Session log: Dataforth M365 security investigation - jantar@dataforth.com

Darkweb scan follow-up: ran 10-point breach check on jantar@dataforth.com (no IOCs),
revoked eM Client OAuth grant and app role assignment, disabled eM Client SP tenant-wide.
Syncro ticket #109790034 created, billed 1hr prepaid, resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 10:37:22 -07:00
parent bd3fac798e
commit 2e98f95c9f
2 changed files with 307 additions and 0 deletions


@@ -0,0 +1,188 @@
# User Breach Check: jantar@dataforth.com
**Date:** 2026-05-03 (UTC)
**Analyst:** Mike Swanson (GURU-BEAST-ROG)
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
**User:** Jacque Antar | `jantar@dataforth.com`
**Object ID:** `daa60027-be31-47a5-87af-d728499a9cc4`
**Tool Tiers Used:** `investigator` (Graph read) + `investigator-exo` (Exchange read) + `user-manager` (Graph write — remediation)
---
## Verdict: [OK] NO INDICATORS OF COMPROMISE
All 10 breach check points are clean. No malicious forwarding, no unauthorized access, no suspicious sign-in geography, and no hidden inbox rules.
---
## Account Profile
| Field | Value |
|---|---|
| Display Name | Jacque Antar |
| UPN | jantar@dataforth.com |
| Account Enabled | true |
| Created | 2023-12-07 |
| Last Password Change | 2026-03-09 (~7 weeks ago) |
---
## Check Results
### 01 - Inbox Rules (Graph): [OK]
One rule found, **disabled**:
- **Name:** Move Graymail to folder
- **Condition:** Header `X-Inky-Graymail: True`
- **Action:** Move to folder, stop processing rules
- **Status:** Disabled
Assessment: Routine graymail filter. Not suspicious. Disabled so not active.
---
### 02 / 03d - Forwarding: [OK]
No forwarding configured:
- `ForwardingAddress`: null
- `ForwardingSmtpAddress`: null
- `DeliverToMailboxAndForward`: null
- `automaticForwardingEnabled`: null (no mailbox-level block override)
---
### 03a - Hidden Inbox Rules (Exchange): [OK]
No hidden rules found.
---
### 03b - Mailbox Permissions: [OK]
No non-SELF delegates. User has no third-party mailbox access grants.
---
### 03c - SendAs Permissions: [OK]
No non-SELF SendAs trustees.
---
### 04 - OAuth Grants / App Role Assignments: [OK - Known Email Clients]
Two OAuth grants (user-specific, `Principal` consent — not tenant-wide):
| Client ID | Scopes | Assessment |
|---|---|---|
| `85e650f8-5eec-4523...` | `openid offline_access EAS.AccessAsUser.All` | Exchange ActiveSync — Apple Internet Accounts |
| `25db1c08-f5a0-4f6c...` | `IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid` | IMAP/EWS — eM Client |
App Role Assignments:
| App | Created | Assessment |
|---|---|---|
| Apple Internet Accounts | 2024-04-02 | iOS/macOS Mail — expected |
| eM Client | 2024-08-26 | Desktop email client — expected |
Apple Internet Accounts is a legitimate active email client (iOS/macOS Mail). eM Client is no longer in use at Dataforth.
**Remediation performed 2026-05-03:**
- eM Client OAuth grant and app role assignment revoked for jantar@dataforth.com via `user-manager` tier (HTTP 204 each). Verified — only Apple Internet Accounts remains on this user.
- Tenant sweep confirmed jantar was the only user with eM Client connected.
- eM Client service principal disabled tenant-wide (`accountEnabled: false`) via `tenant-admin` tier (HTTP 204). Verified — no user in this tenant can authorize eM Client going forward.
Remaining grant post-remediation:
| App | Scopes | Status |
|---|---|---|
| Apple Internet Accounts | `openid offline_access EAS.AccessAsUser.All` | Active — expected |
---
### 05 - Authentication Methods: [NOTE]
| Method | Detail |
|---|---|
| Password | Configured |
| Phone (mobile) | +1 520-245-6929, SMS sign-in ready |
MFA is configured via SMS/phone. No authenticator app (TOTP/push) registered.
**[NOTE]** SMS-based MFA is less phishing-resistant than Microsoft Authenticator or FIDO2. Not an indicator of compromise, but a policy hardening recommendation.
---
### 06 - Sign-ins (30 days): [OK]
8 successful interactive sign-ins. All from the same IP and location:
| IP | City | Country | Count | Apps |
|---|---|---|---|---|
| 67.206.163.122 | Salt Lake City | US | 8 | Dime Client (7), One Outlook Web (1) |
- All Windows 10, all status 0 (success)
- No foreign logins
- No impossible travel
- Consistent single IP
**[NOTE]** "Dime Client" is the primary app (7/8 sign-ins). This appears to be a Dataforth internal or custom application — not a standard Microsoft app. Flagged for awareness; not suspicious given consistent IP and location.
---
### 07 - Directory Audits (30 days): [OK]
| Date | Activity | Initiated By |
|---|---|---|
| 2026-04-23 | Update user | System (automated) |
| 2026-04-10 | Update user | System (automated) |
| 2026-04-06 | Update user | System (automated) |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |
Routine admin activity. Group additions initiated by `dcenter@dataforth.com` (appears to be a service/admin account). No suspicious changes.
---
### 08 - Identity Protection / Risk: [N/A - 403]
- Risky user check: `403 Forbidden` — tenant has not consented to `IdentityRiskyUser.Read.All` scope for the Security Investigator app.
- Risk detections endpoint: 0 detections returned from available endpoint.
To enable full risk checks, a Global Admin must consent the app in this tenant:
```
https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
```
---
### 09 / 10 - Sent / Deleted Items: [OK]
- Sent (recent 25): 25 items found — normal mail activity
- Deleted (recent 25): 3 items — minimal deletions, nothing suspicious
---
## Recommendations
| Priority | Item |
|---|---|
| [INFO] | Upgrade MFA from SMS to Microsoft Authenticator (push/TOTP) for improved phishing resistance |
| [INFO] | Identify "Dime Client" app — confirm it is an authorized internal application |
| [INFO] | Consider consenting IdentityRiskyUser scope for full risk signal visibility |
---
## Raw Artifacts
```
/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/
```
Files: `00_user.json`, `01_inbox_rules_graph.json`, `02_mailbox_settings.json`,
`03a_InboxRule_hidden.json`, `03b_MailboxPermission.json`, `03c_RecipientPermission.json`,
`03d_Mailbox.json`, `04a_oauth_grants.json`, `04b_app_role_assignments.json`,
`05_auth_methods.json`, `06_signins.json`, `07_dir_audits.json`,
`08a_risky_user.json`, `08b_risk_detections.json`, `09_sent.json`, `10_deleted.json`
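Review bot: The "Tool Tiers Used" header (the `**Tool Tiers Used:**` line) lists `investigator`, `investigator-exo` and `user-manager`, but the remediation under "04 - OAuth Grants / App Role Assignments" says the eM Client service principal was disabled "via `tenant-admin` tier"; either add `tenant-admin` (Graph write, tenant-wide) to the header or correct the remediation line so the record of which privilege level was exercised is accurate. Three smaller points in the same file: the Check 06 sign-in table lists "Dime Client" as the app behind 7 of 8 sign-ins, yet it appears in neither the OAuth grants nor the app role assignments tables of Check 04, so recording its application ID from `06_signins.json` would let a reader confirm it is the authorized internal app the recommendations ask to identify; Check 06 counts only successful interactive sign-ins, so adding the failed and non-interactive sign-in counts for the same window would support the "no suspicious sign-in geography" verdict, which also never states the user's expected location; and Check 05 commits the user's full mobile number to the repository, where a masked form (last four digits) carries the same evidentiary value.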