sync: auto-sync from GURU-BEAST-ROG at 2026-07-14 15:28:42

Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-07-14 15:28:42
This commit is contained in:
Winter Williams
2026-07-14 15:29:34 -07:00
committed by ClaudeTools Bot
parent 088ffb7645
commit a9a17f426f
2 changed files with 124 additions and 0 deletions

View File

@@ -0,0 +1,83 @@
# MVAN Enterprises — Risky Sign-in Check — 2026-07-14
Tenant: mvan.onmicrosoft.com (5affaf1e-de89-416b-a655-1b2cf615d5b1), domain mvaninc.com
Requested by: Mike (Discord thread 1526651647214882956), context: ticket #32554 (mailbox
re-sync symptoms) — ruling out account compromise.
Tier used: investigator (read-only, cert auth). Window: sign-ins 2026-06-30 → 2026-07-14 (126 events).
## Verdict
**No evidence of compromise.** Zero successful anomalous/foreign sign-ins in the window.
All successful sign-ins are consistent US locations (Boise ID home ISP prefix 2605:59ca for
June/Mitch; Jason from Oklahoma City; tocurtis@cox.net from Ashburn VA). Identity Protection:
0 active risk detections.
**BUT: mitch.v@mvaninc.com is under an active, ongoing distributed credential attack.**
## Findings
### 1. Credential-stuffing / password-spray against Mitch (ongoing)
- mitch.v@mvaninc.com: 77 sign-in events, **72 failures from 73 unique IPs** across US, CA,
DE, IT, RO, NL. Errors: 50053 (sign-in blocked / smart lockout) and 50126 (bad password).
Attempts continuing through today (last 2026-07-14 11:57 UTC).
- m.vandeveer@modernstile.com (Mitch's second account, same tenant): 14 attempts, all failed,
from JP, NL, NP — latest 2026-07-14 18:57 UTC.
- Every attack attempt FAILED. Mitch's real sign-ins (Boise) succeeded normally.
- Mitch's password was already reset 2026-05-18 (riskState remediated,
userPerformedSecuredPasswordReset).
### 2. MFA posture
| Account | MFA registered |
|---|---|
| mitch.v@mvaninc.com | YES (Hello, Authenticator push, OTP, phone, email) |
| june.b@mvaninc.com | YES |
| jason.r@mvaninc.com | YES |
| sienna.v@mvaninc.com | YES |
| sysadmin@mvaninc.com | YES |
| **m.vandeveer@modernstile.com** | **NO — and actively targeted** |
| **kyeri.b@mvaninc.com** | **NO** |
| **invoicing@mvaninc.com** | **NO** |
| **j.bradford@modernstile.com** | **NO** |
### 3. Stale risky-user record
- j.bradford@modernstile.com: riskLevel medium / atRisk — last updated 2020-12-25 (stale,
pre-dates current management; candidate for dismissal after MFA is fixed).
## Recommendations
1. Register/enforce MFA on the 4 uncovered accounts — priority m.vandeveer@modernstile.com
(actively targeted, no MFA). If modernstile accounts are unused, disable them.
2. Consider CA policy blocking legacy auth / requiring MFA tenant-wide (report-only first,
break-glass excluded).
3. The attack is being absorbed by smart lockout + MFA; repeated 50053 lockouts can
occasionally cause auth prompts / sync stalls on Mitch's Outlook — possibly related to
the ticket #32554 symptoms on his machine, worth noting during troubleshooting.
4. Dismiss the stale 2020 risky-user record once MFA is addressed.
## Remediation performed (2026-07-14, approved by Mike via Discord)
- **Disabled** `m.vandeveer@modernstile.com` (never a successful sign-in, unlicensed, no MFA,
actively targeted) — PATCH accountEnabled=false, verified.
- **Disabled** `j.bradford@modernstile.com` (never a successful sign-in, unlicensed, no MFA) —
verified. This also moots the stale 2020 risky-user record on this account.
- Findings posted to Syncro #32554 as internal comment (id 423730614).
- Account status detail: kyeri.b@mvaninc.com ACTIVE (successful sign-in 2026-07-14 05:10 UTC,
licensed) — needs MFA enrollment. invoicing@mvaninc.com dormant since 2025-09-24 (licensed) —
disable-or-MFA decision pending.
## Consent refresh + CA policy (2026-07-14, later same day)
- Mike re-consented the Tenant Admin app interactively — token now carries the full manifest
(Policy.Read.All, Sites.FullControl.All, Intune scopes, etc.). Consent-audit AMBER resolved
for tenant-admin. (Exchange Operator re-consent URL was also provided; verify on next EXO task.)
- Created CA policy **"ACG - Require MFA for all users (report-only)"**
(id `f69d7b41-bf13-4631-b1cd-ccf449ef06b9`), state `enabledForReportingButNotEnforced`,
all users / all apps, grant = MFA, exclude break-glass `sysadmin@mvaninc.com`
(547852a1-4ced-4e36-abe5-52779a53b4b1). Security defaults confirmed off. Pre-existing
policies: only the 2 Microsoft-managed ones (device-code block, risky-sign-in MFA).
- NEXT: review report-only impact in Entra sign-in logs after a few days of traffic; get
explicit confirmation before flipping to `enabled`. kyeri.b and invoicing must enroll MFA
before enforcement or they will be blocked.
## Artifacts
- Raw sign-ins JSON: `.mvan-signins.json` (scripts scratch dir, 14-day window)
- Related: Syncro ticket #32554 — https://computerguru.syncromsp.com/tickets/113827636

View File

@@ -94,3 +94,44 @@ cause, and the awaiting-client questions. Bot alert posted to #bot-alerts.
- Discord thread: 1526651647214882956 (#tech-department, Arizona Computer Guru)
- Wiki: `wiki/clients/mvan-enterprises.md` (GPS client, Syncro cid 29462761)
- Vault: `clients/mvan-inc/m365.sops.yaml`, `msp-tools/syncro-winter`
## Update: 15:28 AZ — RMM restore, risky sign-in check, MFA remediation (requested by Mike)
Follow-on work in the same Discord thread, requested by **Mike Swanson** (@azcomputerguru).
### RMM / ScreenConnect
- MVAN RMM footprint: 1 agent — "June" (92f583bc-1095-400c-8cd3-2e15a881ab3d), offline since
2026-07-12 05:05 UTC despite the machine being in active use.
- ScreenConnect session JUNE (0737c201-61a0-4f07-b7b8-68dcc5796cad) was online (June Bradford
logged in, Win 11 Pro). CP1 tag has a typo: "MVAN Enterprised" (fix pending).
- Reinstalled GuruRMM agent via SC send-command using site installer one-liner
(site Main, code LOWER-FORGE-6736). Agent checked back in at 18:28 UTC (11:28 AZ). Verified online.
### Risky sign-in check (remediation-tool, tenant 5affaf1e-de89-416b-a655-1b2cf615d5b1)
- **No compromise**: 0 active risk detections, 0 successful anomalous sign-ins (14-day window,
126 events). Legit sign-ins from Boise ID (June/Mitch), OKC (Jason).
- **Active distributed credential attack**: mitch.v@mvaninc.com — 72 fails / 73 unique IPs /
6 countries (US CA DE IT RO NL), err 50053/50126, ongoing. m.vandeveer@modernstile.com —
14 fails (JP NL NP), account had NO MFA.
- MFA gaps found: m.vandeveer@modernstile.com, j.bradford@modernstile.com, kyeri.b@mvaninc.com,
invoicing@mvaninc.com.
- Full report: `clients/mvan-inc/reports/2026-07-14-risky-signin-check.md`
### Remediation (approved by Mike in-thread)
- Internal comment with findings posted to Syncro #32554 (comment 423730614) + bot alert.
- **Disabled** m.vandeveer@modernstile.com and j.bradford@modernstile.com (never a successful
sign-in, unlicensed, no MFA) — PATCH accountEnabled=false via user-manager tier, verified
after ~20s replication lag (204 + immediate read-back showed stale true; re-read confirmed).
- Consent audit was AMBER (tenant-admin missing Policy.Read.All → 403 on CA endpoints).
Mike re-consented interactively; refreshed token shows full manifest.
- Created CA policy "ACG - Require MFA for all users (report-only)"
(f69d7b41-bf13-4631-b1cd-ccf449ef06b9), enabledForReportingButNotEnforced, all users/apps,
MFA grant, break-glass sysadmin@mvaninc.com excluded. Security defaults off; only the 2
Microsoft-managed policies pre-existed.
### Pending
- MVAN answers for ticket #32554 (affected users, mail client, browser vs desktop view change).
- kyeri.b (active) + invoicing (dormant since 2025-09) MFA enrollment or disable decision.
- Review report-only CA impact after a few days; explicit go before flipping to enabled.
- SC CP1 typo fix ("MVAN Enterprised" -> "MVAN Enterprises").
- Exchange Operator consent still AMBER (Mail.ReadWrite) — verify on next EXO task.