sync: auto-sync from GURU-BEAST-ROG at 2026-07-14 15:28:42
Author: Mike Swanson Machine: GURU-BEAST-ROG Timestamp: 2026-07-14 15:28:42
This commit is contained in:
committed by
ClaudeTools Bot
parent
088ffb7645
commit
a9a17f426f
83
clients/mvan-inc/reports/2026-07-14-risky-signin-check.md
Normal file
83
clients/mvan-inc/reports/2026-07-14-risky-signin-check.md
Normal file
@@ -0,0 +1,83 @@
|
|||||||
|
# MVAN Enterprises — Risky Sign-in Check — 2026-07-14
|
||||||
|
|
||||||
|
Tenant: mvan.onmicrosoft.com (5affaf1e-de89-416b-a655-1b2cf615d5b1), domain mvaninc.com
|
||||||
|
Requested by: Mike (Discord thread 1526651647214882956), context: ticket #32554 (mailbox
|
||||||
|
re-sync symptoms) — ruling out account compromise.
|
||||||
|
Tier used: investigator (read-only, cert auth). Window: sign-ins 2026-06-30 → 2026-07-14 (126 events).
|
||||||
|
|
||||||
|
## Verdict
|
||||||
|
|
||||||
|
**No evidence of compromise.** Zero successful anomalous/foreign sign-ins in the window.
|
||||||
|
All successful sign-ins are consistent US locations (Boise ID home ISP prefix 2605:59ca for
|
||||||
|
June/Mitch; Jason from Oklahoma City; tocurtis@cox.net from Ashburn VA). Identity Protection:
|
||||||
|
0 active risk detections.
|
||||||
|
|
||||||
|
**BUT: mitch.v@mvaninc.com is under an active, ongoing distributed credential attack.**
|
||||||
|
|
||||||
|
## Findings
|
||||||
|
|
||||||
|
### 1. Credential-stuffing / password-spray against Mitch (ongoing)
|
||||||
|
- mitch.v@mvaninc.com: 77 sign-in events, **72 failures from 73 unique IPs** across US, CA,
|
||||||
|
DE, IT, RO, NL. Errors: 50053 (sign-in blocked / smart lockout) and 50126 (bad password).
|
||||||
|
Attempts continuing through today (last 2026-07-14 11:57 UTC).
|
||||||
|
- m.vandeveer@modernstile.com (Mitch's second account, same tenant): 14 attempts, all failed,
|
||||||
|
from JP, NL, NP — latest 2026-07-14 18:57 UTC.
|
||||||
|
- Every attack attempt FAILED. Mitch's real sign-ins (Boise) succeeded normally.
|
||||||
|
- Mitch's password was already reset 2026-05-18 (riskState remediated,
|
||||||
|
userPerformedSecuredPasswordReset).
|
||||||
|
|
||||||
|
### 2. MFA posture
|
||||||
|
| Account | MFA registered |
|
||||||
|
|---|---|
|
||||||
|
| mitch.v@mvaninc.com | YES (Hello, Authenticator push, OTP, phone, email) |
|
||||||
|
| june.b@mvaninc.com | YES |
|
||||||
|
| jason.r@mvaninc.com | YES |
|
||||||
|
| sienna.v@mvaninc.com | YES |
|
||||||
|
| sysadmin@mvaninc.com | YES |
|
||||||
|
| **m.vandeveer@modernstile.com** | **NO — and actively targeted** |
|
||||||
|
| **kyeri.b@mvaninc.com** | **NO** |
|
||||||
|
| **invoicing@mvaninc.com** | **NO** |
|
||||||
|
| **j.bradford@modernstile.com** | **NO** |
|
||||||
|
|
||||||
|
### 3. Stale risky-user record
|
||||||
|
- j.bradford@modernstile.com: riskLevel medium / atRisk — last updated 2020-12-25 (stale,
|
||||||
|
pre-dates current management; candidate for dismissal after MFA is fixed).
|
||||||
|
|
||||||
|
## Recommendations
|
||||||
|
1. Register/enforce MFA on the 4 uncovered accounts — priority m.vandeveer@modernstile.com
|
||||||
|
(actively targeted, no MFA). If modernstile accounts are unused, disable them.
|
||||||
|
2. Consider CA policy blocking legacy auth / requiring MFA tenant-wide (report-only first,
|
||||||
|
break-glass excluded).
|
||||||
|
3. The attack is being absorbed by smart lockout + MFA; repeated 50053 lockouts can
|
||||||
|
occasionally cause auth prompts / sync stalls on Mitch's Outlook — possibly related to
|
||||||
|
the ticket #32554 symptoms on his machine, worth noting during troubleshooting.
|
||||||
|
4. Dismiss the stale 2020 risky-user record once MFA is addressed.
|
||||||
|
|
||||||
|
## Remediation performed (2026-07-14, approved by Mike via Discord)
|
||||||
|
|
||||||
|
- **Disabled** `m.vandeveer@modernstile.com` (never a successful sign-in, unlicensed, no MFA,
|
||||||
|
actively targeted) — PATCH accountEnabled=false, verified.
|
||||||
|
- **Disabled** `j.bradford@modernstile.com` (never a successful sign-in, unlicensed, no MFA) —
|
||||||
|
verified. This also moots the stale 2020 risky-user record on this account.
|
||||||
|
- Findings posted to Syncro #32554 as internal comment (id 423730614).
|
||||||
|
- Account status detail: kyeri.b@mvaninc.com ACTIVE (successful sign-in 2026-07-14 05:10 UTC,
|
||||||
|
licensed) — needs MFA enrollment. invoicing@mvaninc.com dormant since 2025-09-24 (licensed) —
|
||||||
|
disable-or-MFA decision pending.
|
||||||
|
|
||||||
|
## Consent refresh + CA policy (2026-07-14, later same day)
|
||||||
|
|
||||||
|
- Mike re-consented the Tenant Admin app interactively — token now carries the full manifest
|
||||||
|
(Policy.Read.All, Sites.FullControl.All, Intune scopes, etc.). Consent-audit AMBER resolved
|
||||||
|
for tenant-admin. (Exchange Operator re-consent URL was also provided; verify on next EXO task.)
|
||||||
|
- Created CA policy **"ACG - Require MFA for all users (report-only)"**
|
||||||
|
(id `f69d7b41-bf13-4631-b1cd-ccf449ef06b9`), state `enabledForReportingButNotEnforced`,
|
||||||
|
all users / all apps, grant = MFA, exclude break-glass `sysadmin@mvaninc.com`
|
||||||
|
(547852a1-4ced-4e36-abe5-52779a53b4b1). Security defaults confirmed off. Pre-existing
|
||||||
|
policies: only the 2 Microsoft-managed ones (device-code block, risky-sign-in MFA).
|
||||||
|
- NEXT: review report-only impact in Entra sign-in logs after a few days of traffic; get
|
||||||
|
explicit confirmation before flipping to `enabled`. kyeri.b and invoicing must enroll MFA
|
||||||
|
before enforcement or they will be blocked.
|
||||||
|
|
||||||
|
## Artifacts
|
||||||
|
- Raw sign-ins JSON: `.mvan-signins.json` (scripts scratch dir, 14-day window)
|
||||||
|
- Related: Syncro ticket #32554 — https://computerguru.syncromsp.com/tickets/113827636
|
||||||
@@ -94,3 +94,44 @@ cause, and the awaiting-client questions. Bot alert posted to #bot-alerts.
|
|||||||
- Discord thread: 1526651647214882956 (#tech-department, Arizona Computer Guru)
|
- Discord thread: 1526651647214882956 (#tech-department, Arizona Computer Guru)
|
||||||
- Wiki: `wiki/clients/mvan-enterprises.md` (GPS client, Syncro cid 29462761)
|
- Wiki: `wiki/clients/mvan-enterprises.md` (GPS client, Syncro cid 29462761)
|
||||||
- Vault: `clients/mvan-inc/m365.sops.yaml`, `msp-tools/syncro-winter`
|
- Vault: `clients/mvan-inc/m365.sops.yaml`, `msp-tools/syncro-winter`
|
||||||
|
|
||||||
|
## Update: 15:28 AZ — RMM restore, risky sign-in check, MFA remediation (requested by Mike)
|
||||||
|
|
||||||
|
Follow-on work in the same Discord thread, requested by **Mike Swanson** (@azcomputerguru).
|
||||||
|
|
||||||
|
### RMM / ScreenConnect
|
||||||
|
- MVAN RMM footprint: 1 agent — "June" (92f583bc-1095-400c-8cd3-2e15a881ab3d), offline since
|
||||||
|
2026-07-12 05:05 UTC despite the machine being in active use.
|
||||||
|
- ScreenConnect session JUNE (0737c201-61a0-4f07-b7b8-68dcc5796cad) was online (June Bradford
|
||||||
|
logged in, Win 11 Pro). CP1 tag has a typo: "MVAN Enterprised" (fix pending).
|
||||||
|
- Reinstalled GuruRMM agent via SC send-command using site installer one-liner
|
||||||
|
(site Main, code LOWER-FORGE-6736). Agent checked back in at 18:28 UTC (11:28 AZ). Verified online.
|
||||||
|
|
||||||
|
### Risky sign-in check (remediation-tool, tenant 5affaf1e-de89-416b-a655-1b2cf615d5b1)
|
||||||
|
- **No compromise**: 0 active risk detections, 0 successful anomalous sign-ins (14-day window,
|
||||||
|
126 events). Legit sign-ins from Boise ID (June/Mitch), OKC (Jason).
|
||||||
|
- **Active distributed credential attack**: mitch.v@mvaninc.com — 72 fails / 73 unique IPs /
|
||||||
|
6 countries (US CA DE IT RO NL), err 50053/50126, ongoing. m.vandeveer@modernstile.com —
|
||||||
|
14 fails (JP NL NP), account had NO MFA.
|
||||||
|
- MFA gaps found: m.vandeveer@modernstile.com, j.bradford@modernstile.com, kyeri.b@mvaninc.com,
|
||||||
|
invoicing@mvaninc.com.
|
||||||
|
- Full report: `clients/mvan-inc/reports/2026-07-14-risky-signin-check.md`
|
||||||
|
|
||||||
|
### Remediation (approved by Mike in-thread)
|
||||||
|
- Internal comment with findings posted to Syncro #32554 (comment 423730614) + bot alert.
|
||||||
|
- **Disabled** m.vandeveer@modernstile.com and j.bradford@modernstile.com (never a successful
|
||||||
|
sign-in, unlicensed, no MFA) — PATCH accountEnabled=false via user-manager tier, verified
|
||||||
|
after ~20s replication lag (204 + immediate read-back showed stale true; re-read confirmed).
|
||||||
|
- Consent audit was AMBER (tenant-admin missing Policy.Read.All → 403 on CA endpoints).
|
||||||
|
Mike re-consented interactively; refreshed token shows full manifest.
|
||||||
|
- Created CA policy "ACG - Require MFA for all users (report-only)"
|
||||||
|
(f69d7b41-bf13-4631-b1cd-ccf449ef06b9), enabledForReportingButNotEnforced, all users/apps,
|
||||||
|
MFA grant, break-glass sysadmin@mvaninc.com excluded. Security defaults off; only the 2
|
||||||
|
Microsoft-managed policies pre-existed.
|
||||||
|
|
||||||
|
### Pending
|
||||||
|
- MVAN answers for ticket #32554 (affected users, mail client, browser vs desktop view change).
|
||||||
|
- kyeri.b (active) + invoicing (dormant since 2025-09) MFA enrollment or disable decision.
|
||||||
|
- Review report-only CA impact after a few days; explicit go before flipping to enabled.
|
||||||
|
- SC CP1 typo fix ("MVAN Enterprised" -> "MVAN Enterprises").
|
||||||
|
- Exchange Operator consent still AMBER (Mail.ReadWrite) — verify on next EXO task.
|
||||||
|
|||||||
Reference in New Issue
Block a user