azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from GURU-5070 at 2026-06-11 08:22:42

Browse Source 
Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-11 08:22:42
This commit is contained in:
Mike Swanson
2026-06-11 08:22:55 -07:00
parent 6ade6153bf
commit 65ad20ae0f
8 changed files with 205 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
clients/kittle/reports/2026-04-23-breach-check.md Normal file
View File

@@ -0,0 +1,171 @@
# Breach Check — Kittle Design & Construction
**Date:** 2026-04-23
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
**Analyst:** Mike Swanson
**Scope:** Tenant-wide compromised account sweep
**Tool:** ComputerGuru Security Investigator (read-only Graph + Exchange)
---
## Limitations
- **No Entra ID P1/P2 license** — sign-in logs, risky user detection, and Identity Protection not available
- **Exchange Admin role not yet assigned** to Security Investigator SP — SMTP forwarding and transport rules not checked
- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility
---
## Summary
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com |
| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com |
| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section |
| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide |
---
## Findings Detail
### [WARNING] alexis@kittlearizona.com — Hidden inbox rule
**Rule name:** `.` (single dot)
**Status:** Enabled
**Action:** Move to folder (ID: AQMkAGJiAWNh...)
**Condition:** Sender contains `HOWMET.COM`
A rule named `.` is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder.
**Questions to resolve:**
1. Does Kittle have a business relationship with Howmet Aerospace?
2. Does Alexis recognize this rule?
3. What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder)
If Alexis did not create this rule, treat as confirmed compromise indicator and escalate to full breach check with password reset, session revocation, and MFA re-enrollment.
---
### [WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations
Two Microsoft Authenticator entries on the same device name:
| Entry | Display Name | App Version | Created |
|---|---|---|---|
| 1 | iPhone 12 Pro Max | 6.8.41 | not available |
| 2 | iPhone 12 Pro Max | 6.8.40 | not available |
Both tagged `SoftwareTokenActivated`. Identical device name with different app versions indicates either:
- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register)
- Suspicious: attacker registered their own Authenticator under the same device name
**Action:** Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (version 6.8.40) immediately and force MFA re-enrollment.
---
### [INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails
**Rule name:** `Admin`
**Status:** Enabled
**Action:** Move to folder (ID: AQMkAGNiZTJj...)
**Condition:** Body or subject contains any of:
- `@flystucson.com`
- `capitalone`
- `capitaloneshopping.com`
- `@capitalone.com`
- `capital one `
- `@inform.bill.com`
- `cwelsh@hq.bill.com`
- `bill.com`
Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization.
**Action:** Confirm with Ken:
1. Did he create this rule?
2. What folder does it route to, and has he seen the emails landing there?
3. Does Kittle use Bill.com and Capital One for business payments?
If Ken did not create this rule, it is a confirmed compromise indicator.
---
### [INFO] Lori@kittlearizona.com — Two Authenticator devices
| Entry | Display Name | App Version |
|---|---|---|
| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 |
| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 |
Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up.
**Action:** Confirm which device is current with Lori. Remove the old registration.
---
### [INFO] scott@kittlearizona.com — Phone-only MFA
Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering).
**Action:** Enroll Scott in Microsoft Authenticator.
---
### [INFO] IMAP legacy auth consent
App ID `9b504397-914d-4af2-b6d9-9081e80da54e` has a user-level delegated consent for:
```
openid offline_access email profile IMAP.AccessAsUser.All
```
IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it.
**Action:** Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant.
---
### [INFO] Large-scope AllPrincipals OAuth consent
App ID `c5df10ae-2aa7-4283-86ef-1884c267a9ac` has admin-consented (AllPrincipals) access including:
`Directory.ReadWrite.All`, `User.ReadWrite.All`, `RoleManagement.ReadWrite.Directory`, `Mail.Send`, `Policy.ReadWrite.*`, `SecurityEvents.ReadWrite.All`, and many others.
This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). Verify this was intentionally granted by Kittle's admin.
---
## Clean checks
- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled)
- No B2B guest invites in 30 days
- No suspicious directory audits beyond today's Security Investigator consent (expected)
- 13 of 16 users have Authenticator MFA enrolled
- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment)
---
## Recommended Actions
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike |
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike |
| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike |
| P2 | Identify the IMAP app consent — which user, what client? | Mike |
| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Verify `c5df10ae` AllPrincipals consent is intentional MSP tooling | Mike |
---
## Escalation criteria
If Alexis or Ken cannot explain their respective rules → treat as active compromise:
1. Force password reset
2. Revoke all sessions (`revokeSignInSessions`)
3. Remove suspicious Authenticator entry from Alexis
4. Delete the unrecognized inbox rule
5. Run full per-user breach check (sent items, deleted items, OAuth consents for that user)
6. Check if any Bill.com or Capital One transactions were made without authorization (Ken's case)

144
clients/kittle/reports/2026-06-08-full-sweep.md Normal file
View File

@@ -0,0 +1,144 @@
# Kittle Design & Construction — Full M365 Sweep
**Date:** 2026-06-08
**Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
**Performed by:** ComputerGuru Security Investigator (read-only)
**Scope:** All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods
---
## Summary
All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April).
---
## SMTP Forwarding — All Clean [OK]
This check was skipped in April (Exchange Admin role was missing on Security Investigator SP at that time). Now confirmed:
| Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status |
|---|---|---|---|
| Accounting | none | none | [OK] |
| Admin | none | none | [OK] |
| Alexis | none | none | [OK] |
| Brandon | none | none | [OK] |
| Hayden | none | none | [OK] |
| Jason | none | none | [OK] |
| Joshua | none | none | [OK] |
| Ken | none | none | [OK] |
| Lori | none | none | [OK] |
| Marco | none | none | [OK] |
| Neal | none | none | [OK] |
| Scott | none | none | [OK] |
| Wrex | none | none | [OK] |
---
## Inbox Rules
| Mailbox | Rules Found | Status |
|---|---|---|
| Accounting | None | [OK] |
| Admin | None | [OK] |
| Alexis | None | [OK] — hidden rule "." confirmed deleted |
| Brandon | None | [OK] |
| Hayden | None | [OK] |
| Jason | None | [OK] |
| Joshua | None | [OK] |
| Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule |
| Lori | None | [OK] |
| Marco | None | [OK] |
| Neal | None | [OK] |
| Scott | None | [OK] |
| Wrex | None | [OK] |
**Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]**
---
## OAuth App Consents — No Suspicious Grants
| App | Publisher | Grant Type | Scope | Verdict |
|---|---|---|---|---|
| iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail |
| SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP |
| Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] |
| ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app |
| QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email |
| Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client |
| MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) |
| One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app |
| Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope |
| Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access |
| BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal |
**Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]**
---
## MFA Authentication Methods
| User | Authenticator | Phone | Software OATH | Status |
|---|---|---|---|---|
| Accounting | SM-F731U1 | — | — | [OK] |
| Admin (Kimberly) | moto g power 5G | — | — | [OK] |
| Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below |
| Brandon | SM-F741U | — | — | [OK] |
| Hayden | iPhone 12 Pro Max | — | — | [OK] |
| Jason | SM-X218U | — | — | [OK] |
| Joshua | iPad Pro 11" (2nd gen) | — | — | [OK] |
| Ken | iPhone 12 Pro Max | — | — | [OK] |
| Lori | SM-G975U + SM-F766U | — | — | [WARNING] see below |
| Marco | iPhone 14 | — | — | [OK] |
| Neal | iPhone 16 Pro | — | — | [OK] |
| Scott | — | +1 5202884444 | — | [WARNING] no Authenticator app |
| Wrex | iPhone 14 | +1 5209122806 | — | [OK] |
### MFA Open Items
**[WARNING] Alexis — suspicious Authenticator still present:**
- Entry `c927402a-75c6-4a55-840a-86d1eea43a9b` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
- Entry `7365a870-4809-4fdc-9e9b-dcd76eddb8ef` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
- Both entries identical display names, both SoftwareTokenActivated. One is legitimate; one should be removed.
- Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove `c927402a`.
- Alexis also has a software OATH token (7d1425ca) — if she doesn't use a hardware TOTP key, remove this too.
**[WARNING] Lori — old Samsung device still registered:**
- SM-G975U (Samsung S10+) — old phone
- SM-F766U (Samsung Z Flip) — current phone (presumably)
- Action: Confirm with Lori which is her current phone, then remove the old entry.
**[WARNING] Scott — phone-only MFA:**
- Only MFA method is SMS/call to +1 5202884444
- No Microsoft Authenticator enrolled
- SMS MFA is significantly weaker than app-based MFA
- Action: Enroll Scott in Microsoft Authenticator
---
## Resolved Findings (from 2026-04-23)
| Finding | Status |
|---|---|
| Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone |
| Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone |
| Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone |
| IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone |
| SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 |
---
## Outstanding Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove `c927402a`. Also remove software OATH token if unused. | Mike |
| P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike |
---
## Vault Paths Accessed
- `msp-tools/computerguru-security-investigator.sops.yaml` (investigator + investigator-exo tiers)

137
clients/kittle/session-logs/2026-04-24-session.md Normal file
View File

@@ -0,0 +1,137 @@
# Session Log — Kittle Design & Construction
**Date:** 2026-04-23 / 2026-04-24 (overnight)
**Analyst:** Mike Swanson
**Machine:** DESKTOP-0O8A1RL
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
---
## Session Summary
Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing.
---
## Breach Check Findings
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com |
| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices (different Samsung models — likely phone upgrade) | Lori@kittlearizona.com |
| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent — single user | unknown |
| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide |
---
## Remediation Actions Taken
### Onboarding
Exchange Operator and Tenant Admin apps consented by Kittle admin. Role assignments:
- Security Investigator SP (`26e16c7a`): Exchange Administrator — assigned
- Exchange Operator SP (`775ec856`): Exchange Administrator — assigned manually (onboard script missed it)
- User Manager SP (`ea0277ab`): User Administrator + Authentication Administrator — assigned
### alexis@kittlearizona.com
| Action | Result | Detail |
|---|---|---|
| Hidden "." inbox rule deleted | [OK] | Exchange identity: `alexis\\2866869517449953281` |
| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 |
| All sign-in sessions revoked | [OK] | `revokeSignInSessions` returned true |
| Password reset (temp, force-change) | [OK] | See credentials section below |
**Emails recovered:**
1. "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
2. "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
3. "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
**Still pending:**
- Ask Alexis to count Authenticator entries on her phone. If only one, remove suspicious entry:
- Entry to remove: ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40, "iPhone 12 Pro Max")
### OAuth Consents Revoked
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted, all HTTP 204):
- `rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo` — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- `rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc` — LicenseManager.AccessAsUser
- `rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8` — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation
- `rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI` — user_impersonation
- `rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs` — AllProfiles.Manage, AllSites.FullControl
- `rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk` — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite
- `rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k` — Vulnerability.Read
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth, 1 grant deleted, HTTP 204):
- `l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa` — IMAP.AccessAsUser.All, openid, offline_access, email, profile
- Consented by user `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` (user object ID — UPN not resolved)
### Ken@kittlearizona.com
No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions).
---
## Credentials
```
Tenant: kittlearizona.com
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
alexis@kittlearizona.com
Temp password: KittleGwiNUK#2026
(force change on next login — issued 2026-04-23)
User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a
Exchange Operator SP: 775ec856-f032-4dcf-a499-ccf7f9bce07b
Tenant Admin SP: 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5
Security Investigator SP: 26e16c7a-0ac8-4f85-bdd7-992611bbd271
User Manager SP: ea0277ab-497c-45f7-b88a-e2d53f54a4c7
```
---
## Syncro
- **Ticket #32207** — "M365 Security Sweep — Breach Check & Remediation"
- Status: Resolved
- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473)
- Ready to invoice — run `/syncro bill 32207` or manually in GUI
---
## Infrastructure Notes
- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection unavailable
- SMTP forwarding check not completed — Exchange Admin role was not assigned to Security Investigator at time of breach check (fixed during remediation session)
- Token cache location: `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
---
## Files Changed This Session
- `clients/kittle-design/reports/2026-04-23-breach-check.md` — breach check report (written 2026-04-23)
- `.claude/skills/remediation-tool/scripts/tenant-sweep.sh` — fixed tier name `graph``investigator` on line 12
- `.claude/skills/remediation-tool/references/tenants.md` — Kittle row updated from NO to PARTIAL
---
## Pending Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? Remove `c927402a` if only one. | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike |
| P2 | Verify Alexis received temp password and changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Invoice ticket #32207 | Mike |

184
clients/kittle/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md Normal file
View File

@@ -0,0 +1,184 @@
# Session Log — 2026-06-08 — Mike — Kittle M365 Full Security Sweep
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-BEAST-ROG
- **Role:** admin
---
## Session Summary
Mike opened a Discord thread to check all kittlearizona.com M365 accounts for compromise. The bot loaded context from prior session logs and the wiki, surfacing the April 2026 breach check history: Alexis's confirmed compromise had been remediated, Ken's suspicious "Admin" inbox rule was unresolved, and SMTP forwarding had never been checked due to a missing Exchange Admin role on the Security Investigator SP.
A full read-only sweep was run against all 13 licensed mailboxes using the remediation-tool skill (investigator + investigator-exo tiers, certificate auth). Checks covered: SMTP forwarding, inbox rules, OAuth app consents, and MFA authentication methods for every user. Tokens were acquired fresh via get-token.sh against tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0.
All critical April findings were confirmed resolved: Alexis's hidden inbox rule "." is gone, Ken's "Admin" rule (Capital One/Bill.com/@flystucson.com filter) is gone, and the malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50+ scopes) is fully removed from the tenant. SMTP forwarding was confirmed clean across all 13 mailboxes — the first time this check ran successfully on this tenant. All OAuth grants were identified and verified legitimate (QuickBooks Desktop, Gmail, iOS Accounts, Samsung MyFiles, One Calendar, Read AI, Virtru, BMO Secure Email). No new active compromises were found.
Three MFA cleanup items remain open from April: Alexis still has a duplicate suspicious Authenticator entry (c927402a), Lori still has an old Samsung S10+ registered, and Scott has phone-only MFA with no Authenticator app enrolled. A client-facing action guide was drafted for Mike to send to Kittle, and an Entra P1 upgrade recommendation was included. A Syncro ticket (#32394) was created, billed at 1.0 hr Labor - Remote Business ($150.00), invoiced, and marked Invoiced.
---
## Key Decisions
- Classified Ken's current "Christina Micek" inbox rule as benign — it copies emails sent TO that contact to a folder, consistent with an organizational filing rule.
- Confirmed the SMTP forwarding gap from April is now filled — all 13 mailboxes are clean on forwarding.
- Identified MyFiles (appId d5e6af94) as Samsung's native file manager app based on reply URLs (com.sec.android.app.myfiles bundle) and Jason's known Samsung tablet (SM-X218U). Not flagged as suspicious.
- Gmail EAS grant on Scott explains his email client setup (using Gmail to connect to M365 via EAS) — not a threat.
- QuickBooks Desktop Mail.Send on Accounting — verified Intuit as publisher, consistent with QB sending email on behalf of the Accounting mailbox.
- Recommended Entra P1 at minimum for Ken, Alexis, and Accounting — specifically to restore sign-in log visibility lost during the April investigation (no P1 = no Identity Protection, no Conditional Access, no sign-in logs).
- Billed against a new ticket (#32394) rather than appending to the April ticket (#32207) — different work scope (sweep + guide vs. initial breach response).
---
## Problems Encountered
- MFA check script failed on first run due to `UID` being a readonly bash variable. Fixed by renaming the variable to `OID` in the loop.
- OAuth service principal list was very long (100+ entries). Identified all notable non-Microsoft SPs by running targeted GET calls on each SP ID from the grants list rather than parsing the full list.
- Ollama unavailable on BEAST during this session — Syncro comment and line item descriptions drafted directly by Claude.
---
## Configuration Changes
- `clients/kittle-design/reports/2026-06-08-full-sweep.md` — created (full sweep report with all findings)
- `clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md` — created (this log)
---
## Credentials & Secrets
- No new credentials discovered or created.
- Tokens acquired via `get-token.sh` for tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0:
- investigator tier (Graph read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator.jwt`
- investigator-exo tier (Exchange read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator-exo.jwt`
- Vault paths accessed: `msp-tools/computerguru-security-investigator.sops.yaml`
---
## Infrastructure & Servers
- **Tenant:** kittlearizona.com | ID: `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable
- **Exchange Admin role on Security Investigator SP:** Confirmed present (was missing in April)
- **SP Object IDs in tenant:**
- Security Investigator: `26e16c7a-0ac8-4f85-bdd7-992611bbd271`
- Exchange Operator: `775ec856-f032-4dcf-a499-ccf7f9bce07b`
- User Manager: `ea0277ab-497c-45f7-b88a-e2d53f54a4c7`
- Tenant Admin: `0caa0dde-3f8d-4d46-ab26-aa0d38add0b5`
- ComputerGuru AI Remediation: `2fd24cfa-8533-460f-9cbb-53cc4a32d3f5`
---
## Commands & Outputs
```bash
# Token acquisition
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator-exo
# User list — 14 users returned (13 licensed + sysadmin)
GET /users?$select=id,displayName,userPrincipalName,assignedLicenses,accountEnabled
# Inbox rules — all clean except Ken (benign "Christina Micek" copy rule)
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-InboxRule per mailbox
# SMTP forwarding — all 13 mailboxes: ForwardingAddress=none, ForwardingSmtpAddress=none, DeliverToMailboxAndForward=false
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-Mailbox per mailbox
# Old malicious app check — confirmed absent
GET /servicePrincipals?$filter=appId eq 'c5df10ae-2aa7-4283-86ef-1884c267a9ac'
# Result: count=0
# OAuth grants — notable findings:
# - 654bae70 = QuickBooks Desktop (Intuit), Mail.Send on Accounting
# - d375a540 = Gmail (Google), EAS on Scott
# - f90fe4d2 = Samsung MyFiles, Files.ReadWrite on Jason
# - ccedcb63 = One Calendar (Code Spark), Calendars.ReadWrite on Wrex
# - 55a9597c = Read AI, User.Read on Marco
```
---
## Pending / Incomplete Tasks
| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries in app. If only one kittlearizona.com account, remove `c927402a-75c6-4a55-840a-86d1eea43a9b`. Also remove software OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused. | Mike |
| P2 | Confirm with Lori: is current phone Samsung Z Flip (SM-F766U)? If yes, remove old SM-G975U entry `da5454c7-eaa8-4b67-9cb8-61ed1486d012`. | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (phone-only MFA at +1 5202884444 is weak) | Mike |
| P3 | Send client-facing MFA action guide + Entra P1 recommendation to Ken/Kimberly | Mike |
| P4 | Quote Entra P1 add-on for Kittle — recommend minimum coverage for Ken, Alexis, Accounting | Mike |
---
## Reference Information
- **Syncro ticket:** #32394 (ID: 112389608) — https://computerguru.syncromsp.com/tickets/112389608
- **Prior ticket:** #32207 (April 2026 breach check)
- **Sweep report:** `clients/kittle-design/reports/2026-06-08-full-sweep.md`
- **Wiki:** `wiki/clients/kittle-design.md` — needs recompile to reflect resolved findings and new open items
- **Tenant ID:** `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
- **Alexis user object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Suspicious Authenticator to remove:** `c927402a-75c6-4a55-840a-86d1eea43a9b` (Alexis, "iPhone 12 Pro Max")
- **Lori old Authenticator to remove:** `da5454c7-eaa8-4b67-9cb8-61ed1486d012` (SM-G975U)
- **Alexis OATH token to review:** `7d1425ca-27d0-444d-9c36-6b3780c77059`
- **Scott phone MFA:** +1 5202884444 (only MFA method)
---
## Update: 18:56 PT — Ken BEC Incident Investigation
### Summary
Mike pointed to Syncro ticket #32393 ("Ken Schagel shared a file with you"), which was the incident that triggered the full sweep earlier in this session. Investigated the scope and timeline of Ken's compromise via the remediation tool.
**Confirmed: Ken's account was actively used to send a phishing blast.** Around 21:23-21:26 UTC on 2026-06-08 (2:23 PM Arizona time), the attacker used Ken's M365 account to send a fake SharePoint "shared document" email to approximately 70+ external contacts from Ken's email history. The phishing link was `flowinnactuators.com/work.html` (credential harvesting page). Microsoft's anti-abuse system detected the bulk send and automatically restricted Ken's sending ability — confirmed by an `Office365Alerts@microsoft.com` "High-severity alert: User restricted from sending email" message in Ken's deleted items.
**Mike's incident response (already completed):**
- Ken's account was sign-in blocked immediately
- Password reset to temp `B/947405806521av` (force change on login)
- Account re-enabled approximately 20 minutes later after verification
- Wrex Watson's password was also reset (sessions revoked, temp `Kittle@1426Wrx!47E742`) as a precaution — a password reset on Wrex's account occurred just before the Ken incident and could not be attributed at the time
**Current state of both accounts:**
- Ken: accountEnabled=true, one clean Authenticator (iPhone 12 Pro Max), no inbox rules, no SMTP forwarding, no per-user OAuth grants
- Wrex: accountEnabled=true, clean Authenticator (iPhone 14) + phone MFA, no inbox rules, no SMTP forwarding, no per-user OAuth grants
**Audit log unavailable** — directory audit log returned empty (no Entra P1 = minimal retention). Could not determine via API who initiated Wrex's pre-incident password reset. Recommendation: ask Wrex directly.
**Ken's deleted items:** ~2,699 items, 2,213 unread — primarily NDRs (bounce-backs) and auto-replies from the phishing blast recipients. Sent items show 6,284 items with legitimate construction business emails. The phishing blast sent items were presumably deleted by the attacker to cover tracks.
**April connection — IMAP consent:** The IMAP legacy auth consent (9b504397) revoked in April was granted by Ken's own account (`5fc37e1a`). This indicates the attacker had Ken's credentials as far back as April and used them to consent an IMAP client to his mailbox. Revoking that consent was done, but without a password reset on Ken's account in April, the attacker retained direct login access.
**April classification gap:** The April breach report classified Ken's "Admin" inbox rule (filtering Capital One, Bill.com, @flystucson.com) as `[INFO]` rather than `[WARNING]`. The report noted it "could also be legitimate email organization" and prescribed "confirm with Ken." Ken presumably confirmed he recognized the rule. In hindsight: a rule filtering two specific financial platforms plus a third-party domain in the same rule body should have been `[WARNING]` regardless of the "could be legitimate" caveat, particularly combined with the IMAP consent from his account. The workflow gap: "confirm with the user" is a weak verification step when the account being checked may already be compromised and the attacker has visibility into incoming email.
**Remediation tool classification note:** Both signals in April (financial-hiding inbox rule + IMAP consent from same user object ID `5fc37e1a`) should together trigger automatic escalation to `[WARNING]`. Flagged for checklist update.
### Phishing Blast Recipients (partial — from NDR envelope)
Confirmed external contacts who received the phishing email (from the large NDR in Ken's deleted items):
Herc Rentals (jacob.henderson, jamie.blasko), Stonhard (ttennant), Saint-Gobain (lauren.watlington, jennifer.diringer), Sellers & Sons (mike), Chasse (conf-room), Sun Valley Supply, Old Tucson (kblondeaux), Aaron Crandell Glass, PH Mechanical (jeff, johnh), Anthony DeCesaris/Smith Detection, Central Insurance (cbush), UPS, Lloyd Construction (sean), Safety Management Group (shanejardine), CFSD16 (accountspayable), Armitek (joe), Stair Parts (fwtsmtp), Pima Community College (vlewis, cebunoha), Pima Air & Space Museum (smarchand), Barker One (sharker), Flooring Systems (gabriel), Cordia Energy (jim.regelbrugge, joel.wagner, mike.buter), MOCA Tucson (dominic), Poster Frost Mirto (jmirto), Brand Crowd, GM Marketing, Global Industrial (hkudumula), Walker Consultants, Bulletproof (kris), IntraAnalytics (lily.evelyn), Climatec (ssanchez), CIS Phoenix (gesquibel2), Six Axis LLC (tmikulec), Vortex Doors (sandrag), BMO Harris fraud center, Plumb Plumbing (ssoneira), Roche (keri.overfield), Broadfence, Cushman & Wakefield (martin.stupka), eSubK, Facility Grid, Amazon (jelopezt, luballes), Netflix, Safety Sign, Sport Master, Crowd Control Warehouse, Crazy Horse Campgrounds AZ, APS, Hensel Phelps (qriley), NAU (jss627), Acousthetics, DH Pace (noel.blythe), Mechanical Systems Inc (apb, jab), Malibu Parts (steve), Clopay (dshrader, marketing), Fastenersplus, American Play Systems, eARC (rockfon), ePlus (osprocurement), Concord Inc, MH Consulting (mharding), Pueblo Mechanical (daniel.arellano, stevec), Achilles AC (kimberly, kayla), Progressive (bob.gardner), iCloud contacts (devinrose520, ernestina47), Amazon bounce, gopuff (ryan.hall), Squarespace form submission — and additional auto-reply senders (jackb@norconindustries, john.mccurry@global.inc).
### Pending Items (carry-forward)
| Priority | Item | Owner |
|---|---|---|
| P1 | Update ticket #32393 with full incident timeline and phishing scope | Mike (on PC) |
| P1 | Bill ticket #32393 for incident response time | Mike (on PC) |
| P1 | Notify Ken's external contacts — send "disregard that email" from Ken's account now that it is clean | Mike |
| P1 | Ask Kittle internally (Alexis, Lori, etc.) whether anyone clicked the link at flowinnactuators.com/work.html | Mike |
| P1 | Ask Wrex directly: did he reset his own password before the Ken incident? | Mike |
| P2 | Check Ken's Bill.com and Capital One accounts for unauthorized transactions — attacker had access since at least April | Mike/Ken |
| P2 | Remediation tool checklist update: financial-email-hiding inbox rule + IMAP consent from same user = auto-[WARNING] | Mike |
| P3 | Entra P1 quote for Kittle — incident demonstrated the cost of flying blind without sign-in logs | Mike |
| P3 | DKIM/DMARC setup for kittlearizona.com — no DMARC means the phishing could also have been spoofed to other recipients without account access | Mike |
### Reference
- Syncro ticket #32393 (ID: 112381882): https://computerguru.syncromsp.com/tickets/112381882
- Phishing link: flowinnactuators.com/work.html (credential harvesting — do not visit)
- Ken's deleted items NDR timestamp: 2026-06-08 21:23-21:26 UTC
- Microsoft auto-restriction alert: "High-severity alert: User restricted from sending email" (Office365Alerts@microsoft.com → Ken@ + Lori@)
- IMAP consent from April (revoked): app 9b504397, granted by Ken user object 5fc37e1a
- Attacker access timeline: at minimum April 2026 through June 8 2026 (~6 weeks confirmed)