sync: auto-sync from GURU-5070 at 2026-06-09 16:18:12

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-09 16:18:12
2026-06-09 16:18:52 -07:00
parent 848ab69df5
commit 67e0f8df20
2 changed files with 87 additions and 0 deletions


@@ -0,0 +1,79 @@
# Kittle BEC — marco@ compromise, full-tenant remediation, CA hardening, fraud prevented
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Responded to a live Business Email Compromise in the Kittle Design & Construction M365 tenant (kittlearizona.com, `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`). Starting from "marco@kittle appears to be compromised," a breach check confirmed compromise: marco@ held **2 hidden inbox rules** concealing ACH/EFT fraud — one filtering subjects "EFT Form Update" / "KDC - Application for Payment #1 Job No. 5654.25" / sender "@maranaaz.gov" (the payer, Town of Marana), the other filtering internal accounting@/ken@ — both moving matches to RSS Feeds + mark-read + stop-processing. Remediated marco: revoked sessions, reset password (force-change), deleted the 2 rules.
Investigated "Kim" (disappearing email) — resolved that **Kim = admin@ (Kimberly Ross)**, not a separate mailbox. admin@ had no malicious rule/forwarding but had been hit by a **failed German login (smart-lockout 50053)**; reset + revoked as precaution. Ran a tenant-wide sweep: hidden inbox rules across all 14 mailboxes (only marco dirty), OAuth/enterprise-app consent audit (all legit — iOS Accounts, Gmail, SharePoint Online, QuickBooks Desktop Mail.Send on Accounting, our ComputerGuru apps, and CIPP-SAM which is ACG's own tooling, owner org `ce61461e`). Found the tenant had **zero Conditional Access** and only Security Defaults.
Deployed Conditional Access: created Require-MFA-all, Block-legacy-auth, Block-non-US (with a US named location) in report-only, then — at Mike's direction — **disabled Security Defaults and enforced all three** (break-glass `sysadmin@` excluded; MFA-require replaced the Security-Defaults MFA baseline with no gap). Mike then added **Entra ID P2** for all users (Business Premium is P1-only; P2 enables Identity Protection).
Ran a final full-tenant scan + a Grok adversarial second-opinion review. The scan's headline: **message-trace proved marco@ actively SENT the fraudulent "Application for Payment" and "EFT Form Update" emails to the Town of Marana AP (accountspayable@/mmurray@/sfields@maranaaz.gov), delivered 6/9 ~17:05 UTC**, CC'ing an attacker **lookalike domain `kittlarizona.com`** (missing the "e", registered that same day via Namecheap, email on Zoho). Blocked the lookalike in Kittle's tenant, drafted + (Mike) sent abuse reports to Zoho + Namecheap. Offboarded Wrex (→ Joshua): disabled, revoked, mailbox converted to shared, Joshua granted FullAccess+SendAs. Reset Kim's MFA (added phone 520-551-5592 as default, removed Authenticator). Updated Syncro #32394 throughout, emailed Ken the incident summary, billed 1.5h emergency remote. **Outcome: a human called Marana — the scammer had also phoned them (vishing) to demand the change and Marana was about to pay when the real Kittle canceled it. Fraud PREVENTED; no funds moved.**
## Key Decisions
- **Disabled Security Defaults to enforce CA, but enforced MFA-require simultaneously** so there was no MFA-enforcement gap mid-incident (Security Defaults' only function here was baseline MFA).
- **Enforced legacy + geo blocks immediately; left MFA-require enforced too** (per the SD-replacement logic) — break-glass `sysadmin@` excluded from all three to avoid lockout.
- **Treated CIPP-SAM as legitimate** after confirming its owner org is ACG's MSP tenant (`ce61461e`) and Mike confirmed it's ACG tooling — avoided a false-positive takedown.
- **JIT-elevation pattern not needed for marco/admin resets** — they aren't privileged-role holders, so direct passwordProfile PATCH worked.
- **Lookalike takedown via Zoho (email host) first, Namecheap (registrar) second** — Zoho suspension kills the active mailflow fastest; also blocked the domain in-tenant for immediate protection regardless of takedown speed.
- **Used Grok for an independent adversarial review** — it concurred and surfaced the key gap (prove whether money moved), which the message-trace + Marana call then answered.
## Problems Encountered
- **Kim not in the directory** — searched all 14 users, no "Kim"; Mike clarified Kim = admin@ (Kimberly Ross).
- **revokeSignInSessions returned 411** (missing Content-Length on empty POST) — fixed with `-H "Content-Length: 0"`.
- **CA enable returned 400 "Security Defaults is enabled"** — CA and Security Defaults are mutually exclusive; disabled SD first.
- **SD-disable + CA-enable showed stale state on immediate read-back** (Entra replication lag) — a retry loop confirmed the real enforced state.
- **Named-location reference 400 right after creation** — replication lag; retried after the location replicated.
- **admin@ Authenticator delete 400 "cannot delete default method"** — set the phone as default via the **beta** `signInPreferences` endpoint (v1.0 returned "resource not found"), then the delete succeeded (204).
- **risky-users 403 "tenant not licensed"** confirmed Business Premium = P1 only (no P2) until Mike added P2.
- **Gemini (agy) review wrapper not found** — relied on Grok + the technical scan.
## Configuration Changes
- **kittlearizona.com M365 tenant:**
- marco@ — 2 malicious hidden inbox rules deleted (RuleIdentity 15121045003998068737, 15048987409960140801); password reset (force-change); sessions revoked.
- admin@ (Kim) — password reset (`Desert2026!`, force-change); sessions revoked; MFA reset: added phone +1 520-551-5592 (set default), removed Microsoft Authenticator.
- Conditional Access — created + ENABLED: "ACG - Require MFA for all users", "ACG - Block legacy authentication", "ACG - Block non-US sign-ins"; named location "United States (ACG)"; **Security Defaults disabled**; break-glass `sysadmin@` excluded.
- Tenant Allow/Block List — `kittlarizona.com` blocked (Sender, no expiration).
- wrex@ — disabled, sessions revoked, mailbox converted to Shared; joshua@ granted FullAccess (auto-map) + SendAs.
- Entra ID P2 licenses added for all users (by Mike).
## Credentials & Secrets
- marco@kittlearizona.com temp password: `Kdc-0XgnVdTsiuqLQg!7` (force-change).
- admin@kittlearizona.com (Kim) temp password: `Desert2026!` (force-change); MFA phone +1 520-551-5592.
- Tenant tokens via remediation-tool apps (vault `msp-tools/computerguru-*.sops.yaml`); pass `VAULT_ROOT_ENV=D:/vault` to get-token.sh on GURU-5070 (home identity.json lacks vault_path).
## Infrastructure & Servers
- **Kittle M365:** kittlearizona.com, tenant `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`. 14 users. Business Premium + Entra P2 (added today). marco@ id `d68eadea-3884-44ef-9792-4ce9dcfa62e7`; admin@ id `b586e40b-dec7-4d5a-85cd-5a5fe92fe567`; wrex@ id `3deb6498-b2b2-43e0-91a2-d7cbb0013eec`.
- **Lookalike/attacker infra:** `kittlarizona.com` — registrar Namecheap (abuse@namecheap.com), email host Zoho (mx.zoho.com / abuse@zoho.com), registered 2026-06-09 15:34 UTC, A 192.64.119.224.
- **Payer:** Town of Marana, AZ — accountspayable@maranaaz.gov, mmurray@maranaaz.gov, sfields@maranaaz.gov.
## Commands & Outputs
- Breach check: `bash scripts/user-breach-check.sh kittlearizona.com <upn>` (VAULT_ROOT_ENV=D:/vault).
- Hidden rule listing: EXO `Get-InboxRule -Mailbox <upn> -IncludeHidden`; removal: `Remove-InboxRule -Mailbox <upn> -Identity <RuleIdentity> -Force -Confirm:$false`.
- Revoke: `POST /users/{id}/revokeSignInSessions` with `Content-Length: 0`.
- Set default MFA (beta): `PATCH /beta/users/{id}/authentication/signInPreferences {"userPreferredMethodForSecondaryAuthentication":"sms"}` then delete the Authenticator method.
- CA enable blocked until `PATCH /policies/identitySecurityDefaultsEnforcementPolicy {"isEnabled":false}`.
- Domain recon: `curl https://rdap.org/domain/kittlarizona.com` (registrar + dates); `nslookup -type=MX` (Zoho).
## Pending / Incomplete Tasks
- **Human/external:** Marana to flag/blocklist the fraudulent banking details; both parties to add the email + phone fraud to the IC3 complaint; confirm with bank that no ACH cleared (Marana reports none did).
- **Awaiting:** Zoho + Namecheap takedown response on `kittlarizona.com`.
- **Cleanup backlog:** run P2 Identity Protection risky-users now that licensed; remove alexis@ duplicate Authenticator (April leftover); disable IMAP/POP/EAS tenant-wide; remove Wrex's now-freed user license.
## Reference Information
- **Syncro ticket #32394** (Kittle Design & Construction LLC, cust `32460233`; id `112389608`; contact Ken Schagel `4509381`). Billed 1.5h emergency remote (`26184` @ $225 = $337.50; invoice `1650625794`). Prior: #32207 (April breach), #32393 (Ken phishing share), #32394 (this).
- Grok review output: `~/Downloads/kittle-grok-review.txt`. Domain RDAP: `~/Downloads/rdap.json`.
- reset-password.sh JIT pattern: `.claude/skills/remediation-tool/scripts/reset-password.sh` (built earlier this session for Birth Biologic).
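Review bot: this file commits live credentials and personal data in plaintext under Credentials & Secrets, and the admin@ password is repeated under Configuration Changes: `marco@kittlearizona.com temp password: \`Kdc-0XgnVdTsiuqLQg!7\` (force-change).`, `admin@kittlearizona.com (Kim) temp password: \`Desert2026!\` (force-change); MFA phone +1 520-551-5592.` A force-change flag does not protect a temp password that now sits in git history on an auto-synced repo, and the password stays usable until the user actually signs in; `Desert2026!` is also a dictionary-word-plus-year pattern that undercuts the reset it was meant to perform. Suggest removing the passwords and the phone number from the note and keeping only the pointer to the sops vault the file already references (`msp-tools/computerguru-*.sops.yaml`), rotating both temp passwords, and purging this commit from history rather than only editing the file forward. Smaller point: the break-glass `sysadmin@` is excluded from all three CA policies including Require-MFA, which makes it the only account in the tenant not covered by the MFA requirement now that Security Defaults is off; the note should record how that account is protected (long unique credential held in the vault, sign-in alerting on it) so the next responder does not have to rediscover it.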