diff --git a/clients/internal-infrastructure/reports/2026-07-14-mike-signin-investigation.md b/clients/internal-infrastructure/reports/2026-07-14-mike-signin-investigation.md new file mode 100644 index 00000000..4ad30122 --- /dev/null +++ b/clients/internal-infrastructure/reports/2026-07-14-mike-signin-investigation.md @@ -0,0 +1,84 @@ +# Sign-in Investigation — mike@azcomputerguru.com ("new location" alert) + +**Date:** 2026-07-14 +**Tenant:** Arizona Computer Guru (azcomputerguru.com, ce61461e-81a0-4c84-bb4a-7b354a9a356d) +**Subject:** mike@azcomputerguru.com +**Tool:** ComputerGuru remediation app suite — Security Investigator `bfbc12a4` (Graph read) + Investigator-EXO (Exchange read) +**Scope:** read-only + +## Summary + +- **No evidence of compromise.** All 8 successful interactive sign-ins in the last 30 days are from Arizona (Cox Phoenix residential + FirstDigital Tucson), on known apps/devices. +- **The "new location" alert is almost certainly a geo-IP artifact:** the 2026-06-23 SharePoint sign-in from `67.206.163.122` (FirstDigital Communications, physically **Tucson AZ**) is geolocated by Microsoft as **Salt Lake City, UT** — a location Mike had not signed in from before. +- **Active password-spray attack in progress** against the account via the **Microsoft Azure CLI** first-party app (ROPC-style username/password auth): 200 failed interactive sign-ins between 2026-07-10 and 2026-07-14 from ~185 unique IPs across 14 countries (US, DE, CN, IN, KR, BR, RU, ...). 197 failures = 50053 (smart lockout / blocked IP), 3 = 50126 (invalid password). **Zero successes.** +- MFA posture is strong: Microsoft Authenticator on 2 devices, Windows Hello for Business on 21 devices, phone + recovery email registered. No auth methods added during the attack window. +- Mailbox is clean: no hidden inbox rules, forwarding disabled, no non-SELF mailbox/SendAs permissions; the 46 visible inbox rules are long-standing legitimate MSP routing rules. + +## Target details + +| Field | Value | +|---|---| +| UPN | mike@azcomputerguru.com | +| Object ID | f34ebe40-9565-4135-af4c-2e808df57a25 | +| Account Enabled | true | +| Created | 2020-07-08T19:48:57Z | +| Last Password Change | 2025-12-11T22:04:04Z | + +## Per-check findings + +### 1. Inbox rules (Graph) +46 rules. All recognizable long-standing rules (vendor notifications, forwards to techs/webmaster@, Syncro/RMM alert routing). No delete-all/RSS-hide patterns, no external attacker-style forwards. + +### 2. Mailbox forwarding / settings +Forwarding disabled. No auto-forward SMTP address. + +### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox) +Hidden inbox rules: none. Mailbox permissions: no non-SELF. SendAs: no non-SELF. ForwardingAddress/ForwardingSmtpAddress: empty. + +### 4. OAuth consents + app role assignments +4 OAuth grants, 36 app role assignments — consistent with admin/owner account; nothing new or unfamiliar in the attack window. + +### 5. Authentication methods +26 registered: Microsoft Authenticator (SM-S938U, samsungSM-X518U), WHfB x21 (GURU-5070, ACG-YOGA, ACG-TECH-02L, ...), phone +1 520-289-1912, recovery email superguru@gmail.com, password. None created recently. + +### 6. Sign-ins (30d, interactive) +- **Successes: 8**, all US/Arizona: + - 2026-07-02 Phoenix (Cox `98.181.90.163`) — Teams + Auth Broker + - 2026-06-23 "Salt Lake City" (`67.206.163.122` = FirstDigital, **actually Tucson**) — SharePoint Online ← likely alert trigger + - 2026-06-14 Phoenix (IPv6) — M365 Admin portal, Office portal +- **Failures: 200 in the last ~4 days (2026-07-10 → 2026-07-14)**, all targeting **Microsoft Azure CLI** client: 115 US, 49 DE, 7 CA, 7 CN, 6 IN, 5 KR, 3 BR + others; ~185 unique IPs (distributed botnet). Error codes: 197x 50053 (lockout/blocked), 3x 50126 (bad password). Attack was still active at 12:26 UTC today. + +### 7. Directory audits +6 entries in 30d — routine, nothing targeting credentials/auth methods. + +### 8. Risky users / risk detections +riskyUsers: **403 Forbidden** (see Gaps). riskDetections: 0 returned. + +### 9. Sent items (recent 25) +Normal correspondence — no blast pattern. + +### 10. Deleted items (recent 25) +Normal — no deleted security alerts or MFA notifications. + +## Suspicious items + +- Ongoing distributed password spray against Azure CLI app (ROPC username+password flow). Password is holding; smart lockout engaged. No success events. + +## Gaps — checks not completed + +- `GET /identityProtection/riskyUsers/...` returned 403 despite `IdentityRiskyUser.Read.All` in the token — likely Entra ID P2 licensing on this tenant; verify license or re-consent per `references/gotchas.md`. + +## Next actions + +1. **No credential reset required** — no successful unauthorized sign-in. Optional: rotate password anyway for peace of mind (last change 2025-12-11). +2. **Blunt the spray surface:** consider a Conditional Access policy (report-only first, break-glass excluded) blocking legacy/ROPC-style auth or requiring compliant device for "Microsoft Azure CLI" / management endpoints. The failures are all username+password attempts that MFA/lockout are absorbing. +3. Mark the FirstDigital Tucson IP (`67.206.163.122`) as recognized — Microsoft geolocates it to Salt Lake City, which is what fired the "new location" notification. +4. Re-check in a few days whether the spray has subsided (`user-breach-check.sh azcomputerguru.com mike@azcomputerguru.com`). + +## Remediation actions + +None — read-only investigation. + +## Data artifacts + +Raw JSON at `/tmp/remediation-tool/ce61461e-81a0-4c84-bb4a-7b354a9a356d/user-breach/mike_azcomputerguru_com/` — files: `00_user.json` … `10_deleted.json`, plus `../signins_success30.json` (success-only query).