azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-01 09:11:26

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-01 09:11:26
This commit is contained in:
Howard Enos
2026-06-01 09:11:37 -07:00
parent 42f0462442
commit 847d63426a
2 changed files with 107 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
clients/quantumwms/reports/2026-06-01-m365-review.md Normal file
View File

@@ -0,0 +1,65 @@
# QuantumWMS — M365 Read-Only Review
- **Date (UTC):** 2026-06-01
- **Reviewer:** Howard Enos (Howard-Home)
- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — "Quantum Wealth Management" (`quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial)
- **Method:** Read-only Microsoft Graph via ComputerGuru Security Investigator app (`bfbc12a4-...`). **No changes made to the tenant.**
- **Raw artifacts:** `/tmp/remediation-tool/2fd0092b-.../signins/all.json`
> NOTE: This is the **current production tenant** (Pax8-provisioned 2026-05-27). The old GoDaddy/johnvelez tenant (`8f7eaff4-...` / `NETORGFT2570783`) and the dormant GoDaddy `ddf3d2c9-...` tenant are bypassed and not in use.
---
## Headline: active password-spray attack on john@quantumwms.com
`john@quantumwms.com` shows **102 sign-in events 2026-05-27 → 2026-06-01: 98 failures from 98 unique IPs**, only 4 successes (all his own enrollment from the Tucson office on 5/27).
| Attribute | Detail |
|---|---|
| Failure codes | 94× **50053** (Microsoft blocked — "IP address with malicious activity"), 4× **50126** (invalid password) |
| Unique source IPs | 98 — datacenter/proxy IPv6 ranges (`2600:3c02`, `2605:6400`, `2a01:7e04`) + **Amsterdam NL** (`192.42.116.61`, flagged malicious) + **Praha CZ** (`130.193.15.79`, password guess) |
| Successful logins | 4, all from Tucson office `69.254.197.173` on 2026-05-27 (Microsoft Office + Authentication Broker) |
| Verdict | Distributed credential-stuffing/spray. **Every attempt failing. Account NOT breached.** |
**Risk despite no breach:**
- John is **NOT MFA-registered** (`isMfaRegistered: false`).
- His initial password is weak/OSINT-guessable (recorded plaintext in the 2026-05-27 session log).
- CA policies that would block this (require-MFA, block-non-US) are **report-only — not enforcing.**
- Only protections currently active: Entra malicious-IP reputation + attacker not yet having the password.
- Operational risk: spray-induced smart-lockout (50053) could lock John out during the licensing window.
## Identity & licensing
| User | Role | License | MFA registered | Notes |
|---|---|---|---|---|
| `john@quantumwms.com` | Member | Business Premium (SPB) | **No** | Under spray attack; Office activated 5/27 |
| `sheila@quantumwms.com` | Member | Business Premium (SPB) | **No** | 8 sign-ins all clean; Office activated 5/27 |
| `sysadmin@quantumwms.com` (Mike) | Global Admin | none | Yes (Authenticator + TOTP) | Daily admin |
| `breakglass@…onmicrosoft.com` | Global Admin | none | No (by design) | Emergency, CA-excluded, vaulted |
- **SubscribedSkus:** 2× SPB (Business Premium), both consumed. Matches plan. [OK]
- **App suite:** all 5 ComputerGuru apps consented w/ correct directory roles. [OK]
- **Mailboxes:** John & Sheila — no forwarding, no inbox rules (mailboxes still near-empty; mail not yet cut from Intermedia). [OK]
## Security controls — the gap
- **Security Defaults: ON** — but only protects users who have **registered** MFA. Neither real user has → MFA is effectively **not protecting John or Sheila** yet.
- **3 Conditional Access policies, all `enabledForReportingButNotEnforced`** (enforcing nothing):
- CA001 Require MFA (all users) — excludes break-glass
- CA002 Block legacy auth — excludes break-glass
- CA003 Block sign-in outside United States — excludes break-glass
## Minor / benign
- `admin@quantumwms.onmicrosoft.com`: 2 successful Admin-portal logins 5/27 from Leesburg VA, but user **no longer exists** (`Request_ResourceNotFound`) — Pax8 provisioning admin, since removed. Benign.
## 6/03 deadline status (M365 Personal lapse)
**Deadline-critical objective MET** — both users Business-Premium licensed AND Office activated (signed into Microsoft Office from the office 5/27). They will not lose Office apps on 2026-06-03.
## Recommendations (no action taken)
1. **Force-reset John's password** (strong/random, `forceChangePasswordNextSignIn = true`) — weak, sprayed, and in a plaintext log.
2. **Drive John + Sheila through MFA registration** — until then Security Defaults shields neither.
3. **Enforce CA001 (require MFA) + CA003 (block non-US) now** — would hard-block 100% of observed attacks; break-glass already excluded. (Hold CA002 block-legacy until after mail cutover per original plan.)
4. Watch for John hitting smart-lockout before the licensing/migration work.

62
wiki/clients/quantumwms.md
View File

@@ -3,7 +3,7 @@ title: Quantum WMS
slug: quantumwms
type: client
project_key: clients/quantumwms
last_updated: 2026-05-26
last_updated: 2026-06-01
---
# Quantum WMS
@@ -12,13 +12,27 @@ last_updated: 2026-05-26
| Field | Value |
|---|---|
| Company | Quantum WMS |
| Company | Quantum Wealth Management |
| Primary domain | quantumwms.com |
| Personal domain | sheilaperess.com |
| M365 tenant | `NETORGFT2570783.onmicrosoft.com` / `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` |
| M365 tenant (CURRENT) | `quantumwms.onmicrosoft.com` / `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — Pax8-provisioned 2026-05-27 |
| Old tenants (bypassed) | `8f7eaff4-...` (`NETORGFT2570783`, GoDaddy/johnvelez) and dormant `ddf3d2c9-...` (`netorg18235235`) — NOT in use |
| GoDaddy admin | `plan@johnvelez.com` (John Velez) — ACG has delegate access |
| Project key | `clients/quantumwms` |
## Current Status (2026-06-01)
- **6/03 license-lapse deadline: RESOLVED.** Both firm users are M365 Business Premium licensed AND have activated Office (John + Sheila both signed into Microsoft Office from the Tucson office 2026-05-27). They will not lose Office apps when M365 Personal lapses 2026-06-03.
- **Mail still on Intermedia (HEX).** MX cutover to Exchange Online not yet done; mailboxes in the new tenant are still empty.
- **Migration remainder pending:** PST backups (pre-cutover), MX/mail cutover, CA enforcement, Defender for Business onboarding, DMARC/SPF/DKIM, DNS -> Cloudflare, Exchange Online Plan 1 for personal-domain accounts, GoDaddy/Intermedia cancellation.
### [WARNING] Security: active password-spray on john@quantumwms.com
Read-only review 2026-06-01 (see `clients/quantumwms/reports/2026-06-01-m365-review.md`):
- `john@quantumwms.com` hit by a **distributed password-spray** — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess). **0 successful malicious logins — account NOT breached** (Entra blocked the IPs; password guesses failed).
- **Exposure:** John is NOT MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (require-MFA, block-non-US) are **report-only**. Security Defaults is ON but only protects users who have registered MFA — neither John nor Sheila has.
- **Recommended (not yet done):** force-reset John's password; drive both users through MFA registration; enforce CA001 (MFA) + CA003 (block non-US) now (break-glass already excluded).
## Contacts
| Name | Role | Notes |
@@ -49,21 +63,25 @@ SPF records found (conflict):
1. `v=spf1 include:spf.intermedia.net -all`
2. `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all`
## M365 Tenant (GoDaddy/johnvelez.com)
## M365 Tenant (CURRENT — `2fd0092b`)
- **Tenant created:** 2016-12-05 (GoDaddy-provisioned)
- **onmicrosoft domain:** `NETORGFT2570783.onmicrosoft.com`
- **quantumwms.com** is NOT a verified domain in this tenant — email runs entirely through Intermedia
- **Remediation app consent:** Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26
- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management"), Pax8-provisioned 2026-05-27
- **Domains:** `quantumwms.onmicrosoft.com` (initial), `quantumwms.com` (primary, verified)
- **Management:** Pax8 GDAP "Default_Ariz_Quantum Weal_704149625747913" (180 days). All 5 ComputerGuru remediation apps consented w/ directory roles.
- **Email:** still on Intermedia HEX — MX not yet cut to Exchange Online.
### Users
### Users (verified 2026-06-01)
| UPN | Display | Licenses | Notes |
|---|---|---|---|
| `plan@johnvelez.com` | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps |
| `admin@NETORGFT2570783.onmicrosoft.com` | johnvelez.com | None | GoDaddy admin account |
| `john__quantumwms.com@NETORGFT2570783.onmicrosoft.com` | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 |
| `migrationapp@NETORGFT2570783.onmicrosoft.com` | SkyKick Inc. | None | Old 2016 migration app account |
| UPN | Display | License | MFA registered | Notes |
|---|---|---|---|---|
| `john@quantumwms.com` | John Velez | Business Premium (SPB) | **No** | Office activated 5/27; under password-spray (see Security) |
| `sheila@quantumwms.com` | Sheila Peress | Business Premium (SPB) | **No** | Office activated 5/27; 8 clean sign-ins |
| `sysadmin@quantumwms.com` | Mike Swanson | none | Yes (Authenticator + TOTP) | Global Admin (daily) |
| `breakglass@quantumwms.onmicrosoft.com` | Break Glass | none | No (by design) | Emergency GA, CA-excluded, vaulted at `clients/quantumwms/m365-breakglass.sops.yaml` |
### Conditional Access (all report-only as of 2026-06-01 — enforcing nothing)
- CA001 Require MFA (all users), CA002 Block legacy auth, CA003 Block sign-in outside US — each excludes break-glass. Security Defaults is ON (interim MFA).
### Consent URL (Tenant Admin tier)
@@ -152,8 +170,12 @@ Sheila has been asked to produce **written policy from the Broker/Dealer that ex
## Open Items
- [ ] **BLOCKER:** Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00)
- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade
- [ ] Determine additional personal domain accounts beyond sheilaperess.com
- [ ] DNS cutover timing for both domains
- [ ] Confirm whether SkyKick migration app account (2016) can be deleted
- [x] **RESOLVED:** B/D compliance "Intermedia mandate" — IFG (Jen Curry) confirmed Intermedia HEX is being phased out and **recommended** the move to M365 (2026-05-27).
- [x] **DONE:** 2x Business Premium licensed + Office activated for John & Sheila (2026-05-27) — 6/03 lapse risk cleared.
- [ ] **SECURITY (new, 2026-06-01):** force-reset John's password; get John + Sheila MFA-registered; enforce CA001 + CA003 (john@ under active password-spray, currently failing).
- [ ] PST backups of John + Sheila mailboxes before Intermedia cutover.
- [ ] Mail/MX cutover Intermedia HEX -> Exchange Online; then migrate existing mail.
- [ ] Defender for Business onboarding; DMARC, single SPF, DKIM.
- [ ] DNS for both domains -> Cloudflare.
- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade; determine additional personal-domain accounts.
- [ ] Cancel GoDaddy email hosting + Intermedia per account as each migrates.