diff --git a/clients/cascades-tucson/reports/2026-04-20-john-trozzi-spoof-email-check.md b/clients/cascades-tucson/reports/2026-04-20-john-trozzi-spoof-email-check.md new file mode 100644 index 0000000..5f0bf11 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-04-20-john-trozzi-spoof-email-check.md 
@@ -0,0 +1,146 @@ +# John Trozzi — Spoof Email Report / Follow-up Breach Check + +**Date:** 2026-04-20 +**Tenant:** Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498) +**Subject:** John Trozzi (john.trozzi@cascadestucson.com, a638f4b9-6936-4401-a9b7-015b9900e49e) +**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`) +**Scope:** Read-only (no remediation actions executed) +**Trigger:** John told Mike he received a spoof email. He forwarded it to howard@azcomputerguru.com at 12:23 UTC today. + +## Summary + +- **No breach indicators.** John reported the phishing email himself — he is not a victim. He forwarded the message to Howard and then emailed Mike about it. +- **The phishing lure:** subject `"ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"` — classic DocuSign/fake-document-expiry style. +- **Mailbox posture is clean across all 10 checks:** zero inbox rules (including hidden), no forwarding, no delegates, no SendAs grants, no new OAuth consents in the attack window, all MFA methods predate the event, sign-ins are 100% Phoenix AZ. +- **Identity Protection `riskyUser.riskState = remediated`** from the prior 2026-04-16 incident (`userPerformedSecuredPasswordReset`). Current risk level `none`. That risk event is closed and unrelated to today's report. +- **Recommended next step:** confirm with John he did not click or enter credentials; block the sender tenant-wide; add to phish training examples. No account action required. + +## Target details + +| Field | Value | +|---|---| +| UPN | john.trozzi@cascadestucson.com | +| Object ID | a638f4b9-6936-4401-a9b7-015b9900e49e | +| Account Enabled | true | +| Created | 2022-02-18T18:31:39Z | +| Last Password Change | 2026-04-16T16:05:11Z (4 days ago, self-change after admin-initiated IR reset) | + +## Per-check findings + +### 1. 
Inbox rules (Graph) — CLEAN +`/users/{upn}/mailFolders/inbox/messageRules` → `value: []`. No rules. + +### 2. Mailbox forwarding / settings — CLEAN +- `forwardingSmtpAddress`: null +- Mailbox settings: no forwarding configured. + +### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox) — CLEAN +- `Get-InboxRule -IncludeHidden`: 0 rules beyond system defaults. +- `Get-MailboxPermission`: only NT AUTHORITY\SELF. No delegates. +- `Get-RecipientPermission` (SendAs): only NT AUTHORITY\SELF. No SendAs grants. +- `Get-Mailbox`: `ForwardingAddress=null`, `ForwardingSmtpAddress=null`, `DeliverToMailboxAndForward=null`. + +### 4. OAuth consents + app role assignments — CLEAN +Single longstanding consent: +- **BlueMail** (clientId `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e`) + - Graph scope: `User.Read` + - Exchange Online scope: `EAS.AccessAsUser.All Exchange.Manage` + - App role assignment created 2022-02-18 (account creation day — legitimate and pre-dates any attack window). +- No new consents in the attack window. + +### 5. Authentication methods — CLEAN (strong posture) +- Password (last changed 2026-04-16T16:05:11Z) +- Phone +- 2x Microsoft Authenticator +- FIDO2 security key + +All non-password methods predate the 2026-04-16 IR event. No new method added in the attack window. + +### 6. Sign-ins (30d, interactive) — CLEAN +- 12 sign-ins, all successful, all from **184.191.143.62 (Phoenix, AZ, US — CenturyLink/Qwest residential)**. +- 0 non-US sign-ins. +- Apps: Microsoft Authentication Broker, My Signins, Microsoft Account Controls V2 (all legitimate portal/auth flows). +- Devices: Android (Chrome Mobile) and Windows 10 (Chrome). Consistent with John's normal devices. + +### 7. 
Directory audits (30d, filtered to John) — CLEAN +41 events, all clustered on 2026-04-16 and attributable to: +- `sysadmin@cascadestucson.com` (MSP admin running the IR reset) +- John himself (self-service password change post-reset) +- Microsoft system actors (Substrate Management, MFA StrongAuthenticationService) + +No audit events in the last 3 days. No unauthorized changes. + +### 8. Risky users / risk detections +- `riskyUser.riskLevel`: **none** +- `riskyUser.riskState`: **remediated** +- `riskyUser.riskDetail`: **userPerformedSecuredPasswordReset** +- `riskyUser.riskLastUpdatedDateTime`: 2026-04-16T15:45:55Z +- `riskDetections` (30d): **0** + +The `remediated` flag is the closure marker for the prior 2026-04-16 incident. No new risk detections since. + +### 9. Sent items (recent 25) — CLEAN + evidence of the report +Top of the list is John reporting the phishing to us: + +| Sent (UTC) | Subject | To | +|---|---|---| +| 2026-04-20 12:26:51 | Spoof emails | mike@azcomputerguru.com | +| 2026-04-20 12:23:50 | Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d | howard@azcomputerguru.com | +| 2026-04-17 20:15:58 | 312 FLOORING 2OF 2 | prods_0478@homedepot.com | +| 2026-04-17 20:04:01 | 312 CABINETS 1 OF 2 | prods_0478@homedepot.com | +| 2026-04-17 19:58:12 | FW: Caregivers & medtech | howard@azcomputerguru.com | +| 2026-04-17 18:47:03 | Re: Model 1 Commercial Vehicles Follow Up | AFreer@model1.com | +| 2026-04-17 15:26:51 | RE: Cascades of Tucson - UE Revised Door Access Control Design Estimate | wpeterson@unwiredengineering.com | +| 2026-04-17 14:57:30 | Fw: Cascades of Tucson - UE Revised Door Access Control Design Estimate | mike@azcomputerguru.com | +| 2026-04-16 21:47:22 | Re: license upgrade | meredith.kuhn@cascadestucson.com (+ mike, howard, crystal) | +| ... | ... | ... 
| + +All other outbound is legitimate vendor/internal business correspondence (Home Depot, Model 1, Unwired Engineering, internal Cascades, DirecTV). **No blast patterns, no external bulk sends, no credential-harvest style outbound.** + +### 10. Deleted items (recent 25) — CLEAN +Normal marketing (Wayfair, BestBuy, Spotify, Floor & Decor), 8x8 voicemail notifications, vendor promotional email, and a few legitimate business messages. **No deleted security alerts, MFA prompts, or password-reset confirmations** — the tells of an attacker cleaning their tracks are absent. + +## Suspicious items + +None arising from this check. The only noteworthy item is the phishing email itself, which John handled correctly (reported rather than clicked). + +## Gaps — checks not completed + +None. All 10 checks completed successfully. Exchange REST and Identity Protection permissions are both in place for this tenant after the 2026-04-16 remediation. + +## Relationship to prior investigation + +On 2026-04-16, John was flagged as a risky user and an IR sequence was executed (see `clients/cascades-tucson/reports/2026-04-16-john-breach-check.md`). That incident was remediated via self-service secured password reset. Today's event is **separate** — John received a phishing email, recognized it, and reported it. No fresh compromise indicators. + +## Next actions + +1. **Talk to John** — confirm he did not click the link or enter credentials. Ask if he sees additional copies of the message or variations still arriving. If he did click, run `revoke-sessions` + force password reset immediately. +2. **Block the sender** — pull the original message headers from Howard's inbox; add sender domain to Exchange Online Tenant Allow/Block List or the anti-phish policy. +3. **Check other recipients** — query mail trace for the same Message-ID/subject across the tenant; if other Cascades users received the same lure, flag them for the same conversation. +4. 
**Add to phishing training catalog** — this is a textbook DocuSign-style impersonation. Worth using as a training example for staff. +5. **No account remediation required** at this time. + +## Remediation actions + +None executed. Read-only check. + +## Data artifacts + +Raw JSON at `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/`: + +- 00_user.json +- 01_inbox_rules_graph.json +- 02_mailbox_settings.json +- 03a_InboxRule_hidden.json +- 03b_MailboxPermission.json +- 03c_RecipientPermission.json +- 03d_Mailbox.json +- 04a_oauth_grants.json +- 04b_app_role_assignments.json +- 05_auth_methods.json +- 06_signins.json +- 07_dir_audits.json +- 08a_risky_user.json +- 08b_risk_detections.json +- 09_sent.json +- 10_deleted.json diff --git a/clients/cascades-tucson/reports/2026-04-20-tenant-phishing-sweep-and-purge.md b/clients/cascades-tucson/reports/2026-04-20-tenant-phishing-sweep-and-purge.md new file mode 100644 index 0000000..a4a2d90 --- /dev/null +++ b/clients/cascades-tucson/reports/2026-04-20-tenant-phishing-sweep-and-purge.md 
@@ -0,0 +1,137 @@ +# Cascades Tucson — Tenant-Wide Phishing Sweep and Purge + +**Date:** 2026-04-20 +**Tenant:** Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498) +**Subject:** Tenant-wide (46 internal mailboxes) +**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`) +**Scope:** Read-only sweep + explicit deletion action (authorized by Mike in chat, "a" = delete Groups A+B) +**Operator:** Mike Swanson (mike@azcomputerguru.com) + +## Summary + +- Triggered by John Trozzi reporting a spoof email at 12:23 UTC. Initial check on John (see `2026-04-20-john-trozzi-spoof-email-check.md`) found him clean and confirmed he was reporting, not compromised. Tenant-wide sweep expanded the investigation. +- **14 phishing messages** found across 7 mailboxes spanning 2026-03-21 through 2026-04-20 — a sustained ~1-month campaign from at least 4 distinct attacker IPs plus a compromised-M365-tenant relay. +- **14 / 14 messages deleted** (13 succeeded on first attempt; 1 retry for Lois Lane after she moved the message to Archive between scan and delete). +- **3 false positives** correctly excluded: the "HRPYDBRUNFOC…xlsx" thread is Ashley Jensen's legitimate internal HR export from 2026-03-09, with replies from JD Martin and Alyssa Brooks. Not phishing. +- **4 Sent Items items preserved as evidence** (user forwards to MSP). +- **Recommended blocks:** Ukraine (UA) region, 139.28.37.117 / 104.168.101.10 / 207.189.10.75 / 91.244.70.212 specific IPs, and `zoom.nl` domain in URL filters. **Publish DMARC p=reject for cascadestucson.com** to kill the domain-spoofing vector. 
+ +## Attacker origins (for regional blocking decisions) + +Two distinct delivery patterns: + +### Pattern 1 — External bulletproof/cheap hosting (April 2026) + +| IP | Country | PTR / Hoster | Language header | Messages | Target(s) | +|---|---|---|---|---|---| +| **139.28.37.117** | UA | `139.28.37.117.deltahost-ptr` (Deltahost, Ukraine — bulletproof hosting) | `vi` (Vietnamese) / `en` | 2 | john.trozzi (4/20) | +| **104.168.101.10** | US | `104-168-101-10-host.colocrossing.com` (ColoCrossing NY) | **`th` (Thai)** | 3 | lois.lane (4/17), megan.hiatt (4/17 + 4/18) | +| **207.189.10.75** | DE | no reverse DNS (`InfoDomainNonexistent`) | `en` | 1 | dax.howard (4/17) | +| **91.244.70.212** | AT | (Austria, cheap hosting) | `en` | 1 | megan.hiatt (4/17) | + +All 7 had **SPF=fail, DMARC=fail, DKIM=none**, envelope sender spoofed to recipient's own address. Microsoft let them through (`SFV:NSPM, SCL:1, compauth=pass reason=703`) because `cascadestucson.com` has `DMARC p=none` (observational, not enforcing). The `reason=703` specifically means "composite auth passed in the absence of an explicit DMARC reject policy" — i.e. a DMARC policy change to `p=quarantine` or `p=reject` would have blocked every one of these. + +### Pattern 2 — Compromised M365 tenant relay (March 2026) + +| IP (IPv6) | Source | Messages | Target(s) | +|---|---|---|---| +| `2a01:111:f403:c104::` / `:c103::3` / `:c100::f` / `:c110::1` / `:c10c::1` | Microsoft 365 Exchange Online datacenter (compromised customer tenant being used as a relay) | 6 | meredith.kuhn, anna.pitzlin, ann.dery | + +SPF/DMARC **pass** because the compromised source tenant had valid SPF/DKIM. Only reliable signal was the content: +- Envelope `DocExchange_Noreply-m939k6d7.r.us_west_2.awstrack.me` (AWS SES click-tracking host masking the real sender) +- URL unwraps to `us02web.zoom.nl/j/81163775943?pwd=…` — **`zoom.nl` is NOT Zoom**. `.nl` is the Netherlands TLD. The real Zoom is `zoom.us`. Classic lookalike-domain redirect. 
+- Subject has `REF#<40-char-hex>` hash which is a fingerprint of this operator. + +### Regional / TABL block recommendations + +| Recommendation | Rationale | +|---|---| +| **Block UA** at Microsoft Defender for Office 365 country filter (if available in E3+) | Deltahost is persistent infrastructure, 2 confirmed phishes in one day | +| **Add 139.28.37.117, 104.168.101.10, 207.189.10.75, 91.244.70.212 to Exchange TABL IP Block List** | Exact IPs; cheaper than broad regional block; will stop retransmission from the same hosts | +| **Add `zoom.nl` and `awstrack.me` to Exchange URL/domain block list** | The compromised-tenant phishes use these for redirect; blocking kills that vector | +| **Publish DMARC `p=quarantine` or `p=reject` for cascadestucson.com** (highest-leverage change) | Would have blocked ALL 8 external-hosting phishes because they all spoofed the domain and failed SPF/DMARC | +| **Enable Microsoft Defender impersonation protection** for cascadestucson.com domain | Catches "cascadestucson" lookalike-domain attempts before they land | + +The Thai-language header (`LANG:th`) on ColoCrossing, Vietnamese on Deltahost, and English on the DE/AT hosts suggest a **Southeast-Asia-based operator using geographically-distributed sending infrastructure**. Blocking any single region is only a partial defense; DMARC enforcement is the real fix. + +## Scan methodology + +1. Pulled all 53 Cascades tenant users via Graph `/v1.0/users`; filtered to 46 internal mailboxes (excluding `#EXT#` guests). +2. Three search passes with Graph `$search` + client-side filter: + - Subject contains 32+ hex chars (attacker hash signature) + - Subject contains "ATTN expire / Mailbox Expire / Service Termination / Password expire / Login Expire" + - Subject contains "Pending Documents expires / Executed NDA Agreement / Approval Pending Review" +3. Paginated follow-up scans for John and Lois (initial $top=500 truncated their result sets). +4. 
For each hit: resolved folder name, fetched full `internetMessageHeaders`, extracted origin IP / country / language / SPF / DMARC / envelope-from, and pulled bodyPreview for content-based classification. + +## Deletion inventory — 14 targets + +### Group A — external-hosting phishing (8 messages, all DELETED) + +| # | Mailbox | Folder (at scan) | Subject | Origin IP | Country | Result | +|---|---|---|---|---|---|---| +| 1 | dax.howard | Inbox | NSA: Cascadestucson Executed NDA Agreement Ref: 3a52d24c… | 207.189.10.75 | DE | DELETED 16:34:00Z | +| 2 | lois.lane | Inbox → Archive | ATTN : Mailbox Login Expire today, 4/17/2026 - 7578c86fe50e… | 104.168.101.10 | US | DELETED 16:34:32Z (retry) | +| 3 | john.trozzi | Inbox | ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2… | 139.28.37.117 | UA | DELETED 16:33:57Z | +| 4 | john.trozzi | Inbox | Action Required: Service Termination Alert – 32d38cbb… | 139.28.37.117 | UA | DELETED 16:33:59Z | +| 5 | megan.hiatt | Deleted Items | Re: HR Documents – Approval Pending Review Ref/ID#: 0f70944d… | 91.244.70.212 | AT | DELETED 16:33:52Z (purged) | +| 6 | megan.hiatt | Deleted Items | ATTN : Mailbox Login Expire today, 4/17/2026 - 123a5bc9ed53e… | 104.168.101.10 | US | DELETED 16:33:53Z (purged) | +| 7 | megan.hiatt | Deleted Items | ATTN : Mailbox Login Expire today, 4/18/2026 - fecac7931c86… | 104.168.101.10 | US | DELETED 16:33:51Z (purged) | +| 8 | megan.hiatt | Deleted Items | Undeliverable: FW: HR Documents (bounce of her fwd to info@azcomputeguru.com — typo) | — | — | DELETED 16:33:49Z (purged) | + +### Group B — compromised-M365-tenant phishing (6 messages, all DELETED) + +| # | Mailbox | Folder (at scan) | Subject | Envelope-From | Result | +|---|---|---|---|---|---| +| 9 | meredith.kuhn | Deleted Items | Document Ready for Review REF#99dab116… | DocExchange_Noreply…awstrack.me (→zoom.nl) | DELETED 16:33:45Z | +| 10 | meredith.kuhn | Deleted Items | Request for Quotation: Urban Choice Charter 
Project REF:3234627582… | lmccarthy@urbanchoicecharter.org | DELETED 16:33:46Z | +| 11 | anna.pitzlin | Inbox | Document Ready for Review REF#e8003bb2… | DocExchange_Noreply…awstrack.me | DELETED 16:33:55Z | +| 12 | anna.pitzlin | Inbox | Request for Quotation: Urban Choice Charter Project REF:3239883791… | lmccarthy@urbanchoicecharter.org | DELETED 16:33:56Z | +| 13 | ann.dery | Inbox | Document Ready for Review REF#ec4be8f2… | DocExchange_Noreply…awstrack.me | DELETED 16:34:02Z | +| 14 | ann.dery | Junk Email | Request for Quotation: Urban Choice Charter Project REF:953054e0… | lmccarthy@urbanchoicecharter.org | DELETED 16:34:03Z | + +### Group C — false positives (EXCLUDED from deletion — NOT phishing) + +The "HRPYDBRUNFOCb5b92c8c81854eb7afd33163c34118b7kktvrgsygrzrxvisedqvpsvfh55878.xlsx" thread is Ashley Jensen's legitimate 2026-03-09 employee roster export from an HR system that generates long hashed filenames. JD Martin replied to Ashley on 2026-03-10 and Alyssa Brooks replied on 2026-03-21 with payroll corrections. Internal HR correspondence. + +- ashley.jensen / Inbox — JD Martin's "RE:" reply to her original +- jd.martin / Inbox — JD's own copy of Ashley's original (via CC or reply-all) +- alyssa.brooks / Sent Items — her "RE:" reply to ashley.jensen + +### Group D — user outbound forwards (EXCLUDED from deletion — kept as evidence) + +| Mailbox | Folder | Subject | To | Note | +|---|---|---|---|---| +| john.trozzi | Sent Items | Fw: ATTN!! — Pending 5 (Pages) Documents… | howard@azcomputerguru.com | John's forward to MSP, body: "Getting spoof emails this morning" | +| megan.hiatt | Sent Items | FW: HR Documents – Approval Pending Review… (17:37) | info@azcomputeguru.com (TYPO) | Megan's 1st forward attempt, bounced | +| megan.hiatt | Sent Items | FW: HR Documents – Approval Pending Review… (17:38) | info@azcomputerguru.com | Megan's 2nd forward, delivered | + +These are evidence of user reporting; preserved per MSP workflow. 
Mike can purge later if desired. + +## Deletion log + +Full structured log at `/tmp/cascades_phishsweep/delete_log/2026-04-20T163343_deletions.jsonl`. + +Summary: 14 success (13 on first try, 1 retry for Lois after user-move to Archive), 0 remaining failures. + +## Next actions (prioritized) + +1. **[HIGH] Publish DMARC `p=quarantine` for cascadestucson.com.** This is the single change that would block every external-spoofing phish. Start at `p=quarantine pct=25` to ease in, move to `p=reject` once you've watched reports for a week. Single-biggest leverage item. +2. **[HIGH] Add to Exchange TABL IP Block List:** `139.28.37.117`, `104.168.101.10`, `207.189.10.75`, `91.244.70.212`. Blocks re-use of the same infrastructure. +3. **[HIGH] Add URL/domain block:** `zoom.nl`, `*.awstrack.me`. Kills the compromised-tenant redirect vector. +4. **[MEDIUM] Talk to the 5 targeted users** (John, Lois, Dax, Megan, Meredith, Anna, Ann) — confirm none clicked or entered credentials. Pay extra attention to Megan (repeatedly targeted: 4 messages over 2 days) and John (targeted today with two variants one hour apart). +5. **[MEDIUM] Enable Defender anti-phish impersonation protection** for `cascadestucson.com` as a protected domain (if tenant has M365 Business Premium / E5 — verify SKU). +6. **[MEDIUM] Baseline sweep of the remaining 39 mailboxes not hit this time.** Only 7 of 46 users were targeted in this 30-day window; the operator may cycle through the rest next month. +7. **[LOW] Consider country-level mail filter for UA/AT inbound.** These have near-zero legitimate traffic to a Tucson senior-living facility. Only if DMARC enforcement isn't fast enough. +8. **Run again in 7 days** to verify no recurrence and to catch any variants that used subjects we didn't match. 
+ +## Data artifacts + +All raw scan + deletion artifacts under `/tmp/cascades_phishsweep/`: +- `users.tsv` — list of 46 internal mailboxes scanned +- `junk_sweep.jsonl` — all signature-matched hits from all mailboxes +- `campaign_enriched2.jsonl` — final enriched list with folder + IP + country + auth for 20 matches (16 true phish + 4 false-positive HR thread) +- `campaign_final.json` — deduplicated 20 unique messages +- `headers/` — per-message JSON including full `internetMessageHeaders` for each match +- `targets.jsonl` — the 14 deletion targets +- `delete_log/2026-04-20T163343_deletions.jsonl` — structured log of all 14 DELETE calls, with HTTP codes and timestamps
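Review bot: In the first file (`2026-04-20-john-trozzi-spoof-email-check.md`), the "Gaps — checks not completed" section states "None. All 10 checks completed successfully", but the check headings themselves narrow the scope in ways the Gaps section should record: check 6 is "Sign-ins (30d, interactive)" only, so non-interactive sign-ins over the same window were not reviewed, and checks 9 and 10 cover only the "recent 25" sent and deleted items, which is thinner coverage than the 30-day window used for sign-ins and directory audits. Suggest restating Gaps as "None of the 10 checks failed; coverage limits: interactive sign-ins only, most recent 25 sent/deleted items" so a later reader does not take it as exhaustive. Two smaller documentation points in the same hunk: heading "### 8. Risky users / risk detections" is the only check without the "— CLEAN" verdict suffix the other nine carry, while the Summary claims "clean across all 10 checks", so add the verdict to the heading for consistency; and the Data artifacts section points at `/tmp/remediation-tool/...`, a path that will not outlive the session, so either copy the JSON next to the report under `clients/cascades-tucson/reports/` or note in the report that the raw evidence is transient.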
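Review bot: In the second file (`2026-04-20-tenant-phishing-sweep-and-purge.md`), the counts do not reconcile across sections and should be fixed before this is filed. Next action 4 reads "Talk to the 5 targeted users (John, Lois, Dax, Megan, Meredith, Anna, Ann)" but names seven people, matching the "7 mailboxes" in the Summary; the Summary says "4 Sent Items items preserved as evidence" while the Group D table lists three rows; the Pattern 1 text says "All 7 had SPF=fail" while the TABL table says DMARC "Would have blocked ALL 8 external-hosting phishes", and Group A reaches 8 only by including item 8, "Undeliverable: FW: HR Documents", which is the bounce of Megan's own mistyped forward rather than an attacker-origin message; and the Data artifacts line describes "20 matches (16 true phish + 4 false-positive HR thread)" against the body's 14 deletions and 3 Group C false positives. Suggest settling on one set of numbers (7 targeted users, 7 attacker-origin Group A messages plus 1 bounce, 3 Group D forwards, 3 false positives) and applying it everywhere, and stating explicitly that item 8 was deleted as cleanup of a user artifact rather than as phishing, since Group D otherwise preserves user-forward evidence and deleting the matching bounce removes part of that same record. As with the first file, the artifacts live under `/tmp/cascades_phishsweep/` and the deletion log is the only record of the 14 DELETE calls, so it should be copied into the repository alongside this report.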