diff --git a/clients/valleywide/session-logs/2026-07/2026-07-16-winter-orders-breach-check-remediation.md b/clients/valleywide/session-logs/2026-07/2026-07-16-winter-orders-breach-check-remediation.md index ad7d3203..5c6fc5e2 100644 --- a/clients/valleywide/session-logs/2026-07/2026-07-16-winter-orders-breach-check-remediation.md +++ b/clients/valleywide/session-logs/2026-07/2026-07-16-winter-orders-breach-check-remediation.md @@ -79,3 +79,19 @@ Created Syncro ticket #32557 for Valley Wide Plastering Inc (customer 31694734) Winter asked whether other mailboxes showed similar activity. Ran tenant-sweep.sh (30d, all 36 enabled users): device-join fingerprint (Auth Broker -> Intune Enrollment/Device Registration) appears ONLY on the orders@ 7/2 event — all other device registrations came from office IP 4.18.160.106 or known AZ IPs (7/14 DESKTOP-2R13CC4 by j-r@ = legit, office IP). Zero successful non-US sign-ins tenant-wide (658 rows, complete). Ongoing password spray, ALL FAILED: rose@ 74+ x 50053 lockouts (CA,CN,DE,JP,NG,NL,SE), estimating@ 6, guest jr@casarica.net 6, jesse@/ryan@/j-r@ 2 ea (50126/50053) — none reached MFA stage, no correct passwords. Failed-signin data capped at 999 rows (counts are floors). rose@ had zero successful sign-ins in 30d — spray got nothing. Posted customer-visible comment (id 424048380, email ON per Winter) to #32557 summarizing sweep results. Bot alert 1527364806699516016. Friction logged: comment POST response failed jq parse despite tr strip; comment had posted — GET-verify-first rule prevented a duplicate. Sweep artifacts: /tmp/remediation-tool/5c53ae9f-7071-4248-b834-8685b646450f/sweep/ + +## Update: 11:05 AZ — Mike follow-ups: mailbox access, CA hardening (report-only), 7/23 todo + +Mike joined the thread (tagged by Winter). Actions on his direction: + +1. **Shelly -> Teresa mailbox FullAccess** (Mike request): Add-MailboxPermission via Exchange Operator (cert auth, EXO adminapi InvokeCommand) — teresa@valleywideplastering.com granted FullAccess to shelly@valleywideplastering.com, InheritanceType All, automapping default (on). Verified via Get-MailboxPermission: rights=FullAccess valid=true. Ties to Teresa Carpio offboarding (6/29). + +2. **CA state verified**: MFA already enforced tenant-wide (7 enabled policies incl. "Require multifactor authentication for all users" — the 7/2 attacker satisfied it with the replayed token claim). MFA registration gaps: 9 accounts (shared mailboxes payroll@, insurance@, faxinbox@, spro@, customerservice@ + billing@ onmicrosoft, +3 EXT guests). + +3. **Four CA policies created in REPORT-ONLY** (Mike: "all in report only - todo in one week to enforce"), all state=enabledForReportingButNotEnforced, break-glass exclusion sysadmin@ (41810f2d-b674-47ee-9b6f-f3ba69a7703d) on the All-user ones: + - b85ba64b-4fea-4ad2-b372-644b0c92adaa — ACG Report-only - Require compliant or registered device (All users/apps, grant compliantDevice OR domainJoinedDevice) + - cf2d4096-e361-4494-840d-5c491a00310c — ACG Report-only - Sign-in frequency 12 hours (session control) + - d0dd6b43-572b-4ddf-953f-89c5679bdf7f — ACG Report-only - Phishing-resistant MFA (auth strength 00000000-0000-0000-0000-000000000004) + - 1b65a18a-a4cc-4963-a282-3761fcb89d98 — ACG Report-only - Block shared mailbox interactive sign-in (6 shared accounts: customerservice/faxinbox/payroll/spro/billing-onmicrosoft/insurance) + +4. **7/23 enforcement review scheduled**: local one-shot cron e7d69dc8 (BEAST discord-bot, 09:23 AZ 7/23 — session-only, dies on service restart) + durable coord todo 3add67b9-38a9-4ebf-9d0e-534875c90b78 (project valleywide, user mike) as backstop. Review = analyze 7d of sign-ins for reportOnlyFailure per policy, post to Discord thread 1527356833902362654, tag Mike for per-policy go/no-go. NOTE: policy 3 (phishing-resistant) will report-fail for everyone (no FIDO2/WHfB-CA registered); policy 1 impact depends on device registration coverage. Do NOT enforce without Mike's explicit per-policy confirmation.