sync: auto-sync from HOWARD-HOME at 2026-06-30 12:46:41
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-30 12:46:41
@@ -0,0 +1,53 @@
# Breach Re-Check — megan.hiatt@cascadestucson.com
**Date:** 2026-06-30 · **Performed by:** Howard Enos (ClaudeTools session)
**Tenant:** Cascades of Tucson (cascadestucson.com, `207fa277-e9d8-4eb7-ada1-1064d2221498`)
**Object ID:** `ab306d53-6d6c-4f8f-a982-f4f571722178`
**Why:** Megan's account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant
inventory. This re-check verifies whether the April remediation held and whether the campaign is
still active. Read-only; no actions taken.
## Verdict — CLEAN. April remediation held; attack no longer active.
The April credential-stuffing campaign (119 malicious sign-in attempts over 30 days from 7
EU/UK IPs, all blocked at error 50053) has **ceased**, and the hardening applied in April is
**still in place**. No compromise indicators.
## April remediation — current status (did it hold?)
| April control | Current state (2026-06-30) | Held? |
|---|---|---|
| Disable SMTP AUTH on Megan's mailbox | `SmtpClientAuthenticationDisabled=true` | **Yes** |
| Disable IMAP | `ImapEnabled=false` | **Yes** |
| Disable POP | `PopEnabled=false` | **Yes** |
| Rotate password | Last change `2026-05-28` (post-April; rotated) | **Yes** |
| MFA = Authenticator (not SMS) | Methods: password + microsoftAuthenticator only; **no SMS**, no new method | **Yes** |
| Tenant anti-spam / anti-phish hardening (SPF hard-fail, mailbox-intelligence quarantine, first-contact tips) | Applied tenant-wide in April (Default policies) | (tenant-level, unchanged) |
EWS / ActiveSync / OWA / MAPI remain enabled — same as April; those are modern-auth capable, not
basic-auth bypass paths.
## Live breach check (10-point) — all clean
| # | Check | Result |
|---|---|---|
| Sign-ins (30d) | **0 interactive, 0 non-US** (was 119 malicious + 16 US-success in April) | No active attack; no foreign success ever |
| Account | `accountEnabled=true`, cloud-only | normal |
| Auth methods | password + Microsoft Authenticator (2) | no new/weak method |
| Inbox rules | 1 visible + 4 hidden — all benign (Junk default, 2 OOF system, user "Cascade of Tucson" move rule) | no forward/redirect/delete |
| Mailbox permissions | 0 non-SELF | no delegates |
| SendAs | 0 non-SELF | none |
| Forwarding | `ForwardingAddress=null`, `ForwardingSmtpAddress=null` | not forwarding |
| OAuth grants | 5 — Outlook Mobile ×2, third-party OIDC SSO, Contacts.Read (April set) **+ ALIS SSO SP `e1cae4ad…` User.Read** (expected, June 3 ALIS rollout) | benign |
| Directory audits (30d) | 0 | no admin tampering |
| Risk detections | 0 (risky-user read still `Forbidden` — known `IdentityRiskyUser.Read.All` consent gap, not a finding) | — |
## Notes
- **`CREDENTIAL_STUFFING_ACTIVE` is a stale April marker**, not a live signal — the campaign is no
longer hitting (0 attempts in 30d). It reflects April state captured in the tenant inventory.
- The only April recommendation not confirmed implemented is **C1 — Conditional Access US-only
geo-block** for office users. It is now **optional/low-urgency**: every stuffing attempt was
already blocked by MFA + MS IP-reputation, and the campaign has stopped. Worth scheduling as
baseline hardening but not an active risk.
- Raw artifacts: `/tmp/remediation-tool/207fa277-…/user-breach/megan_hiatt_cascadestucson_com/`.
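Review bot: the `Sign-ins (30d)` row asserts `0 interactive` sign-ins, but the `OAuth grants` row in the same table records a new ALIS SSO SP `User.Read` grant dated June 3, which falls inside the 30-day window ending 2026-06-30; if that consent was granted by the user it implies at least one interactive sign-in, so state whether the zero is explained by admin consent on the tenant side or by the sign-in query's filter or window. Two related points in the same tables: the `Held?` cell for the anti-spam / anti-phish control reads `(tenant-level, unchanged)` rather than a Yes/No, so it is unclear whether those Default policies were re-read on 2026-06-30 or carried over from April unverified; and the `Risk detections` row reports `0` while noting the risky-user read returned `Forbidden`, so it should say which query returned zero and which was denied, otherwise the `0` reads as covering risky-user state that was never retrieved.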