sync: auto-sync from DESKTOP-0O8A1RL at 2026-04-20 08:05:31
Author: Mike Swanson Machine: DESKTOP-0O8A1RL Timestamp: 2026-04-20 08:05:31
@@ -34,6 +34,7 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO
| CS-SERVER (DC + file server) | 192.168.2.254, domain `cascades.local` | `clients/cascades-tucson/cs-server.sops.yaml` |

**Syncro ID:** 20149445

**M365 Tenant ID:** `207fa277-e9d8-4eb7-ada1-1064d2221498` (cascadestucson.com)

**Contact:** Meredith Kuhn — meredith.kuhn@cascadestucson.com — (520) 886-3171

**GuruRMM:**
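Review bot: the new `**M365 Tenant ID:**` line follows the bold-label convention of the Syncro ID and Contact entries around it, and the value matches the tenant ID used in the breach-check report added in this same commit, so the two records stay consistent. While this block is being edited, two gaps remain next to it: the `**GuruRMM:**` entry is still empty, and unlike the CS-SERVER row (which points at `clients/cascades-tucson/cs-server.sops.yaml`) nothing here says where the tenant's admin or app-registration credentials are kept. Either add the sops path for the tenant the same way or state that none are held, and fill in or drop the empty GuruRMM label.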
@@ -0,0 +1,114 @@
# User Breach Check: John Trozzi

**Date:** 2026-04-20

**Tenant:** Cascades of Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)

**Subject:** john.trozzi@cascadestucson.com

**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)

**Scope:** read-only

**Trigger:** John reported spoofed email arriving in his inbox

## Summary

- Account shows NO indicators of compromise
- Spoofed/phishing email is INBOUND — not originating from John's account
- John forwarded one sample to howard@azcomputerguru.com this morning: classic credential phishing template ("ATTN!! Pending Documents expires in 2 days")
- April 16 password reset (self-service by John, confirmed by audit log) was legitimate
- OAuth grant with EAS + Exchange.Manage scope is consistent with Outlook mobile / native mail client
- Next action: get original headers from John to identify spoofing vector; review Defender anti-phishing policy for tenant

## Target Details

| Field | Value |
|---|---|
| UPN | john.trozzi@cascadestucson.com |
| Object ID | a638f4b9-6936-4401-a9b7-015b9900e49e |
| Account Enabled | true |
| Created | 2022-02-18 |
| Last Password Change | 2026-04-16T16:05:11Z (self-service reset by John) |

## Per-Check Findings

### 1. Inbox rules (Graph)

0 rules. Clean.

### 2. Mailbox forwarding / settings

No forwarding configured. `ForwardingAddress` and `ForwardingSmtpAddress` both null.

### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)

- **Hidden rules:** 1 — the default "Junk E-mail Rule" (system rule, benign, present on all mailboxes)
- **Mailbox permissions:** 0 non-SELF
- **SendAs:** 0 non-SELF
- **Forwarding (Get-Mailbox):** fwdAddr=null, fwdSmtp=null — clean

### 4. OAuth consents + app role assignments

- App `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e` (not found as SP in tenant — likely MS first-party):
- `User.Read` (Principal consent)
- `EAS.AccessAsUser.All Exchange.Manage` (Principal consent) — consistent with Outlook mobile or native iOS/Android mail client
- 1 app role assignment (no detail flagged as unusual)

No unknown third-party apps with mail access.

### 5. Authentication methods

5 methods registered. Created dates:

- 2026-04-16T16:05:11Z (same day as SSPR — MFA re-registration during reset, expected)
- 2026-02-12T01:25:40Z
- 2026-02-12T01:23:45Z
- 2 additional (dates not returned by API)

Nothing registered outside of the April 16 reset window that would indicate an attacker adding a backdoor auth method.

### 6. Sign-ins (30d)

12 interactive sign-ins. 0 non-US. No failures noted. Clean.

### 7. Directory audits (30d)

41 events — all clustered on 2026-04-16 and all attributed to:

- `john.trozzi@cascadestucson.com`
- `Microsoft password reset service`
- `Azure MFA StrongAuthenticationService`

This is the normal audit burst from a self-service password reset. No suspicious changes to auth methods, roles, or policies outside this window.

### 8. Risky users / risk detections

No risky user flag. 0 risk detections. Identity Protection shows clean.

### 9. Sent items (recent 25)

Notable items:

- `2026-04-20T12:26:51Z` — **"Spoof emails"** to mike@azcomputerguru.com (John's report to us)
- `2026-04-20T12:23:50Z` — **"Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"** to howard@azcomputerguru.com (forwarded phishing sample)
- Remaining items are normal business correspondence (Home Depot orders, vendor emails, Model 1 Commercial Vehicles follow-up, internal UE estimate reply)

No blast patterns or unusual external recipients.

### 10. Deleted items (recent 25)

25 items in Deleted Items — not reviewed individually. No elevated concern given account is clean otherwise.

## Suspicious Items

None found. Account is clean.

- [INFO] Inbound phishing confirmed — John forwarded a sample to Howard. Subject line is a credential-harvest template.
- [INFO] April 16 password reset was user-initiated self-service, confirmed by `Microsoft password reset service` attribution in audit log.

## Gaps — Checks Not Completed

None — all 10 checks completed. Exchange REST ran successfully via `EWS.AccessAsUser.All` scope.

## Next Actions

1. **Get headers from John** — ask him to forward the original spoofed email as an attachment (not just forwarded inline) so we can examine `From:`, `Return-Path:`, `Received:`, and `X-Originating-IP` headers to identify the spoofing vector (display name spoof vs. lookalike domain vs. internal relay abuse).
2. **Check tenant anti-phishing policy** — review Defender for Office 365 anti-phishing settings in the Security portal (security.microsoft.com) for cascadestucson.com. Verify impersonation protection is on and spoof intelligence is enabled.
3. **Check DMARC/SPF/DKIM** — verify cascadestucson.com has a DMARC policy (ideally `p=quarantine` or `p=reject`). If a lookalike domain is spoofing them, DMARC won't stop it from being delivered TO them, but it signals whether their own domain is protected.
4. **No account remediation needed** — account is clean, no action required on John's mailbox.

## Remediation Actions

None — this was a read-only check. No account compromise found.

## Data Artifacts

Raw JSON: `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/`

- `00_user.json`, `01_inbox_rules_graph.json`, `02_mailbox_settings.json`
- `03a_InboxRule_hidden.json`, `03b_MailboxPermission.json`, `03c_RecipientPermission.json`, `03d_Mailbox.json`
- `04a_oauth_grants.json`, `04b_app_role_assignments.json`, `05_auth_methods.json`
- `06_signins.json`, `07_dir_audits.json`, `08a_risky_user.json`, `08b_risk_detections.json`
- `09_sent.json`, `10_deleted.json`
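Review bot: the "Gaps — Checks Not Completed" section ("None — all 10 checks completed") contradicts check 10, which says the 25 Deleted Items were "not reviewed individually"; list that as a gap or reword the section, because a dataset that was pulled but never read is exactly what this section exists to record. Two other conclusions are stated more firmly than their own evidence supports: check 5 concludes that nothing was registered outside the April 16 window while two of the five methods have no creation date (record their method types so the claim can be re-checked later), and check 4 calls app `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e` "likely MS first-party" without resolving it, so note how that ID was or will be confirmed before the account is signed off as clean. Check 6 covers only the 12 interactive sign-ins; say whether non-interactive sign-ins were also pulled, since ongoing token use by a consented mail client shows up in that log rather than the interactive one. Finally, the Data Artifacts path under `/tmp/` holds raw mailbox and sign-in exports for a named user on the operator workstation; state where they are retained, or that they were deleted once the report was written.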
Submodule projects/msp-tools/guru-rmm updated: b91ac5ecbf...80e7dd2714