From 9694b4d5219bc06090fdd3691bd6af2d288a5d0c Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 20 Apr 2026 08:05:32 -0700 Subject: [PATCH] sync: auto-sync from DESKTOP-0O8A1RL at 2026-04-20 08:05:31 Author: Mike Swanson Machine: DESKTOP-0O8A1RL Timestamp: 2026-04-20 08:05:31 --- clients/cascades-tucson/PROJECT_STATE.md | 1 + .../2026-04-20-user-breach-john-trozzi.md | 114 ++++++++++++++++++ projects/msp-tools/guru-rmm | 2 +- 3 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 clients/cascades-tucson/reports/2026-04-20-user-breach-john-trozzi.md diff --git a/clients/cascades-tucson/PROJECT_STATE.md b/clients/cascades-tucson/PROJECT_STATE.md index 333da97..612da1d 100644 --- a/clients/cascades-tucson/PROJECT_STATE.md +++ b/clients/cascades-tucson/PROJECT_STATE.md @@ -34,6 +34,7 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO | CS-SERVER (DC + file server) | 192.168.2.254, domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` | **Syncro ID:** 20149445 +**M365 Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (cascadestucson.com) **Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171 **GuruRMM:** diff --git a/clients/cascades-tucson/reports/2026-04-20-user-breach-john-trozzi.md b/clients/cascades-tucson/reports/2026-04-20-user-breach-john-trozzi.md new file mode 100644 index 0000000..dc616a3 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-04-20-user-breach-john-trozzi.md 
@@ -0,0 +1,114 @@ +# User Breach Check: John Trozzi + +**Date:** 2026-04-20 +**Tenant:** Cascades of Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498) +**Subject:** john.trozzi@cascadestucson.com +**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`) +**Scope:** read-only +**Trigger:** John reported spoofed email arriving in his inbox + +## Summary + +- Account shows NO indicators of compromise +- Spoofed/phishing email is INBOUND — not originating from John's account +- John forwarded one sample to howard@azcomputerguru.com this morning: classic credential phishing template ("ATTN!! Pending Documents expires in 2 days") +- April 16 password reset (self-service by John, confirmed by audit log) was legitimate +- OAuth grant with EAS + Exchange.Manage scope is consistent with Outlook mobile / native mail client +- Next action: get original headers from John to identify spoofing vector; review Defender anti-phishing policy for tenant + +## Target Details + +| Field | Value | +|---|---| +| UPN | john.trozzi@cascadestucson.com | +| Object ID | a638f4b9-6936-4401-a9b7-015b9900e49e | +| Account Enabled | true | +| Created | 2022-02-18 | +| Last Password Change | 2026-04-16T16:05:11Z (self-service reset by John) | + +## Per-Check Findings + +### 1. Inbox rules (Graph) +0 rules. Clean. + +### 2. Mailbox forwarding / settings +No forwarding configured. `ForwardingAddress` and `ForwardingSmtpAddress` both null. + +### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox) +- **Hidden rules:** 1 — the default "Junk E-mail Rule" (system rule, benign, present on all mailboxes) +- **Mailbox permissions:** 0 non-SELF +- **SendAs:** 0 non-SELF +- **Forwarding (Get-Mailbox):** fwdAddr=null, fwdSmtp=null — clean + +### 4. 
OAuth consents + app role assignments +- App `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e` (not found as SP in tenant — likely MS first-party): + - `User.Read` (Principal consent) + - `EAS.AccessAsUser.All Exchange.Manage` (Principal consent) — consistent with Outlook mobile or native iOS/Android mail client +- 1 app role assignment (no detail flagged as unusual) + +No unknown third-party apps with mail access. + +### 5. Authentication methods +5 methods registered. Created dates: +- 2026-04-16T16:05:11Z (same day as SSPR — MFA re-registration during reset, expected) +- 2026-02-12T01:25:40Z +- 2026-02-12T01:23:45Z +- 2 additional (dates not returned by API) + +Nothing registered outside of the April 16 reset window that would indicate an attacker adding a backdoor auth method. + +### 6. Sign-ins (30d) +12 interactive sign-ins. 0 non-US. No failures noted. Clean. + +### 7. Directory audits (30d) +41 events — all clustered on 2026-04-16 and all attributed to: +- `john.trozzi@cascadestucson.com` +- `Microsoft password reset service` +- `Azure MFA StrongAuthenticationService` + +This is the normal audit burst from a self-service password reset. No suspicious changes to auth methods, roles, or policies outside this window. + +### 8. Risky users / risk detections +No risky user flag. 0 risk detections. Identity Protection shows clean. + +### 9. Sent items (recent 25) +Notable items: +- `2026-04-20T12:26:51Z` — **"Spoof emails"** to mike@azcomputerguru.com (John's report to us) +- `2026-04-20T12:23:50Z` — **"Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"** to howard@azcomputerguru.com (forwarded phishing sample) +- Remaining items are normal business correspondence (Home Depot orders, vendor emails, Model 1 Commercial Vehicles follow-up, internal UE estimate reply) + +No blast patterns or unusual external recipients. + +### 10. Deleted items (recent 25) +25 items in Deleted Items — not reviewed individually. 
No elevated concern given account is clean otherwise. + +## Suspicious Items + +None found. Account is clean. + +- [INFO] Inbound phishing confirmed — John forwarded a sample to Howard. Subject line is a credential-harvest template. +- [INFO] April 16 password reset was user-initiated self-service, confirmed by `Microsoft password reset service` attribution in audit log. + +## Gaps — Checks Not Completed + +None — all 10 checks completed. Exchange REST ran successfully via `EWS.AccessAsUser.All` scope. + +## Next Actions + +1. **Get headers from John** — ask him to forward the original spoofed email as an attachment (not just forwarded inline) so we can examine `From:`, `Return-Path:`, `Received:`, and `X-Originating-IP` headers to identify the spoofing vector (display name spoof vs. lookalike domain vs. internal relay abuse). +2. **Check tenant anti-phishing policy** — review Defender for Office 365 anti-phishing settings in the Security portal (security.microsoft.com) for cascadestucson.com. Verify impersonation protection is on and spoof intelligence is enabled. +3. **Check DMARC/SPF/DKIM** — verify cascadestucson.com has a DMARC policy (ideally `p=quarantine` or `p=reject`). If a lookalike domain is spoofing them, DMARC won't stop it from being delivered TO them, but it signals whether their own domain is protected. +4. **No account remediation needed** — account is clean, no action required on John's mailbox. + +## Remediation Actions + +None — this was a read-only check. No account compromise found. 
+ +## Data Artifacts + +Raw JSON: `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/` +- `00_user.json`, `01_inbox_rules_graph.json`, `02_mailbox_settings.json` +- `03a_InboxRule_hidden.json`, `03b_MailboxPermission.json`, `03c_RecipientPermission.json`, `03d_Mailbox.json` +- `04a_oauth_grants.json`, `04b_app_role_assignments.json`, `05_auth_methods.json` +- `06_signins.json`, `07_dir_audits.json`, `08a_risky_user.json`, `08b_risk_detections.json` +- `09_sent.json`, `10_deleted.json` diff --git a/projects/msp-tools/guru-rmm b/projects/msp-tools/guru-rmm index b91ac5e..80e7dd2 160000 --- a/projects/msp-tools/guru-rmm +++ b/projects/msp-tools/guru-rmm @@ -1 +1 @@ -Subproject commit b91ac5ecbfe7d9616925328b272862c357488ecf +Subproject commit 80e7dd2714a5f796d5047244fd1c106d80082266
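Review bot: the single `+**M365 Tenant ID:**` line added to clients/cascades-tucson/PROJECT_STATE.md is reasonable to keep in plain text next to the Syncro ID, since a tenant ID identifies the tenant but grants no access on its own; what is missing is where the value came from, so a short trailer such as "(from the 2026-04-20 user breach check)" would let a later reader tie it to the report in this same patch, where the identical ID appears in the `**Tenant:**` header.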
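Review bot: in the new report, `## Gaps — Checks Not Completed` states `None — all 10 checks completed`, yet section 10 says the 25 Deleted Items were `not reviewed individually` and section 5 lists `2 additional (dates not returned by API)` authentication methods, so the section 5 conclusion that nothing was registered outside the April 16 reset window is not established for those two methods; list both as gaps and either retrieve the type and creation date of the two undated methods or qualify the statement. Two smaller points: section 4 labels app `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e` as `likely MS first-party` solely because no service principal exists in the tenant, so record how that was confirmed (for example against Microsoft's published list of first-party application IDs) before treating the `EAS.AccessAsUser.All Exchange.Manage` grant as benign, and section 6 reports only `12 interactive sign-ins`, so state whether non-interactive sign-ins over the same 30 days were reviewed. Finally, `## Data Artifacts` points at `/tmp/remediation-tool/...`, which does not survive a reboot and holds mailbox content (sent-item subjects and recipients) for a client whose PROJECT_STATE.md header references HIPAA-compliance work; either move the JSON to a retained, access-controlled location or note in the report that it was deleted after the check.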
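Review bot: the `projects/msp-tools/guru-rmm` hunk moves the submodule pointer from `b91ac5ecbfe7d9616925328b272862c357488ecf` to `80e7dd2714a5f796d5047244fd1c106d80082266` inside the same auto-sync commit as a client incident report, with no description of what changed in guru-rmm; split the submodule bump into its own commit (or at least name the upstream change in the message) so that the client-report history is not coupled to tooling updates and the report can be reverted or cherry-picked independently.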