sync: auto-sync from GURU-5070 at 2026-07-02 17:30:07
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-07-02 17:30:07
clients/bardach/reports/2026-07-02-barbara-account-check.md
@@ -0,0 +1,67 @@
# Account Health Check — barbara@bardach.net
- **Date (UTC):** 2026-07-03 00:25
- **Trigger:** MS Authenticator "behaving crazy," trouble logging in to services
- **Tenant:** bardach.net (`dd4a82e8-85a3-44ac-8800-07945ab4d95f`)
- **Tooling:** remediation-tool 10-point user breach check (investigator + investigator-exo tiers, read-only)
## Verdict
**No compromise indicators found.** Account hygiene is clean. The Authenticator trouble
correlates with an MFA re-registration + Windows Hello enrollment performed TODAY at
~2:20 PM local on her own office PC — verify that activity was legitimate (her or a tech).
## Findings
| Check | Result |
|---|---|
| Account enabled | true; created 2020-05-24 |
| Password last changed | 2026-01-18 |
| Mail forwarding (internal/SMTP) | none |
| Inbox rules | 1 visible: "Move Graymail to folder" (INKY graymail, **disabled**) — benign |
| Hidden inbox rules | none |
| Mailbox delegates (non-SELF) | none |
| Send-As grants | none |
| OAuth consents | 1: zipForm Plus (Mail.Send, principal consent) — legitimate realtor software |
| App role assignments | 6 (standard) |
| Risk detections | 0 (risky-user API forbidden — no Identity Protection license) |
| Sign-in logs | **unavailable — tenant has no Entra ID P1** (Graph returns NonPremiumTenant) |
| Directory audits (30d) | 3 entries, all today — see timeline |
## Auth methods (6) — all consistent with Barbara
| Method | Detail |
|---|---|
| Password | rotated 2026-01-18 |
| SMS phone | +1 520-275-3867 (mobile) |
| Microsoft Authenticator | iPhone (iOS) |
| Windows Hello | BCB-OFFICE26 — **created 2026-07-02 21:24 UTC (2:24 PM local, TODAY)** |
| Windows Hello | LAPTOP-E5EKEJT8 — 2025-11-08 |
| Windows Hello | (blank name) — 2023-09-23, stale leftover from an old PC; candidate for cleanup |
Registered devices all known/hers: Surface-Pro (2020), BCB-Office (2023), BCB-OFFICE2023,
iPhone 15 Pro Max, LAPTOP-E5EKEJT8, BCB-OFFICE26 (registered 2026-02-13).
## Today's timeline (UTC)
| Time | Event | Actor |
|---|---|---|
| 21:19:49 | Update user (MFA method change) | Azure MFA StrongAuthenticationService |
| 21:24:17 | Update user (device registration) | Device Registration Service |
| 21:24:17 | Add Windows Hello for Business credential (BCB-OFFICE26) | barbara@bardach.net |
## Recommendations
1. **Confirm the 2:19-2:24 PM changes were legitimate** (Barbara or a tech at BCB-OFFICE26).
If nobody did this deliberately: rotate password + revoke sessions immediately.
2. If unprompted Authenticator pushes continue: remove + re-add the account in the
Authenticator app on her iPhone (fixes broken registrations), confirm phone date/time
is set automatically.
3. Optional hygiene: delete the blank 2023 Windows Hello method.
4. Visibility caveat: without Entra P1 there are no sign-in logs, so MFA-fatigue attempts
cannot be ruled out from logs alone. Cheap insurance if in doubt: password rotation +
session revocation.
## Raw artifacts
`/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/`
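Review bot: the verdict ("No compromise indicators found ... correlates with an MFA re-registration") rests on the 21:19:49 "Update user (MFA method change)" audit entry being Barbara's own Authenticator re-registration, but the report never says which method that entry added or changed; the Authenticator and SMS rows in the auth-methods table carry no registration timestamps, so a reader cannot confirm the correlation the verdict asserts. Pull the modified properties from that audit record in the raw artifacts directory and state the affected method and its timestamp in the timeline row. Related point on recommendation 1: the fallback "rotate password + revoke sessions" does not remove a Windows Hello for Business key, which is bound to the device (BCB-OFFICE26) and not to the password, so if the 21:24 enrollment turns out not to be hers the response should also delete that Windows Hello method and any method added at 21:19, not just rotate the password. Minor: the "Risk detections | 0" row reads as a clean result even though the same row says the risky-user API is forbidden; mark it partial/unavailable the same way the sign-in-logs row is, since the recommendation 4 caveat already depends on that distinction. The header date is given in UTC (2026-07-03) while the body says "TODAY" for events dated 2026-07-02; a one-line note of the local offset implied by "21:24 UTC (2:24 PM local)" would remove the ambiguity.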