sync: auto-sync from GURU-5070 at 2026-06-11 08:22:42
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-11 08:22:42
This commit is contained in:
137
clients/kittle/session-logs/2026-04-24-session.md
Normal file
137
clients/kittle/session-logs/2026-04-24-session.md
Normal file
@@ -0,0 +1,137 @@
|
||||
# Session Log — Kittle Design & Construction
|
||||
**Date:** 2026-04-23 / 2026-04-24 (overnight)
|
||||
**Analyst:** Mike Swanson
|
||||
**Machine:** DESKTOP-0O8A1RL
|
||||
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
|
||||
|
||||
## User
|
||||
- **User:** Mike Swanson (mike)
|
||||
- **Machine:** DESKTOP-0O8A1RL
|
||||
- **Role:** admin
|
||||
|
||||
---
|
||||
|
||||
## Session Summary
|
||||
|
||||
Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing.
|
||||
|
||||
---
|
||||
|
||||
## Breach Check Findings
|
||||
|
||||
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
|
||||
|
||||
| Severity | Finding | User |
|
||||
|---|---|---|
|
||||
| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com |
|
||||
| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com |
|
||||
| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to folder | Ken@kittlearizona.com |
|
||||
| [INFO] | Two Authenticator devices (different Samsung models — likely phone upgrade) | Lori@kittlearizona.com |
|
||||
| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com |
|
||||
| [INFO] | IMAP legacy auth consent — single user | unknown |
|
||||
| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide |
|
||||
|
||||
---
|
||||
|
||||
## Remediation Actions Taken
|
||||
|
||||
### Onboarding
|
||||
|
||||
Exchange Operator and Tenant Admin apps consented by Kittle admin. Role assignments:
|
||||
- Security Investigator SP (`26e16c7a`): Exchange Administrator — assigned
|
||||
- Exchange Operator SP (`775ec856`): Exchange Administrator — assigned manually (onboard script missed it)
|
||||
- User Manager SP (`ea0277ab`): User Administrator + Authentication Administrator — assigned
|
||||
|
||||
### alexis@kittlearizona.com
|
||||
|
||||
| Action | Result | Detail |
|
||||
|---|---|---|
|
||||
| Hidden "." inbox rule deleted | [OK] | Exchange identity: `alexis\\2866869517449953281` |
|
||||
| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 |
|
||||
| All sign-in sessions revoked | [OK] | `revokeSignInSessions` returned true |
|
||||
| Password reset (temp, force-change) | [OK] | See credentials section below |
|
||||
|
||||
**Emails recovered:**
|
||||
1. "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
|
||||
2. "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
|
||||
3. "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
|
||||
|
||||
**Still pending:**
|
||||
- Ask Alexis to count Authenticator entries on her phone. If only one, remove suspicious entry:
|
||||
- Entry to remove: ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40, "iPhone 12 Pro Max")
|
||||
|
||||
### OAuth Consents Revoked
|
||||
|
||||
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted, all HTTP 204):
|
||||
- `rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo` — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
|
||||
- `rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc` — LicenseManager.AccessAsUser
|
||||
- `rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8` — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation
|
||||
- `rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI` — user_impersonation
|
||||
- `rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs` — AllProfiles.Manage, AllSites.FullControl
|
||||
- `rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk` — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite
|
||||
- `rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k` — Vulnerability.Read
|
||||
|
||||
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth, 1 grant deleted, HTTP 204):
|
||||
- `l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa` — IMAP.AccessAsUser.All, openid, offline_access, email, profile
|
||||
- Consented by user `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` (user object ID — UPN not resolved)
|
||||
|
||||
### Ken@kittlearizona.com
|
||||
|
||||
No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions).
|
||||
|
||||
---
|
||||
|
||||
## Credentials
|
||||
|
||||
```
|
||||
Tenant: kittlearizona.com
|
||||
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
|
||||
|
||||
alexis@kittlearizona.com
|
||||
Temp password: KittleGwiNUK#2026
|
||||
(force change on next login — issued 2026-04-23)
|
||||
User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a
|
||||
|
||||
Exchange Operator SP: 775ec856-f032-4dcf-a499-ccf7f9bce07b
|
||||
Tenant Admin SP: 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5
|
||||
Security Investigator SP: 26e16c7a-0ac8-4f85-bdd7-992611bbd271
|
||||
User Manager SP: ea0277ab-497c-45f7-b88a-e2d53f54a4c7
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Syncro
|
||||
|
||||
- **Ticket #32207** — "M365 Security Sweep — Breach Check & Remediation"
|
||||
- Status: Resolved
|
||||
- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473)
|
||||
- Ready to invoice — run `/syncro bill 32207` or manually in GUI
|
||||
|
||||
---
|
||||
|
||||
## Infrastructure Notes
|
||||
|
||||
- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection unavailable
|
||||
- SMTP forwarding check not completed — Exchange Admin role was not assigned to Security Investigator at time of breach check (fixed during remediation session)
|
||||
- Token cache location: `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
|
||||
|
||||
---
|
||||
|
||||
## Files Changed This Session
|
||||
|
||||
- `clients/kittle-design/reports/2026-04-23-breach-check.md` — breach check report (written 2026-04-23)
|
||||
- `.claude/skills/remediation-tool/scripts/tenant-sweep.sh` — fixed tier name `graph` → `investigator` on line 12
|
||||
- `.claude/skills/remediation-tool/references/tenants.md` — Kittle row updated from NO to PARTIAL
|
||||
|
||||
---
|
||||
|
||||
## Pending Items
|
||||
|
||||
| Priority | Action | Owner |
|
||||
|---|---|---|
|
||||
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? Remove `c927402a` if only one. | Mike |
|
||||
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike |
|
||||
| P2 | Verify Alexis received temp password and changed it | Mike |
|
||||
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
|
||||
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
|
||||
| P3 | Invoice ticket #32207 | Mike |
|
||||
@@ -0,0 +1,184 @@
|
||||
# Session Log — 2026-06-08 — Mike — Kittle M365 Full Security Sweep
|
||||
|
||||
## User
|
||||
- **User:** Mike Swanson (mike)
|
||||
- **Machine:** GURU-BEAST-ROG
|
||||
- **Role:** admin
|
||||
|
||||
---
|
||||
|
||||
## Session Summary
|
||||
|
||||
Mike opened a Discord thread to check all kittlearizona.com M365 accounts for compromise. The bot loaded context from prior session logs and the wiki, surfacing the April 2026 breach check history: Alexis's confirmed compromise had been remediated, Ken's suspicious "Admin" inbox rule was unresolved, and SMTP forwarding had never been checked due to a missing Exchange Admin role on the Security Investigator SP.
|
||||
|
||||
A full read-only sweep was run against all 13 licensed mailboxes using the remediation-tool skill (investigator + investigator-exo tiers, certificate auth). Checks covered: SMTP forwarding, inbox rules, OAuth app consents, and MFA authentication methods for every user. Tokens were acquired fresh via get-token.sh against tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0.
|
||||
|
||||
All critical April findings were confirmed resolved: Alexis's hidden inbox rule "." is gone, Ken's "Admin" rule (Capital One/Bill.com/@flystucson.com filter) is gone, and the malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50+ scopes) is fully removed from the tenant. SMTP forwarding was confirmed clean across all 13 mailboxes — the first time this check ran successfully on this tenant. All OAuth grants were identified and verified legitimate (QuickBooks Desktop, Gmail, iOS Accounts, Samsung MyFiles, One Calendar, Read AI, Virtru, BMO Secure Email). No new active compromises were found.
|
||||
|
||||
Three MFA cleanup items remain open from April: Alexis still has a duplicate suspicious Authenticator entry (c927402a), Lori still has an old Samsung S10+ registered, and Scott has phone-only MFA with no Authenticator app enrolled. A client-facing action guide was drafted for Mike to send to Kittle, and an Entra P1 upgrade recommendation was included. A Syncro ticket (#32394) was created, billed at 1.0 hr Labor - Remote Business ($150.00), invoiced, and marked Invoiced.
|
||||
|
||||
---
|
||||
|
||||
## Key Decisions
|
||||
|
||||
- Classified Ken's current "Christina Micek" inbox rule as benign — it copies emails sent TO that contact to a folder, consistent with an organizational filing rule.
|
||||
- Confirmed the SMTP forwarding gap from April is now filled — all 13 mailboxes are clean on forwarding.
|
||||
- Identified MyFiles (appId d5e6af94) as Samsung's native file manager app based on reply URLs (com.sec.android.app.myfiles bundle) and Jason's known Samsung tablet (SM-X218U). Not flagged as suspicious.
|
||||
- Gmail EAS grant on Scott explains his email client setup (using Gmail to connect to M365 via EAS) — not a threat.
|
||||
- QuickBooks Desktop Mail.Send on Accounting — verified Intuit as publisher, consistent with QB sending email on behalf of the Accounting mailbox.
|
||||
- Recommended Entra P1 at minimum for Ken, Alexis, and Accounting — specifically to restore sign-in log visibility lost during the April investigation (no P1 = no Identity Protection, no Conditional Access, no sign-in logs).
|
||||
- Billed against a new ticket (#32394) rather than appending to the April ticket (#32207) — different work scope (sweep + guide vs. initial breach response).
|
||||
|
||||
---
|
||||
|
||||
## Problems Encountered
|
||||
|
||||
- MFA check script failed on first run due to `UID` being a readonly bash variable. Fixed by renaming the variable to `OID` in the loop.
|
||||
- OAuth service principal list was very long (100+ entries). Identified all notable non-Microsoft SPs by running targeted GET calls on each SP ID from the grants list rather than parsing the full list.
|
||||
- Ollama unavailable on BEAST during this session — Syncro comment and line item descriptions drafted directly by Claude.
|
||||
|
||||
---
|
||||
|
||||
## Configuration Changes
|
||||
|
||||
- `clients/kittle-design/reports/2026-06-08-full-sweep.md` — created (full sweep report with all findings)
|
||||
- `clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md` — created (this log)
|
||||
|
||||
---
|
||||
|
||||
## Credentials & Secrets
|
||||
|
||||
- No new credentials discovered or created.
|
||||
- Tokens acquired via `get-token.sh` for tenant 3d073ebe-806a-4a5e-9035-3c7c4a264fc0:
|
||||
- investigator tier (Graph read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator.jwt`
|
||||
- investigator-exo tier (Exchange read) — cached at `/tmp/remediation-tool/3d073ebe.../investigator-exo.jwt`
|
||||
- Vault paths accessed: `msp-tools/computerguru-security-investigator.sops.yaml`
|
||||
|
||||
---
|
||||
|
||||
## Infrastructure & Servers
|
||||
|
||||
- **Tenant:** kittlearizona.com | ID: `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
|
||||
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable
|
||||
- **Exchange Admin role on Security Investigator SP:** Confirmed present (was missing in April)
|
||||
- **SP Object IDs in tenant:**
|
||||
- Security Investigator: `26e16c7a-0ac8-4f85-bdd7-992611bbd271`
|
||||
- Exchange Operator: `775ec856-f032-4dcf-a499-ccf7f9bce07b`
|
||||
- User Manager: `ea0277ab-497c-45f7-b88a-e2d53f54a4c7`
|
||||
- Tenant Admin: `0caa0dde-3f8d-4d46-ab26-aa0d38add0b5`
|
||||
- ComputerGuru AI Remediation: `2fd24cfa-8533-460f-9cbb-53cc4a32d3f5`
|
||||
|
||||
---
|
||||
|
||||
## Commands & Outputs
|
||||
|
||||
```bash
|
||||
# Token acquisition
|
||||
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator
|
||||
bash .claude/skills/remediation-tool/scripts/get-token.sh 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 investigator-exo
|
||||
|
||||
# User list — 14 users returned (13 licensed + sysadmin)
|
||||
GET /users?$select=id,displayName,userPrincipalName,assignedLicenses,accountEnabled
|
||||
|
||||
# Inbox rules — all clean except Ken (benign "Christina Micek" copy rule)
|
||||
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-InboxRule per mailbox
|
||||
|
||||
# SMTP forwarding — all 13 mailboxes: ForwardingAddress=none, ForwardingSmtpAddress=none, DeliverToMailboxAndForward=false
|
||||
# Exchange REST: POST /adminapi/beta/{tenant}/InvokeCommand Get-Mailbox per mailbox
|
||||
|
||||
# Old malicious app check — confirmed absent
|
||||
GET /servicePrincipals?$filter=appId eq 'c5df10ae-2aa7-4283-86ef-1884c267a9ac'
|
||||
# Result: count=0
|
||||
|
||||
# OAuth grants — notable findings:
|
||||
# - 654bae70 = QuickBooks Desktop (Intuit), Mail.Send on Accounting
|
||||
# - d375a540 = Gmail (Google), EAS on Scott
|
||||
# - f90fe4d2 = Samsung MyFiles, Files.ReadWrite on Jason
|
||||
# - ccedcb63 = One Calendar (Code Spark), Calendars.ReadWrite on Wrex
|
||||
# - 55a9597c = Read AI, User.Read on Marco
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Pending / Incomplete Tasks
|
||||
|
||||
| Priority | Item | Owner |
|
||||
|---|---|---|
|
||||
| P1 | Ask Alexis: count Authenticator entries in app. If only one kittlearizona.com account, remove `c927402a-75c6-4a55-840a-86d1eea43a9b`. Also remove software OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused. | Mike |
|
||||
| P2 | Confirm with Lori: is current phone Samsung Z Flip (SM-F766U)? If yes, remove old SM-G975U entry `da5454c7-eaa8-4b67-9cb8-61ed1486d012`. | Mike |
|
||||
| P3 | Enroll Scott in Microsoft Authenticator (phone-only MFA at +1 5202884444 is weak) | Mike |
|
||||
| P3 | Send client-facing MFA action guide + Entra P1 recommendation to Ken/Kimberly | Mike |
|
||||
| P4 | Quote Entra P1 add-on for Kittle — recommend minimum coverage for Ken, Alexis, Accounting | Mike |
|
||||
|
||||
---
|
||||
|
||||
## Reference Information
|
||||
|
||||
- **Syncro ticket:** #32394 (ID: 112389608) — https://computerguru.syncromsp.com/tickets/112389608
|
||||
- **Prior ticket:** #32207 (April 2026 breach check)
|
||||
- **Sweep report:** `clients/kittle-design/reports/2026-06-08-full-sweep.md`
|
||||
- **Wiki:** `wiki/clients/kittle-design.md` — needs recompile to reflect resolved findings and new open items
|
||||
- **Tenant ID:** `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`
|
||||
- **Alexis user object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
|
||||
- **Suspicious Authenticator to remove:** `c927402a-75c6-4a55-840a-86d1eea43a9b` (Alexis, "iPhone 12 Pro Max")
|
||||
- **Lori old Authenticator to remove:** `da5454c7-eaa8-4b67-9cb8-61ed1486d012` (SM-G975U)
|
||||
- **Alexis OATH token to review:** `7d1425ca-27d0-444d-9c36-6b3780c77059`
|
||||
- **Scott phone MFA:** +1 5202884444 (only MFA method)
|
||||
|
||||
---
|
||||
|
||||
## Update: 18:56 PT — Ken BEC Incident Investigation
|
||||
|
||||
### Summary
|
||||
|
||||
Mike pointed to Syncro ticket #32393 ("Ken Schagel shared a file with you"), which was the incident that triggered the full sweep earlier in this session. Investigated the scope and timeline of Ken's compromise via the remediation tool.
|
||||
|
||||
**Confirmed: Ken's account was actively used to send a phishing blast.** Around 21:23-21:26 UTC on 2026-06-08 (2:23 PM Arizona time), the attacker used Ken's M365 account to send a fake SharePoint "shared document" email to approximately 70+ external contacts from Ken's email history. The phishing link was `flowinnactuators.com/work.html` (credential harvesting page). Microsoft's anti-abuse system detected the bulk send and automatically restricted Ken's sending ability — confirmed by an `Office365Alerts@microsoft.com` "High-severity alert: User restricted from sending email" message in Ken's deleted items.
|
||||
|
||||
**Mike's incident response (already completed):**
|
||||
- Ken's account was sign-in blocked immediately
|
||||
- Password reset to temp `B/947405806521av` (force change on login)
|
||||
- Account re-enabled approximately 20 minutes later after verification
|
||||
- Wrex Watson's password was also reset (sessions revoked, temp `Kittle@1426Wrx!47E742`) as a precaution — a password reset on Wrex's account occurred just before the Ken incident and could not be attributed at the time
|
||||
|
||||
**Current state of both accounts:**
|
||||
- Ken: accountEnabled=true, one clean Authenticator (iPhone 12 Pro Max), no inbox rules, no SMTP forwarding, no per-user OAuth grants
|
||||
- Wrex: accountEnabled=true, clean Authenticator (iPhone 14) + phone MFA, no inbox rules, no SMTP forwarding, no per-user OAuth grants
|
||||
|
||||
**Audit log unavailable** — directory audit log returned empty (no Entra P1 = minimal retention). Could not determine via API who initiated Wrex's pre-incident password reset. Recommendation: ask Wrex directly.
|
||||
|
||||
**Ken's deleted items:** ~2,699 items, 2,213 unread — primarily NDRs (bounce-backs) and auto-replies from the phishing blast recipients. Sent items show 6,284 items with legitimate construction business emails. The phishing blast sent items were presumably deleted by the attacker to cover tracks.
|
||||
|
||||
**April connection — IMAP consent:** The IMAP legacy auth consent (9b504397) revoked in April was granted by Ken's own account (`5fc37e1a`). This indicates the attacker had Ken's credentials as far back as April and used them to consent an IMAP client to his mailbox. Revoking that consent was done, but without a password reset on Ken's account in April, the attacker retained direct login access.
|
||||
|
||||
**April classification gap:** The April breach report classified Ken's "Admin" inbox rule (filtering Capital One, Bill.com, @flystucson.com) as `[INFO]` rather than `[WARNING]`. The report noted it "could also be legitimate email organization" and prescribed "confirm with Ken." Ken presumably confirmed he recognized the rule. In hindsight: a rule filtering two specific financial platforms plus a third-party domain in the same rule body should have been `[WARNING]` regardless of the "could be legitimate" caveat, particularly combined with the IMAP consent from his account. The workflow gap: "confirm with the user" is a weak verification step when the account being checked may already be compromised and the attacker has visibility into incoming email.
|
||||
|
||||
**Remediation tool classification note:** Both signals in April (financial-hiding inbox rule + IMAP consent from same user object ID `5fc37e1a`) should together trigger automatic escalation to `[WARNING]`. Flagged for checklist update.
|
||||
|
||||
### Phishing Blast Recipients (partial — from NDR envelope)
|
||||
|
||||
Confirmed external contacts who received the phishing email (from the large NDR in Ken's deleted items):
|
||||
Herc Rentals (jacob.henderson, jamie.blasko), Stonhard (ttennant), Saint-Gobain (lauren.watlington, jennifer.diringer), Sellers & Sons (mike), Chasse (conf-room), Sun Valley Supply, Old Tucson (kblondeaux), Aaron Crandell Glass, PH Mechanical (jeff, johnh), Anthony DeCesaris/Smith Detection, Central Insurance (cbush), UPS, Lloyd Construction (sean), Safety Management Group (shanejardine), CFSD16 (accountspayable), Armitek (joe), Stair Parts (fwtsmtp), Pima Community College (vlewis, cebunoha), Pima Air & Space Museum (smarchand), Barker One (sharker), Flooring Systems (gabriel), Cordia Energy (jim.regelbrugge, joel.wagner, mike.buter), MOCA Tucson (dominic), Poster Frost Mirto (jmirto), Brand Crowd, GM Marketing, Global Industrial (hkudumula), Walker Consultants, Bulletproof (kris), IntraAnalytics (lily.evelyn), Climatec (ssanchez), CIS Phoenix (gesquibel2), Six Axis LLC (tmikulec), Vortex Doors (sandrag), BMO Harris fraud center, Plumb Plumbing (ssoneira), Roche (keri.overfield), Broadfence, Cushman & Wakefield (martin.stupka), eSubK, Facility Grid, Amazon (jelopezt, luballes), Netflix, Safety Sign, Sport Master, Crowd Control Warehouse, Crazy Horse Campgrounds AZ, APS, Hensel Phelps (qriley), NAU (jss627), Acousthetics, DH Pace (noel.blythe), Mechanical Systems Inc (apb, jab), Malibu Parts (steve), Clopay (dshrader, marketing), Fastenersplus, American Play Systems, eARC (rockfon), ePlus (osprocurement), Concord Inc, MH Consulting (mharding), Pueblo Mechanical (daniel.arellano, stevec), Achilles AC (kimberly, kayla), Progressive (bob.gardner), iCloud contacts (devinrose520, ernestina47), Amazon bounce, gopuff (ryan.hall), Squarespace form submission — and additional auto-reply senders (jackb@norconindustries, john.mccurry@global.inc).
|
||||
|
||||
### Pending Items (carry-forward)
|
||||
|
||||
| Priority | Item | Owner |
|
||||
|---|---|---|
|
||||
| P1 | Update ticket #32393 with full incident timeline and phishing scope | Mike (on PC) |
|
||||
| P1 | Bill ticket #32393 for incident response time | Mike (on PC) |
|
||||
| P1 | Notify Ken's external contacts — send "disregard that email" from Ken's account now that it is clean | Mike |
|
||||
| P1 | Ask Kittle internally (Alexis, Lori, etc.) whether anyone clicked the link at flowinnactuators.com/work.html | Mike |
|
||||
| P1 | Ask Wrex directly: did he reset his own password before the Ken incident? | Mike |
|
||||
| P2 | Check Ken's Bill.com and Capital One accounts for unauthorized transactions — attacker had access since at least April | Mike/Ken |
|
||||
| P2 | Remediation tool checklist update: financial-email-hiding inbox rule + IMAP consent from same user = auto-[WARNING] | Mike |
|
||||
| P3 | Entra P1 quote for Kittle — incident demonstrated the cost of flying blind without sign-in logs | Mike |
|
||||
| P3 | DKIM/DMARC setup for kittlearizona.com — no DMARC means the phishing could also have been spoofed to other recipients without account access | Mike |
|
||||
|
||||
### Reference
|
||||
|
||||
- Syncro ticket #32393 (ID: 112381882): https://computerguru.syncromsp.com/tickets/112381882
|
||||
- Phishing link: flowinnactuators.com/work.html (credential harvesting — do not visit)
|
||||
- Ken's deleted items NDR timestamp: 2026-06-08 21:23-21:26 UTC
|
||||
- Microsoft auto-restriction alert: "High-severity alert: User restricted from sending email" (Office365Alerts@microsoft.com → Ken@ + Lori@)
|
||||
- IMAP consent from April (revoked): app 9b504397, granted by Ken user object 5fc37e1a
|
||||
- Attacker access timeline: at minimum April 2026 through June 8 2026 (~6 weeks confirmed)
|
||||
Reference in New Issue
Block a user