From 67e0f8df20a7f718869d339aeac5a01774e1d96d Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 9 Jun 2026 16:18:52 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-06-09 16:18:12 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-09 16:18:12 --- ...06-09-mike-kittle-bec-marco-remediation.md | 79 +++++++++++++++++++ ...ke-dataforth-freepbx-safesite-forensics.md | 8 ++ 2 files changed, 87 insertions(+) create mode 100644 clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md diff --git a/clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md b/clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md new file mode 100644 index 0000000..daff9ca --- /dev/null +++ b/clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md 
@@ -0,0 +1,79 @@ +# Kittle BEC — marco@ compromise, full-tenant remediation, CA hardening, fraud prevented + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Responded to a live Business Email Compromise in the Kittle Design & Construction M365 tenant (kittlearizona.com, `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`). Starting from "marco@kittle appears to be compromised," a breach check confirmed compromise: marco@ held **2 hidden inbox rules** concealing ACH/EFT fraud — one filtering subjects "EFT Form Update" / "KDC - Application for Payment #1 Job No. 5654.25" / sender "@maranaaz.gov" (the payer, Town of Marana), the other filtering internal accounting@/ken@ — both moving matches to RSS Feeds + mark-read + stop-processing. Remediated marco: revoked sessions, reset password (force-change), deleted the 2 rules. + +Investigated "Kim" (disappearing email) — resolved that **Kim = admin@ (Kimberly Ross)**, not a separate mailbox. admin@ had no malicious rule/forwarding but had been hit by a **failed German login (smart-lockout 50053)**; reset + revoked as precaution. Ran a tenant-wide sweep: hidden inbox rules across all 14 mailboxes (only marco dirty), OAuth/enterprise-app consent audit (all legit — iOS Accounts, Gmail, SharePoint Online, QuickBooks Desktop Mail.Send on Accounting, our ComputerGuru apps, and CIPP-SAM which is ACG's own tooling, owner org `ce61461e`). Found the tenant had **zero Conditional Access** and only Security Defaults. + +Deployed Conditional Access: created Require-MFA-all, Block-legacy-auth, Block-non-US (with a US named location) in report-only, then — at Mike's direction — **disabled Security Defaults and enforced all three** (break-glass `sysadmin@` excluded; MFA-require replaced the Security-Defaults MFA baseline with no gap). Mike then added **Entra ID P2** for all users (Business Premium is P1-only; P2 enables Identity Protection). 
+ +Ran a final full-tenant scan + a Grok adversarial second-opinion review. The scan's headline: **message-trace proved marco@ actively SENT the fraudulent "Application for Payment" and "EFT Form Update" emails to the Town of Marana AP (accountspayable@/mmurray@/sfields@maranaaz.gov), delivered 6/9 ~17:05 UTC**, CC'ing an attacker **lookalike domain `kittlarizona.com`** (missing the "e", registered that same day via Namecheap, email on Zoho). Blocked the lookalike in Kittle's tenant, drafted + (Mike) sent abuse reports to Zoho + Namecheap. Offboarded Wrex (→ Joshua): disabled, revoked, mailbox converted to shared, Joshua granted FullAccess+SendAs. Reset Kim's MFA (added phone 520-551-5592 as default, removed Authenticator). Updated Syncro #32394 throughout, emailed Ken the incident summary, billed 1.5h emergency remote. **Outcome: a human called Marana — the scammer had also phoned them (vishing) to demand the change and Marana was about to pay when the real Kittle canceled it. Fraud PREVENTED; no funds moved.** + +## Key Decisions + +- **Disabled Security Defaults to enforce CA, but enforced MFA-require simultaneously** so there was no MFA-enforcement gap mid-incident (Security Defaults' only function here was baseline MFA). +- **Enforced legacy + geo blocks immediately; left MFA-require enforced too** (per the SD-replacement logic) — break-glass `sysadmin@` excluded from all three to avoid lockout. +- **Treated CIPP-SAM as legitimate** after confirming its owner org is ACG's MSP tenant (`ce61461e`) and Mike confirmed it's ACG tooling — avoided a false-positive takedown. +- **JIT-elevation pattern not needed for marco/admin resets** — they aren't privileged-role holders, so direct passwordProfile PATCH worked. +- **Lookalike takedown via Zoho (email host) first, Namecheap (registrar) second** — Zoho suspension kills the active mailflow fastest; also blocked the domain in-tenant for immediate protection regardless of takedown speed. 
+- **Used Grok for an independent adversarial review** — it concurred and surfaced the key gap (prove whether money moved), which the message-trace + Marana call then answered. + +## Problems Encountered + +- **Kim not in the directory** — searched all 14 users, no "Kim"; Mike clarified Kim = admin@ (Kimberly Ross). +- **revokeSignInSessions returned 411** (missing Content-Length on empty POST) — fixed with `-H "Content-Length: 0"`. +- **CA enable returned 400 "Security Defaults is enabled"** — CA and Security Defaults are mutually exclusive; disabled SD first. +- **SD-disable + CA-enable showed stale state on immediate read-back** (Entra replication lag) — a retry loop confirmed the real enforced state. +- **Named-location reference 400 right after creation** — replication lag; retried after the location replicated. +- **admin@ Authenticator delete 400 "cannot delete default method"** — set the phone as default via the **beta** `signInPreferences` endpoint (v1.0 returned "resource not found"), then the delete succeeded (204). +- **risky-users 403 "tenant not licensed"** confirmed Business Premium = P1 only (no P2) until Mike added P2. +- **Gemini (agy) review wrapper not found** — relied on Grok + the technical scan. + +## Configuration Changes + +- **kittlearizona.com M365 tenant:** + - marco@ — 2 malicious hidden inbox rules deleted (RuleIdentity 15121045003998068737, 15048987409960140801); password reset (force-change); sessions revoked. + - admin@ (Kim) — password reset (`Desert2026!`, force-change); sessions revoked; MFA reset: added phone +1 520-551-5592 (set default), removed Microsoft Authenticator. + - Conditional Access — created + ENABLED: "ACG - Require MFA for all users", "ACG - Block legacy authentication", "ACG - Block non-US sign-ins"; named location "United States (ACG)"; **Security Defaults disabled**; break-glass `sysadmin@` excluded. + - Tenant Allow/Block List — `kittlarizona.com` blocked (Sender, no expiration). 
+ - wrex@ — disabled, sessions revoked, mailbox converted to Shared; joshua@ granted FullAccess (auto-map) + SendAs. + - Entra ID P2 licenses added for all users (by Mike). + +## Credentials & Secrets + +- marco@kittlearizona.com temp password: `Kdc-0XgnVdTsiuqLQg!7` (force-change). +- admin@kittlearizona.com (Kim) temp password: `Desert2026!` (force-change); MFA phone +1 520-551-5592. +- Tenant tokens via remediation-tool apps (vault `msp-tools/computerguru-*.sops.yaml`); pass `VAULT_ROOT_ENV=D:/vault` to get-token.sh on GURU-5070 (home identity.json lacks vault_path). + +## Infrastructure & Servers + +- **Kittle M365:** kittlearizona.com, tenant `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`. 14 users. Business Premium + Entra P2 (added today). marco@ id `d68eadea-3884-44ef-9792-4ce9dcfa62e7`; admin@ id `b586e40b-dec7-4d5a-85cd-5a5fe92fe567`; wrex@ id `3deb6498-b2b2-43e0-91a2-d7cbb0013eec`. +- **Lookalike/attacker infra:** `kittlarizona.com` — registrar Namecheap (abuse@namecheap.com), email host Zoho (mx.zoho.com / abuse@zoho.com), registered 2026-06-09 15:34 UTC, A 192.64.119.224. +- **Payer:** Town of Marana, AZ — accountspayable@maranaaz.gov, mmurray@maranaaz.gov, sfields@maranaaz.gov. + +## Commands & Outputs + +- Breach check: `bash scripts/user-breach-check.sh kittlearizona.com ` (VAULT_ROOT_ENV=D:/vault). +- Hidden rule listing: EXO `Get-InboxRule -Mailbox -IncludeHidden`; removal: `Remove-InboxRule -Mailbox -Identity -Force -Confirm:$false`. +- Revoke: `POST /users/{id}/revokeSignInSessions` with `Content-Length: 0`. +- Set default MFA (beta): `PATCH /beta/users/{id}/authentication/signInPreferences {"userPreferredMethodForSecondaryAuthentication":"sms"}` then delete the Authenticator method. +- CA enable blocked until `PATCH /policies/identitySecurityDefaultsEnforcementPolicy {"isEnabled":false}`. +- Domain recon: `curl https://rdap.org/domain/kittlarizona.com` (registrar + dates); `nslookup -type=MX` (Zoho). 
+ +## Pending / Incomplete Tasks + +- **Human/external:** Marana to flag/blocklist the fraudulent banking details; both parties to add the email + phone fraud to the IC3 complaint; confirm with bank that no ACH cleared (Marana reports none did). +- **Awaiting:** Zoho + Namecheap takedown response on `kittlarizona.com`. +- **Cleanup backlog:** run P2 Identity Protection risky-users now that licensed; remove alexis@ duplicate Authenticator (April leftover); disable IMAP/POP/EAS tenant-wide; remove Wrex's now-freed user license. + +## Reference Information + +- **Syncro ticket #32394** (Kittle Design & Construction LLC, cust `32460233`; id `112389608`; contact Ken Schagel `4509381`). Billed 1.5h emergency remote (`26184` @ $225 = $337.50; invoice `1650625794`). Prior: #32207 (April breach), #32393 (Ken phishing share), #32394 (this). +- Grok review output: `~/Downloads/kittle-grok-review.txt`. Domain RDAP: `~/Downloads/rdap.json`. +- reset-password.sh JIT pattern: `.claude/skills/remediation-tool/scripts/reset-password.sh` (built earlier this session for Birth Biologic). diff --git a/session-logs/2026-06/2026-06-09-mike-dataforth-freepbx-safesite-forensics.md b/session-logs/2026-06/2026-06-09-mike-dataforth-freepbx-safesite-forensics.md index fc6c722..247df07 100644 --- a/session-logs/2026-06/2026-06-09-mike-dataforth-freepbx-safesite-forensics.md +++ b/session-logs/2026-06/2026-06-09-mike-dataforth-freepbx-safesite-forensics.md 
@@ -71,3 +71,11 @@ Third thread: **Safesite (Safe Site Utility Services)** forensic review of a rec - **Coord:** todo `5766a59f-0ddf-43d8-b16b-1c60024a3c04`; broadcast `faaec0ce-ed5f-4e0f-8693-904a3d000c38`. - **Artifacts on GURU-5070:** `~/Downloads/safesite-recall-proof.json`, `~/Downloads/safesite-forensic-results.txt`. - **Forensic cmd ids (Safesite re-dispatch):** 86340d9b, 8d3e6530, 9aa25e67, 1cf8dfea, 3322e787, 16b2a2b1. + +## Update — Dataforth outbound no-audio (RTP forward removed) + +After the inbound fix, outbound calls connected but had **no audio** (FirstDigital confirmed they saw no audio sent from us). Packet capture: FD→PBX RTP flowing, **PBX→FD RTP = 0**. Root cause: the static **RTP port-forward** I'd added on the UDM (WAN UDP 10000-20000 → 192.168.100.2) created an inbound-initiated conntrack that **collided with the PBX's outbound RTP** to the same ports — inbound RTP arrived via the DNAT (one-way audio), outbound RTP was dropped. + +**Fix:** removed the RTP DNAT + forward-accept from the UDM; kept **only** the SIP 5060 forward. Media now flows both ways via **symmetric RTP pinholes** (standard FreePBX-behind-NAT). Verified: outbound call answered **59s with two-way audio**. `/data/on_boot.d/30-freepbx-sip-forward.sh` rewritten to SIP-only with a warning comment. + +**RULE: do NOT port-forward the RTP range for this trunk — it breaks outbound audio. SIP 5060 forward only.** (Supersedes the RTP-forward line in Configuration Changes above.) Logged on #32392.
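Review bot: in the first file (`2026-06-09-mike-kittle-bec-marco-remediation.md`), the "Credentials & Secrets" and "Configuration Changes" sections commit live temporary passwords in plaintext (`Kdc-0XgnVdTsiuqLQg!7` for marco@, `Desert2026!` for admin@) together with the account's new MFA phone number, into a repo that is auto-synced from a workstation. Even with force-change set, `Desert2026!` is a guessable seasonal pattern and the log will outlive the reset; since the same section already points at the SOPS vault (`msp-tools/computerguru-*.sops.yaml`), record only "reset, temp credential stored in vault" here and scrub the values (and rotate them if this commit has been pushed anywhere). Two smaller points in the same hunk: the summary states the MFA-require policy replaced Security Defaults "with no gap", but "Problems Encountered" records that the SD-disable and CA-enable read-back returned stale state until a retry loop confirmed enforcement, so the session log should say how long that window was rather than assert none; and the admin@ MFA reset replaced Microsoft Authenticator with SMS as the default method (`userPreferredMethodForSecondaryAuthentication":"sms"`), which is a downgrade mid-incident that deserves a one-line justification and a follow-up item to re-enrol Authenticator.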
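Review bot: in the second file (`2026-06-09-mike-dataforth-freepbx-safesite-forensics.md`), the new "Update" section keeps a WAN UDP 5060 forward to 192.168.100.2 in `/data/on_boot.d/30-freepbx-sip-forward.sh` but does not say whether that forward is restricted to FirstDigital's signalling addresses; an unrestricted 5060 pinhole exposes the PBX to SIP scanning and registration brute force, so either add the source restriction to the script and note it here, or document why it is open. Also, the closing line says this "Supersedes the RTP-forward line in Configuration Changes above" while leaving that contradictory line in place; since the earlier section is in the same file, edit or strike the RTP-forward entry in this commit so the record has a single correct rule rather than two that disagree.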