sync: auto-sync from HOWARD-HOME at 2026-06-30 12:46:41
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-30 12:46:41
This commit is contained in:
@@ -0,0 +1,53 @@
|
|||||||
|
# Breach Re-Check — megan.hiatt@cascadestucson.com
|
||||||
|
|
||||||
|
**Date:** 2026-06-30 · **Performed by:** Howard Enos (ClaudeTools session)
|
||||||
|
**Tenant:** Cascades of Tucson (cascadestucson.com, `207fa277-e9d8-4eb7-ada1-1064d2221498`)
|
||||||
|
**Object ID:** `ab306d53-6d6c-4f8f-a982-f4f571722178`
|
||||||
|
**Why:** Megan's account carried a `CREDENTIAL_STUFFING_ACTIVE` marker in the April tenant
|
||||||
|
inventory. This re-check verifies whether the April remediation held and whether the campaign is
|
||||||
|
still active. Read-only; no actions taken.
|
||||||
|
|
||||||
|
## Verdict — CLEAN. April remediation held; attack no longer active.
|
||||||
|
|
||||||
|
The April credential-stuffing campaign (119 malicious sign-in attempts over 30 days from 7
|
||||||
|
EU/UK IPs, all blocked at error 50053) has **ceased**, and the hardening applied in April is
|
||||||
|
**still in place**. No compromise indicators.
|
||||||
|
|
||||||
|
## April remediation — current status (did it hold?)
|
||||||
|
|
||||||
|
| April control | Current state (2026-06-30) | Held? |
|
||||||
|
|---|---|---|
|
||||||
|
| Disable SMTP AUTH on Megan's mailbox | `SmtpClientAuthenticationDisabled=true` | **Yes** |
|
||||||
|
| Disable IMAP | `ImapEnabled=false` | **Yes** |
|
||||||
|
| Disable POP | `PopEnabled=false` | **Yes** |
|
||||||
|
| Rotate password | Last change `2026-05-28` (post-April; rotated) | **Yes** |
|
||||||
|
| MFA = Authenticator (not SMS) | Methods: password + microsoftAuthenticator only; **no SMS**, no new method | **Yes** |
|
||||||
|
| Tenant anti-spam / anti-phish hardening (SPF hard-fail, mailbox-intelligence quarantine, first-contact tips) | Applied tenant-wide in April (Default policies) | (tenant-level, unchanged) |
|
||||||
|
|
||||||
|
EWS / ActiveSync / OWA / MAPI remain enabled — same as April; those are modern-auth capable, not
|
||||||
|
basic-auth bypass paths.
|
||||||
|
|
||||||
|
## Live breach check (10-point) — all clean
|
||||||
|
|
||||||
|
| # | Check | Result |
|
||||||
|
|---|---|---|
|
||||||
|
| Sign-ins (30d) | **0 interactive, 0 non-US** (was 119 malicious + 16 US-success in April) | No active attack; no foreign success ever |
|
||||||
|
| Account | `accountEnabled=true`, cloud-only | normal |
|
||||||
|
| Auth methods | password + Microsoft Authenticator (2) | no new/weak method |
|
||||||
|
| Inbox rules | 1 visible + 4 hidden — all benign (Junk default, 2 OOF system, user "Cascade of Tucson" move rule) | no forward/redirect/delete |
|
||||||
|
| Mailbox permissions | 0 non-SELF | no delegates |
|
||||||
|
| SendAs | 0 non-SELF | none |
|
||||||
|
| Forwarding | `ForwardingAddress=null`, `ForwardingSmtpAddress=null` | not forwarding |
|
||||||
|
| OAuth grants | 5 — Outlook Mobile ×2, third-party OIDC SSO, Contacts.Read (April set) **+ ALIS SSO SP `e1cae4ad…` User.Read** (expected, June 3 ALIS rollout) | benign |
|
||||||
|
| Directory audits (30d) | 0 | no admin tampering |
|
||||||
|
| Risk detections | 0 (risky-user read still `Forbidden` — known `IdentityRiskyUser.Read.All` consent gap, not a finding) | — |
|
||||||
|
|
||||||
|
## Notes
|
||||||
|
|
||||||
|
- **`CREDENTIAL_STUFFING_ACTIVE` is a stale April marker**, not a live signal — the campaign is no
|
||||||
|
longer hitting (0 attempts in 30d). It reflects April state captured in the tenant inventory.
|
||||||
|
- The only April recommendation not confirmed implemented is **C1 — Conditional Access US-only
|
||||||
|
geo-block** for office users. It is now **optional/low-urgency**: every stuffing attempt was
|
||||||
|
already blocked by MFA + MS IP-reputation, and the campaign has stopped. Worth scheduling as
|
||||||
|
baseline hardening but not an active risk.
|
||||||
|
- Raw artifacts: `/tmp/remediation-tool/207fa277-…/user-breach/megan_hiatt_cascadestucson_com/`.
|
||||||
Reference in New Issue
Block a user