azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

report: Cascades Tucson phishing sweep - deleted 14 phish across 7 users

Browse Source 
Triggered by John Trozzi reporting a spoof email. Single-user check
confirmed him clean (reported, not compromised). Tenant-wide sweep
found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT
- deltahost + ColoCrossing) plus a compromised-M365-tenant relay
vector. Deleted 14 messages (Groups A+B) per Mike's explicit
authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and
user outbound forwards as evidence.

Recommendations in report: DMARC p=quarantine/reject for
cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl
URL block, Defender impersonation protection.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Howard Enos
2026-04-20 09:39:10 -07:00
parent 9694b4d521
commit a92d2d3f2c
2 changed files with 283 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

146
clients/cascades-tucson/reports/2026-04-20-john-trozzi-spoof-email-check.md Normal file
View File

@@ -0,0 +1,146 @@
# John Trozzi — Spoof Email Report / Follow-up Breach Check
**Date:** 2026-04-20
**Tenant:** Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)
**Subject:** John Trozzi (john.trozzi@cascadestucson.com, a638f4b9-6936-4401-a9b7-015b9900e49e)
**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
**Scope:** Read-only (no remediation actions executed)
**Trigger:** John told Mike he received a spoof email. He forwarded it to howard@azcomputerguru.com at 12:23 UTC today.
## Summary
- **No breach indicators.** John reported the phishing email himself — he is not a victim. He forwarded the message to Howard and then emailed Mike about it.
- **The phishing lure:** subject `"ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"` — classic DocuSign/fake-document-expiry style.
- **Mailbox posture is clean across all 10 checks:** zero inbox rules (including hidden), no forwarding, no delegates, no SendAs grants, no new OAuth consents in the attack window, all MFA methods predate the event, sign-ins are 100% Phoenix AZ.
- **Identity Protection `riskyUser.riskState = remediated`** from the prior 2026-04-16 incident (`userPerformedSecuredPasswordReset`). Current risk level `none`. That risk event is closed and unrelated to today's report.
- **Recommended next step:** confirm with John he did not click or enter credentials; block the sender tenant-wide; add to phish training examples. No account action required.
## Target details
| Field | Value |
|---|---|
| UPN | john.trozzi@cascadestucson.com |
| Object ID | a638f4b9-6936-4401-a9b7-015b9900e49e |
| Account Enabled | true |
| Created | 2022-02-18T18:31:39Z |
| Last Password Change | 2026-04-16T16:05:11Z (4 days ago, self-change after admin-initiated IR reset) |
## Per-check findings
### 1. Inbox rules (Graph) — CLEAN
`/users/{upn}/mailFolders/inbox/messageRules``value: []`. No rules.
### 2. Mailbox forwarding / settings — CLEAN
- `forwardingSmtpAddress`: null
- Mailbox settings: no forwarding configured.
### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox) — CLEAN
- `Get-InboxRule -IncludeHidden`: 0 rules beyond system defaults.
- `Get-MailboxPermission`: only NT AUTHORITY\SELF. No delegates.
- `Get-RecipientPermission` (SendAs): only NT AUTHORITY\SELF. No SendAs grants.
- `Get-Mailbox`: `ForwardingAddress=null`, `ForwardingSmtpAddress=null`, `DeliverToMailboxAndForward=null`.
### 4. OAuth consents + app role assignments — CLEAN
Single longstanding consent:
- **BlueMail** (clientId `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e`)
- Graph scope: `User.Read`
- Exchange Online scope: `EAS.AccessAsUser.All Exchange.Manage`
- App role assignment created 2022-02-18 (account creation day — legitimate and pre-dates any attack window).
- No new consents in the attack window.
### 5. Authentication methods — CLEAN (strong posture)
- Password (last changed 2026-04-16T16:05:11Z)
- Phone
- 2x Microsoft Authenticator
- FIDO2 security key
All non-password methods predate the 2026-04-16 IR event. No new method added in the attack window.
### 6. Sign-ins (30d, interactive) — CLEAN
- 12 sign-ins, all successful, all from **184.191.143.62 (Phoenix, AZ, US — CenturyLink/Qwest residential)**.
- 0 non-US sign-ins.
- Apps: Microsoft Authentication Broker, My Signins, Microsoft Account Controls V2 (all legitimate portal/auth flows).
- Devices: Android (Chrome Mobile) and Windows 10 (Chrome). Consistent with John's normal devices.
### 7. Directory audits (30d, filtered to John) — CLEAN
41 events, all clustered on 2026-04-16 and attributable to:
- `sysadmin@cascadestucson.com` (MSP admin running the IR reset)
- John himself (self-service password change post-reset)
- Microsoft system actors (Substrate Management, MFA StrongAuthenticationService)
No audit events in the last 3 days. No unauthorized changes.
### 8. Risky users / risk detections
- `riskyUser.riskLevel`: **none**
- `riskyUser.riskState`: **remediated**
- `riskyUser.riskDetail`: **userPerformedSecuredPasswordReset**
- `riskyUser.riskLastUpdatedDateTime`: 2026-04-16T15:45:55Z
- `riskDetections` (30d): **0**
The `remediated` flag is the closure marker for the prior 2026-04-16 incident. No new risk detections since.
### 9. Sent items (recent 25) — CLEAN + evidence of the report
Top of the list is John reporting the phishing to us:
| Sent (UTC) | Subject | To |
|---|---|---|
| 2026-04-20 12:26:51 | Spoof emails | mike@azcomputerguru.com |
| 2026-04-20 12:23:50 | Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d | howard@azcomputerguru.com |
| 2026-04-17 20:15:58 | 312 FLOORING 2OF 2 | prods_0478@homedepot.com |
| 2026-04-17 20:04:01 | 312 CABINETS 1 OF 2 | prods_0478@homedepot.com |
| 2026-04-17 19:58:12 | FW: Caregivers & medtech | howard@azcomputerguru.com |
| 2026-04-17 18:47:03 | Re: Model 1 Commercial Vehicles Follow Up | AFreer@model1.com |
| 2026-04-17 15:26:51 | RE: Cascades of Tucson - UE Revised Door Access Control Design Estimate | wpeterson@unwiredengineering.com |
| 2026-04-17 14:57:30 | Fw: Cascades of Tucson - UE Revised Door Access Control Design Estimate | mike@azcomputerguru.com |
| 2026-04-16 21:47:22 | Re: license upgrade | meredith.kuhn@cascadestucson.com (+ mike, howard, crystal) |
| ... | ... | ... |
All other outbound is legitimate vendor/internal business correspondence (Home Depot, Model 1, Unwired Engineering, internal Cascades, DirecTV). **No blast patterns, no external bulk sends, no credential-harvest style outbound.**
### 10. Deleted items (recent 25) — CLEAN
Normal marketing (Wayfair, BestBuy, Spotify, Floor & Decor), 8x8 voicemail notifications, vendor promotional email, and a few legitimate business messages. **No deleted security alerts, MFA prompts, or password-reset confirmations** — the tells of an attacker cleaning their tracks are absent.
## Suspicious items
None arising from this check. The only noteworthy item is the phishing email itself, which John handled correctly (reported rather than clicked).
## Gaps — checks not completed
None. All 10 checks completed successfully. Exchange REST and Identity Protection permissions are both in place for this tenant after the 2026-04-16 remediation.
## Relationship to prior investigation
On 2026-04-16, John was flagged as a risky user and an IR sequence was executed (see `clients/cascades-tucson/reports/2026-04-16-john-breach-check.md`). That incident was remediated via self-service secured password reset. Today's event is **separate** — John received a phishing email, recognized it, and reported it. No fresh compromise indicators.
## Next actions
1. **Talk to John** — confirm he did not click the link or enter credentials. Ask if he sees additional copies of the message or variations still arriving. If he did click, run `revoke-sessions` + force password reset immediately.
2. **Block the sender** — pull the original message headers from Howard's inbox; add sender domain to Exchange Online Tenant Allow/Block List or the anti-phish policy.
3. **Check other recipients** — query mail trace for the same Message-ID/subject across the tenant; if other Cascades users received the same lure, flag them for the same conversation.
4. **Add to phishing training catalog** — this is a textbook DocuSign-style impersonation. Worth using as a training example for staff.
5. **No account remediation required** at this time.
## Remediation actions
None executed. Read-only check.
## Data artifacts
Raw JSON at `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/`:
- 00_user.json
- 01_inbox_rules_graph.json
- 02_mailbox_settings.json
- 03a_InboxRule_hidden.json
- 03b_MailboxPermission.json
- 03c_RecipientPermission.json
- 03d_Mailbox.json
- 04a_oauth_grants.json
- 04b_app_role_assignments.json
- 05_auth_methods.json
- 06_signins.json
- 07_dir_audits.json
- 08a_risky_user.json
- 08b_risk_detections.json
- 09_sent.json
- 10_deleted.json

137
clients/cascades-tucson/reports/2026-04-20-tenant-phishing-sweep-and-purge.md Normal file
View File

@@ -0,0 +1,137 @@
# Cascades Tucson — Tenant-Wide Phishing Sweep and Purge
**Date:** 2026-04-20
**Tenant:** Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)
**Subject:** Tenant-wide (46 internal mailboxes)
**Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
**Scope:** Read-only sweep + explicit deletion action (authorized by Mike in chat, "a" = delete Groups A+B)
**Operator:** Mike Swanson (mike@azcomputerguru.com)
## Summary
- Triggered by John Trozzi reporting a spoof email at 12:23 UTC. Initial check on John (see `2026-04-20-john-trozzi-spoof-email-check.md`) found him clean and confirmed he was reporting, not compromised. Tenant-wide sweep expanded the investigation.
- **14 phishing messages** found across 7 mailboxes spanning 2026-03-21 through 2026-04-20 — a sustained ~1-month campaign from at least 4 distinct attacker IPs plus a compromised-M365-tenant relay.
- **14 / 14 messages deleted** (13 succeeded on first attempt; 1 retry for Lois Lane after she moved the message to Archive between scan and delete).
- **3 false positives** correctly excluded: the "HRPYDBRUNFOC…xlsx" thread is Ashley Jensen's legitimate internal HR export from 2026-03-09, with replies from JD Martin and Alyssa Brooks. Not phishing.
- **4 Sent Items items preserved as evidence** (user forwards to MSP).
- **Recommended blocks:** Ukraine (UA) region, 139.28.37.117 / 104.168.101.10 / 207.189.10.75 / 91.244.70.212 specific IPs, and `zoom.nl` domain in URL filters. **Publish DMARC p=reject for cascadestucson.com** to kill the domain-spoofing vector.
## Attacker origins (for regional blocking decisions)
Two distinct delivery patterns:
### Pattern 1 — External bulletproof/cheap hosting (April 2026)
| IP | Country | PTR / Hoster | Language header | Messages | Target(s) |
|---|---|---|---|---|---|
| **139.28.37.117** | UA | `139.28.37.117.deltahost-ptr` (Deltahost, Ukraine — bulletproof hosting) | `vi` (Vietnamese) / `en` | 2 | john.trozzi (4/20) |
| **104.168.101.10** | US | `104-168-101-10-host.colocrossing.com` (ColoCrossing NY) | **`th` (Thai)** | 3 | lois.lane (4/17), megan.hiatt (4/17 + 4/18) |
| **207.189.10.75** | DE | no reverse DNS (`InfoDomainNonexistent`) | `en` | 1 | dax.howard (4/17) |
| **91.244.70.212** | AT | (Austria, cheap hosting) | `en` | 1 | megan.hiatt (4/17) |
All 7 had **SPF=fail, DMARC=fail, DKIM=none**, envelope sender spoofed to recipient's own address. Microsoft let them through (`SFV:NSPM, SCL:1, compauth=pass reason=703`) because `cascadestucson.com` has `DMARC p=none` (observational, not enforcing). The `reason=703` specifically means "composite auth passed in the absence of an explicit DMARC reject policy" — i.e. a DMARC policy change to `p=quarantine` or `p=reject` would have blocked every one of these.
### Pattern 2 — Compromised M365 tenant relay (March 2026)
| IP (IPv6) | Source | Messages | Target(s) |
|---|---|---|---|
| `2a01:111:f403:c104::` / `:c103::3` / `:c100::f` / `:c110::1` / `:c10c::1` | Microsoft 365 Exchange Online datacenter (compromised customer tenant being used as a relay) | 6 | meredith.kuhn, anna.pitzlin, ann.dery |
SPF/DMARC **pass** because the compromised source tenant had valid SPF/DKIM. Only reliable signal was the content:
- Envelope `DocExchange_Noreply-m939k6d7.r.us_west_2.awstrack.me` (AWS SES click-tracking host masking the real sender)
- URL unwraps to `us02web.zoom.nl/j/81163775943?pwd=…`**`zoom.nl` is NOT Zoom**. `.nl` is the Netherlands TLD. The real Zoom is `zoom.us`. Classic lookalike-domain redirect.
- Subject has `REF#<40-char-hex>` hash which is a fingerprint of this operator.
### Regional / TABL block recommendations
| Recommendation | Rationale |
|---|---|
| **Block UA** at Microsoft Defender for Office 365 country filter (if available in E3+) | Deltahost is persistent infrastructure, 2 confirmed phishes in one day |
| **Add 139.28.37.117, 104.168.101.10, 207.189.10.75, 91.244.70.212 to Exchange TABL IP Block List** | Exact IPs; cheaper than broad regional block; will stop retransmission from the same hosts |
| **Add `zoom.nl` and `awstrack.me` to Exchange URL/domain block list** | The compromised-tenant phishes use these for redirect; blocking kills that vector |
| **Publish DMARC `p=quarantine` or `p=reject` for cascadestucson.com** (highest-leverage change) | Would have blocked ALL 8 external-hosting phishes because they all spoofed the domain and failed SPF/DMARC |
| **Enable Microsoft Defender impersonation protection** for cascadestucson.com domain | Catches "cascadestucson" lookalike-domain attempts before they land |
The Thai-language header (`LANG:th`) on ColoCrossing, Vietnamese on Deltahost, and English on the DE/AT hosts suggest a **Southeast-Asia-based operator using geographically-distributed sending infrastructure**. Blocking any single region is only a partial defense; DMARC enforcement is the real fix.
## Scan methodology
1. Pulled all 53 Cascades tenant users via Graph `/v1.0/users`; filtered to 46 internal mailboxes (excluding `#EXT#` guests).
2. Three search passes with Graph `$search` + client-side filter:
- Subject contains 32+ hex chars (attacker hash signature)
- Subject contains "ATTN expire / Mailbox Expire / Service Termination / Password expire / Login Expire"
- Subject contains "Pending Documents expires / Executed NDA Agreement / Approval Pending Review"
3. Paginated follow-up scans for John and Lois (initial $top=500 truncated their result sets).
4. For each hit: resolved folder name, fetched full `internetMessageHeaders`, extracted origin IP / country / language / SPF / DMARC / envelope-from, and pulled bodyPreview for content-based classification.
## Deletion inventory — 14 targets
### Group A — external-hosting phishing (8 messages, all DELETED)
| # | Mailbox | Folder (at scan) | Subject | Origin IP | Country | Result |
|---|---|---|---|---|---|---|
| 1 | dax.howard | Inbox | NSA: Cascadestucson Executed NDA Agreement Ref: 3a52d24c… | 207.189.10.75 | DE | DELETED 16:34:00Z |
| 2 | lois.lane | Inbox → Archive | ATTN : Mailbox Login Expire today, 4/17/2026 - 7578c86fe50e… | 104.168.101.10 | US | DELETED 16:34:32Z (retry) |
| 3 | john.trozzi | Inbox | ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2… | 139.28.37.117 | UA | DELETED 16:33:57Z |
| 4 | john.trozzi | Inbox | Action Required: Service Termination Alert 32d38cbb… | 139.28.37.117 | UA | DELETED 16:33:59Z |
| 5 | megan.hiatt | Deleted Items | Re: HR Documents Approval Pending Review Ref/ID#: 0f70944d… | 91.244.70.212 | AT | DELETED 16:33:52Z (purged) |
| 6 | megan.hiatt | Deleted Items | ATTN : Mailbox Login Expire today, 4/17/2026 - 123a5bc9ed53e… | 104.168.101.10 | US | DELETED 16:33:53Z (purged) |
| 7 | megan.hiatt | Deleted Items | ATTN : Mailbox Login Expire today, 4/18/2026 - fecac7931c86… | 104.168.101.10 | US | DELETED 16:33:51Z (purged) |
| 8 | megan.hiatt | Deleted Items | Undeliverable: FW: HR Documents (bounce of her fwd to info@azcomputeguru.com — typo) | — | — | DELETED 16:33:49Z (purged) |
### Group B — compromised-M365-tenant phishing (6 messages, all DELETED)
| # | Mailbox | Folder (at scan) | Subject | Envelope-From | Result |
|---|---|---|---|---|---|
| 9 | meredith.kuhn | Deleted Items | Document Ready for Review REF#99dab116… | DocExchange_Noreply…awstrack.me (→zoom.nl) | DELETED 16:33:45Z |
| 10 | meredith.kuhn | Deleted Items | Request for Quotation: Urban Choice Charter Project REF:3234627582… | lmccarthy@urbanchoicecharter.org | DELETED 16:33:46Z |
| 11 | anna.pitzlin | Inbox | Document Ready for Review REF#e8003bb2… | DocExchange_Noreply…awstrack.me | DELETED 16:33:55Z |
| 12 | anna.pitzlin | Inbox | Request for Quotation: Urban Choice Charter Project REF:3239883791… | lmccarthy@urbanchoicecharter.org | DELETED 16:33:56Z |
| 13 | ann.dery | Inbox | Document Ready for Review REF#ec4be8f2… | DocExchange_Noreply…awstrack.me | DELETED 16:34:02Z |
| 14 | ann.dery | Junk Email | Request for Quotation: Urban Choice Charter Project REF:953054e0… | lmccarthy@urbanchoicecharter.org | DELETED 16:34:03Z |
### Group C — false positives (EXCLUDED from deletion — NOT phishing)
The "HRPYDBRUNFOCb5b92c8c81854eb7afd33163c34118b7kktvrgsygrzrxvisedqvpsvfh55878.xlsx" thread is Ashley Jensen's legitimate 2026-03-09 employee roster export from an HR system that generates long hashed filenames. JD Martin replied to Ashley on 2026-03-10 and Alyssa Brooks replied on 2026-03-21 with payroll corrections. Internal HR correspondence.
- ashley.jensen / Inbox — JD Martin's "RE:" reply to her original
- jd.martin / Inbox — JD's own copy of Ashley's original (via CC or reply-all)
- alyssa.brooks / Sent Items — her "RE:" reply to ashley.jensen
### Group D — user outbound forwards (EXCLUDED from deletion — kept as evidence)
| Mailbox | Folder | Subject | To | Note |
|---|---|---|---|---|
| john.trozzi | Sent Items | Fw: ATTN!! — Pending 5 (Pages) Documents… | howard@azcomputerguru.com | John's forward to MSP, body: "Getting spoof emails this morning" |
| megan.hiatt | Sent Items | FW: HR Documents Approval Pending Review… (17:37) | info@azcomputeguru.com (TYPO) | Megan's 1st forward attempt, bounced |
| megan.hiatt | Sent Items | FW: HR Documents Approval Pending Review… (17:38) | info@azcomputerguru.com | Megan's 2nd forward, delivered |
These are evidence of user reporting; preserved per MSP workflow. Mike can purge later if desired.
## Deletion log
Full structured log at `/tmp/cascades_phishsweep/delete_log/2026-04-20T163343_deletions.jsonl`.
Summary: 14 success (13 on first try, 1 retry for Lois after user-move to Archive), 0 remaining failures.
## Next actions (prioritized)
1. **[HIGH] Publish DMARC `p=quarantine` for cascadestucson.com.** This is the single change that would block every external-spoofing phish. Start at `p=quarantine pct=25` to ease in, move to `p=reject` once you've watched reports for a week. Single-biggest leverage item.
2. **[HIGH] Add to Exchange TABL IP Block List:** `139.28.37.117`, `104.168.101.10`, `207.189.10.75`, `91.244.70.212`. Blocks re-use of the same infrastructure.
3. **[HIGH] Add URL/domain block:** `zoom.nl`, `*.awstrack.me`. Kills the compromised-tenant redirect vector.
4. **[MEDIUM] Talk to the 5 targeted users** (John, Lois, Dax, Megan, Meredith, Anna, Ann) — confirm none clicked or entered credentials. Pay extra attention to Megan (repeatedly targeted: 4 messages over 2 days) and John (targeted today with two variants one hour apart).
5. **[MEDIUM] Enable Defender anti-phish impersonation protection** for `cascadestucson.com` as a protected domain (if tenant has M365 Business Premium / E5 — verify SKU).
6. **[MEDIUM] Baseline sweep of the remaining 39 mailboxes not hit this time.** Only 7 of 46 users were targeted in this 30-day window; the operator may cycle through the rest next month.
7. **[LOW] Consider country-level mail filter for UA/AT inbound.** These have near-zero legitimate traffic to a Tucson senior-living facility. Only if DMARC enforcement isn't fast enough.
8. **Run again in 7 days** to verify no recurrence and to catch any variants that used subjects we didn't match.
## Data artifacts
All raw scan + deletion artifacts under `/tmp/cascades_phishsweep/`:
- `users.tsv` — list of 46 internal mailboxes scanned
- `junk_sweep.jsonl` — all signature-matched hits from all mailboxes
- `campaign_enriched2.jsonl` — final enriched list with folder + IP + country + auth for 20 matches (16 true phish + 4 false-positive HR thread)
- `campaign_final.json` — deduplicated 20 unique messages
- `headers/` — per-message JSON including full `internetMessageHeaders` for each match
- `targets.jsonl` — the 14 deletion targets
- `delete_log/2026-04-20T163343_deletions.jsonl` — structured log of all 14 DELETE calls, with HTTP codes and timestamps