report: sign-in investigation for mike@azcomputerguru.com (new-location alert)
No compromise found; alert traced to geo-IP mislocation of Tucson FirstDigital IP. Documents ongoing password-spray against Azure CLI app (0 successes). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,84 @@
|
||||
# Sign-in Investigation — mike@azcomputerguru.com ("new location" alert)
|
||||
|
||||
**Date:** 2026-07-14
|
||||
**Tenant:** Arizona Computer Guru (azcomputerguru.com, ce61461e-81a0-4c84-bb4a-7b354a9a356d)
|
||||
**Subject:** mike@azcomputerguru.com
|
||||
**Tool:** ComputerGuru remediation app suite — Security Investigator `bfbc12a4` (Graph read) + Investigator-EXO (Exchange read)
|
||||
**Scope:** read-only
|
||||
|
||||
## Summary
|
||||
|
||||
- **No evidence of compromise.** All 8 successful interactive sign-ins in the last 30 days are from Arizona (Cox Phoenix residential + FirstDigital Tucson), on known apps/devices.
|
||||
- **The "new location" alert is almost certainly a geo-IP artifact:** the 2026-06-23 SharePoint sign-in from `67.206.163.122` (FirstDigital Communications, physically **Tucson AZ**) is geolocated by Microsoft as **Salt Lake City, UT** — a location Mike had not signed in from before.
|
||||
- **Active password-spray attack in progress** against the account via the **Microsoft Azure CLI** first-party app (ROPC-style username/password auth): 200 failed interactive sign-ins between 2026-07-10 and 2026-07-14 from ~185 unique IPs across 14 countries (US, DE, CN, IN, KR, BR, RU, ...). 197 failures = 50053 (smart lockout / blocked IP), 3 = 50126 (invalid password). **Zero successes.**
|
||||
- MFA posture is strong: Microsoft Authenticator on 2 devices, Windows Hello for Business on 21 devices, phone + recovery email registered. No auth methods added during the attack window.
|
||||
- Mailbox is clean: no hidden inbox rules, forwarding disabled, no non-SELF mailbox/SendAs permissions; the 46 visible inbox rules are long-standing legitimate MSP routing rules.
|
||||
|
||||
## Target details
|
||||
|
||||
| Field | Value |
|
||||
|---|---|
|
||||
| UPN | mike@azcomputerguru.com |
|
||||
| Object ID | f34ebe40-9565-4135-af4c-2e808df57a25 |
|
||||
| Account Enabled | true |
|
||||
| Created | 2020-07-08T19:48:57Z |
|
||||
| Last Password Change | 2025-12-11T22:04:04Z |
|
||||
|
||||
## Per-check findings
|
||||
|
||||
### 1. Inbox rules (Graph)
|
||||
46 rules. All recognizable long-standing rules (vendor notifications, forwards to techs/webmaster@, Syncro/RMM alert routing). No delete-all/RSS-hide patterns, no external attacker-style forwards.
|
||||
|
||||
### 2. Mailbox forwarding / settings
|
||||
Forwarding disabled. No auto-forward SMTP address.
|
||||
|
||||
### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)
|
||||
Hidden inbox rules: none. Mailbox permissions: no non-SELF. SendAs: no non-SELF. ForwardingAddress/ForwardingSmtpAddress: empty.
|
||||
|
||||
### 4. OAuth consents + app role assignments
|
||||
4 OAuth grants, 36 app role assignments — consistent with admin/owner account; nothing new or unfamiliar in the attack window.
|
||||
|
||||
### 5. Authentication methods
|
||||
26 registered: Microsoft Authenticator (SM-S938U, samsungSM-X518U), WHfB x21 (GURU-5070, ACG-YOGA, ACG-TECH-02L, ...), phone +1 520-289-1912, recovery email superguru@gmail.com, password. None created recently.
|
||||
|
||||
### 6. Sign-ins (30d, interactive)
|
||||
- **Successes: 8**, all US/Arizona:
|
||||
- 2026-07-02 Phoenix (Cox `98.181.90.163`) — Teams + Auth Broker
|
||||
- 2026-06-23 "Salt Lake City" (`67.206.163.122` = FirstDigital, **actually Tucson**) — SharePoint Online ← likely alert trigger
|
||||
- 2026-06-14 Phoenix (IPv6) — M365 Admin portal, Office portal
|
||||
- **Failures: 200 in the last ~4 days (2026-07-10 → 2026-07-14)**, all targeting **Microsoft Azure CLI** client: 115 US, 49 DE, 7 CA, 7 CN, 6 IN, 5 KR, 3 BR + others; ~185 unique IPs (distributed botnet). Error codes: 197x 50053 (lockout/blocked), 3x 50126 (bad password). Attack was still active at 12:26 UTC today.
|
||||
|
||||
### 7. Directory audits
|
||||
6 entries in 30d — routine, nothing targeting credentials/auth methods.
|
||||
|
||||
### 8. Risky users / risk detections
|
||||
riskyUsers: **403 Forbidden** (see Gaps). riskDetections: 0 returned.
|
||||
|
||||
### 9. Sent items (recent 25)
|
||||
Normal correspondence — no blast pattern.
|
||||
|
||||
### 10. Deleted items (recent 25)
|
||||
Normal — no deleted security alerts or MFA notifications.
|
||||
|
||||
## Suspicious items
|
||||
|
||||
- Ongoing distributed password spray against Azure CLI app (ROPC username+password flow). Password is holding; smart lockout engaged. No success events.
|
||||
|
||||
## Gaps — checks not completed
|
||||
|
||||
- `GET /identityProtection/riskyUsers/...` returned 403 despite `IdentityRiskyUser.Read.All` in the token — likely Entra ID P2 licensing on this tenant; verify license or re-consent per `references/gotchas.md`.
|
||||
|
||||
## Next actions
|
||||
|
||||
1. **No credential reset required** — no successful unauthorized sign-in. Optional: rotate password anyway for peace of mind (last change 2025-12-11).
|
||||
2. **Blunt the spray surface:** consider a Conditional Access policy (report-only first, break-glass excluded) blocking legacy/ROPC-style auth or requiring compliant device for "Microsoft Azure CLI" / management endpoints. The failures are all username+password attempts that MFA/lockout are absorbing.
|
||||
3. Mark the FirstDigital Tucson IP (`67.206.163.122`) as recognized — Microsoft geolocates it to Salt Lake City, which is what fired the "new location" notification.
|
||||
4. Re-check in a few days whether the spray has subsided (`user-breach-check.sh azcomputerguru.com mike@azcomputerguru.com`).
|
||||
|
||||
## Remediation actions
|
||||
|
||||
None — read-only investigation.
|
||||
|
||||
## Data artifacts
|
||||
|
||||
Raw JSON at `/tmp/remediation-tool/ce61461e-81a0-4c84-bb4a-7b354a9a356d/user-breach/mike_azcomputerguru_com/` — files: `00_user.json` … `10_deleted.json`, plus `../signins_success30.json` (success-only query).
|
||||
Reference in New Issue
Block a user