report: sign-in investigation for mike@azcomputerguru.com (new-location alert)

No compromise found; alert traced to geo-IP mislocation of Tucson FirstDigital IP.
Documents ongoing password-spray against Azure CLI app (0 successes).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-07-14 07:25:30 -07:00
parent 8b55e9645a
commit 4ab8137daa

View File

@@ -0,0 +1,84 @@
# Sign-in Investigation — mike@azcomputerguru.com ("new location" alert)
**Date:** 2026-07-14
**Tenant:** Arizona Computer Guru (azcomputerguru.com, ce61461e-81a0-4c84-bb4a-7b354a9a356d)
**Subject:** mike@azcomputerguru.com
**Tool:** ComputerGuru remediation app suite — Security Investigator `bfbc12a4` (Graph read) + Investigator-EXO (Exchange read)
**Scope:** read-only
## Summary
- **No evidence of compromise.** All 8 successful interactive sign-ins in the last 30 days are from Arizona (Cox Phoenix residential + FirstDigital Tucson), on known apps/devices.
- **The "new location" alert is almost certainly a geo-IP artifact:** the 2026-06-23 SharePoint sign-in from `67.206.163.122` (FirstDigital Communications, physically **Tucson AZ**) is geolocated by Microsoft as **Salt Lake City, UT** — a location Mike had not signed in from before.
- **Active password-spray attack in progress** against the account via the **Microsoft Azure CLI** first-party app (ROPC-style username/password auth): 200 failed interactive sign-ins between 2026-07-10 and 2026-07-14 from ~185 unique IPs across 14 countries (US, DE, CN, IN, KR, BR, RU, ...). 197 failures = 50053 (smart lockout / blocked IP), 3 = 50126 (invalid password). **Zero successes.**
- MFA posture is strong: Microsoft Authenticator on 2 devices, Windows Hello for Business on 21 devices, phone + recovery email registered. No auth methods added during the attack window.
- Mailbox is clean: no hidden inbox rules, forwarding disabled, no non-SELF mailbox/SendAs permissions; the 46 visible inbox rules are long-standing legitimate MSP routing rules.
## Target details
| Field | Value |
|---|---|
| UPN | mike@azcomputerguru.com |
| Object ID | f34ebe40-9565-4135-af4c-2e808df57a25 |
| Account Enabled | true |
| Created | 2020-07-08T19:48:57Z |
| Last Password Change | 2025-12-11T22:04:04Z |
## Per-check findings
### 1. Inbox rules (Graph)
46 rules. All recognizable long-standing rules (vendor notifications, forwards to techs/webmaster@, Syncro/RMM alert routing). No delete-all/RSS-hide patterns, no external attacker-style forwards.
### 2. Mailbox forwarding / settings
Forwarding disabled. No auto-forward SMTP address.
### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)
Hidden inbox rules: none. Mailbox permissions: no non-SELF. SendAs: no non-SELF. ForwardingAddress/ForwardingSmtpAddress: empty.
### 4. OAuth consents + app role assignments
4 OAuth grants, 36 app role assignments — consistent with admin/owner account; nothing new or unfamiliar in the attack window.
### 5. Authentication methods
26 registered: Microsoft Authenticator (SM-S938U, samsungSM-X518U), WHfB x21 (GURU-5070, ACG-YOGA, ACG-TECH-02L, ...), phone +1 520-289-1912, recovery email superguru@gmail.com, password. None created recently.
### 6. Sign-ins (30d, interactive)
- **Successes: 8**, all US/Arizona:
- 2026-07-02 Phoenix (Cox `98.181.90.163`) — Teams + Auth Broker
- 2026-06-23 "Salt Lake City" (`67.206.163.122` = FirstDigital, **actually Tucson**) — SharePoint Online ← likely alert trigger
- 2026-06-14 Phoenix (IPv6) — M365 Admin portal, Office portal
- **Failures: 200 in the last ~4 days (2026-07-10 → 2026-07-14)**, all targeting **Microsoft Azure CLI** client: 115 US, 49 DE, 7 CA, 7 CN, 6 IN, 5 KR, 3 BR + others; ~185 unique IPs (distributed botnet). Error codes: 197x 50053 (lockout/blocked), 3x 50126 (bad password). Attack was still active at 12:26 UTC today.
### 7. Directory audits
6 entries in 30d — routine, nothing targeting credentials/auth methods.
### 8. Risky users / risk detections
riskyUsers: **403 Forbidden** (see Gaps). riskDetections: 0 returned.
### 9. Sent items (recent 25)
Normal correspondence — no blast pattern.
### 10. Deleted items (recent 25)
Normal — no deleted security alerts or MFA notifications.
## Suspicious items
- Ongoing distributed password spray against Azure CLI app (ROPC username+password flow). Password is holding; smart lockout engaged. No success events.
## Gaps — checks not completed
- `GET /identityProtection/riskyUsers/...` returned 403 despite `IdentityRiskyUser.Read.All` in the token — likely Entra ID P2 licensing on this tenant; verify license or re-consent per `references/gotchas.md`.
## Next actions
1. **No credential reset required** — no successful unauthorized sign-in. Optional: rotate password anyway for peace of mind (last change 2025-12-11).
2. **Blunt the spray surface:** consider a Conditional Access policy (report-only first, break-glass excluded) blocking legacy/ROPC-style auth or requiring compliant device for "Microsoft Azure CLI" / management endpoints. The failures are all username+password attempts that MFA/lockout are absorbing.
3. Mark the FirstDigital Tucson IP (`67.206.163.122`) as recognized — Microsoft geolocates it to Salt Lake City, which is what fired the "new location" notification.
4. Re-check in a few days whether the spray has subsided (`user-breach-check.sh azcomputerguru.com mike@azcomputerguru.com`).
## Remediation actions
None — read-only investigation.
## Data artifacts
Raw JSON at `/tmp/remediation-tool/ce61461e-81a0-4c84-bb4a-7b354a9a356d/user-breach/mike_azcomputerguru_com/` — files: `00_user.json``10_deleted.json`, plus `../signins_success30.json` (success-only query).