10 as a service

The whole idea of Windows 10 as a service was lame. Windows 10 was (and is) an operating system installed on a customer’s box, running on the customer’s processor. The customer retains control of the hardware infrastructure. Microsoft took some additional responsibility for software maintenance with monthly patches, cumulative patches, and regular drops of new features, but that is nowhere near what I call a service.

When I installed Windows 10 on my ancient T410 ThinkPad, I remained responsible for installing applications and adding or removing memory and storage. If I wanted, I could rename the Program Files directory to Slagheap and reconfigure the system to make it work. I moved the Windows system directory to an SSD for a faster boot. And I hit the power switch whenever I feel like it.

Those features may be good or bad.

As a computer and software engineer by choice, I enjoy fiddling with and controlling my own device. Some of the time. My partner Rebecca can tell you what I am like when a machine goes south while I’m on a project that I am hurrying to complete with no time for troubleshooting and fixing. Or my mood when I tried to install a new app six months after I had forgotten the late and sporty night when I renamed the Program Files directory to Slagheap.

At times like those, I wish I had a remote desktop setup, like we had in the antediluvian age when users had dumb terminals on their desks and logged into a multi-user computer like a DEC VAX. A dumb terminal was little more than a remote keyboard with a screen that showed keystrokes as they were entered interlaced with a text stream from the central computer. The old systems had many limitations, but a clear virtue: a user at a terminal was only responsible for what they entered. The sysadmin took care of everything else. Performance, security, backups, and configuration, in theory at least, were system problems, not user concerns.

Twenty-first century

Fast forward to the mid twenty-first century. The modern equivalent of the old multi-user computer is a user with a virtual computer desktop service running in a data center in the cloud, a common set up for remote workers that works remarkably well. For a user, it looks and feels like a personal desktop, except it exists in a data center, not on a private local device. All data and configuration (the way a computer is set up) is stored in the cloud. An employee can access his remote desktop from practically any computing device attached to the network, if they can prove their identity. After they log on, they have access to all their files, documents, processes, and other resources in the state they left them, or in the case of an ongoing process, in the state their process has attained.

What’s a desktop service

From the employees point of view, they can switch devices with abandon. Start working at your kitchen table with a laptop, log out in the midst of composing a document without bothering to save. Not saving is a little risky, but virtual desktops run in data centers where events that might lose a document are much rarer than tripping on a cord, spilling a can of Coke, or the puppy doing the unmentionable at home. In data centers, whole teams of big heads scramble to find ways to shave off a minute of down time a month.

Grab a tablet and head to the barbershop. Continue working on that same document in the state you left it instead of thumbing through old Playboys or Cosmos. Pick up again in the kitchen at home with fancy hair.

Security

Cyber security officers have nightmares about employees storing sensitive information on personal devices that fall into the hands of a competitor or hacker. Employees are easily prohibited from saving anything from their virtual desktop to the local machine where they are working. With reliable and fast network connections everywhere, employees have no reason to save anything privately.

Nor do security officers need to worry about patching vulnerabilities on employee gear. As long as the employee’s credentials are not stored on the employee’s device, which is relatively easy to prevent, there is nothing for a hacker to steal.

The downside

What’s the downside? The network. You have to be connected to work and you don’t want to see swirlies when you are in the middle of something important while data is buffering and rerouted somewhere north of nowhere.

However. All the tea leaves say those issues are on the way to becoming as isolated as the character interface on your electric teapot.

The industry is responding to the notion of Windows as a desktop service. See Windows 365 and a more optimistic take on Win365.

Now think about this for a moment: why not a personal Windows virtual desktop? Would that not solve a ton of problems for Microsoft? With complete control of the Windows operating environment, their testing is greatly simplified. A virtual desktop local client approaches the simplicity of a dumb terminal and could run on embarrassingly modest hardware. Security soars. A process running in a secured data center is not easy to hack. The big hacks of recent months have all been on lackadaisically secured corporate systems, not data centers.

It also solves a problem for me. Do I have to replace my ancient, but beloved, T410? No, provided Microsoft prices personal Windows 365 reasonably, I can switch to Windows 365 and continue on my good old favorite device.

Marv’s note: I made a few tweeks to the post based on Steve Stroh’s comment.

Posted on

More on Colonial Pipeline Ransomware

Yesterday, I predicted that slugging taxpayers in the wallet would inspire some action against cybercrime. I may have been right.

Score 1 far Colonial Pipeline’s competent IT department, rotten tomatoes to the management team that decided to knuckle under.

First, Bloomberg reported that the ransom had been paid, but the decryption tool, which was bought with a nearly $5 million ransom, was slower than restoring the system from backups. Score 1 far Colonial Pipeline’s competent IT department, rotten tomatoes to the management team that decided to knuckle under.

I must note that Bloomberg’s statement that the backups were faster has not been confirmed that I can find in other sources. Bloomberg has argued that paying ransomware pirates is bad policy. I agree.

Paying ransoms encourages criminals to go back for more. Recovering from backups is often cheaper and more effective.

A well-prepared IT department that encourages good security practices, like strong passwords and phishing awareness, is stronger enterprise protection than funds set aside to pay ransoms.

Think about this: after the ransom is paid, what incentive does a hacker have to develop a quick and efficient tool to reverse the damage? I expect hacking shops have a quality assurance program as good as any development shop for the shut down side of the business, but I’ll also bet that untested code straight from a developer’s desk is good enough for a recovery tool. That buggy recovery tool is what the ransom pays for. Doesn’t sound like a good deal to me.

Solid basic IT administration is based on disaster preparedness. A well-prepared IT department that encourages good security practices, like strong passwords and phishing awareness, is stronger enterprise protection than funds set aside to pay ransoms.

“We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

President Joe Biden, remarks on pipeline incident, 5/13/21

The news I found most interesting came from Bruce Krebs (no connection with the former homeland security cybersecurity policy director, Christopher Krebs.) Krebs was not the only source of the information, but he gathered up the reports from several sources.

Apparently, DarkSide, the outfit behind the Colonial hack, has been closed. The story is a bit confused yet, but it starts with DarkSide posting on their site or the dark web that they will be nicer in the future. Right. Not long after, their bitcoin account was emptied and several of their servers were shut down, effectively putting them out of business.

Who shut DarkSide down is not clear. They may have done it themselves out of fear of government reprisals. Or the shutdown may have been a government reprisal. If it was a reprisal, previously unknown techniques were used.

We will have to wait to find out. However, I note this line in President Biden’s remarks Thursday on the incident: “We’re also going to pursue a measure to disrupt their ability to operate.  And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

If the shutdown of DarkSide was in fact the result of U.S. Department of Justice actions, we are finally seeing a serious federal response to cybercrime.

Posted on

Serious Ransomware: Colonial Pipeline

Last Friday, Colonial Pipeline, the operator of the largest petroleum pipeline between Texas and New Jersey, was struck with ransomware. Today, U.S. gasoline prices are the highest since 2016 and pumps are empty on the east coast; a direct consequence of the hack.

If you have followed my posts on ransomware and cybersecurity in general, you know that I rant on the dangerous condition of industrial cybersecurity in the U.S. Maybe Cassandras like me will get some attention now that disregard for cybersecurity has slugged the average taxpayer in the wallet.

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses.

Colonial Pipeline

Colonial says they will be back in operation by the end of the week. We will see. The average ransomware recovery time is over 15 days, which predicts another week of disruption. Time to recover depends on a number of things. The size of the enterprise matters; the more complex and extended the system, the longer it takes to bring the system back. Recovery also depends on how prepared Colonial’s IT team is for a ransomware attack. I notice the Dow is dropping today, probably due to gas shortage jitters, which suggests that the smart guys on Wall Street are not confident of a quick recovery from Colonial.

Colonial is big and complex. It is not clear whether Colonial’s pipeline supervisory control and data acquisition (SCADA) was penetrated by the hack, but the pipeline was forced to shut down, which suggests the attack went beyond the usual accounting and HR systems.

Here in Whatcom County, we had some experience with a pipeline SCADA failure in 1999 when 200,000 gallons of gasoline flowed into Whatcom Creek and caught fire. A fisherman and two boys playing along the creek died. Property damage was at least $45 million. The direct cause was accidental damage to the pipe from excavation years earlier, but National Transportation Board investigation concluded that the spill could have been prevented if the SCADA had functioned properly. There were clues that the SCADA system had been hacked, but not enough evidence to be certain. (I discuss SCADA vulnerabilities in some detail in my book, Personal Cybersecurity.)

DarkSide

The FBI reports that the attack came from a Russian group called DarkSide. The group is not known to be directly affiliated with the Russian government, but the government turns a blind eye to DarkSide attacks on non-Russian interests. Effectively, DarkSide operates like a 18th century privateer on the high seas marauding foreign shipping with royal protection. The DarkSide group offers ransomware software for use by others. Who else may be involved has not been reported.

Who’s to blame?

Blaming Colonial for the breach may come easy. My personal experience with industrial cybersecurity is not good. Industries with high fences and tight physical security, like energy corporations, are often dismissive of cybersecurity threats, preferring to rely on their raw physical defenses. Colonial may be the exception, but I’m reminded of the recent SolarWinds hack that was the result of a totally avoidable bonehead password mistake. If something similar emerges, Colonial’s IT department will be roasted on a spit.

Nevertheless, I am sympathetic. Colonial Pipeline and many other ransomware victims are being attacked with the aid of a foreign government. Of course they bear some responsibility for their own security, but when a foreign government attacks, they should reasonably expect that government resources will lead the defense.

If a refinery were threatened by incoming ballistic missiles from North Korea, we would look to the Department of Defense to deflect the attack. We would see the missiles as an attack on our nation. Would anyone fault a corporation for building a refinery without an anti-missile defense system? They would be in trouble if they tried!

When the Space Force was established, I didn’t sleep any sounder, but I know my nights will be better when U.S. cyber defense policies are as coherently and vigorously executed as our conventional defenses. Today, responsibility for cyber defense is divided between the Department of Defense, Homeland Security, and other agencies, including the National Institute of Standards and Technology (NIST) in the Department of Commerce.

How we lose

This is the way to lose. Ransomware is just one manifestation of the ways in which nations are attacking on the cyber front. North Korea steals cash. China steals intellectual property on covid-19. Russia disrupts pipelines. These are existential threats. A disconnected defense is suicide by disorganization.

Posted on

Detecting Bogus Email

I’ve noticed from the flood of complaints in the news, on social media, and talking to friends, that dangerous email is worse than ever. The pandemic has shifted the bad hackers into high gear. I can help stem the flood.

I don’t have a special talent, only a suspicious character and a bit of technical knowledge.

I may be struck down for this hubris, but I’ve never been tricked by a bogus email, even though I’ve sent and received email almost from the day it was invented. I don’t have a special talent, only a suspicious character and a bit of technical knowledge. I’ve evolved some robust techniques for weeding out the bad emails.

I’m not talking about spam. Spam is unrequested commercial email, which is annoying, but not vicious. I’ll even admit that a few times, I’ve welcomed a spam message that brought me something new. The stuff I’m concerned with today is fraudulent and malicious email that is intended to do harm rather than legitimately sell a product or service you don’t want.

These emails are often called “phishing,” a term that is a little too cute for a farm boy who shoveled chicken droppings every Saturday morning until he left the farm for college.

Email is convenient. I remember when we had only a few choices for communicating: go to see the person, call them on the telephone, or send them a letter. Each method was useful, charming, and pestilential at times, sometimes all at once. I gripe about my overflowing email inbox but clicking away the chaff is a lark compared to a line up at my desk or a phone ringing constantly. Writing letters was, and still is, an art, but it’s called snail mail for a reason. As annoying as it can be, and handy as Slack and other messaging style services are, email is still a communications workhorse.

Mail, telephone, and in-person fraud, harassment, and other scatter-shot deviltry abounded long before email. The worst of us never tire of devising new mischief to soil other peoples’ lives, but the rest of us have developed instincts, habits, customs, and laws that civilize our lives and tamp down the shenanigans that plague us.

Here, I’ll explain how I keep up with the email crooks.

However, instincts, habits, customs, and laws have not kept up with electronic innovation. Here, I’ll explain how I keep up with the email crooks.

I have a series of steps I go through with email. I divide the process into three phases: suspicion, confirmation, and reaction.

Suspicion

Do I expect this email? Do I know the sender?

If it’s Tuesday and I always get an email from my friend Peter on Tuesday, I feel safe reading it. Actually, at least half of my inbox is expected email from known senders. Faking a phone call or handwritten letter is more difficult than faking an email because voices and handwriting are laden with familiar clues to identity, but faking an email from a friend, outside of spy fiction, is still extremely difficult. Trust your intuition, it’s more powerful than you may think. If something feels off, check it out.

However, intuition breaks down as relationships get more remote, especially in impersonal business email, but you have a great advantage: criminals are seldom as fastidious as legitimate email users. They’re in it for easy money and they usually don’t care about the impression they make or attracting return customers.

As a consequence, they don’t pay proofreaders and formatting professionals to ensure that their emails are perfect. Few businesses will send out emails with misspellings or sloppy formatting, but criminals often do. At best, they will copy an existing piece of legitimate email and make a few changes. If you spot misspellings, grammatical errors, misalignment of type, uneven borders, colors that are not quite right, be suspicious.

Why was this email sent? What’s its point? Does the sender want me to do something? Is there money
involved?

Always be suspicious of any transaction you did not initiate. People and businesses are like slugs. They almost always react to stimulus from their friends and customers, but they seldom reach out unless they have something new to sell to you. Whenever there is money involved, be certain you understand exactly what the transaction is and why you are engaged in it.

Confirmation

If suspicion has set off alarm bells, check it out.

Uniform resource identifiers

Every savvy computer user should know a little about the Uniform Resource Identifiers, or URLs. Although URI is technically correct, everyone calls them URLs (Uniform Resource Locators.) Computing and network engineers have been evolving and improving the concept for over thirty years. They are a formal way of unambiguously naming almost anything and a key to computer based communication.

We are all familiar with them, whether we realize it or not. We all know web addresses like https://example.com. And email addresses like mailto://marv@marvinwaschke.com . Librarians know ISBN (International Standard Book Numbers). Even telephone numbers are now examples of naming systems that follow the URL standard.

Well. That’s fine for engineers and librarians, but what about ordinary users? Why should they know about URLs? Because knowing what a legitimate URL looks like often makes a fraud stand out like a black eye.

In another post, I’ve detailed reading URLs. Check out how here.

Recent hacker tricks

Lately, I’ve noticed that hackers have gotten very fancy with the characters in their URLs. I could indulge in a technical discussion of fonts versus character sets at this point, but I will simply say, look carefully at the characters in URLs. If I see an accent, squiggle, superscript, or an extra curlicue anywhere, I assume I am under criminal attack. Legitimate URLs and text avoid this. Hackers love it.

Circle back

Legitimate businesses have no problem confirming their enquiries. For example, if you get a question about your account with XYZ company, call their publicly listed number— not the one a hacker gives you— and ask for an explanation. You may be bounced from desk to desk and have to wait on hold, but eventually you will get an answer. Either a confirmation of a legitimate issue, or a statement that you can ignore the bogus email.

If XYZ is a company I would continue to deal with, the answer will be prompt, courteous, and helpful. If the process is difficult or the responses are impolite, I would look for an alternate for my future business. However, I always wade through to the end before accepting a hack. Personally, I will tolerate drek to deal with a situation, but I will take steps to avoid future drek.

Reaction

Two main routes can be used to report cybercrimes. I use both.

I am stubborn. I won’t knuckle under to cybercrime. When I am subjected to cyber assault, I report it and do my best to stop it. Frankly, with the state of cyber crime laws and enforcement, I don’t expect to see immediate results. I seldom anticipate that the criminal who assaulted me or my equipment will be punished, but I want to see cyber laws and enforcement strengthened. I hope international organizations will be formed or strengthened to punish or neutralize off-shore criminals. Nothing will change if crimes go unreported.

Two main routes can be used to report cybercrimes. I use both.

You can report crimes to law enforcement. I went into the details of reporting to local and federal law enforcement here. The Federal Trade Commission has a site for reporting identity theft and aids in recovery. They also have a site for reporting fraud.

Another way to report cybercrime is to report it to the organization that is affected. For example, if I received an email about Microsoft Office from m1crosoft.com (notice the “one” instead of an “i”), I would forward the message to phish@office365.microsoft.com . Many companies, especially tech-oriented companies, have facilities for reporting fraudulent emails. I use Google to find the proper procedure. American Express, as another example, requests fraudulent mail be forwarded to spoof@americanexpress.com.

Tedious, but worth it.

Our local, state, and federal governments and these companies all want to shut down the criminals. But they can’t unless we refuse to tolerate this form of crime and report it. Tedious, but worth it.