diff --git a/session-logs/2026-03-05-session.md b/session-logs/2026-03-05-session.md new file mode 100644 index 0000000..92eba4c --- /dev/null +++ b/session-logs/2026-03-05-session.md 
@@ -0,0 +1,134 @@ +# Session Log - 2026-03-05 + +## Summary +Two major workstreams: Valley Wide Plastering BEC incident response and Bardach contacts cleanup continuation. + +--- + +## 1. Valley Wide Plastering - BEC Incident Response + +**Client:** Valley Wide Plastering (valleywideplastering.com) +**Tenant ID:** 5c53ae9f-7071-4248-b834-8685b646450f +**Reported Issue:** JR Guerrero (j-r@valleywideplastering.com) receiving reports he's sending malicious emails + +### Investigation Findings +- **Two malicious inbox rules** found: ".." (triggers on "box.com") and "." (catch-all) - both move to Archive, mark read, stop processing +- **Box.com phishing campaign**: Attacker shared malicious file "Valley Wide Plastering, INC......pdf" (Box file ID 2155046839008) via JR's identity to ~175 contacts +- **Attacker MFA device**: iPhone 12 Pro Max registered (JR has iPhone 16 Pro Max) +- **Attacker IPs**: 23.234.100.200 (Chicago, 30x), 23.234.100.73 (Chicago, 9x), 23.234.101.73 (Brooklyn, 5x) +- **447 messages** hidden in Archive by attacker rules + +### Remediation Actions +- [x] Deleted both malicious inbox rules +- [x] Removed attacker MFA device (iPhone 12 Pro Max) +- [x] Moved 447 Archive messages back to Inbox +- [x] Password reset + force change (done by sysadmin) +- [x] All sign-in sessions revoked +- [x] Created Conditional Access policy "Block Sign-ins Outside US" (enforced) + - Policy ID: db34605c-c778-4b37-bf25-9a3a7cdbee0c + - Named location: "Allowed Countries - US Only" (14ea32d1-dd6f-4fb1-83f7-d6f840df82fa) + - Excludes: sysadmin@ (break-glass) + +### billing@ Investigation +- Attacker IPs appeared in sign-in logs but mailbox NOT compromised +- Inbox rules all legitimate, no malicious sent mail +- Password reset manually (API returned 403) +- Sessions revoked + +### Phishing Victim Notification +- Extracted 133 unique victim email addresses from Exchange (125 external + 8 VWP internal) +- Sent notification email from JR's account (all victims in BCC) warning 
about malicious Box.com file +- HTTP 202 - delivered successfully + +### Outstanding +- [ ] Box.com file takedown (file ID 2155046839008) +- [ ] Confirm JR's MFA phone (+1 480-797-6102) is his +- [ ] Confirm billing's MFA phone (+1 619-244-8933) and Samsung S24 +- [ ] Monitor for attacker IP recurrence (30 days) +- [ ] Review other VWP accounts - investigation flagged 11 of 33 with foreign sign-ins +- [ ] Consider universal MFA enforcement + +### Files Created +- `temp/vwp_bec_jr.py` - JR investigation script +- `temp/vwp_bec_billing.py` - Billing investigation + remediation +- `temp/vwp_bec_investigation.py` - Full tenant investigation +- `temp/vwp_bec_results.json` - Raw investigation results +- `temp/vwp_extract_victim_emails.py` - Box notification parsing +- `temp/vwp_exchange_trace.py` - Exchange sent items search +- `temp/vwp_exchange_recipients.json` - Victim email addresses +- `temp/vwp_send_notification.py` - Notification email script +- `temp/vwp_bec_incident_notes.md` - Internal tracking notes + +--- + +## 2. Bardach Contacts Cleanup (Continuation from 2026-03-03) + +**Client:** Barbara Bardach (bardach.net) +**Tenant ID:** dd4a82e8-85a3-44ac-8800-07945ab4d95f +**User:** barbara@bardach.net + +### Work Done Today + +#### Internal Duplicate Cleanup +- Found 18 duplicate pairs in Main Contacts folder +- 3 required merging before delete (Akala Jacobson - email, Annette Rivas - email, Barbara Bardach - phone) +- 15 straight deletes (no unique data on duplicate) +- All 18 resolved, 0 errors + +#### Reviewed Remaining Items +- 28 "duplicate notes" groups - analyzed and determined most are coincidental (spouse names like "Tom", "Rick" shared across unrelated contacts). Actual duplicate contacts already handled by dedup. +- 111 "promotable" phone numbers in notes - decided to skip. Numbers in notes may belong to spouse/partner/colleague, not the contact themselves. Can't safely auto-promote. +- 8 promotable emails - skipped for same reason. 
+ +#### Email-to-Contact Gap Analysis (NEW) +- Scanned 12 months of email: 4,286 sent + 52,834 inbox messages +- Found 1,970 unique email addresses in mail +- 412 already in contacts +- 1,388 missing from contacts +- Filtered to 315 two-way correspondents (sent_count > 0) +- Further filtered to 32 real people with >= 4 message exchanges + +#### Auto-Created Missing Contacts +- Created 32 new contacts from frequent email correspondents +- 19 of 32 had phone numbers extracted from email signatures +- Phone label mapping: Cell->mobilePhone, Office/Direct->businessPhones +- Fax numbers and Barbara's own number correctly filtered out +- Name parsing handled "Last, First" format and title suffixes + +#### Client Summary Email +- Created `temp/bardach_contacts_summary_email.md` - plain language summary for Barbara explaining all changes + +### Final Contact Count: ~6,086 + +### Files Created +- `temp/bardach_main_dupes.py` - Duplicate analysis script +- `temp/bardach_main_dupes_analysis.json` - Duplicate analysis results +- `temp/bardach_main_dupes_fix.py` - Merge and delete script +- `temp/bardach_email_contacts_scan.py` - Email-to-contact gap scan +- `temp/bardach_missing_contacts.json` - Full missing contacts list +- `temp/bardach_missing_real_contacts.py` - Two-way correspondent filter + phone extraction +- `temp/bardach_missing_real_contacts.json` - Filtered results with phones +- `temp/bardach_create_missing_contacts.py` - Contact creation script +- `temp/bardach_contacts_summary_email.md` - Client-facing summary + +--- + +## Credentials Used + +### VWP (Valley Wide Plastering) +- Tenant: 5c53ae9f-7071-4248-b834-8685b646450f +- App: fabb3421-8b34-484b-bc17-e46de9703418 (Claude-MSP-Access) +- Secret: ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO +- JR ID: 0af923d0-48c5-4cc1-8553-c60625802815 +- Billing ID: 4f708b80-e537-4f63-92d3-5feedfa28244 + +### Bardach +- Tenant: dd4a82e8-85a3-44ac-8800-07945ab4d95f +- App: fabb3421-8b34-484b-bc17-e46de9703418 (Claude-MSP-Access) +- 
Secret: ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO +- User: barbara@bardach.net + +--- + +**Machine:** ACG-M-L5090 +**Duration:** ~4 hours
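Review bot: the `## Credentials Used` section at the end of this hunk commits a plaintext client secret (`Secret: ~QJ8Q~NyQSs4OcGqHZyPrA2CVnq9KBfKiimntbMO`, listed twice, for app `fabb3421-8b34-484b-bc17-e46de9703418` / Claude-MSP-Access) into the repository; that must not land. Remove the two `Secret:` lines, treat the secret as exposed and rotate it on the app registration (it grants access to both the VWP and Bardach tenants), and have the `temp/*.py` scripts read it from an environment variable or secret store rather than the log. Because the value is already in the blob at index `92eba4c`, a follow-up commit that deletes the line does not remove it from history; the branch should be rewritten before merge. The same section and the `### Outstanding` list also carry personal data that does not belong in a shared session log, namely the two MFA phone numbers (`+1 480-797-6102`, `+1 619-244-8933`) and the victim and user object IDs; keep those in the internal tracking notes the hunk already references (`temp/vwp_bec_incident_notes.md`) and redact them here.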