sync: auto-sync from GURU-5070 at 2026-06-09 10:52:48
Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-09 10:52:48
@@ -0,0 +1,140 @@
# Session Log — 2026-06-09 — Kittle BEC/ACH Fraud Investigation + IC3 Filing (and fleet Exchange-role fix)

## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin

## Session Summary

This session spanned several threads but culminated in a major incident: the discovery and full
documentation of an **active ACH payment-redirection fraud** inside the 2026-06-08 Kittle Design &
Construction BEC. The session opened on ClaudeTools harness work (P1 completion: skill-description
trims, `/save` `/sync` thinning, `session-logs/YYYY-MM/` convention, `now-phoenix.sh`, harness 1.4.x,
plus a guard false-positive test matrix and a `/self-check` `harness`+`consistency` category), then a
Safe Site M365 + multi-RMM inventory investigation (parked), then pivoted to Kittle.

The pivotal enabler was a **fleet-wide fix for a recurring Exchange-role gap**: app-only EXO management
(Search-UnifiedAuditLog, Get-MessageTrace, inbox rules) requires the **Exchange Operator SP**
(`b43e7342-...`) to hold the Entra **Exchange Administrator** directory role, which admin-consent never
grants. Built `assign-exchange-role.sh` (idempotent, via the authoritative
`roleManagement/directory/roleAssignments` API — the legacy `directoryRoles/members` reads back
unreliably) and **backfilled the whole fleet: 13 tenants were silently broken and got fixed**, 12
already OK, 20 skipped (tenant-admin not consented), 0 errors. This unblocked EXO forensics on
kittlearizona.com (which already had the role).

With EXO working, the Kittle investigation escalated sharply. The original 2026-06-08 remediation had
treated the incident as a credential-phishing blast (1,000 phishing emails) and missed the real
objective. Audit-log + message-trace analysis revealed the attacker used Ken Schagel's standing
delegate (FullAccess) permission to the Accounting mailbox to **operate the finance mailbox**: from IP
64.44.131.168 they read customer/employee/finance folders (21 MailItemsAccessed events), then **sent
fraudulent "EFT UPDATE"/ACH bank-change emails (SendOnBehalf of Accounting@) to the City of Tucson** to
redirect Kittle's payments, then **hard-deleted the entire thread** to conceal it. Recovered the deleted
emails + the fraudulent `BSD ACH APPLICATION.pdf` from the M365 Recoverable Items dumpster via Graph,
extracting the attacker's mule bank accounts. Confirmed a multi-stage scheme using lookalike
infrastructure (`Accounting.kittlearizona@gmx.com`, `tucsonoz.com`).

Assembled a complete **FBI IC3 complaint package** (report PDF, 3 bank freeze letters, 2 ACH form PDFs,
171-event audit CSV, recovered emails, resolution confirmation), generated PDFs by installing
`markdown`+`xhtml2pdf`, and walked Mike through filing the IC3 complaint (**Submission ID
`aa2ef50482ca4c05a54ae0f6cb56ffa0`**, filed 2026-06-09 12:46 PM EST). Outcome: **the City of Tucson
stopped the payment before any transfer — $0 actual loss** (attempted $130k+); Kittle confirmed no Foam
Factory relationship. Also: posted public+emailed Syncro ticket updates, reset Ken's password, removed
his outbound-spam send restriction, created Ken as a Syncro contact, and researched bank fraud/BSA
contacts.

## Key Decisions

- **Exchange-role gap fixed via backfill + standing audit, not another empty promise.** Root cause: the
Exchange Operator SP missing the Exchange Admin directory role; onboarding assigns it but
pre-existing/manually-consented tenants never got it and nothing audited for it. Built the idempotent
tool + ran `--all`. Saved `feedback_exchange_role_recurring_gap.md` so future sessions stop saying
"next onboarding will fix it" (structurally false for already-onboarded tenants).
- **Used the authoritative `roleManagement/directory/roleAssignments` API** for role checks/writes — the
legacy `directoryRoles/{id}/members` list reads back unreliably (replication lag falsely showed Safe
Site/kittle unassigned right after a successful write).
- **Refined `harness-guard.sh` conflict rule to require a real hunk** (both `^<<<<<<< ` AND `^>>>>>>> `)
instead of also firing on a lone `=======` — a markdown-underline false-positive vector. Built a
12-case test matrix; FP surface now 0.
- **GrepAI demoted below the wiki** across CORE/EXTENDED/standard/guidelines — resolved the "GrepAI first"
vs "wiki first" contradiction; GrepAI scoped to code/discovery.
- **Forensic scan pattern fix:** initial `*SSUS*` matched the company abbreviation (2,271 false hits);
changed to the specific `06122026` date token.
- **IC3 first in the reporting order** — it generates the reference # the bank letters cite and routes to
the FBI Recovery Asset Team (the actual lever on receiving banks).
- **Ken's password reset JIT cleanup must be done manually** — `reset-password.sh` grants the Tenant
Admin SP Privileged Authentication Administrator to reset an admin target, but Microsoft blocks an SP
from removing its OWN privileged role, so the cleanup always fails (script bug). Mike must remove it in
the Entra portal.
- **Syncro ticket emails route to the customer DEFAULT address** (ken@), not contacts; the `contact_id`
PUT is silently ignored by the API. Accepted emailing ken@ once his account was secured.

## Problems Encountered

- **Legacy directory-role member endpoints unreliable** (read-back lag + self-removal block) — switched
to `roleManagement/directory/roleAssignments`; JIT PAA removal left to manual portal action.
- **Windows-native python can't read MSYS `/c/`,`/tmp` paths** and `/tmp` clears between Bash calls —
used `cygpath -m` and kept intermediates in cwd / single invocations.
- **Recoverable-items message IDs are folder-scoped** — fetching attachment bodies via top-level
`/messages/{id}` 404'd; used `/mailFolders/recoverableitemsdeletions/messages/{id}/...`.
- **No MD→PDF tool installed** — Mike granted module-install; used pure-python `markdown`+`xhtml2pdf`.
- **`Get-BlockedSenderAddress` removal lag** — Ken showed still-restricted immediately after
`Remove-BlockedSenderAddress`; cleared on re-check (EOP propagation), did not re-issue.
- **Notepad didn't launch** from `cmd /c start` — used `Start-Process` with the Notepad++ path instead.
- **Syncro emailed ken@ not admin@** — API won't set ticket contact; documented, proceeded.

## Configuration Changes

Created/modified (committed):
- `.claude/skills/remediation-tool/scripts/assign-exchange-role.sh` (NEW) — fleet Exchange-Admin role backfill/audit.
- `.claude/skills/remediation-tool/references/tenants.md` — Safe Site + kittlearizona marked onboarded/verified; Exchange-role backfill note.
- `.claude/memory/feedback_exchange_role_recurring_gap.md` (NEW) + MEMORY.md index line.
- `.claude/scripts/now-phoenix.sh`, `.claude/scripts/test-harness-guard.sh` (NEW); `.claude/scripts/harness-guard.sh` (pair-required conflict rule).
- `.claude/skills/self-check/scripts/self-check.sh` + `baseline/manifest.json` + `SKILL.md` (harness + consistency + guard-selftest checks).
- `.claude/CLAUDE_EXTENDED.md`, `.claude/CODING_GUIDELINES.md`, `.claude/standards/context-lookup/grepai-first.md` (GrepAI wiki-first).
- `.claude/commands/save.md` `sync.md`; 8 skill SKILL.md description trims; `.claude/harness/VERSION` (→1.4.3) + CHANGELOG.
- `wiki/clients/safesite.md` (NEW).
- `clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md` (NEW; updated with amounts, resolution, IC3 #).
- `specs/claudetools-harness-optimization/plan.md` (status).

Not in repo (local evidence package): `C:\Users\guru\Downloads\Kittle-IC3-Package\` — report PDF+MD, BANK-FRAUD-NOTIFICATIONS PDF+MD, FRAUD_BSD_ACH_APPLICATION.pdf, EVIDENCE_2nd_ACH_FoamFactory.pdf, attacker-audit-events.csv, recovered-fraud-emails.txt, resolution-confirmation.txt, IC3-fill-sheet.txt.

Tenant changes (M365): kittlearizona Exchange Operator SP granted Exchange Admin role (and 13 other tenants); Ken@kittlearizona password reset; Ken removed from restricted-senders. **Tenant Admin SP still holds Privileged Authentication Administrator on kittlearizona — MUST remove in Entra portal.**

## Credentials & Secrets

- Ken Schagel M365 password reset to `LucyRed1903!` (no forced change) — NOW SUPERSEDED: Mike changed it in person on-site 2026-06-09. The `LucyRed1903!` value is stale/invalid.
- No new vault entries this session. EXO/Graph access via existing remediation-tool app suite (per-tenant tokens via get-token.sh; pass `VAULT_ROOT_ENV=D:/vault` since ~/.claude/identity.json lacks vault_path on GURU-5070).

## Infrastructure & Servers

- **Kittle tenant:** kittlearizona.com — tenant `3d073ebe-806a-4a5e-9035-3c7c4a264fc0`. Compromised: Ken@, Accounting@ (Darline Cabrera bookkeeper, impersonated). O365 E3 (no Entra P1).
- **Attacker IPs:** 64.44.131.168 (Chicago, AS20278 Nexeon Technologies — OWA + fraud sends + deletions), 45.134.224.220 (Kansas City, AS147049 PacketHub — phishing send), 40.126.41.96 (Azure — contact harvest via python-httpx/0.28.1, OAuth app d3590ed6-52b3-4102-aeff-aad2292ab01c).
- **Attacker infra:** Accounting.kittlearizona@gmx.com; tucsonoz.com (lookalike of tucsonaz.gov); phone (659) 221-9243.
- **Fraudulent mule accounts:** Truist rt 053201607 acct 1410020505238 (submitted to City under Kittle's name); FOAM FACTORY INC at First State Bank of East Detroit rt 072410165 acct 62100616, and JPMorgan Chase rt 021000021 (ACH 072000326) acct 2906183268 SWIFT CHASUS33.
- **Targeted payer:** City of Tucson BSD/AP — Randi Arnett (Finance Mgr, Randi.Arnett@tucsonaz.gov), HCDAccountsPayable-Finance@tucsonaz.gov. Invoices #31468 ($123,776.75), #31400 (~$8,818), #31453 ($41,231).
- App SP IDs: Exchange Operator b43e7342-5b4b-492f-890f-bb5a4f7f40e9; Tenant Admin 709e6eed-0711-4875-9c44-2d3518c47063 (objectId in kittle 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5).

## Commands & Outputs

- `assign-exchange-role.sh --all` → 13 ASSIGNED / 12 OK / 20 SKIP / 0 ERROR.
- Role assignment via `POST roleManagement/directory/roleAssignments {principalId, roleDefinitionId:29232cdf-9323-42fd-ade2-1d097af3e4de, directoryScopeId:/}`.
- EXO unblock for kittle took ~15-20 min to propagate (Get-OrganizationConfig 403→200).
- Recovered fraud form bank details via `pdftotext -layout` on FRAUD_BSD_ACH_APPLICATION.pdf.
- PDF gen: `pip install markdown xhtml2pdf`; `xhtml2pdf.pisa.CreatePDF(html, dest)`.
- `Remove-BlockedSenderAddress -SenderAddress ken@kittlearizona.com` then `Get-BlockedSenderAddress` → clean (after lag).

## Pending / Incomplete Tasks

- **Kittle:** Send bank freeze letters (Truist business-fraud — Mike on phone; First State Bank fraud 866-372-1275 / main 586-775-5000; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com). Draft City of Tucson written follow-up (offered, not done). Remove Privileged Authentication Administrator from Tenant Admin SP in kittle Entra portal. Confirm exact City invoice $ and EIN 86-0942406. Christina Micek rule on Ken + Ken FullAccess to Accounting (pre-existing, Ken to confirm). Lori GA downscope.
- **Safe Site (parked):** corrected SSUS-06122026 endpoint scans queued on 7 agented recipients (run on GuruRMM reconnect); recall-proof in Downloads/safesite-recall-proof.json; coord todo f1c11d0d (mechanism follow-up). Unknown site LIGHT-CLOUD-3585. GuruRMM Intune-push blocked (DeviceManagementScripts.ReadWrite.All scope missing) + redundant with SC.
- **Harness:** promote guard to FATAL after clean warn window (coord todo, ~2026-06-22). `reset-password.sh` JIT self-removal bug to fix.

## Reference Information

- **FBI IC3 Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`** (filed 2026-06-09 12:46 PM EST).
- Syncro Kittle ticket #32393 (id 112381882) — public+emailed fraud-alert, status update, IC3-filed comments. Ken contact id 4509381 (cell 520-310-1525). Kimberly Ross admin@ contact 4373248.
- Kittle: Ken Schagel, Owner, 2539 N Balboa Ave #125, Tucson AZ 85705, ken@kittlearizona.com, (520) 299-0404. ACG: Mike Swanson, admin@azcomputerguru.com, (520) 304-8300.
- Bank fraud: Truist 844-487-8478 / Enterprise Fraud Mgmt 1-866-802-4955; First State Bank (MI, fsb.bank) 586-775-5000 / fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4, gb.fraud.recovery@jpmorgan.com.
- Commits: e180a463/512ceb47 (guard matrix), 7fc29a7c (exchange-role fix), 5a5e0c4c (kittle EXO verify), c5a7c15c/42135ed5/4c580fe4/53584e14 (IC3 report iterations).
- Package: `C:\Users\guru\Downloads\Kittle-IC3-Package\`.
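Review bot: the `## Credentials & Secrets` section commits a plaintext account password (`LucyRed1903!`) to the repository, and the Infrastructure and Reference sections carry mule-account routing and account numbers, an EIN, personal cell numbers and a street address. Marking the password as superseded does not help once the line is in git history under `session-logs/YYYY-MM/` and gets auto-synced and grepped; please replace the password with a placeholder such as `<redacted, rotated 2026-06-09>` and keep the bank identifiers and personal contact details only in the local evidence package the log already points at (`C:\Users\guru\Downloads\Kittle-IC3-Package\`), citing those files by name here. Two smaller points on the same hunk: the Tenant Admin SP being left with Privileged Authentication Administrator is flagged three times (Key Decisions, Configuration Changes, Pending) but the only control is a reminder to remove it in the portal, so the `reset-password.sh` JIT self-removal bug listed under Harness should be treated as a blocker rather than a follow-up, since every admin-target reset with the current script leaves a standing PAA assignment behind; and the `## User` block sits directly under its heading while every other section has a blank line after the heading, which the `/save` format presumably expects to be consistent.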