sync: auto-sync from HOWARD-HOME at 2026-06-01 09:11:26

Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-01 09:11:26
2026-06-01 09:11:37 -07:00
parent 42f0462442
commit 847d63426a
2 changed files with 107 additions and 20 deletions
--- a/clients/quantumwms/reports/2026-06-01-m365-review.md
+++ b/clients/quantumwms/reports/2026-06-01-m365-review.md
@@ -0,0 +1,65 @@
+# QuantumWMS — M365 Read-Only Review
+
+- **Date (UTC):** 2026-06-01
+- **Reviewer:** Howard Enos (Howard-Home)
+- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — "Quantum Wealth Management" (`quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial)
+- **Method:** Read-only Microsoft Graph via ComputerGuru Security Investigator app (`bfbc12a4-...`). **No changes made to the tenant.**
+- **Raw artifacts:** `/tmp/remediation-tool/2fd0092b-.../signins/all.json`
+
+> NOTE: This is the **current production tenant** (Pax8-provisioned 2026-05-27). The old GoDaddy/johnvelez tenant (`8f7eaff4-...` / `NETORGFT2570783`) and the dormant GoDaddy `ddf3d2c9-...` tenant are bypassed and not in use.
+
+---
+
+## Headline: active password-spray attack on john@quantumwms.com
+
+`john@quantumwms.com` shows **102 sign-in events 2026-05-27 → 2026-06-01: 98 failures from 98 unique IPs**, only 4 successes (all his own enrollment from the Tucson office on 5/27).
+
+| Attribute | Detail |
+|---|---|
+| Failure codes | 94× **50053** (Microsoft blocked — "IP address with malicious activity"), 4× **50126** (invalid password) |
+| Unique source IPs | 98 — datacenter/proxy IPv6 ranges (`2600:3c02`, `2605:6400`, `2a01:7e04`) + **Amsterdam NL** (`192.42.116.61`, flagged malicious) + **Praha CZ** (`130.193.15.79`, password guess) |
+| Successful logins | 4, all from Tucson office `69.254.197.173` on 2026-05-27 (Microsoft Office + Authentication Broker) |
+| Verdict | Distributed credential-stuffing/spray. **Every attempt failing. Account NOT breached.** |
+
+**Risk despite no breach:**
+- John is **NOT MFA-registered** (`isMfaRegistered: false`).
+- His initial password is weak/OSINT-guessable (recorded plaintext in the 2026-05-27 session log).
+- CA policies that would block this (require-MFA, block-non-US) are **report-only — not enforcing.**
+- Only protections currently active: Entra malicious-IP reputation + attacker not yet having the password.
+- Operational risk: spray-induced smart-lockout (50053) could lock John out during the licensing window.
+
+## Identity & licensing
+
+| User | Role | License | MFA registered | Notes |
+|---|---|---|---|---|
+| `john@quantumwms.com` | Member | Business Premium (SPB) | **No** | Under spray attack; Office activated 5/27 |
+| `sheila@quantumwms.com` | Member | Business Premium (SPB) | **No** | 8 sign-ins all clean; Office activated 5/27 |
+| `sysadmin@quantumwms.com` (Mike) | Global Admin | none | Yes (Authenticator + TOTP) | Daily admin |
+| `breakglass@…onmicrosoft.com` | Global Admin | none | No (by design) | Emergency, CA-excluded, vaulted |
+
+- **SubscribedSkus:** 2× SPB (Business Premium), both consumed. Matches plan. [OK]
+- **App suite:** all 5 ComputerGuru apps consented w/ correct directory roles. [OK]
+- **Mailboxes:** John & Sheila — no forwarding, no inbox rules (mailboxes still near-empty; mail not yet cut from Intermedia). [OK]
+
+## Security controls — the gap
+
+- **Security Defaults: ON** — but only protects users who have **registered** MFA. Neither real user has → MFA is effectively **not protecting John or Sheila** yet.
+- **3 Conditional Access policies, all `enabledForReportingButNotEnforced`** (enforcing nothing):
+  - CA001 Require MFA (all users) — excludes break-glass
+  - CA002 Block legacy auth — excludes break-glass
+  - CA003 Block sign-in outside United States — excludes break-glass
+
+## Minor / benign
+
+- `admin@quantumwms.onmicrosoft.com`: 2 successful Admin-portal logins 5/27 from Leesburg VA, but user **no longer exists** (`Request_ResourceNotFound`) — Pax8 provisioning admin, since removed. Benign.
+
+## 6/03 deadline status (M365 Personal lapse)
+
+**Deadline-critical objective MET** — both users Business-Premium licensed AND Office activated (signed into Microsoft Office from the office 5/27). They will not lose Office apps on 2026-06-03.
+
+## Recommendations (no action taken)
+
+1. **Force-reset John's password** (strong/random, `forceChangePasswordNextSignIn = true`) — weak, sprayed, and in a plaintext log.
+2. **Drive John + Sheila through MFA registration** — until then Security Defaults shields neither.
+3. **Enforce CA001 (require MFA) + CA003 (block non-US) now** — would hard-block 100% of observed attacks; break-glass already excluded. (Hold CA002 block-legacy until after mail cutover per original plan.)
+4. Watch for John hitting smart-lockout before the licensing/migration work.