From 847d63426a84f2fcc726b9a9bde8193b927d47ec Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Mon, 1 Jun 2026 09:11:37 -0700 Subject: [PATCH] sync: auto-sync from HOWARD-HOME at 2026-06-01 09:11:26 Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-01 09:11:26 --- .../reports/2026-06-01-m365-review.md | 65 +++++++++++++++++++ wiki/clients/quantumwms.md | 62 ++++++++++++------ 2 files changed, 107 insertions(+), 20 deletions(-) create mode 100644 clients/quantumwms/reports/2026-06-01-m365-review.md diff --git a/clients/quantumwms/reports/2026-06-01-m365-review.md b/clients/quantumwms/reports/2026-06-01-m365-review.md new file mode 100644 index 0000000..11ddbc6 --- /dev/null +++ b/clients/quantumwms/reports/2026-06-01-m365-review.md 
@@ -0,0 +1,65 @@ +# QuantumWMS — M365 Read-Only Review + +- **Date (UTC):** 2026-06-01 +- **Reviewer:** Howard Enos (Howard-Home) +- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — "Quantum Wealth Management" (`quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial) +- **Method:** Read-only Microsoft Graph via ComputerGuru Security Investigator app (`bfbc12a4-...`). **No changes made to the tenant.** +- **Raw artifacts:** `/tmp/remediation-tool/2fd0092b-.../signins/all.json` + +> NOTE: This is the **current production tenant** (Pax8-provisioned 2026-05-27). The old GoDaddy/johnvelez tenant (`8f7eaff4-...` / `NETORGFT2570783`) and the dormant GoDaddy `ddf3d2c9-...` tenant are bypassed and not in use. + +--- + +## Headline: active password-spray attack on john@quantumwms.com + +`john@quantumwms.com` shows **102 sign-in events 2026-05-27 → 2026-06-01: 98 failures from 98 unique IPs**, only 4 successes (all his own enrollment from the Tucson office on 5/27). + +| Attribute | Detail | +|---|---| +| Failure codes | 94× **50053** (Microsoft blocked — "IP address with malicious activity"), 4× **50126** (invalid password) | +| Unique source IPs | 98 — datacenter/proxy IPv6 ranges (`2600:3c02`, `2605:6400`, `2a01:7e04`) + **Amsterdam NL** (`192.42.116.61`, flagged malicious) + **Praha CZ** (`130.193.15.79`, password guess) | +| Successful logins | 4, all from Tucson office `69.254.197.173` on 2026-05-27 (Microsoft Office + Authentication Broker) | +| Verdict | Distributed credential-stuffing/spray. **Every attempt failing. Account NOT breached.** | + +**Risk despite no breach:** +- John is **NOT MFA-registered** (`isMfaRegistered: false`). +- His initial password is weak/OSINT-guessable (recorded plaintext in the 2026-05-27 session log). +- CA policies that would block this (require-MFA, block-non-US) are **report-only — not enforcing.** +- Only protections currently active: Entra malicious-IP reputation + attacker not yet having the password. 
+- Operational risk: spray-induced smart-lockout (50053) could lock John out during the licensing window. + +## Identity & licensing + +| User | Role | License | MFA registered | Notes | +|---|---|---|---|---| +| `john@quantumwms.com` | Member | Business Premium (SPB) | **No** | Under spray attack; Office activated 5/27 | +| `sheila@quantumwms.com` | Member | Business Premium (SPB) | **No** | 8 sign-ins all clean; Office activated 5/27 | +| `sysadmin@quantumwms.com` (Mike) | Global Admin | none | Yes (Authenticator + TOTP) | Daily admin | +| `breakglass@…onmicrosoft.com` | Global Admin | none | No (by design) | Emergency, CA-excluded, vaulted | + +- **SubscribedSkus:** 2× SPB (Business Premium), both consumed. Matches plan. [OK] +- **App suite:** all 5 ComputerGuru apps consented w/ correct directory roles. [OK] +- **Mailboxes:** John & Sheila — no forwarding, no inbox rules (mailboxes still near-empty; mail not yet cut from Intermedia). [OK] + +## Security controls — the gap + +- **Security Defaults: ON** — but only protects users who have **registered** MFA. Neither real user has → MFA is effectively **not protecting John or Sheila** yet. +- **3 Conditional Access policies, all `enabledForReportingButNotEnforced`** (enforcing nothing): + - CA001 Require MFA (all users) — excludes break-glass + - CA002 Block legacy auth — excludes break-glass + - CA003 Block sign-in outside United States — excludes break-glass + +## Minor / benign + +- `admin@quantumwms.onmicrosoft.com`: 2 successful Admin-portal logins 5/27 from Leesburg VA, but user **no longer exists** (`Request_ResourceNotFound`) — Pax8 provisioning admin, since removed. Benign. + +## 6/03 deadline status (M365 Personal lapse) + +**Deadline-critical objective MET** — both users Business-Premium licensed AND Office activated (signed into Microsoft Office from the office 5/27). They will not lose Office apps on 2026-06-03. + +## Recommendations (no action taken) + +1. 
**Force-reset John's password** (strong/random, `forceChangePasswordNextSignIn = true`) — weak, sprayed, and in a plaintext log. +2. **Drive John + Sheila through MFA registration** — until then Security Defaults shields neither. +3. **Enforce CA001 (require MFA) + CA003 (block non-US) now** — would hard-block 100% of observed attacks; break-glass already excluded. (Hold CA002 block-legacy until after mail cutover per original plan.) +4. Watch for John hitting smart-lockout before the licensing/migration work. diff --git a/wiki/clients/quantumwms.md b/wiki/clients/quantumwms.md index 765d18c..df7ae0d 100644 --- a/wiki/clients/quantumwms.md +++ b/wiki/clients/quantumwms.md @@ -3,7 +3,7 @@ title: Quantum WMS slug: quantumwms type: client project_key: clients/quantumwms -last_updated: 2026-05-26 +last_updated: 2026-06-01 --- # Quantum WMS 
@@ -12,13 +12,27 @@ last_updated: 2026-05-26 | Field | Value | |---|---| -| Company | Quantum WMS | +| Company | Quantum Wealth Management | | Primary domain | quantumwms.com | | Personal domain | sheilaperess.com | -| M365 tenant | `NETORGFT2570783.onmicrosoft.com` / `8f7eaff4-f913-4d3f-b8b9-92e695d987c6` | +| M365 tenant (CURRENT) | `quantumwms.onmicrosoft.com` / `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — Pax8-provisioned 2026-05-27 | +| Old tenants (bypassed) | `8f7eaff4-...` (`NETORGFT2570783`, GoDaddy/johnvelez) and dormant `ddf3d2c9-...` (`netorg18235235`) — NOT in use | | GoDaddy admin | `plan@johnvelez.com` (John Velez) — ACG has delegate access | | Project key | `clients/quantumwms` | +## Current Status (2026-06-01) + +- **6/03 license-lapse deadline: RESOLVED.** Both firm users are M365 Business Premium licensed AND have activated Office (John + Sheila both signed into Microsoft Office from the Tucson office 2026-05-27). They will not lose Office apps when M365 Personal lapses 2026-06-03. +- **Mail still on Intermedia (HEX).** MX cutover to Exchange Online not yet done; mailboxes in the new tenant are still empty. +- **Migration remainder pending:** PST backups (pre-cutover), MX/mail cutover, CA enforcement, Defender for Business onboarding, DMARC/SPF/DKIM, DNS -> Cloudflare, Exchange Online Plan 1 for personal-domain accounts, GoDaddy/Intermedia cancellation. + +### [WARNING] Security: active password-spray on john@quantumwms.com + +Read-only review 2026-06-01 (see `clients/quantumwms/reports/2026-06-01-m365-review.md`): +- `john@quantumwms.com` hit by a **distributed password-spray** — 98 failed sign-ins from 98 unique IPs (datacenter/proxy IPv6 + Amsterdam NL malicious-flagged IP + Praha CZ password guess). **0 successful malicious logins — account NOT breached** (Entra blocked the IPs; password guesses failed). 
+- **Exposure:** John is NOT MFA-registered, his initial password is weak/OSINT-guessable, and the protective CA policies (require-MFA, block-non-US) are **report-only**. Security Defaults is ON but only protects users who have registered MFA — neither John nor Sheila has. +- **Recommended (not yet done):** force-reset John's password; drive both users through MFA registration; enforce CA001 (MFA) + CA003 (block non-US) now (break-glass already excluded). + ## Contacts | Name | Role | Notes | 
@@ -49,21 +63,25 @@ SPF records found (conflict): 1. `v=spf1 include:spf.intermedia.net -all` 2. `v=spf1 include:_spf-usg1.ppe-hosted.com include:secureserver.net ~all` -## M365 Tenant (GoDaddy/johnvelez.com) +## M365 Tenant (CURRENT — `2fd0092b`) -- **Tenant created:** 2016-12-05 (GoDaddy-provisioned) -- **onmicrosoft domain:** `NETORGFT2570783.onmicrosoft.com` -- **quantumwms.com** is NOT a verified domain in this tenant — email runs entirely through Intermedia -- **Remediation app consent:** Tenant Admin tier consented by John (plan@johnvelez.com) 2026-05-26 +- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` ("Quantum Wealth Management"), Pax8-provisioned 2026-05-27 +- **Domains:** `quantumwms.onmicrosoft.com` (initial), `quantumwms.com` (primary, verified) +- **Management:** Pax8 GDAP "Default_Ariz_Quantum Weal_704149625747913" (180 days). All 5 ComputerGuru remediation apps consented w/ directory roles. +- **Email:** still on Intermedia HEX — MX not yet cut to Exchange Online. -### Users +### Users (verified 2026-06-01) -| UPN | Display | Licenses | Notes | -|---|---|---|---| -| `plan@johnvelez.com` | John Velez | O365 Business Essentials + Flow Free | Active — no desktop Office apps | -| `admin@NETORGFT2570783.onmicrosoft.com` | johnvelez.com | None | GoDaddy admin account | -| `john__quantumwms.com@NETORGFT2570783.onmicrosoft.com` | john@quantumwms.com | None | Shell account, no mailbox, created 2026-03-16 | -| `migrationapp@NETORGFT2570783.onmicrosoft.com` | SkyKick Inc. 
| None | Old 2016 migration app account | +| UPN | Display | License | MFA registered | Notes | +|---|---|---|---|---| +| `john@quantumwms.com` | John Velez | Business Premium (SPB) | **No** | Office activated 5/27; under password-spray (see Security) | +| `sheila@quantumwms.com` | Sheila Peress | Business Premium (SPB) | **No** | Office activated 5/27; 8 clean sign-ins | +| `sysadmin@quantumwms.com` | Mike Swanson | none | Yes (Authenticator + TOTP) | Global Admin (daily) | +| `breakglass@quantumwms.onmicrosoft.com` | Break Glass | none | No (by design) | Emergency GA, CA-excluded, vaulted at `clients/quantumwms/m365-breakglass.sops.yaml` | + +### Conditional Access (all report-only as of 2026-06-01 — enforcing nothing) + +- CA001 Require MFA (all users), CA002 Block legacy auth, CA003 Block sign-in outside US — each excludes break-glass. Security Defaults is ON (interim MFA). ### Consent URL (Tenant Admin tier) 
@@ -152,8 +170,12 @@ Sheila has been asked to produce **written policy from the Broker/Dealer that ex ## Open Items -- [ ] **BLOCKER:** Sheila to produce B/D written policy on email compliance requirements (due 2026-05-27 14:00) -- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade -- [ ] Determine additional personal domain accounts beyond sheilaperess.com -- [ ] DNS cutover timing for both domains -- [ ] Confirm whether SkyKick migration app account (2016) can be deleted +- [x] **RESOLVED:** B/D compliance "Intermedia mandate" — IFG (Jen Curry) confirmed Intermedia HEX is being phased out and **recommended** the move to M365 (2026-05-27). +- [x] **DONE:** 2x Business Premium licensed + Office activated for John & Sheila (2026-05-27) — 6/03 lapse risk cleared. +- [ ] **SECURITY (new, 2026-06-01):** force-reset John's password; get John + Sheila MFA-registered; enforce CA001 + CA003 (john@ under active password-spray, currently failing). +- [ ] PST backups of John + Sheila mailboxes before Intermedia cutover. +- [ ] Mail/MX cutover Intermedia HEX -> Exchange Online; then migrate existing mail. +- [ ] Defender for Business onboarding; DMARC, single SPF, DKIM. +- [ ] DNS for both domains -> Cloudflare. +- [ ] Sheila to confirm: sheilaperess.com Exchange Online Plan 1 only vs. Business Basic upgrade; determine additional personal-domain accounts. +- [ ] Cancel GoDaddy email hosting + Intermedia per account as each migrates.
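Review bot: in the new report file, Recommendation 3 ("Enforce CA001 + CA003 now") is missing a sequencing step: Entra will not let a Conditional Access policy move from report-only to On while Security Defaults is enabled, so the report should state that Security Defaults gets switched off as part of that change. That matters because the same recommendation holds CA002 (block legacy auth) until after the mail cutover, and Security Defaults is what currently blocks legacy authentication; disabling it without enabling CA002 leaves legacy auth open for the whole migration window. Recommendation 1 should also carry a follow-up to redact the plaintext initial password from the 2026-05-27 session log, since the report itself says it is recorded there, and the "Raw artifacts" line points at `/tmp/remediation-tool/...`, which will not survive a reboot; copy the sign-in export somewhere durable if this finding is meant to be auditable.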
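Review bot: in the `@@ -12,13 +12,27 @@` hunk, the new "Old tenants (bypassed)" row marks `8f7eaff4-...` and `ddf3d2c9-...` as NOT in use but records no owner or decommission plan for them, and the remediation-app consent granted in `8f7eaff4` on 2026-05-26 (the line this patch removes from the M365 Tenant section) remains a standing access grant to a tenant nobody will be watching. Suggest an open item to revoke that consent and to state what happens to both old tenants; "superseded" would also read more clearly than "bypassed".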
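Review bot: in the `@@ -49,21 +63,25 @@` hunk, the Management bullet names the Pax8 GDAP relationship and its 180-day term but not its start or expiry date or the roles it grants, which is exactly what will be needed if it lapses mid-migration; suggest recording `roles: <list>, expires: YYYY-MM-DD` on that line plus an open item for renewal. Also verify that the unchanged `### Consent URL (Tenant Admin tier)` section that follows this hunk has been re-pointed at tenant `2fd0092b`, since the only consent line referring to the old tenant is removed here and a stale URL would consent the app into `8f7eaff4` again.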
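Review bot: in the `@@ -152,8 +170,12 @@` hunk, `Confirm whether SkyKick migration app account (2016) can be deleted` is dropped outright rather than closed with a `[x]` and a reason like the two items above it; since that account lives in an old tenant that still exists, either mark it moot with the reason or fold it into an old-tenant decommission item so the decision is recorded. The new SECURITY item also bundles three actions with very different effort into one checkbox; split the password reset (doable today, and it also closes the plaintext-log exposure the report mentions) from MFA registration and CA enforcement so it is not held up by the user coordination the other two need.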