sync: auto-sync from HOWARD-HOME at 2026-06-30 12:46:41

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-30 12:46:41
2026-06-30 12:47:11 -07:00
parent f17d56d717
commit 2fc6afb121


@@ -0,0 +1,53 @@
# Breach Re-Check — megan.hiatt@cascadestucson.com
**Date:** 2026-06-30 · **Performed by:** Howard Enos (ClaudeTools session)
**Tenant:** Cascades of Tucson (cascadestucson.com, `207fa277-e9d8-4eb7-ada1-1064d2221498`)
**Object ID:** `ab306d53-6d6c-4f8f-a982-f4f571722178`
**Why:** Megan's account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant
inventory. This re-check verifies whether the April remediation held and whether the campaign is
still active. Read-only; no actions taken.
## Verdict — CLEAN. April remediation held; attack no longer active.
The April credential-stuffing campaign (119 malicious sign-in attempts over 30 days from 7
EU/UK IPs, all blocked at error 50053) has **ceased**, and the hardening applied in April is
**still in place**. No compromise indicators.
## April remediation — current status (did it hold?)
| April control | Current state (2026-06-30) | Held? |
|---|---|---|
| Disable SMTP AUTH on Megan's mailbox | `SmtpClientAuthenticationDisabled=true` | **Yes** |
| Disable IMAP | `ImapEnabled=false` | **Yes** |
| Disable POP | `PopEnabled=false` | **Yes** |
| Rotate password | Last change `2026-05-28` (post-April; rotated) | **Yes** |
| MFA = Authenticator (not SMS) | Methods: password + microsoftAuthenticator only; **no SMS**, no new method | **Yes** |
| Tenant anti-spam / anti-phish hardening (SPF hard-fail, mailbox-intelligence quarantine, first-contact tips) | Applied tenant-wide in April (Default policies) | (tenant-level, unchanged) |
EWS / ActiveSync / OWA / MAPI remain enabled — same as April; those are modern-auth capable, not
basic-auth bypass paths.
## Live breach check (10-point) — all clean
| # | Check | Result |
|---|---|---|
| Sign-ins (30d) | **0 interactive, 0 non-US** (was 119 malicious + 16 US-success in April) | No active attack; no foreign success ever |
| Account | `accountEnabled=true`, cloud-only | normal |
| Auth methods | password + Microsoft Authenticator (2) | no new/weak method |
| Inbox rules | 1 visible + 4 hidden — all benign (Junk default, 2 OOF system, user "Cascade of Tucson" move rule) | no forward/redirect/delete |
| Mailbox permissions | 0 non-SELF | no delegates |
| SendAs | 0 non-SELF | none |
| Forwarding | `ForwardingAddress=null`, `ForwardingSmtpAddress=null` | not forwarding |
| OAuth grants | 5 — Outlook Mobile ×2, third-party OIDC SSO, Contacts.Read (April set) **+ ALIS SSO SP `e1cae4ad…` User.Read** (expected, June 3 ALIS rollout) | benign |
| Directory audits (30d) | 0 | no admin tampering |
| Risk detections | 0 (risky-user read still `Forbidden` — known `IdentityRiskyUser.Read.All` consent gap, not a finding) | — |
## Notes
- **`CREDENTIAL_STUFFING_ACTIVE` is a stale April marker**, not a live signal — the campaign is no
longer hitting (0 attempts in 30d). It reflects April state captured in the tenant inventory.
- The only April recommendation not confirmed implemented is **C1 — Conditional Access US-only
geo-block** for office users. It is now **optional/low-urgency**: every stuffing attempt was
already blocked by MFA + MS IP-reputation, and the campaign has stopped. Worth scheduling as
baseline hardening but not an active risk.
- Raw artifacts: `/tmp/remediation-tool/207fa277-…/user-breach/megan_hiatt_cascadestucson_com/`.
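Review bot: the "Live breach check (10-point) — all clean" heading overstates what the table verified, because the last row records a check that could not run: `| Risk detections | 0 (risky-user read still `Forbidden` — known `IdentityRiskyUser.Read.All` consent gap, not a finding) | — |`. A read that returned `Forbidden` is "not assessed", not "0", so that cell should say so explicitly and the heading (and the "No compromise indicators" line in the Verdict) should carry a "9 of 10 checks clean, 1 not assessable" qualifier rather than implying all ten returned clean. Two smaller points in the same file: the table header starts with `| # | Check | Result |` but no row carries a number and the first cell is the check name, so either number the rows or change the header to `| Check | Result | Assessment |`; and in the April-remediation table the anti-spam/anti-phish row fills the "Current state (2026-06-30)" column with "Applied tenant-wide in April", which is the April fact restated rather than a current read, so it should either show today's policy values or be marked as not re-verified. Finally, the "Sign-ins (30d)" row reports "0 interactive, 0 non-US" but not the non-interactive count; since the April campaign was blocked at 50053 (basic-auth/legacy paths), stating the non-interactive figure alongside would make the "no active attack" conclusion traceable from the row itself.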