sync: auto-sync from GURU-5070 at 2026-06-11 08:22:42
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-11 08:22:42
This commit is contained in:
171
clients/kittle/reports/2026-04-23-breach-check.md
Normal file
171
clients/kittle/reports/2026-04-23-breach-check.md
Normal file
@@ -0,0 +1,171 @@
|
||||
# Breach Check — Kittle Design & Construction
|
||||
**Date:** 2026-04-23
|
||||
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
|
||||
**Analyst:** Mike Swanson
|
||||
**Scope:** Tenant-wide compromised account sweep
|
||||
**Tool:** ComputerGuru Security Investigator (read-only Graph + Exchange)
|
||||
|
||||
---
|
||||
|
||||
## Limitations
|
||||
|
||||
- **No Entra ID P1/P2 license** — sign-in logs, risky user detection, and Identity Protection not available
|
||||
- **Exchange Admin role not yet assigned** to Security Investigator SP — SMTP forwarding and transport rules not checked
|
||||
- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility
|
||||
|
||||
---
|
||||
|
||||
## Summary
|
||||
|
||||
| Severity | Finding | User |
|
||||
|---|---|---|
|
||||
| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com |
|
||||
| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com |
|
||||
| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com |
|
||||
| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com |
|
||||
| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com |
|
||||
| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section |
|
||||
| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide |
|
||||
|
||||
---
|
||||
|
||||
## Findings Detail
|
||||
|
||||
### [WARNING] alexis@kittlearizona.com — Hidden inbox rule
|
||||
|
||||
**Rule name:** `.` (single dot)
|
||||
**Status:** Enabled
|
||||
**Action:** Move to folder (ID: AQMkAGJiAWNh...)
|
||||
**Condition:** Sender contains `HOWMET.COM`
|
||||
|
||||
A rule named `.` is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder.
|
||||
|
||||
**Questions to resolve:**
|
||||
1. Does Kittle have a business relationship with Howmet Aerospace?
|
||||
2. Does Alexis recognize this rule?
|
||||
3. What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder)
|
||||
|
||||
If Alexis did not create this rule, treat as confirmed compromise indicator and escalate to full breach check with password reset, session revocation, and MFA re-enrollment.
|
||||
|
||||
---
|
||||
|
||||
### [WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations
|
||||
|
||||
Two Microsoft Authenticator entries on the same device name:
|
||||
|
||||
| Entry | Display Name | App Version | Created |
|
||||
|---|---|---|---|
|
||||
| 1 | iPhone 12 Pro Max | 6.8.41 | not available |
|
||||
| 2 | iPhone 12 Pro Max | 6.8.40 | not available |
|
||||
|
||||
Both tagged `SoftwareTokenActivated`. Identical device name with different app versions indicates either:
|
||||
- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register)
|
||||
- Suspicious: attacker registered their own Authenticator under the same device name
|
||||
|
||||
**Action:** Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (version 6.8.40) immediately and force MFA re-enrollment.
|
||||
|
||||
---
|
||||
|
||||
### [INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails
|
||||
|
||||
**Rule name:** `Admin`
|
||||
**Status:** Enabled
|
||||
**Action:** Move to folder (ID: AQMkAGNiZTJj...)
|
||||
**Condition:** Body or subject contains any of:
|
||||
- `@flystucson.com`
|
||||
- `capitalone`
|
||||
- `capitaloneshopping.com`
|
||||
- `@capitalone.com`
|
||||
- `capital one `
|
||||
- `@inform.bill.com`
|
||||
- `cwelsh@hq.bill.com`
|
||||
- `bill.com`
|
||||
|
||||
Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization.
|
||||
|
||||
**Action:** Confirm with Ken:
|
||||
1. Did he create this rule?
|
||||
2. What folder does it route to, and has he seen the emails landing there?
|
||||
3. Does Kittle use Bill.com and Capital One for business payments?
|
||||
|
||||
If Ken did not create this rule, it is a confirmed compromise indicator.
|
||||
|
||||
---
|
||||
|
||||
### [INFO] Lori@kittlearizona.com — Two Authenticator devices
|
||||
|
||||
| Entry | Display Name | App Version |
|
||||
|---|---|---|
|
||||
| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 |
|
||||
| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 |
|
||||
|
||||
Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up.
|
||||
|
||||
**Action:** Confirm which device is current with Lori. Remove the old registration.
|
||||
|
||||
---
|
||||
|
||||
### [INFO] scott@kittlearizona.com — Phone-only MFA
|
||||
|
||||
Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering).
|
||||
|
||||
**Action:** Enroll Scott in Microsoft Authenticator.
|
||||
|
||||
---
|
||||
|
||||
### [INFO] IMAP legacy auth consent
|
||||
|
||||
App ID `9b504397-914d-4af2-b6d9-9081e80da54e` has a user-level delegated consent for:
|
||||
```
|
||||
openid offline_access email profile IMAP.AccessAsUser.All
|
||||
```
|
||||
|
||||
IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it.
|
||||
|
||||
**Action:** Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant.
|
||||
|
||||
---
|
||||
|
||||
### [INFO] Large-scope AllPrincipals OAuth consent
|
||||
|
||||
App ID `c5df10ae-2aa7-4283-86ef-1884c267a9ac` has admin-consented (AllPrincipals) access including:
|
||||
`Directory.ReadWrite.All`, `User.ReadWrite.All`, `RoleManagement.ReadWrite.Directory`, `Mail.Send`, `Policy.ReadWrite.*`, `SecurityEvents.ReadWrite.All`, and many others.
|
||||
|
||||
This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). Verify this was intentionally granted by Kittle's admin.
|
||||
|
||||
---
|
||||
|
||||
## Clean checks
|
||||
|
||||
- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled)
|
||||
- No B2B guest invites in 30 days
|
||||
- No suspicious directory audits beyond today's Security Investigator consent (expected)
|
||||
- 13 of 16 users have Authenticator MFA enrolled
|
||||
- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment)
|
||||
|
||||
---
|
||||
|
||||
## Recommended Actions
|
||||
|
||||
| Priority | Action | Owner |
|
||||
|---|---|---|
|
||||
| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike |
|
||||
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike |
|
||||
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike |
|
||||
| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike |
|
||||
| P2 | Identify the IMAP app consent — which user, what client? | Mike |
|
||||
| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike |
|
||||
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
|
||||
| P3 | Verify `c5df10ae` AllPrincipals consent is intentional MSP tooling | Mike |
|
||||
|
||||
---
|
||||
|
||||
## Escalation criteria
|
||||
|
||||
If Alexis or Ken cannot explain their respective rules → treat as active compromise:
|
||||
1. Force password reset
|
||||
2. Revoke all sessions (`revokeSignInSessions`)
|
||||
3. Remove suspicious Authenticator entry from Alexis
|
||||
4. Delete the unrecognized inbox rule
|
||||
5. Run full per-user breach check (sent items, deleted items, OAuth consents for that user)
|
||||
6. Check if any Bill.com or Capital One transactions were made without authorization (Ken's case)
|
||||
144
clients/kittle/reports/2026-06-08-full-sweep.md
Normal file
144
clients/kittle/reports/2026-06-08-full-sweep.md
Normal file
@@ -0,0 +1,144 @@
|
||||
# Kittle Design & Construction — Full M365 Sweep
|
||||
**Date:** 2026-06-08
|
||||
**Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
|
||||
**Performed by:** ComputerGuru Security Investigator (read-only)
|
||||
**Scope:** All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods
|
||||
|
||||
---
|
||||
|
||||
## Summary
|
||||
|
||||
All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April).
|
||||
|
||||
---
|
||||
|
||||
## SMTP Forwarding — All Clean [OK]
|
||||
|
||||
This check was skipped in April (Exchange Admin role was missing on Security Investigator SP at that time). Now confirmed:
|
||||
|
||||
| Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status |
|
||||
|---|---|---|---|
|
||||
| Accounting | none | none | [OK] |
|
||||
| Admin | none | none | [OK] |
|
||||
| Alexis | none | none | [OK] |
|
||||
| Brandon | none | none | [OK] |
|
||||
| Hayden | none | none | [OK] |
|
||||
| Jason | none | none | [OK] |
|
||||
| Joshua | none | none | [OK] |
|
||||
| Ken | none | none | [OK] |
|
||||
| Lori | none | none | [OK] |
|
||||
| Marco | none | none | [OK] |
|
||||
| Neal | none | none | [OK] |
|
||||
| Scott | none | none | [OK] |
|
||||
| Wrex | none | none | [OK] |
|
||||
|
||||
---
|
||||
|
||||
## Inbox Rules
|
||||
|
||||
| Mailbox | Rules Found | Status |
|
||||
|---|---|---|
|
||||
| Accounting | None | [OK] |
|
||||
| Admin | None | [OK] |
|
||||
| Alexis | None | [OK] — hidden rule "." confirmed deleted |
|
||||
| Brandon | None | [OK] |
|
||||
| Hayden | None | [OK] |
|
||||
| Jason | None | [OK] |
|
||||
| Joshua | None | [OK] |
|
||||
| Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule |
|
||||
| Lori | None | [OK] |
|
||||
| Marco | None | [OK] |
|
||||
| Neal | None | [OK] |
|
||||
| Scott | None | [OK] |
|
||||
| Wrex | None | [OK] |
|
||||
|
||||
**Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]**
|
||||
|
||||
---
|
||||
|
||||
## OAuth App Consents — No Suspicious Grants
|
||||
|
||||
| App | Publisher | Grant Type | Scope | Verdict |
|
||||
|---|---|---|---|---|
|
||||
| iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail |
|
||||
| SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP |
|
||||
| Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] |
|
||||
| ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app |
|
||||
| QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email |
|
||||
| Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client |
|
||||
| MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) |
|
||||
| One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app |
|
||||
| Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope |
|
||||
| Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access |
|
||||
| BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal |
|
||||
|
||||
**Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]**
|
||||
|
||||
---
|
||||
|
||||
## MFA Authentication Methods
|
||||
|
||||
| User | Authenticator | Phone | Software OATH | Status |
|
||||
|---|---|---|---|---|
|
||||
| Accounting | SM-F731U1 | — | — | [OK] |
|
||||
| Admin (Kimberly) | moto g power 5G | — | — | [OK] |
|
||||
| Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below |
|
||||
| Brandon | SM-F741U | — | — | [OK] |
|
||||
| Hayden | iPhone 12 Pro Max | — | — | [OK] |
|
||||
| Jason | SM-X218U | — | — | [OK] |
|
||||
| Joshua | iPad Pro 11" (2nd gen) | — | — | [OK] |
|
||||
| Ken | iPhone 12 Pro Max | — | — | [OK] |
|
||||
| Lori | SM-G975U + SM-F766U | — | — | [WARNING] see below |
|
||||
| Marco | iPhone 14 | — | — | [OK] |
|
||||
| Neal | iPhone 16 Pro | — | — | [OK] |
|
||||
| Scott | — | +1 5202884444 | — | [WARNING] no Authenticator app |
|
||||
| Wrex | iPhone 14 | +1 5209122806 | — | [OK] |
|
||||
|
||||
### MFA Open Items
|
||||
|
||||
**[WARNING] Alexis — suspicious Authenticator still present:**
|
||||
- Entry `c927402a-75c6-4a55-840a-86d1eea43a9b` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
|
||||
- Entry `7365a870-4809-4fdc-9e9b-dcd76eddb8ef` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
|
||||
- Both entries identical display names, both SoftwareTokenActivated. One is legitimate; one should be removed.
|
||||
- Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove `c927402a`.
|
||||
- Alexis also has a software OATH token (7d1425ca) — if she doesn't use a hardware TOTP key, remove this too.
|
||||
|
||||
**[WARNING] Lori — old Samsung device still registered:**
|
||||
- SM-G975U (Samsung S10+) — old phone
|
||||
- SM-F766U (Samsung Z Flip) — current phone (presumably)
|
||||
- Action: Confirm with Lori which is her current phone, then remove the old entry.
|
||||
|
||||
**[WARNING] Scott — phone-only MFA:**
|
||||
- Only MFA method is SMS/call to +1 5202884444
|
||||
- No Microsoft Authenticator enrolled
|
||||
- SMS MFA is significantly weaker than app-based MFA
|
||||
- Action: Enroll Scott in Microsoft Authenticator
|
||||
|
||||
---
|
||||
|
||||
## Resolved Findings (from 2026-04-23)
|
||||
|
||||
| Finding | Status |
|
||||
|---|---|
|
||||
| Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone |
|
||||
| Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone |
|
||||
| Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone |
|
||||
| IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone |
|
||||
| SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 |
|
||||
|
||||
---
|
||||
|
||||
## Outstanding Items
|
||||
|
||||
| Priority | Item | Owner |
|
||||
|---|---|---|
|
||||
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove `c927402a`. Also remove software OATH token if unused. | Mike |
|
||||
| P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike |
|
||||
| P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike |
|
||||
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike |
|
||||
|
||||
---
|
||||
|
||||
## Vault Paths Accessed
|
||||
|
||||
- `msp-tools/computerguru-security-investigator.sops.yaml` (investigator + investigator-exo tiers)
|
||||
Reference in New Issue
Block a user