diff --git a/clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md b/clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md index 651771b..a966f94 100644 --- a/clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md +++ b/clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md @@ -220,3 +220,42 @@ Wrex Wrex@kittlearizona.com (sessions revoked, password reset) - **EWS endpoint:** `https://outlook.office365.com/EWS/Exchange.asmx` - **Graph directoryAudits:** confirmed working with Security Investigator token (no P1 needed for this endpoint) - **Graph signIns:** blocked — requires Entra P1 (`Authentication_RequestFromNonPremiumTenantOrB2CTenant`) + +--- + +## Update: 16:23 PT — Post-save follow-up actions + +### Additional actions completed after initial save + +**Alignable OAuth on Alexis — revoked:** +At Mike's direction, revoked the Alignable OAuth grant on alexis@kittlearizona.com. +- Grant ID: `jB3LklISEEOHpW2kH5IbQLz8wKqAnj1KmLeBzb1HLJrh6qF03cBERamPOhj4CXha` +- App SP client ID: `92cb1d8c-1252-4310-87a5-6da41f921b40` +- Scopes: `offline_access User.Read Contacts.Read` +- HTTP 204 [OK] + +**Lori Schagel — downscoped to User Administrator:** +All 10 pre-existing admin roles had been stripped during containment. Re-assigned User Administrator only (confirmed pre-existing GA was unnecessary exposure, not attacker-planted). +- Lori user ID: `5817629b-5832-43c6-b74c-86a05c29c852` +- User Administrator role object ID: `1321d5cd-17bb-40de-891b-1e85667e1c5a` +- roleTemplateId: `fe930be7-5e62-47db-91af-98c3a49a38b1` +- HTTP 204 [OK] + +**Lori role assignment timing — confirmed pre-existing:** +directoryAudits query (last 30 days, all RoleManagement events) returned only ACG-initiated removals. Zero "Add member to role" events from any other initiator in the 30-day window. Lori's GA was assigned more than 30 days before the incident — pre-existing, not attacker-planted. Breach report updated to reflect this finding. + +**Victim notification confirmed sent:** +Mike asked explicitly — confirmed 740 emails sent via EWS SOAP from admin@kittlearizona.com in 3 batches. All NoError. 747 delivered by phishing campaign; 7 automated addresses filtered (vzwpix, att.net MMS, Microsoft internal, streaming service) before notification send. + +**All consent links accepted by Mike** — confirmed all 5 MSP apps (Security Investigator, Exchange Operator, User Manager, Tenant Admin, Defender Add-on) have admin consent in Kittle tenant. + +**Thread deletion failed:** Bot received HTTP 403 Missing Permissions attempting to delete Discord thread 1513652236444504197. Thread remains open. + +### Breach report updates + +`clients/kittle/reports/2026-06-08-breach-check.md` updated with: +- Lori role assignment confirmed pre-existing (not attacker-planted) +- Alignable OAuth revocation added to remediation table +- Lori User Administrator re-assignment added to remediation table +- Open items updated to reflect resolved items (Ken MFA clean, Lori role timing resolved) +- New open item: Lori GA access review (recommend discussing with Ken whether she needs any admin role)