======================================================================
  VALLEY WIDE PLASTERING - BEC INVESTIGATION
  Date: 2026-03-05 15:50:52 UTC
======================================================================

[*] Acquiring access token...
[OK] Token acquired successfully

======================================================================
  STEP 1: ALL TENANT USERS
======================================================================
  [ENABLED] Accounts Payable | acctpay@valleywideplastering.com | ID: e70d7ec5-72f3-4b80-9614-e6bd5380b773 | Created: 2023-03-17T21:33:24Z
  [ENABLED] Adolfo Suarez | adolfos@valleywideplastering.com | ID: aff7fcb9-a0e6-4298-8abb-2f538aa95ac8 | Created: 2023-03-17T21:34:03Z
  [ENABLED] Billing Clerk | billing@valleywideplastering.com | ID: 4f708b80-e537-4f63-92d3-5feedfa28244 | Created: 2023-03-17T21:35:41Z
  [ENABLED] Toni | billing@valleywideplastering.onmicrosoft.com | ID: 9bf0abb0-b613-4e1d-ba4d-b4e51a69ca3f | Created: 2023-01-13T19:40:34Z
  [ENABLED] Brian | Brian@valleywideplastering.com | ID: 5555cf28-f669-40f2-8a87-7ef73861f2f7 | Created: 2024-08-23T16:30:32Z
  [ENABLED] Carlos Reyes | carlos@valleywideplastering.com | ID: 8709d6c8-48af-4b3c-acee-2f16bd60e3d8 | Created: 2023-03-17T21:36:05Z
  [ENABLED] Charlie Jones | charlie@valleywideplastering.com | ID: b494cc30-5fd5-446e-aa29-d6bc1c5df015 | Created: 2025-12-24T20:13:02Z
  [ENABLED] Chris Guerrero | chris@valleywideplastering.com | ID: 55464175-3426-448a-af92-a47ef64c5104 | Created: 2023-11-29T13:49:34Z
  [ENABLED] Customer Service | customerservice@valleywideplastering.com | ID: 85125767-037c-410e-bc79-ae6110eee8b4 | Created: 2023-03-17T21:36:34Z
  [ENABLED] Customer Service | customerservice@valleywideplastering.onmicrosoft.com | ID: 2dc7a257-f415-4f92-affa-a59fd51920fc | Created: 2023-01-30T18:32:45Z
  [ENABLED] Bart Graffin | estimating@valleywideplastering.com | ID: 115a1d25-ba9b-492d-b095-1b8f0207d0a5 | Created: 2023-03-17T21:35:18Z
  [ENABLED] Fax Inbox | faxinbox@valleywideplastering.com | ID: f19426ea-42df-40ab-a7b5-725a0a46e508 | Created: 2023-03-17T22:03:48Z
  [ENABLED] Fermin Matta | fermin@valleywideplastering.com | ID: 38c353d3-1667-463b-89ae-a9960175dbb3 | Created: 2025-12-24T20:16:00Z
  [ENABLED] Francisco Arias | franciscoa@valleywideplastering.com | ID: a90877f8-238d-478e-9c45-9090dfdba12f | Created: 2023-03-17T21:37:38Z
  [ENABLED] VWP Insurance | insurance@valleywideplastering.com | ID: 6d5ff148-9cb0-40ea-86b5-b725a0fbdcc8 | Created: 2024-08-14T14:27:41Z
  [ENABLED] Issac Chavez | isaacc@valleywideplastering.com | ID: af5519d2-d855-4b7b-8f57-85ee843f58ef | Created: 2023-03-17T21:38:40Z
  [ENABLED] JR Guerrero | j-r@valleywideplastering.com | ID: 0af923d0-48c5-4cc1-8553-c60625802815 | Created: 2023-03-17T21:51:35Z
  [ENABLED] Jaime Hernandez | jaimebh@valleywideplastering.com | ID: 16388457-2f1b-44d0-8fc6-a4343a779f80 | Created: 2023-03-17T21:39:14Z
  [ENABLED] Jesse Guerrero | jesse@valleywideplastering.com | ID: ac669421-ee6d-4ea3-a293-341cb93cb6fd | Created: 2023-03-17T21:39:40Z
  [ENABLED] JR Guerrero | jr@CASARICA.NET | ID: 330931be-21f2-41ca-872b-f883ebe4ec45 | Created: 2023-03-17T21:50:37Z
  [ENABLED] Juan Leal | juan@valleywideplastering.com | ID: 570d3e5c-515d-4bf5-bae6-2c9b816025fb | Created: 2023-03-17T21:52:04Z
  [ENABLED] Kayla Guerrero | kayla@valleywideplastering.com | ID: cf165bab-a876-4a8a-87b2-9a5a0de3cefe | Created: 2025-07-10T17:05:48Z
  [ENABLED] Orders VWP | orders@valleywideplastering.com | ID: 3739c527-f156-49b7-8779-a19033564a0f | Created: 2023-03-17T21:54:40Z
  [ENABLED] Payroll VWP | payroll@valleywideplastering.com | ID: 9671837f-eaf5-46aa-9677-dbed40f8517e | Created: 2023-03-17T21:55:29Z
  [ENABLED] Ron Winger | ron@valleywideplastering.com | ID: 779fc914-3053-47c2-b5b4-5696d4c40a2d | Created: 2024-10-17T23:22:37Z
  [ENABLED] Rose Guerrero | rose@valleywideplastering.com | ID: 8c1e798c-26d9-43aa-a129-573aad703e6f | Created: 2023-03-17T21:56:42Z
  [ENABLED] Ryan Guerrero | ryan@valleywideplastering.com | ID: f83d4a9e-e431-4e4f-ac4d-50bf10112e26 | Created: 2023-03-17T21:57:05Z
  [ENABLED] Sammy Montijo | sammy@valleywideplastering.com | ID: 690d7044-d0f5-44b7-9654-c39652de7973 | Created: 2023-03-17T21:57:49Z
  [ENABLED] Shelly Dooley | shelly@valleywideplastering.com | ID: da8f7037-450d-4631-8a9b-dace75772003 | Created: 2023-07-12T18:12:00Z
  [ENABLED] Spro VWP | spro@valleywideplastering.com | ID: 27e20a2c-3e79-45d8-8542-4f7e5f56003b | Created: 2023-03-17T21:58:52Z
  [ENABLED] Computer Guru | sysadmin@valleywideplastering.com | ID: 41810f2d-b674-47ee-9b6f-f3ba69a7703d | Created: 2024-05-10T18:26:04Z
  [ENABLED] Teresa Carpio | teresa@valleywideplastering.com | ID: 615d8ef9-e3cc-49a8-bd56-19921cafea4e | Created: 2023-03-17T21:59:28Z
  [ENABLED] Ty Fetters | Ty@CASARICA.NET | ID: 2e6e0a06-cb8a-4cc2-8870-9a87f202e635 | Created: 2023-03-17T22:01:54Z

[INFO] Exact match for 'jrguerrero' not found, searching by name...
  >>> TARGET USER FOUND: j-r@valleywideplastering.com (ID: 0af923d0-48c5-4cc1-8553-c60625802815)

======================================================================
  STEP 2: SIGN-IN LOGS (Last 14 Days)
======================================================================
  [WARNING] sign-ins v1.0: 
  [*] Trying beta endpoint...
  [WARNING] sign-ins beta: 
  No sign-in logs found (tenant may not have Azure AD P1/P2)

======================================================================
  STEP 3: RECENT SENT MAIL (Last 14 Days)
======================================================================
               2026-03-05T14:38:37Z | To: orders@valleywideplastering.com | Subject: RE: starlight - sunset farm
  [SUSPICIOUS] 2026-03-05T14:37:35Z | To: Pedro.Pagazani@umb.com, lauriemg943@gmail.com | Subject: RE: Account
               Preview: Pedro, I apologize I have not had a chance to stop by.  I will make time today.





From: Pagazani, Pedro <Pedro.Pagazani@umb.com>

Sent: Wednesday, 
               2026-03-04T21:06:31Z | To: orders@valleywideplastering.com | Subject: Re: starlight - sunset farm
               2026-03-04T21:04:59Z | To: Dan.Surek@Pulte.com | Subject: RE: Harvest lot 2724 [HAS ATTACHMENTS]
               2026-03-04T19:51:01Z | To: Dan.Surek@Pulte.com, Brian@valleywideplastering.com, customerservice@valleywideplastering.com | Subject: RE: Harvest lot 2724
               2026-03-04T19:21:33Z | To: billing@valleywideplastering.com, orders@valleywideplastering.com, teresa@valleywideplastering.com | Subject: RE: Stack
               2026-03-04T19:08:03Z | To: customerservice@valleywideplastering.com | Subject: RE: Harvest Lot 27-24
               2026-03-04T19:07:37Z | To: Dan.Surek@Pulte.com, Brian@valleywideplastering.com, customerservice@valleywideplastering.com | Subject: Harvest lot 2724
               2026-03-04T18:23:31Z | To: ccowley@senecaapi.com, fermin@valleywideplastering.com, carlos@valleywideplastering.com | Subject: RE: Drew Residence 
               2026-03-04T18:18:34Z | To: orders@valleywideplastering.com, teresa@valleywideplastering.com | Subject: FW: Legado West 4000
               2026-03-04T18:10:28Z | To: acctpay@valleywideplastering.com | Subject: FW: Pulte h.  Vistoso cayon lot 28 ( Jesus serna ( [HAS ATTACHMENTS]
               2026-03-04T18:06:19Z | To: jerry@cookarch.com, loon@cookarch.com | Subject: RE: FWD: RE: re[4]: FW: VW Plastering 257220
               2026-03-04T17:58:43Z | To: CamA@cameron-custom.com, fermin@valleywideplastering.com | Subject: RE: Dew Residence Mock Up (Exterior Scheme Expression)
  [SUSPICIOUS] 2026-03-04T17:49:05Z | To: mark@reliableglassaz.com, jr@CASARICA.NET, chris@valleywideplastering.com | Subject: RE: Office TI Estimate - Drawings Attached
               Preview: I have a 9am and it may run over an hour lets do10:30AM

Here at the location or your location.



JR



From: Mark Hoeffner <mark@reliableglassaz.co
               2026-03-04T16:17:37Z | To: franciscoa@valleywideplastering.com, teresa@valleywideplastering.com | Subject: HOUSES THAT WE ARE REDOING DUE TO CRACKS
               2026-03-04T13:23:16Z | To: acctpay@valleywideplastering.com | Subject: FW: Your Sunbelt Rental Statement [HAS ATTACHMENTS]
  [SUSPICIOUS] 2026-03-04T13:13:49Z | To: mark@reliableglassaz.com, chris@valleywideplastering.com | Subject: RE: Office TI Estimate - Drawings Attached
               Preview: Hi Mark what time on Thursday?



From: Mark Hoeffner <mark@reliableglassaz.com>

Sent: Tuesday, March 3, 2026 8:53 PM

To: Chris Guerrero <chris@vall
               2026-03-03T22:13:29Z | To: franciscoa@valleywideplastering.com | Subject: Re: Mattamy Homes Covena Pointe at Rocking K New Community Bid Invite - RFP - Please READ and RESPOND! 
               2026-03-03T18:44:01Z | To: billing@valleywideplastering.com | Subject: Fw: Mattamy Homes Covena Pointe at Rocking K New Community Bid Invite - RFP - Please READ and RESPOND! 
               2026-03-03T14:02:54Z | To: juan@valleywideplastering.com | Subject: Fw: 470 N. 56th st. Chandler AZ 85226
               2026-03-03T12:44:07Z | To: tkkossdevco@gmail.com | Subject: Re: 470 N. 56th st. Chandler AZ 85226
               2026-03-03T01:51:39Z | To: Heath.Thompson@Pulte.com, chris@valleywideplastering.com | Subject: Arrowhead rifles
               2026-03-03T01:31:01Z | To: Heath.Thompson@Pulte.com, chris@valleywideplastering.com | Subject: Tripod with magentic release
               2026-03-02T23:23:36Z | To: hunter@rbwilliams.com | Subject: Re: Valley-wide plastering
               2026-03-02T21:35:06Z | To: jesse@valleywideplastering.com | Subject: Fw: Walters Residence [HAS ATTACHMENTS]
               2026-03-02T18:24:42Z | To: ron@valleywideplastering.com, orders@valleywideplastering.com, teresa@valleywideplastering.com | Subject: Fw: Bid Invitation: Sunset Farms - Starlight Homes [HAS ATTACHMENTS]
               2026-03-02T16:47:02Z | To: ccowley@senecaapi.com, fermin@valleywideplastering.com, carlos@valleywideplastering.com | Subject: RE: Drew resindence
               2026-03-02T16:16:12Z | To: rose@valleywideplastering.com, lauriemg943@gmail.com | Subject: FW: 13632004 MULTI
               2026-03-02T13:56:05Z | To: loon@cookarch.com | Subject: FW: PROJECT SCOPING MEETING: T3709494 - VALLEY WIDE PLASTERING, INC. - LJ115024 - ZD281324 - 20 1/16E  4 13/16S [HAS ATTACHMENTS]
               2026-03-02T13:47:59Z | To: Derien.Runnels@catamountinc.com | Subject: Accepted: Flats at Ballpark - Valley Wide Plastering Site Visit
               2026-03-01T18:31:04Z | To: jr@CASARICA.NET | Subject: 
               2026-03-01T00:28:49Z | To: Elisa.Torresdeleon@srpnet.com, loon@cookarch.com | Subject: Re: Scheduling Project Scoping Meeting - T3709494 - VALLEY WIDE PLASTERING, INC.
               2026-03-01T00:23:41Z | To: jeff@rbwilliams.com, jesse@valleywideplastering.com, jarrington@yscpaving.com | Subject: Re: Request for Building Corner Offsets
               2026-02-28T14:02:02Z | To: Derien.Runnels@catamountinc.com, estimating@valleywideplastering.com | Subject: Re: Flats at Ballpark
               2026-02-28T13:55:43Z | To: Derien.Runnels@catamountinc.com, estimating@valleywideplastering.com | Subject: Re: Flats at Ballpark
               2026-02-27T21:55:12Z | To: michael.anaya@srpnet.com | Subject: RE: SRP Project Documents for SRP  WO# T3709494 - VALLEY WIDE PLASTERING, INC.
               2026-02-27T21:42:17Z | To: tkkossdevco@gmail.com | Subject: 470 N. 56th st.  Chandler AZ 85226 [HAS ATTACHMENTS]
               2026-02-27T20:07:36Z | To: rose@valleywideplastering.com | Subject: Fw: Noble Sea Warrior Feb 23 Expense Report [HAS ATTACHMENTS]
  [SUSPICIOUS] 2026-02-27T20:07:17Z | To: rose@valleywideplastering.com | Subject: Fw: Invoice #2061 From Jeanette Amacher Yacht Maintenance [HAS ATTACHMENTS]
               Preview: Get Outlook for iOS

________________________________

From: John Noble <johnsnoblejr@yahoo.com>

Sent: Monday, February 23, 2026 10:01:26 PM

To: JR 
               2026-02-27T20:06:23Z | To: Suzena.Breen@mattamycorp.com | Subject: Re: [EXTERNAL] RE: Mattamy Homes Covena Pointe at Rocking K New Community Bid Invite - RFP - Please READ and RESPOND! 
               2026-02-27T17:46:01Z | To: billing@valleywideplastering.com | Subject: Fw: Jzd Modera siding [HAS ATTACHMENTS]
               2026-02-27T16:42:55Z | To: sammy@valleywideplastering.com, franciscoa@valleywideplastering.com | Subject: FW: Mirador Point / Mirador Blossom / Mirador Skies Schedule 3-3-2026 [HAS ATTACHMENTS]
               2026-02-27T16:39:41Z | To: Suzena.Breen@mattamycorp.com | Subject: RE: Mattamy Homes Covena Pointe at Rocking K New Community Bid Invite - RFP - Please READ and RESPOND! 
               2026-02-27T13:01:13Z | To: isaacc@valleywideplastering.com, juan@valleywideplastering.com | Subject: 
  [SUSPICIOUS] 2026-02-26T23:09:26Z | To: rotm1969@gmail.com | Subject: Fw: Apartments invoice and contract [HAS ATTACHMENTS]
               Preview: Get Outlook for iOS

________________________________

From: Billing Clerk <billing@valleywideplastering.com>

Sent: Thursday, February 26, 2026 4:02 
  [SUSPICIOUS] 2026-02-26T22:59:18Z | To: billing@valleywideplastering.com | Subject: FW: Apartments invoice and contract [HAS ATTACHMENTS]
               Preview: From: Mark McKillip <rotm1969@gmail.com>

Sent: Thursday, December 11, 2025 8:07 PM

To: JR Guerrero <j-r@valleywideplastering.com>

Subject: Apartmen
               2026-02-26T22:12:42Z | To: Elisa.Torresdeleon@srpnet.com | Subject: RE: Scheduling Project Scoping Meeting - T3709494 - VALLEY WIDE PLASTERING, INC.
               2026-02-26T22:10:44Z | To: billing@valleywideplastering.com | Subject: FW: OH door In-Fill - Dates [Stucco - Valleywide] 
               2026-02-26T22:04:27Z | To: GAFlores@arizonatile.com, jr@CASARICA.NET, lamaro@arizonatile.com | Subject: RE: OA 14646360
               2026-02-26T21:51:41Z | To: estimating@valleywideplastering.com | Subject: RE: VWP - revised plans has been submitted to Chandler
               2026-02-26T21:49:33Z | To: sammy@valleywideplastering.com, franciscoa@valleywideplastering.com | Subject: FW: Mirador Point / Mirador Blossom / Mirador Skies Schedule 3-3-2026 [HAS ATTACHMENTS]
  [SUSPICIOUS] 2026-02-26T18:24:51Z | To: franciscoa@valleywideplastering.com, sammy@valleywideplastering.com, teresa@valleywideplastering.com | Subject: WIRE SHORTAGE
               Preview: Guys, we need to be checking lathers on wire .  The two houses we walked with Pulte, the wire had a minimum of 12 overlap X 3 runs on the perimeter o
               2026-02-26T18:13:08Z | To: sammy@valleywideplastering.com, franciscoa@valleywideplastering.com, teresa@valleywideplastering.com | Subject: SAND
               2026-02-26T14:43:18Z | To: ccowley@senecaapi.com, fermin@valleywideplastering.com, carlos@valleywideplastering.com | Subject: Drew resindence
               2026-02-26T02:08:21Z | To: chris@valleywideplastering.com | Subject: Fw: Extended Warranty Request & Follow up (Veridian Models) [HAS ATTACHMENTS]
               2026-02-25T22:42:22Z | To: patriotlanceaz@yahoo.com | Subject: RE: safety vests
               2026-02-25T21:42:09Z | To: robert@acsdoors.com, jesse@valleywideplastering.com | Subject: FW: VWP - revised plans has been submitted to Chandler
               2026-02-25T21:38:45Z | To: robert@acsdoors.com, jesse@valleywideplastering.com | Subject: FW: VWP - revised plans has been submitted to Chandler
               2026-02-25T21:37:22Z | To: robert@acsdoors.com, jesse@valleywideplastering.com | Subject: FW: VWP - revised plans has been submitted to Chandler
               2026-02-25T21:35:44Z | To: robert@acsdoors.com, jesse@valleywideplastering.com | Subject: FW: VWP - revised plans has been submitted to Chandler
               2026-02-25T21:24:42Z | To: estimating@valleywideplastering.com | Subject: FW: VWP - revised plans has been submitted to Chandler
               2026-02-25T21:21:26Z | To: justins@camelothomes.com | Subject: RE: Extended Warranty Request & Follow up (Veridian Models) [HAS ATTACHMENTS]
               2026-02-25T20:35:31Z | To: estimating@valleywideplastering.com, juan@valleywideplastering.com, jaimebh@valleywideplastering.com | Subject: Re: A2 East Elevation Metal Panel and MCRT Introduction
               2026-02-25T17:13:14Z | To: patriotlanceaz@yahoo.com, jesse@valleywideplastering.com | Subject: safety vests
               2026-02-25T16:35:43Z | To: jesse@valleywideplastering.com | Subject: king air
               2026-02-25T15:18:01Z | To: customerservice@valleywideplastering.com | Subject: RE: MVR 155 missing stucco
               2026-02-25T13:13:18Z | To: estimating@valleywideplastering.com | Subject: 10 year warranty
               2026-02-24T20:57:39Z | To: estimating@valleywideplastering.com, jesse@valleywideplastering.com, ron@valleywideplastering.com | Subject: RE: Homes to see finish
               2026-02-24T15:39:40Z | To: Heath.Thompson@Pulte.com, franciscoa@valleywideplastering.com, sammy@valleywideplastering.com | Subject: RE: Stucco in Tucson  BROWN COAT MONITORING PLAN
               2026-02-24T15:37:49Z | To: chris@valleywideplastering.com | Subject: FW: New vessel [HAS ATTACHMENTS]
               2026-02-24T15:36:46Z | To: jlfloden@cnicklausstarling.com, jesse@valleywideplastering.com, chris@valleywideplastering.com | Subject: USS SEA WARRIOR
               2026-02-24T15:00:43Z | To: capnjackv@hotmail.com, jesse@valleywideplastering.com | Subject: FW: New vessel [HAS ATTACHMENTS]
               2026-02-24T14:12:59Z | To: sammy@valleywideplastering.com, franciscoa@valleywideplastering.com, customerservice@valleywideplastering.com | Subject: BROWN COAT CRACK REPAIRS- ALL COMMUNITIES
               2026-02-24T13:12:34Z | To: gbonanni@mcrtrust.com, estimating@valleywideplastering.com, juan@valleywideplastering.com | Subject: RE: M10 Production
               2026-02-23T17:44:23Z | To: rfinn@ascentworks.com | Subject: Accepted: Valley Wide Pre-Renewal Meeting 
               2026-02-23T15:41:17Z | To: patriotlanceaz@yahoo.com | Subject: RE: Proofs
               2026-02-23T14:58:04Z | To: Heath.Thompson@Pulte.com, franciscoa@valleywideplastering.com, sammy@valleywideplastering.com | Subject: RE: Stucco in Tucson  BROWN COAT MONITORING PLAN
               2026-02-23T14:39:58Z | To: rfinn@ascentworks.com, jesse@valleywideplastering.com, shelly@valleywideplastering.com | Subject: RE: Valley Wide Plastering Pre Renewal Strategy Meeting 
               2026-02-23T14:20:55Z | To: chris@valleywideplastering.com, lauriemg943@gmail.com, jesse@nescoap.com | Subject: FW: Proofs [HAS ATTACHMENTS]
               2026-02-23T14:18:35Z | To: jeff@rbwilliams.com, jesse@valleywideplastering.com, jarrington@yscpaving.com | Subject: RE: Request for Building Corner Offsets
               2026-02-21T02:44:57Z | To: rtraica@ftlegal.com, Mike.George@opus-group.com, jr@CASARICA.NET | Subject: Re: Easement Closure Notification - Opus and Valley Wide Plastering
               2026-02-21T02:22:09Z | To: patriotlanceaz@yahoo.com | Subject: Re: Proof [HAS ATTACHMENTS]
               2026-02-20T05:08:53Z | To: patriotlanceaz@yahoo.com | Subject: Re: Hoodie Proof
               2026-02-19T23:19:39Z | To: ron@valleywideplastering.com | Subject: Fw: Bid Invite: Prasada East Shops and Whole Foods Project
               2026-02-19T19:46:04Z | To: patriotlanceaz@yahoo.com | Subject: Re: Hoodie Proof
               2026-02-19T19:36:46Z | To: billing@valleywideplastering.com, lauriemg943@gmail.com | Subject: Floor and Decor
               2026-02-19T14:20:14Z | To: billing@valleywideplastering.com | Subject: Carrie at Richmond 
               2026-02-18T22:43:50Z | To: customerservice@valleywideplastering.com | Subject: Re: Jemattel homes
               2026-02-18T22:37:31Z | To: customerservice@valleywideplastering.com | Subject: Jemattel homes
               2026-02-18T22:25:07Z | To: carlos@valleywideplastering.com | Subject: Fw: Pulte Homes Upper Canyon Trade Pre Construction Start Meeting Front End Trade Group [HAS ATTACHMENTS]
               2026-02-18T21:54:45Z | To: customerservice@valleywideplastering.com | Subject: Fw: Pulte Homes Upper Canyon Trade Pre Construction Start Meeting Front End Trade Group [HAS ATTACHMENTS]
               2026-02-18T19:43:50Z | To: chris@valleywideplastering.com, jr@CASARICA.NET | Subject: RE: [Reminder] Proposal for Valley Wide Plastering TI
               2026-02-18T19:41:30Z | To: joe.telles@jematellhomes.com, jdodson@ybcco.com, customerservice@valleywideplastering.com | Subject: RE: Crist Stucco/Door Punch
               2026-02-17T23:50:32Z | To: estimating@valleywideplastering.com, juan@valleywideplastering.com, jaimebh@valleywideplastering.com | Subject: Re: Faux Lintels at clubhouse
               2026-02-17T22:48:37Z | To: trent.jordan@aps.com, sara.foley@aps.com | Subject: RE: WA759416      370 N.  NEVADA ST
               2026-02-17T22:38:18Z | To: trent.jordan@aps.com, sara.foley@aps.com | Subject: WA759416      370 N.  NEVADA ST
               2026-02-17T21:33:09Z | To: estimating@valleywideplastering.com, juan@valleywideplastering.com, jaimebh@valleywideplastering.com | Subject: RE: Faux Lintels at clubhouse
               2026-02-17T21:16:08Z | To: sammy@valleywideplastering.com, franciscoa@valleywideplastering.com | Subject: FW: Mirador Point / Mirador Blossom / Mirador Skies Schedule 2-27-2026 [HAS ATTACHMENTS]
  [SUSPICIOUS] 2026-02-17T21:15:33Z | To: acctpay@valleywideplastering.com | Subject: FW: Invoice - Reminder: Your payment to SUNDANCE SWEEPING is due [HAS ATTACHMENTS]
               Preview: We need to pay this please.



From: SUNDANCE SWEEPING <sundancesweeping@gmail.com>

Sent: Tuesday, February 17, 2026 1:04 PM

To: JR Guerrero <j-r@va
               2026-02-17T18:36:31Z | To: Elisa.Torresdeleon@srpnet.com | Subject: RE: Scheduling Project Scoping Meeting - T3709494 - VALLEY WIDE PLASTERING, INC.

  --- Sent Mail Summary ---
  Total sent messages: 100
  Suspicious subjects: 8
  External recipients: 53
  External recipient list:
    - Brian.Davis@opus-group.com
    - CamA@cameron-custom.com
    - Cory.Garcia@Pulte.com
    - Dan.Surek@Pulte.com
    - David.Benjamin@opus-group.com
    - Derien.Runnels@catamountinc.com
    - Don.Vonderwell@opus-group.com
    - Elisa.Torresdeleon@srpnet.com
    - GAFlores@arizonatile.com
    - Heath.Thompson@Pulte.com
    - Jennifer.Moya@opus-group.com
    - Kallie.Tiller@srpnet.com
    - Lara.Bauerly@opus-group.com
    - Leo.Barros@Pulte.com
    - Luke.Eggers@opus-group.com
    - Matthew.Visnansky@opus-group.com
    - Mike.George@opus-group.com
    - OrderDeskTempe@arizonatile.com
    - Pedro.Pagazani@umb.com
    - Suzena.Breen@mattamycorp.com
    - capnjackv@hotmail.com
    - ccowley@senecaapi.com
    - david@jematellhomes.com
    - dprescott@ascentworks.com
    - gbonanni@mcrtrust.com
    - group-chandlerconstructiongroup@mcrtrust.com
    - hunter@rbwilliams.com
    - jarrington@yscpaving.com
    - jdodson@ybcco.com
    - jeff@rbwilliams.com
    - jerry@cookarch.com
    - jesse@nescoap.com
    - jlfloden@cnicklausstarling.com
    - jmarshall@marshallbrown.com
    - joe.telles@jematellhomes.com
    - jr@CASARICA.NET
    - justins@camelothomes.com
    - lamaro@arizonatile.com
    - lauriemg943@gmail.com
    - loon@cookarch.com
    - mark@reliableglassaz.com
    - mgittlein@ascentworks.com
    - michael.anaya@srpnet.com
    - patriotlanceaz@yahoo.com
    - rfinn@ascentworks.com
    - robert@acsdoors.com
    - rotm1969@gmail.com
    - rtraica@ftlegal.com
    - sara.foley@aps.com
    - shanrahan@ascentworks.com
    - tkkossdevco@gmail.com
    - trent.jordan@aps.com
    - tyler@jematellhomes.com

======================================================================
  STEP 4: INBOX RULES (CRITICAL CHECK)
======================================================================
  [OK] No inbox rules found

======================================================================
  STEP 5: MAILBOX SETTINGS (Forwarding & Auto-Reply)
======================================================================
  Auto-Reply Status: disabled
  [OK] Auto-replies are disabled
  Language: en-US
  Timezone: US Mountain Standard Time
  Date format: 

  Checking SMTP forwarding...
  Proxy addresses: ['smtp:jr@valleywideplastering.com', 'SMTP:j-r@valleywideplastering.com']
  Other emails: []

======================================================================
  STEP 6: AUTHENTICATION METHODS
======================================================================
  [passwordAuthenticationMethod] ID: 28c10230-6103-485e-b985-444c60001490
  [phoneAuthenticationMethod] ID: 3179e48a-750b-4051-897c-87b9720928f7 | Phone: +1 4807976102 (mobile)
  [microsoftAuthenticatorAuthenticationMethod] ID: eb72fea3-368c-4ac8-8bfa-fdc2d292a9cd | Device: iPhone 16 Pro Max | Created: None

======================================================================
  STEP 7: OAUTH PERMISSION GRANTS & THIRD-PARTY APPS
======================================================================
  [OK] No OAuth permission grants found for user

  Checking third-party service principals...
  [WARNING] service principals: Filter operator 'NotEqualsMatch' is not supported.
  No third-party service principals found or filter not supported

======================================================================
  STEP 8: DIRECTORY AUDIT LOGS (Recent Changes)
======================================================================
             2026-03-05T15:39:49.2102951Z | User deleted security info | Result: success | Actor: None
  [CRITICAL] 2026-03-05T15:39:49.1457845Z | Update user | Result: success | Actor: Azure Credential Configuration Endpoint Service
    Changed: StrongAuthenticationPhoneAppDetail: [{"DeviceName":"iPhone 12 Pro Max","DeviceToken":"apns2-bbdaed1230ccf93a47375c16 -> [{"DeviceName":"iPhone 16 Pro Max","DeviceToken":"apns2-cdb3e5cb2c5ce66a0a3fee50
    Changed: Included Updated Properties: None -> "StrongAuthenticationPhoneAppDetail"
    Changed: TargetId.UserType: None -> "Member"
  [CRITICAL] 2026-03-05T15:08:11.0443888Z | Update user | Result: success | Actor: sysadmin@valleywideplastering.com
    Changed: StsRefreshTokensValidFrom: ["2025-07-24T20:52:05Z"] -> ["2026-03-05T15:08:10Z"]
    Changed: Included Updated Properties: None -> "StsRefreshTokensValidFrom"
    Changed: TargetId.UserType: None -> "Member"
             2026-03-05T15:08:11.0433888Z | Update StsRefreshTokenValidFrom Timestamp | Result: success | Actor: sysadmin@valleywideplastering.com
             2026-03-05T15:08:04.9639776Z | Update StsRefreshTokenValidFrom Timestamp | Result: success | Actor: Microsoft password reset service
  [CRITICAL] 2026-03-05T15:08:04.9629772Z | Reset user password | Result: success | Actor: Microsoft password reset service
  [CRITICAL] 2026-03-05T15:08:04.9447954Z | Reset password (by admin) | Result: success | Actor: sysadmin@valleywideplastering.com
             2026-03-05T15:08:04.7639714Z | Update PasswordProfile | Result: success | Actor: Microsoft password reset service
  [CRITICAL] 2026-03-05T15:08:04.757972Z | Update user | Result: success | Actor: Microsoft password reset service
    Changed: StsRefreshTokensValidFrom: ["2025-07-24T20:52:05Z"] -> ["2026-03-05T15:08:04Z"]
    Changed: Included Updated Properties: None -> "StsRefreshTokensValidFrom"
    Changed: TargetId.UserType: None -> "Member"
             2026-03-05T15:08:04.5589806Z | Update PasswordProfile | Result: success | Actor: Microsoft password reset service
  [CRITICAL] 2026-03-04T18:56:23.1582355Z | Update user | Result: success | Actor: Azure MFA StrongAuthenticationService
    Changed: StrongAuthenticationPhoneAppDetail: [{"DeviceName":"iPhone 12 Pro Max","DeviceToken":"apns2-bbdaed1230ccf93a47375c16 -> [{"DeviceName":"iPhone 12 Pro Max","DeviceToken":"apns2-bbdaed1230ccf93a47375c16
    Changed: Included Updated Properties: None -> "StrongAuthenticationPhoneAppDetail"
    Changed: TargetId.UserType: None -> "Member"

======================================================================
  STEP 9: LATERAL MOVEMENT CHECK (All Users Risky Sign-ins)
======================================================================
  [OK] Accounts Payable (acctpay@valleywideplastering.com): No risky sign-ins detected
  [OK] Adolfo Suarez (adolfos@valleywideplastering.com): No risky sign-ins detected

  [SUSPICIOUS] Billing Clerk (billing@valleywideplastering.com):
    2026-03-04T11:24:04Z | IP: 69.49.112.75 | Country: CA | Risk: none | Protocol: Browser
    2026-03-03T15:22:58Z | IP: 141.8.200.245 | Country: AL | Risk: none | Protocol: Browser
  [OK] Toni (billing@valleywideplastering.onmicrosoft.com): No risky sign-ins detected
  [WARNING] risk check Brian@valleywideplastering.com: 
  [OK] Brian (Brian@valleywideplastering.com): No risky sign-ins detected

  [SUSPICIOUS] Carlos Reyes (carlos@valleywideplastering.com):
    2026-03-05T04:41:07Z | IP: 113.132.45.106 | Country: CN | Risk: none | Protocol: Browser
    2026-03-04T05:13:17Z | IP: 161.132.45.124 | Country: PE | Risk: none | Protocol: Browser
    2026-03-02T12:55:09Z | IP: 103.1.185.60 | Country: AU | Risk: none | Protocol: Browser
    2026-03-02T12:52:45Z | IP: 47.76.39.128 | Country: HK | Risk: none | Protocol: Browser
    2026-02-24T03:23:01Z | IP: 27.147.222.16 | Country: BD | Risk: none | Protocol: Browser
    2026-02-23T12:48:35Z | IP: 111.118.148.221 | Country: KH | Risk: none | Protocol: Browser
    2026-02-22T18:19:00Z | IP: 200.142.104.99 | Country: BR | Risk: none | Protocol: Browser
  [OK] Charlie Jones (charlie@valleywideplastering.com): No risky sign-ins detected

  [SUSPICIOUS] Chris Guerrero (chris@valleywideplastering.com):
    2026-03-04T08:37:18Z | IP: 46.243.3.58 | Country: NL | Risk: none | Protocol: Browser
    2026-03-04T05:03:58Z | IP: 64.188.124.97 | Country: DE | Risk: none | Protocol: Browser
    2026-03-04T04:48:48Z | IP: 103.178.194.93 | Country: ID | Risk: none | Protocol: Browser
    2026-03-02T23:31:12Z | IP: 65.20.149.252 | Country: IQ | Risk: none | Protocol: Browser

  [SUSPICIOUS] Customer Service (customerservice@valleywideplastering.com):
    2026-03-04T03:43:16Z | IP: 116.212.152.131 | Country: KH | Risk: none | Protocol: Browser
    2026-03-04T02:57:00Z | IP: 103.167.171.149 | Country: ID | Risk: none | Protocol: Browser
    2026-03-03T16:51:51Z | IP: 159.65.19.69 | Country: GB | Risk: none | Protocol: Browser
    2026-03-02T21:18:13Z | IP: 122.152.55.98 | Country: BD | Risk: none | Protocol: Browser
    2026-03-02T21:18:11Z | IP: 103.111.225.62 | Country: BD | Risk: none | Protocol: Browser
    2026-03-02T18:37:28Z | IP: 47.84.93.78 | Country: SG | Risk: none | Protocol: Browser
  [OK] Customer Service (customerservice@valleywideplastering.onmicrosoft.com): No risky sign-ins detected

  [SUSPICIOUS] Bart Graffin (estimating@valleywideplastering.com):
    2026-03-04T04:09:02Z | IP: 45.131.194.59 | Country: US | Risk: hidden | Protocol: Browser
  [WARNING] risk check faxinbox@valleywideplastering.com: 
  [OK] Fax Inbox (faxinbox@valleywideplastering.com): No risky sign-ins detected
  [OK] Fermin Matta (fermin@valleywideplastering.com): No risky sign-ins detected
  [OK] Francisco Arias (franciscoa@valleywideplastering.com): No risky sign-ins detected
  [OK] VWP Insurance (insurance@valleywideplastering.com): No risky sign-ins detected
  [OK] Issac Chavez (isaacc@valleywideplastering.com): No risky sign-ins detected
  [WARNING] risk check jaimebh@valleywideplastering.com: 
  [OK] Jaime Hernandez (jaimebh@valleywideplastering.com): No risky sign-ins detected

  [SUSPICIOUS] Jesse Guerrero (jesse@valleywideplastering.com):
    2026-03-04T18:25:09Z | IP: 157.90.211.189 | Country: DE | Risk: none | Protocol: Browser
    2026-03-04T11:59:08Z | IP: 212.172.50.128 | Country: DE | Risk: none | Protocol: Browser
    2026-03-04T06:40:42Z | IP: 159.65.19.147 | Country: GB | Risk: none | Protocol: Browser
    2026-03-04T05:31:39Z | IP: 103.56.163.133 | Country: VN | Risk: none | Protocol: Browser
    2026-03-03T10:10:49Z | IP: 45.87.251.172 | Country: NL | Risk: none | Protocol: Browser
    2026-03-02T19:07:45Z | IP: 179.189.233.174 | Country: BR | Risk: none | Protocol: Browser
    2026-03-02T15:33:42Z | IP: 125.213.199.22 | Country: AF | Risk: none | Protocol: Browser
    2026-03-01T03:26:43Z | IP: 202.62.39.221 | Country: KH | Risk: none | Protocol: Browser
    2026-03-01T02:08:20Z | IP: 119.94.113.81 | Country: PH | Risk: none | Protocol: Browser
  [OK] JR Guerrero (jr@CASARICA.NET): No risky sign-ins detected

  [SUSPICIOUS] Juan Leal (juan@valleywideplastering.com):
    2026-03-04T03:00:57Z | IP: 65.109.138.57 | Country: FI | Risk: none | Protocol: Browser
    2026-03-03T22:03:48Z | IP: 185.82.239.12 | Country: CZ | Risk: none | Protocol: Browser
    2026-03-03T14:13:20Z | IP: 177.234.208.59 | Country: EC | Risk: none | Protocol: Browser
    2026-03-03T10:53:28Z | IP: 95.107.173.106 | Country: AL | Risk: none | Protocol: Browser
    2026-03-02T20:03:11Z | IP: 118.179.175.158 | Country: BD | Risk: none | Protocol: Browser
    2026-03-02T19:07:39Z | IP: 220.87.3.141 | Country: KR | Risk: none | Protocol: Browser
    2026-03-02T16:06:16Z | IP: 157.254.20.246 | Country: HK | Risk: none | Protocol: Browser
    2026-03-02T15:33:28Z | IP: 3.38.214.6 | Country: KR | Risk: none | Protocol: Browser
    2026-02-24T05:29:55Z | IP: 161.117.183.222 | Country: SG | Risk: none | Protocol: Browser
  [OK] Kayla Guerrero (kayla@valleywideplastering.com): No risky sign-ins detected

  [SUSPICIOUS] Orders VWP (orders@valleywideplastering.com):
    2026-03-04T18:59:51Z | IP: 183.81.91.2 | Country: VN | Risk: none | Protocol: Browser
    2026-03-04T04:13:24Z | IP: 220.87.3.141 | Country: KR | Risk: none | Protocol: Browser
  [WARNING] risk check payroll@valleywideplastering.com: 
  [OK] Payroll VWP (payroll@valleywideplastering.com): No risky sign-ins detected

  [SUSPICIOUS] Ron Winger (ron@valleywideplastering.com):
    2026-03-04T13:38:09Z | IP: 170.246.176.222 | Country: AR | Risk: none | Protocol: Browser
    2026-03-04T04:39:21Z | IP: 138.252.89.1 | Country: AU | Risk: none | Protocol: Browser
    2026-03-04T02:12:09Z | IP: 117.121.202.245 | Country: ID | Risk: none | Protocol: Browser
    2026-03-03T12:58:26Z | IP: 54.179.157.31 | Country: SG | Risk: none | Protocol: Browser
    2026-03-03T12:58:05Z | IP: 190.122.145.20 | Country: AR | Risk: none | Protocol: Browser
    2026-03-02T12:58:20Z | IP: 103.244.107.140 | Country: ID | Risk: none | Protocol: Browser
    2026-03-01T17:21:23Z | IP: 189.32.23.70 | Country: BR | Risk: none | Protocol: Browser
    2026-02-28T21:18:40Z | IP: 211.226.137.4 | Country: KR | Risk: none | Protocol: Browser

  [SUSPICIOUS] Rose Guerrero (rose@valleywideplastering.com):
    2026-03-05T11:20:40Z | IP: 98.159.37.184 | Country: US | Risk: hidden | Protocol: Mobile Apps and Desktop clients
    2026-03-04T20:16:46Z | IP: 173.244.55.101 | Country: PE | Risk: hidden | Protocol: Mobile Apps and Desktop clients
    2026-03-04T17:16:14Z | IP: 2605:6400:c077:2126:aa5b:1086:fe18:8538 | Country: LU | Risk: none | Protocol: Mobile Apps and Desktop clients
    2026-03-04T14:53:32Z | IP: 2605:6400:c077:306e:9c9:c95e:c18a:6e43 | Country: LU | Risk: none | Protocol: Mobile Apps and Desktop clients
    2026-03-04T08:16:02Z | IP: 45.86.202.93 | Country: DE | Risk: hidden | Protocol: Mobile Apps and Desktop clients
    2026-03-04T07:46:16Z | IP: 152.70.56.243 | Country: NL | Risk: none | Protocol: Browser

  [SUSPICIOUS] Ryan Guerrero (ryan@valleywideplastering.com):
    2026-03-03T17:47:26Z | IP: 110.78.211.34 | Country: TH | Risk: none | Protocol: Browser
    2026-03-03T13:13:31Z | IP: 103.39.49.102 | Country: ID | Risk: none | Protocol: Browser
    2026-03-03T01:57:54Z | IP: 110.173.181.85 | Country: IN | Risk: none | Protocol: Browser
    2026-03-03T00:02:55Z | IP: 66.116.207.52 | Country: AE | Risk: none | Protocol: Browser
    2026-03-02T18:58:32Z | IP: 8.218.129.104 | Country: SG | Risk: none | Protocol: Browser
  [WARNING] risk check sammy@valleywideplastering.com: This request is throttled. Please try again after the value specified in the Retry-After header. CorrelationId: b25c6b25-5553-4ae7-aa4d-040acb94eb26
  [OK] Sammy Montijo (sammy@valleywideplastering.com): No risky sign-ins detected
  [OK] Shelly Dooley (shelly@valleywideplastering.com): No risky sign-ins detected
  [OK] Spro VWP (spro@valleywideplastering.com): No risky sign-ins detected
  [OK] Computer Guru (sysadmin@valleywideplastering.com): No risky sign-ins detected
  [OK] Teresa Carpio (teresa@valleywideplastering.com): No risky sign-ins detected
  [OK] Ty Fetters (Ty@CASARICA.NET): No risky sign-ins detected

======================================================================
  SAVING RESULTS
======================================================================
  Results saved to: D:/ClaudeTools/temp/vwp_bec_results.json

======================================================================
  INCIDENT REPORT SUMMARY
======================================================================

  Target: j-r@valleywideplastering.com (ID: 0af923d0-48c5-4cc1-8553-c60625802815)
  Investigation Date: 2026-03-05 16:18:22 UTC
  Tenant: Valley Wide Plastering (5c53ae9f-7071-4248-b834-8685b646450f)
  Total Users in Tenant: 33

  KEY FINDINGS:
  =============

  [SUSPICIOUS] 8 emails with suspicious subjects
  [SUSPICIOUS] 53 external recipients in sent mail
  [SUSPICIOUS] 11 other users show suspicious sign-in activity

  RECOMMENDED ACTIONS:
  ====================
  1. Reset JR Guerrero's password immediately
  2. Revoke all active sessions (Entra ID > Users > Revoke sessions)
  3. Enable MFA if not already enabled
  4. Remove any suspicious inbox rules
  5. Disable any unauthorized OAuth app grants
  6. Block legacy authentication via Conditional Access
  7. Review sent items for any phishing emails sent from this account
  8. Notify recipients of any suspicious emails
  9. Check for data exfiltration via OneDrive/SharePoint
  10. Monitor account for next 30 days

  Investigation script: D:/ClaudeTools/temp/vwp_bec_investigation.py
  Raw results: D:/ClaudeTools/temp/vwp_bec_results.json

