azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Session log: Dataforth M365 security investigation - jantar@dataforth.com

Browse Source 
Darkweb scan follow-up: ran 10-point breach check on jantar@dataforth.com (no IOCs),
revoked eM Client OAuth grant and app role assignment, disabled eM Client SP tenant-wide.
Syncro ticket #109790034 created, billed 1hr prepaid, resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-03 10:37:22 -07:00
parent bd3fac798e
commit 2e98f95c9f
2 changed files with 307 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

188
clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md Normal file
View File

@@ -0,0 +1,188 @@
# User Breach Check: jantar@dataforth.com
**Date:** 2026-05-03 (UTC)
**Analyst:** Mike Swanson (GURU-BEAST-ROG)
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
**User:** Jacque Antar | `jantar@dataforth.com`
**Object ID:** `daa60027-be31-47a5-87af-d728499a9cc4`
**Tool Tiers Used:** `investigator` (Graph read) + `investigator-exo` (Exchange read) + `user-manager` (Graph write — remediation)
---
## Verdict: [OK] NO INDICATORS OF COMPROMISE
All 10 breach check points are clean. No malicious forwarding, no unauthorized access, no suspicious sign-in geography, and no hidden inbox rules.
---
## Account Profile
| Field | Value |
|---|---|
| Display Name | Jacque Antar |
| UPN | jantar@dataforth.com |
| Account Enabled | true |
| Created | 2023-12-07 |
| Last Password Change | 2026-03-09 (~7 weeks ago) |
---
## Check Results
### 01 - Inbox Rules (Graph): [OK]
One rule found, **disabled**:
- **Name:** Move Graymail to folder
- **Condition:** Header `X-Inky-Graymail: True`
- **Action:** Move to folder, stop processing rules
- **Status:** Disabled
Assessment: Routine graymail filter. Not suspicious. Disabled so not active.
---
### 02 / 03d - Forwarding: [OK]
No forwarding configured:
- `ForwardingAddress`: null
- `ForwardingSmtpAddress`: null
- `DeliverToMailboxAndForward`: null
- `automaticForwardingEnabled`: null (no mailbox-level block override)
---
### 03a - Hidden Inbox Rules (Exchange): [OK]
No hidden rules found.
---
### 03b - Mailbox Permissions: [OK]
No non-SELF delegates. User has no third-party mailbox access grants.
---
### 03c - SendAs Permissions: [OK]
No non-SELF SendAs trustees.
---
### 04 - OAuth Grants / App Role Assignments: [OK - Known Email Clients]
Two OAuth grants (user-specific, `Principal` consent — not tenant-wide):
| Client ID | Scopes | Assessment |
|---|---|---|
| `85e650f8-5eec-4523...` | `openid offline_access EAS.AccessAsUser.All` | Exchange ActiveSync — Apple Internet Accounts |
| `25db1c08-f5a0-4f6c...` | `IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid` | IMAP/EWS — eM Client |
App Role Assignments:
| App | Created | Assessment |
|---|---|---|
| Apple Internet Accounts | 2024-04-02 | iOS/macOS Mail — expected |
| eM Client | 2024-08-26 | Desktop email client — expected |
Apple Internet Accounts is a legitimate active email client (iOS/macOS Mail). eM Client is no longer in use at Dataforth.
**Remediation performed 2026-05-03:**
- eM Client OAuth grant and app role assignment revoked for jantar@dataforth.com via `user-manager` tier (HTTP 204 each). Verified — only Apple Internet Accounts remains on this user.
- Tenant sweep confirmed jantar was the only user with eM Client connected.
- eM Client service principal disabled tenant-wide (`accountEnabled: false`) via `tenant-admin` tier (HTTP 204). Verified — no user in this tenant can authorize eM Client going forward.
Remaining grant post-remediation:
| App | Scopes | Status |
|---|---|---|
| Apple Internet Accounts | `openid offline_access EAS.AccessAsUser.All` | Active — expected |
---
### 05 - Authentication Methods: [NOTE]
| Method | Detail |
|---|---|
| Password | Configured |
| Phone (mobile) | +1 520-245-6929, SMS sign-in ready |
MFA is configured via SMS/phone. No authenticator app (TOTP/push) registered.
**[NOTE]** SMS-based MFA is less phishing-resistant than Microsoft Authenticator or FIDO2. Not an indicator of compromise, but a policy hardening recommendation.
---
### 06 - Sign-ins (30 days): [OK]
8 successful interactive sign-ins. All from the same IP and location:
| IP | City | Country | Count | Apps |
|---|---|---|---|---|
| 67.206.163.122 | Salt Lake City | US | 8 | Dime Client (7), One Outlook Web (1) |
- All Windows 10, all status 0 (success)
- No foreign logins
- No impossible travel
- Consistent single IP
**[NOTE]** "Dime Client" is the primary app (7/8 sign-ins). This appears to be a Dataforth internal or custom application — not a standard Microsoft app. Flagged for awareness; not suspicious given consistent IP and location.
---
### 07 - Directory Audits (30 days): [OK]
| Date | Activity | Initiated By |
|---|---|---|
| 2026-04-23 | Update user | System (automated) |
| 2026-04-10 | Update user | System (automated) |
| 2026-04-06 | Update user | System (automated) |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |
Routine admin activity. Group additions initiated by `dcenter@dataforth.com` (appears to be a service/admin account). No suspicious changes.
---
### 08 - Identity Protection / Risk: [N/A - 403]
- Risky user check: `403 Forbidden` — tenant has not consented to `IdentityRiskyUser.Read.All` scope for the Security Investigator app.
- Risk detections endpoint: 0 detections returned from available endpoint.
To enable full risk checks, a Global Admin must consent the app in this tenant:
```
https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
```
---
### 09 / 10 - Sent / Deleted Items: [OK]
- Sent (recent 25): 25 items found — normal mail activity
- Deleted (recent 25): 3 items — minimal deletions, nothing suspicious
---
## Recommendations
| Priority | Item |
|---|---|
| [INFO] | Upgrade MFA from SMS to Microsoft Authenticator (push/TOTP) for improved phishing resistance |
| [INFO] | Identify "Dime Client" app — confirm it is an authorized internal application |
| [INFO] | Consider consenting IdentityRiskyUser scope for full risk signal visibility |
---
## Raw Artifacts
```
/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/
```
Files: `00_user.json`, `01_inbox_rules_graph.json`, `02_mailbox_settings.json`,
`03a_InboxRule_hidden.json`, `03b_MailboxPermission.json`, `03c_RecipientPermission.json`,
`03d_Mailbox.json`, `04a_oauth_grants.json`, `04b_app_role_assignments.json`,
`05_auth_methods.json`, `06_signins.json`, `07_dir_audits.json`,
`08a_risky_user.json`, `08b_risk_detections.json`, `09_sent.json`, `10_deleted.json`

119
clients/dataforth/session-logs/2026-05-03-session.md Normal file
View File

@@ -0,0 +1,119 @@
# Session Log: 2026-05-03
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
## Session Summary
A request was made to perform an M365 remediation check on jantar@dataforth.com following a darkweb scan indicating her credentials had been breached on a third-party site. The tenant ID for dataforth.com was resolved to `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`. Graph and Exchange tokens were acquired using certificate authentication. A full 10-point M365 breach check was executed, revealing no indicators of compromise. One disabled graymail inbox rule was identified, but no mailbox forwarding, delegates, or suspicious permissions were found. All sign-ins originated from a consistent IP address in Salt Lake City, and SMS MFA was configured.
An eM Client application with high-privilege IMAP/EWS scopes was found connected to the user account. The client confirmed eM Client is no longer in use at Dataforth. The OAuth grant and app role assignment were revoked for jantar@dataforth.com. A tenant sweep confirmed no other users had the app connected. The eM Client service principal was then disabled tenant-wide to prevent future re-authorization.
A breach check report was saved to the client reports directory. A Syncro ticket was created, billed against Dataforth's prepaid block (1hr), and marked Resolved.
## Key Decisions
- Checked tenant-wide for other eM Client users before disabling the SP — confirmed jantar was the only connected user, making the tenant-wide disable clean with no user impact.
- Used `user-manager` tier for grant/role revocation (minimum necessary privilege) and escalated to `tenant-admin` only for the SP disable — kept to least-privilege throughout.
- Billed against Dataforth's prepaid block (47.5 hrs available) rather than standard remote rate — appropriate for a security task under their managed agreement.
- Contact set to Dan Center (IT admin) rather than Jacque Antar (end user) — ticket is an IT security action, not an end-user support request.
## Problems Encountered
- **IdentityRiskyUser scope not consented:** The Security Investigator app lacks `IdentityRiskyUser.Read.All` consent in the Dataforth tenant, causing a 403 on the risky user check. Risk detections came back 0 via an alternate endpoint. Not resolved this session — documented in the report with consent URL for follow-up.
- **Graph replication lag:** POST responses for grant/SP deletions returned stale data immediately after HTTP 204. Re-queried after 5-6 second delay each time; all changes verified confirmed.
- **eM Client SP not found by appId filter:** `GET /servicePrincipals?$filter=appId eq '...'` returned empty under both `investigator` and `tenant-admin` tiers. Resolved by querying the SP directly by its object ID (sourced from the `resourceId` field in the app role assignment).
---
## Breach Check: jantar@dataforth.com
**Trigger:** Darkweb scan report — credentials found in third-party breach
**User:** Jacque Antar | Object ID: `daa60027-be31-47a5-87af-d728499a9cc4`
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
**Verdict:** No indicators of compromise
| Check | Result |
|---|---|
| Account status | Enabled, pw changed 2026-03-09 |
| Inbox rules (Graph) | 1 — "Move Graymail to folder", disabled. Clean. |
| Hidden inbox rules (Exchange) | None |
| Mailbox forwarding | None |
| Mailbox delegates | None |
| SendAs | None |
| OAuth grants | Apple Internet Accounts (EAS) + eM Client (IMAP/EWS) — eM Client revoked |
| Auth methods | Password + Phone SMS (+1 520-245-6929). No authenticator app. |
| Sign-ins (30d) | 8 — all from 67.206.163.122, Salt Lake City US, Windows 10. No foreign logins. |
| Directory audits (30d) | 3 system updates + 2 group adds by dcenter@dataforth.com. Routine. |
| Identity risk | 403 (scope not consented) / 0 risk detections |
**Recommendations noted in report:**
- Upgrade MFA from SMS to Microsoft Authenticator
- Confirm "Dime Client" app is authorized (7/8 sign-ins)
- Consent IdentityRiskyUser scope for full risk signal visibility
---
## Remediation Actions
### 1. eM Client OAuth Grant Revoked (jantar@dataforth.com)
- **Grant ID:** `CBzbJaD1bE-73ac4aJsVh1kfp75Wee1Bj5lF8xxKY0InAKbaMb6lR4ev1yhJmpzE`
- **Scopes removed:** `IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid`
- **Tier:** `user-manager` | Result: HTTP 204 | Verified
### 2. eM Client App Role Assignment Revoked (jantar@dataforth.com)
- **Assignment ID:** `JwCm2jG-pUeHr9coSZqcxBZRSQMEXYFOsp2E7viR7Xo`
- **Tier:** `user-manager` | Result: HTTP 204 | Verified
### 3. eM Client Service Principal Disabled (tenant-wide)
- **SP Object ID:** `25db1c08-f5a0-4f6c-bbdd-a738689b1587`
- **SP appId:** `e9a7fea1-1cc0-4cd9-a31b-9137ca5deedd`
- **Change:** `accountEnabled: true``accountEnabled: false`
- **Tier:** `tenant-admin` | Result: HTTP 204 | Verified `accountEnabled: false`
- **Scope:** Tenant-wide — no user in Dataforth tenant can authorize eM Client going forward
---
## Syncro Ticket
| Field | Value |
|---|---|
| Ticket # | **#109790034** |
| Subject | M365 Security Investigation - jantar@dataforth.com |
| Customer | Dataforth Corp (id: 578095) |
| Contact | Dan Center (id: 2774091) |
| Assigned | Mike Swanson (1735) |
| Issue Type | Security |
| Status | **Resolved** |
| Invoice # | **#1650179002** |
| Labor | Prepaid Project Labor (9269129), 1.0 hr @ $0.00 |
| Prepaid hrs | 47.5 → **46.5** hrs remaining |
---
## Files Created / Modified
| File | Action |
|---|---|
| `clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md` | Created — full 10-point breach check report |
| `clients/dataforth/session-logs/2026-05-03-session.md` | Created — this file |
---
## Raw Artifacts
Breach check JSON artifacts at (local, not committed):
```
/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/
```
---
## Pending / Follow-Up
- [ ] Consent `IdentityRiskyUser.Read.All` scope in Dataforth tenant for full Identity Protection visibility
Consent URL: `https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent`
- [ ] Confirm "Dime Client" app with Dataforth — verify it is an authorized internal application
- [ ] Consider pushing Jacque Antar to Microsoft Authenticator (currently SMS-only MFA)