From 2fc6afb1215ad83b717b315286b980b14b8ad952 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Tue, 30 Jun 2026 12:47:11 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-30 12:46:41 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-30 12:46:41 --- .../2026-06-30-breach-recheck-megan-hiatt.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 clients/cascades-tucson/reports/2026-06-30-breach-recheck-megan-hiatt.md diff --git a/clients/cascades-tucson/reports/2026-06-30-breach-recheck-megan-hiatt.md b/clients/cascades-tucson/reports/2026-06-30-breach-recheck-megan-hiatt.md new file mode 100644 index 00000000..56797e73 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-06-30-breach-recheck-megan-hiatt.md 
@@ -0,0 +1,53 @@ +# Breach Re-Check — megan.hiatt@cascadestucson.com + +**Date:** 2026-06-30 · **Performed by:** Howard Enos (ClaudeTools session) +**Tenant:** Cascades of Tucson (cascadestucson.com, `207fa277-e9d8-4eb7-ada1-1064d2221498`) +**Object ID:** `ab306d53-6d6c-4f8f-a982-f4f571722178` +**Why:** Megan's account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant +inventory. This re-check verifies whether the April remediation held and whether the campaign is +still active. Read-only; no actions taken. + +## Verdict — CLEAN. April remediation held; attack no longer active. + +The April credential-stuffing campaign (119 malicious sign-in attempts over 30 days from 7 +EU/UK IPs, all blocked at error 50053) has **ceased**, and the hardening applied in April is +**still in place**. No compromise indicators. + +## April remediation — current status (did it hold?) + +| April control | Current state (2026-06-30) | Held? | +|---|---|---| +| Disable SMTP AUTH on Megan's mailbox | `SmtpClientAuthenticationDisabled=true` | **Yes** | +| Disable IMAP | `ImapEnabled=false` | **Yes** | +| Disable POP | `PopEnabled=false` | **Yes** | +| Rotate password | Last change `2026-05-28` (post-April; rotated) | **Yes** | +| MFA = Authenticator (not SMS) | Methods: password + microsoftAuthenticator only; **no SMS**, no new method | **Yes** | +| Tenant anti-spam / anti-phish hardening (SPF hard-fail, mailbox-intelligence quarantine, first-contact tips) | Applied tenant-wide in April (Default policies) | (tenant-level, unchanged) | + +EWS / ActiveSync / OWA / MAPI remain enabled — same as April; those are modern-auth capable, not +basic-auth bypass paths. 
+ +## Live breach check (10-point) — all clean + +| # | Check | Result | +|---|---|---| +| Sign-ins (30d) | **0 interactive, 0 non-US** (was 119 malicious + 16 US-success in April) | No active attack; no foreign success ever | +| Account | `accountEnabled=true`, cloud-only | normal | +| Auth methods | password + Microsoft Authenticator (2) | no new/weak method | +| Inbox rules | 1 visible + 4 hidden — all benign (Junk default, 2 OOF system, user "Cascade of Tucson" move rule) | no forward/redirect/delete | +| Mailbox permissions | 0 non-SELF | no delegates | +| SendAs | 0 non-SELF | none | +| Forwarding | `ForwardingAddress=null`, `ForwardingSmtpAddress=null` | not forwarding | +| OAuth grants | 5 — Outlook Mobile ×2, third-party OIDC SSO, Contacts.Read (April set) **+ ALIS SSO SP `e1cae4ad…` User.Read** (expected, June 3 ALIS rollout) | benign | +| Directory audits (30d) | 0 | no admin tampering | +| Risk detections | 0 (risky-user read still `Forbidden` — known `IdentityRiskyUser.Read.All` consent gap, not a finding) | — | + +## Notes + +- **`CREDENTIAL_STUFFING_ACTIVE` is a stale April marker**, not a live signal — the campaign is no + longer hitting (0 attempts in 30d). It reflects April state captured in the tenant inventory. +- The only April recommendation not confirmed implemented is **C1 — Conditional Access US-only + geo-block** for office users. It is now **optional/low-urgency**: every stuffing attempt was + already blocked by MFA + MS IP-reputation, and the campaign has stopped. Worth scheduling as + baseline hardening but not an active risk. +- Raw artifacts: `/tmp/remediation-tool/207fa277-…/user-breach/megan_hiatt_cascadestucson_com/`.
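Review bot: the "Live breach check (10-point) — all clean" heading overstates what the hunk actually verifies: the "Risk detections" row reports `0` while the same cell records that the risky-user read returned `Forbidden`, so that point was not fully checked, and the "Sign-ins (30d)" row's `0 interactive, 0 non-US` is read as "no active attack" without distinguishing an account that is simply not being used (or an incomplete sign-in log query) from an attack that has stopped. Suggest the risk row read "0 detections; risky-user state not readable (consent gap)" and the verdict line note that the sign-in result should be cross-checked against the user's last successful sign-in or non-interactive logs before the marker is treated as cleared. Two smaller points in the same hunk: the table header `| # | Check | Result |` does not match its rows, whose three columns are the check name, the evidence, and the assessment, so a header such as `| Check | Evidence | Assessment |` would fit; and the closing "Raw artifacts" path contains a truncated tenant id (`207fa277-…`), so the report as committed does not record a resolvable artifact location.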