azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bardach: M365 account investigation + Security Defaults MFA enforcement

Browse Source 
Investigated barbara@bardach.net login issues (account-locked message, INKY SSL
errors). Finding: active distributed password-spray against the tenant (also
hitting admin@), NOT a breach — no successful attacker sign-in, no mailbox/rule/
forwarding changes. Root exposure: MFA not enforced (no Entra P1 -> no CA).

Remediation (Mike confirmed): enabled Security Defaults tenant-wide. Both active
accounts MFA-ready (Authenticator) -> no lockout; legacy auth now blocked.

- 2026-06-05-account-investigation-mfa-enforcement.md (full report)
- 2026-06-05-barbara-note-draft.md (client note, for Mike to send)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-06-05 11:52:46 -07:00
parent 51b3d799f5
commit 08e194f592
2 changed files with 106 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
clients/bardach/reports/2026-06-05-account-investigation-mfa-enforcement.md Normal file
View File

@@ -0,0 +1,76 @@
# Bardach — M365 account investigation + MFA enforcement
**Date:** 2026-06-05
**Tenant:** bardach.net (`dd4a82e8-85a3-44ac-8800-07945ab4d95f`)
**Trigger:** Barbara reported odd Outlook/MS login behavior — an "account locked" message when
signing in on her phone, and brief SSL errors on her computer when authenticating with INKY to
mark an item safe.
**Posture:** read-only investigation (ComputerGuru Security Investigator), then one remediation
write (enable Security Defaults) on Mike's explicit confirmation.
## Verdict
**Active password-spray / brute-force attack against the tenant — NOT a breach.** No attacker
sign-in succeeded; no malicious changes to mailbox, rules, forwarding, or delegates. The "account
locked" messages were Entra **Smart Lockout** tripping from the spray (her own attempts get the same
lockout message while lockout is active). The INKY SSL errors were collateral of the lockout state.
The real exposure was that **MFA was not being enforced** — both active accounts had MFA methods
registered, but nothing required a second factor. Fixed by enabling Security Defaults.
## Evidence (barbara@bardach.net, 30-day sign-in window)
- **111 interactive sign-ins, 14 non-US.** Result-code breakdown:
- 61x `50053` — "account is locked, too many incorrect attempts" (Smart Lockout)
- 37x `50053` — "blocked, came from an IP with malicious activity"
- 1x `50126` — invalid username or password
- 12x `0` — successful, **all legitimately hers**
- **Foreign source IPs:** BE, LU, DE, SE, GB, NO, NL — distributed spray. Every foreign attempt failed.
- **All 12 successful sign-ins are hers:** US only (Phoenix/Tucson), normal apps (Windows Sign In,
One Outlook Web, Inky Dashboard SSO), consistent ISP ranges (192.145.119.x, 45.86.210.x, 76.159.202.44).
- **No persistence/compromise indicators:** no mail forwarding (Graph + Get-Mailbox both clean),
no SendAs/RecipientPermission, no hidden inbox rules; the single inbox rule is INKY's disabled
"Move Graymail to folder" (benign). Password last changed 2026-01-18 (not altered by attacker).
Directory audits in window are only Microsoft-backend "Update user" (Substrate Management) events.
Identity Protection risky-user read returned Forbidden (no Entra P2 in tenant).
- **`conditionalAccessStatus = notApplied`, `authenticationRequirement = null` on every sign-in** —
confirming no MFA enforcement was in place.
## admin@bardach.net is also under attack
`admin@bardach.net` showed the same spray pattern (Germany, `50053`/`50126`); recent interactive
sign-ins in the sample were all failures/lockouts. Account has Authenticator + phone registered
(MFA-ready). This is a whole-tenant target, not just Barbara.
## Tenant facts
- **Users:** `admin@bardach.net` (enabled), `barbara@bardach.net` (enabled), `stuart@bardach.net` (disabled).
- **Licensing:** O365_BUSINESS (Office 365 Business), EXCHANGEENTERPRISE (Exchange Online Plan 2),
EXCHANGEARCHIVE. **No Entra ID P1** -> Conditional Access not available; Identity Protection not available.
- **MFA methods registered:** barbara@ = password, phone, Authenticator, Windows Hello (x3 devices).
admin@ = password, email, phone, Authenticator. Both MFA-ready.
- **Security Defaults:** was `isEnabled=false`. No Conditional Access policies (no P1).
## Action taken
- **Enabled Security Defaults** (`PATCH /policies/identitySecurityDefaultsEnforcementPolicy`
`{isEnabled:true}` via ComputerGuru Tenant Admin SP). First read-back lagged (`false`); confirmed
`isEnabled=true` on re-read and via re-PATCH returning the full policy object. Effective immediately.
- **Effect:** MFA enforced for all users tenant-wide; legacy/basic auth blocked (also closes a common
spray entry point). Both active accounts have Authenticator -> no lockout. Security Defaults is
all-or-nothing (no per-user/break-glass exclusions — that is a CA-only capability).
- **Password:** NOT rotated (Mike's call — MFA now gates the account).
## Follow-ups (optional)
- Consider rotating `admin@bardach.net`'s password — high-value target, recently all-failed sign-ins.
MFA now mitigates, so no urgency.
- For finer control (named-location blocking, break-glass exclusions, risk-based MFA), Bardach would
need **Microsoft 365 Business Premium / Entra ID P1** — an upsell conversation, not a current need.
- Smart Lockout messages for Barbara should taper as the spray ages out. If lockouts persist, it is
the ongoing spray, not her credentials.
## Raw artifacts
`/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/`
(00_user .. 10_deleted JSON — sign-ins, rules, mailbox, auth methods).

30
clients/bardach/reports/2026-06-05-barbara-note-draft.md Normal file
View File

@@ -0,0 +1,30 @@
# Draft note to Barbara (2026-06-05) — plain, reassuring, non-technical
**Channel:** email or text to Barbara. Tone: calm, "we looked, you're fine, here's the one change."
---
Hi Barbara,
We took a look at your Microsoft account. The short version: your account is fine and nobody got into it. What you ran into was someone out on the internet repeatedly trying to guess the password to email accounts on your domain — Microsoft was blocking every one of those attempts, and that's what triggered the "account locked" message you saw on your phone. The brief INKY/SSL hiccup on your computer was just a side effect of that same lockout, not a separate problem.
To shut this down for good, we turned on an extra layer of protection: from now on, signing in will also ask you to approve it on your phone (the Microsoft Authenticator app you already have set up). So the next time you sign in — phone or computer — you'll get a quick approval prompt. Just tap approve, and you're in. After that it's business as usual.
This is a good thing: even if someone ever did guess a password, they still couldn't get in without your phone.
A couple of things to expect:
- You may still see a "locked" message once or twice over the next day or so as the leftover attempts die down — that's them, not you. It'll clear up.
- If you use any older email program or device that connects to your mail, it might ask you to sign in again or stop working — if anything like that comes up, just let us know and we'll sort it.
Nothing you need to do right now. If you have any trouble signing in or approving on your phone, call or email us and we'll walk you through it.
Best,
Mike
Arizona Computer Guru
---
### Notes for Mike
- Kept it non-technical: no error codes, no "password spray," no mention of the admin account.
- Sets the expectation of the Authenticator prompt + the residual lockout messages so she isn't alarmed.
- Flags the legacy-auth caveat softly ("older email program... let us know").