diff --git a/clients/mvan-inc/reports/2026-07-14-risky-signin-check.md b/clients/mvan-inc/reports/2026-07-14-risky-signin-check.md new file mode 100644 index 00000000..f5481b25 --- /dev/null +++ b/clients/mvan-inc/reports/2026-07-14-risky-signin-check.md @@ -0,0 +1,83 @@ +# MVAN Enterprises — Risky Sign-in Check — 2026-07-14 + +Tenant: mvan.onmicrosoft.com (5affaf1e-de89-416b-a655-1b2cf615d5b1), domain mvaninc.com +Requested by: Mike (Discord thread 1526651647214882956), context: ticket #32554 (mailbox +re-sync symptoms) — ruling out account compromise. +Tier used: investigator (read-only, cert auth). Window: sign-ins 2026-06-30 → 2026-07-14 (126 events). + +## Verdict + +**No evidence of compromise.** Zero successful anomalous/foreign sign-ins in the window. +All successful sign-ins are consistent US locations (Boise ID home ISP prefix 2605:59ca for +June/Mitch; Jason from Oklahoma City; tocurtis@cox.net from Ashburn VA). Identity Protection: +0 active risk detections. + +**BUT: mitch.v@mvaninc.com is under an active, ongoing distributed credential attack.** + +## Findings + +### 1. Credential-stuffing / password-spray against Mitch (ongoing) +- mitch.v@mvaninc.com: 77 sign-in events, **72 failures from 73 unique IPs** across US, CA, + DE, IT, RO, NL. Errors: 50053 (sign-in blocked / smart lockout) and 50126 (bad password). + Attempts continuing through today (last 2026-07-14 11:57 UTC). +- m.vandeveer@modernstile.com (Mitch's second account, same tenant): 14 attempts, all failed, + from JP, NL, NP — latest 2026-07-14 18:57 UTC. +- Every attack attempt FAILED. Mitch's real sign-ins (Boise) succeeded normally. +- Mitch's password was already reset 2026-05-18 (riskState remediated, + userPerformedSecuredPasswordReset). + +### 2. MFA posture +| Account | MFA registered | +|---|---| +| mitch.v@mvaninc.com | YES (Hello, Authenticator push, OTP, phone, email) | +| june.b@mvaninc.com | YES | +| jason.r@mvaninc.com | YES | +| sienna.v@mvaninc.com | YES | +| sysadmin@mvaninc.com | YES | +| **m.vandeveer@modernstile.com** | **NO — and actively targeted** | +| **kyeri.b@mvaninc.com** | **NO** | +| **invoicing@mvaninc.com** | **NO** | +| **j.bradford@modernstile.com** | **NO** | + +### 3. Stale risky-user record +- j.bradford@modernstile.com: riskLevel medium / atRisk — last updated 2020-12-25 (stale, + pre-dates current management; candidate for dismissal after MFA is fixed). + +## Recommendations +1. Register/enforce MFA on the 4 uncovered accounts — priority m.vandeveer@modernstile.com + (actively targeted, no MFA). If modernstile accounts are unused, disable them. +2. Consider CA policy blocking legacy auth / requiring MFA tenant-wide (report-only first, + break-glass excluded). +3. The attack is being absorbed by smart lockout + MFA; repeated 50053 lockouts can + occasionally cause auth prompts / sync stalls on Mitch's Outlook — possibly related to + the ticket #32554 symptoms on his machine, worth noting during troubleshooting. +4. Dismiss the stale 2020 risky-user record once MFA is addressed. + +## Remediation performed (2026-07-14, approved by Mike via Discord) + +- **Disabled** `m.vandeveer@modernstile.com` (never a successful sign-in, unlicensed, no MFA, + actively targeted) — PATCH accountEnabled=false, verified. +- **Disabled** `j.bradford@modernstile.com` (never a successful sign-in, unlicensed, no MFA) — + verified. This also moots the stale 2020 risky-user record on this account. +- Findings posted to Syncro #32554 as internal comment (id 423730614). +- Account status detail: kyeri.b@mvaninc.com ACTIVE (successful sign-in 2026-07-14 05:10 UTC, + licensed) — needs MFA enrollment. invoicing@mvaninc.com dormant since 2025-09-24 (licensed) — + disable-or-MFA decision pending. + +## Consent refresh + CA policy (2026-07-14, later same day) + +- Mike re-consented the Tenant Admin app interactively — token now carries the full manifest + (Policy.Read.All, Sites.FullControl.All, Intune scopes, etc.). Consent-audit AMBER resolved + for tenant-admin. (Exchange Operator re-consent URL was also provided; verify on next EXO task.) +- Created CA policy **"ACG - Require MFA for all users (report-only)"** + (id `f69d7b41-bf13-4631-b1cd-ccf449ef06b9`), state `enabledForReportingButNotEnforced`, + all users / all apps, grant = MFA, exclude break-glass `sysadmin@mvaninc.com` + (547852a1-4ced-4e36-abe5-52779a53b4b1). Security defaults confirmed off. Pre-existing + policies: only the 2 Microsoft-managed ones (device-code block, risky-sign-in MFA). +- NEXT: review report-only impact in Entra sign-in logs after a few days of traffic; get + explicit confirmation before flipping to `enabled`. kyeri.b and invoicing must enroll MFA + before enforcement or they will be blocked. + +## Artifacts +- Raw sign-ins JSON: `.mvan-signins.json` (scripts scratch dir, 14-day window) +- Related: Syncro ticket #32554 — https://computerguru.syncromsp.com/tickets/113827636 diff --git a/clients/mvan-inc/session-logs/2026-07/2026-07-14-winter-mvan-email-issues-ticket.md b/clients/mvan-inc/session-logs/2026-07/2026-07-14-winter-mvan-email-issues-ticket.md index 408d7304..79ce6b56 100644 --- a/clients/mvan-inc/session-logs/2026-07/2026-07-14-winter-mvan-email-issues-ticket.md +++ b/clients/mvan-inc/session-logs/2026-07/2026-07-14-winter-mvan-email-issues-ticket.md @@ -94,3 +94,44 @@ cause, and the awaiting-client questions. Bot alert posted to #bot-alerts. - Discord thread: 1526651647214882956 (#tech-department, Arizona Computer Guru) - Wiki: `wiki/clients/mvan-enterprises.md` (GPS client, Syncro cid 29462761) - Vault: `clients/mvan-inc/m365.sops.yaml`, `msp-tools/syncro-winter` + +## Update: 15:28 AZ — RMM restore, risky sign-in check, MFA remediation (requested by Mike) + +Follow-on work in the same Discord thread, requested by **Mike Swanson** (@azcomputerguru). + +### RMM / ScreenConnect +- MVAN RMM footprint: 1 agent — "June" (92f583bc-1095-400c-8cd3-2e15a881ab3d), offline since + 2026-07-12 05:05 UTC despite the machine being in active use. +- ScreenConnect session JUNE (0737c201-61a0-4f07-b7b8-68dcc5796cad) was online (June Bradford + logged in, Win 11 Pro). CP1 tag has a typo: "MVAN Enterprised" (fix pending). +- Reinstalled GuruRMM agent via SC send-command using site installer one-liner + (site Main, code LOWER-FORGE-6736). Agent checked back in at 18:28 UTC (11:28 AZ). Verified online. + +### Risky sign-in check (remediation-tool, tenant 5affaf1e-de89-416b-a655-1b2cf615d5b1) +- **No compromise**: 0 active risk detections, 0 successful anomalous sign-ins (14-day window, + 126 events). Legit sign-ins from Boise ID (June/Mitch), OKC (Jason). +- **Active distributed credential attack**: mitch.v@mvaninc.com — 72 fails / 73 unique IPs / + 6 countries (US CA DE IT RO NL), err 50053/50126, ongoing. m.vandeveer@modernstile.com — + 14 fails (JP NL NP), account had NO MFA. +- MFA gaps found: m.vandeveer@modernstile.com, j.bradford@modernstile.com, kyeri.b@mvaninc.com, + invoicing@mvaninc.com. +- Full report: `clients/mvan-inc/reports/2026-07-14-risky-signin-check.md` + +### Remediation (approved by Mike in-thread) +- Internal comment with findings posted to Syncro #32554 (comment 423730614) + bot alert. +- **Disabled** m.vandeveer@modernstile.com and j.bradford@modernstile.com (never a successful + sign-in, unlicensed, no MFA) — PATCH accountEnabled=false via user-manager tier, verified + after ~20s replication lag (204 + immediate read-back showed stale true; re-read confirmed). +- Consent audit was AMBER (tenant-admin missing Policy.Read.All → 403 on CA endpoints). + Mike re-consented interactively; refreshed token shows full manifest. +- Created CA policy "ACG - Require MFA for all users (report-only)" + (f69d7b41-bf13-4631-b1cd-ccf449ef06b9), enabledForReportingButNotEnforced, all users/apps, + MFA grant, break-glass sysadmin@mvaninc.com excluded. Security defaults off; only the 2 + Microsoft-managed policies pre-existed. + +### Pending +- MVAN answers for ticket #32554 (affected users, mail client, browser vs desktop view change). +- kyeri.b (active) + invoicing (dormant since 2025-09) MFA enrollment or disable decision. +- Review report-only CA impact after a few days; explicit go before flipping to enabled. +- SC CP1 typo fix ("MVAN Enterprised" -> "MVAN Enterprises"). +- Exchange Operator consent still AMBER (Mail.ReadWrite) — verify on next EXO task.