sync: auto-sync from GURU-5070 at 2026-06-11 08:22:42

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-11 08:22:42
This commit is contained in:
2026-06-11 08:22:55 -07:00
parent c6c8d4e79d
commit 665afd6d1d
8 changed files with 205 additions and 17 deletions

View File

@@ -0,0 +1,171 @@
# Breach Check — Kittle Design & Construction
**Date:** 2026-04-23
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
**Analyst:** Mike Swanson
**Scope:** Tenant-wide compromised account sweep
**Tool:** ComputerGuru Security Investigator (read-only Graph + Exchange)
---
## Limitations
- **No Entra ID P1/P2 license** — sign-in logs, risky user detection, and Identity Protection not available
- **Exchange Admin role not yet assigned** to Security Investigator SP — SMTP forwarding and transport rules not checked
- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility
---
## Summary
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com |
| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com |
| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section |
| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide |
---
## Findings Detail
### [WARNING] alexis@kittlearizona.com — Hidden inbox rule
**Rule name:** `.` (single dot)
**Status:** Enabled
**Action:** Move to folder (ID: AQMkAGJiAWNh...)
**Condition:** Sender contains `HOWMET.COM`
A rule named `.` is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder.
**Questions to resolve:**
1. Does Kittle have a business relationship with Howmet Aerospace?
2. Does Alexis recognize this rule?
3. What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder)
If Alexis did not create this rule, treat as confirmed compromise indicator and escalate to full breach check with password reset, session revocation, and MFA re-enrollment.
---
### [WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations
Two Microsoft Authenticator entries on the same device name:
| Entry | Display Name | App Version | Created |
|---|---|---|---|
| 1 | iPhone 12 Pro Max | 6.8.41 | not available |
| 2 | iPhone 12 Pro Max | 6.8.40 | not available |
Both tagged `SoftwareTokenActivated`. Identical device name with different app versions indicates either:
- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register)
- Suspicious: attacker registered their own Authenticator under the same device name
**Action:** Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (version 6.8.40) immediately and force MFA re-enrollment.
---
### [INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails
**Rule name:** `Admin`
**Status:** Enabled
**Action:** Move to folder (ID: AQMkAGNiZTJj...)
**Condition:** Body or subject contains any of:
- `@flystucson.com`
- `capitalone`
- `capitaloneshopping.com`
- `@capitalone.com`
- `capital one `
- `@inform.bill.com`
- `cwelsh@hq.bill.com`
- `bill.com`
Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization.
**Action:** Confirm with Ken:
1. Did he create this rule?
2. What folder does it route to, and has he seen the emails landing there?
3. Does Kittle use Bill.com and Capital One for business payments?
If Ken did not create this rule, it is a confirmed compromise indicator.
---
### [INFO] Lori@kittlearizona.com — Two Authenticator devices
| Entry | Display Name | App Version |
|---|---|---|
| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 |
| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 |
Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up.
**Action:** Confirm which device is current with Lori. Remove the old registration.
---
### [INFO] scott@kittlearizona.com — Phone-only MFA
Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering).
**Action:** Enroll Scott in Microsoft Authenticator.
---
### [INFO] IMAP legacy auth consent
App ID `9b504397-914d-4af2-b6d9-9081e80da54e` has a user-level delegated consent for:
```
openid offline_access email profile IMAP.AccessAsUser.All
```
IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it.
**Action:** Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant.
---
### [INFO] Large-scope AllPrincipals OAuth consent
App ID `c5df10ae-2aa7-4283-86ef-1884c267a9ac` has admin-consented (AllPrincipals) access including:
`Directory.ReadWrite.All`, `User.ReadWrite.All`, `RoleManagement.ReadWrite.Directory`, `Mail.Send`, `Policy.ReadWrite.*`, `SecurityEvents.ReadWrite.All`, and many others.
This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). Verify this was intentionally granted by Kittle's admin.
---
## Clean checks
- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled)
- No B2B guest invites in 30 days
- No suspicious directory audits beyond today's Security Investigator consent (expected)
- 13 of 16 users have Authenticator MFA enrolled
- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment)
---
## Recommended Actions
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike |
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike |
| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike |
| P2 | Identify the IMAP app consent — which user, what client? | Mike |
| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Verify `c5df10ae` AllPrincipals consent is intentional MSP tooling | Mike |
---
## Escalation criteria
If Alexis or Ken cannot explain their respective rules → treat as active compromise:
1. Force password reset
2. Revoke all sessions (`revokeSignInSessions`)
3. Remove suspicious Authenticator entry from Alexis
4. Delete the unrecognized inbox rule
5. Run full per-user breach check (sent items, deleted items, OAuth consents for that user)
6. Check if any Bill.com or Capital One transactions were made without authorization (Ken's case)

View File

@@ -0,0 +1,144 @@
# Kittle Design & Construction — Full M365 Sweep
**Date:** 2026-06-08
**Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
**Performed by:** ComputerGuru Security Investigator (read-only)
**Scope:** All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods
---
## Summary
All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April).
---
## SMTP Forwarding — All Clean [OK]
This check was skipped in April (Exchange Admin role was missing on Security Investigator SP at that time). Now confirmed:
| Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status |
|---|---|---|---|
| Accounting | none | none | [OK] |
| Admin | none | none | [OK] |
| Alexis | none | none | [OK] |
| Brandon | none | none | [OK] |
| Hayden | none | none | [OK] |
| Jason | none | none | [OK] |
| Joshua | none | none | [OK] |
| Ken | none | none | [OK] |
| Lori | none | none | [OK] |
| Marco | none | none | [OK] |
| Neal | none | none | [OK] |
| Scott | none | none | [OK] |
| Wrex | none | none | [OK] |
---
## Inbox Rules
| Mailbox | Rules Found | Status |
|---|---|---|
| Accounting | None | [OK] |
| Admin | None | [OK] |
| Alexis | None | [OK] — hidden rule "." confirmed deleted |
| Brandon | None | [OK] |
| Hayden | None | [OK] |
| Jason | None | [OK] |
| Joshua | None | [OK] |
| Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule |
| Lori | None | [OK] |
| Marco | None | [OK] |
| Neal | None | [OK] |
| Scott | None | [OK] |
| Wrex | None | [OK] |
**Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]**
---
## OAuth App Consents — No Suspicious Grants
| App | Publisher | Grant Type | Scope | Verdict |
|---|---|---|---|---|
| iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail |
| SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP |
| Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] |
| ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app |
| QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email |
| Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client |
| MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) |
| One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app |
| Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope |
| Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access |
| BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal |
**Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]**
---
## MFA Authentication Methods
| User | Authenticator | Phone | Software OATH | Status |
|---|---|---|---|---|
| Accounting | SM-F731U1 | — | — | [OK] |
| Admin (Kimberly) | moto g power 5G | — | — | [OK] |
| Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below |
| Brandon | SM-F741U | — | — | [OK] |
| Hayden | iPhone 12 Pro Max | — | — | [OK] |
| Jason | SM-X218U | — | — | [OK] |
| Joshua | iPad Pro 11" (2nd gen) | — | — | [OK] |
| Ken | iPhone 12 Pro Max | — | — | [OK] |
| Lori | SM-G975U + SM-F766U | — | — | [WARNING] see below |
| Marco | iPhone 14 | — | — | [OK] |
| Neal | iPhone 16 Pro | — | — | [OK] |
| Scott | — | +1 5202884444 | — | [WARNING] no Authenticator app |
| Wrex | iPhone 14 | +1 5209122806 | — | [OK] |
### MFA Open Items
**[WARNING] Alexis — suspicious Authenticator still present:**
- Entry `c927402a-75c6-4a55-840a-86d1eea43a9b` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
- Entry `7365a870-4809-4fdc-9e9b-dcd76eddb8ef` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
- Both entries identical display names, both SoftwareTokenActivated. One is legitimate; one should be removed.
- Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove `c927402a`.
- Alexis also has a software OATH token (7d1425ca) — if she doesn't use a hardware TOTP key, remove this too.
**[WARNING] Lori — old Samsung device still registered:**
- SM-G975U (Samsung S10+) — old phone
- SM-F766U (Samsung Z Flip) — current phone (presumably)
- Action: Confirm with Lori which is her current phone, then remove the old entry.
**[WARNING] Scott — phone-only MFA:**
- Only MFA method is SMS/call to +1 5202884444
- No Microsoft Authenticator enrolled
- SMS MFA is significantly weaker than app-based MFA
- Action: Enroll Scott in Microsoft Authenticator
---
## Resolved Findings (from 2026-04-23)
| Finding | Status |
|---|---|
| Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone |
| Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone |
| Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone |
| IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone |
| SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 |
---
## Outstanding Items
| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove `c927402a`. Also remove software OATH token if unused. | Mike |
| P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike |
---
## Vault Paths Accessed
- `msp-tools/computerguru-security-investigator.sops.yaml` (investigator + investigator-exo tiers)