diff --git a/clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md b/clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md index 548e16f..dbd439e 100644 --- a/clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md +++ b/clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md 
@@ -124,3 +124,61 @@ GET /servicePrincipals?$filter=appId eq 'c5df10ae-2aa7-4283-86ef-1884c267a9ac' - **Lori old Authenticator to remove:** `da5454c7-eaa8-4b67-9cb8-61ed1486d012` (SM-G975U) - **Alexis OATH token to review:** `7d1425ca-27d0-444d-9c36-6b3780c77059` - **Scott phone MFA:** +1 5202884444 (only MFA method) + +--- + +## Update: 18:56 PT — Ken BEC Incident Investigation + +### Summary + +Mike pointed to Syncro ticket #32393 ("Ken Schagel shared a file with you"), which was the incident that triggered the full sweep earlier in this session. Investigated the scope and timeline of Ken's compromise via the remediation tool. + +**Confirmed: Ken's account was actively used to send a phishing blast.** Around 21:23-21:26 UTC on 2026-06-08 (2:23 PM Arizona time), the attacker used Ken's M365 account to send a fake SharePoint "shared document" email to approximately 70+ external contacts from Ken's email history. The phishing link was `flowinnactuators.com/work.html` (credential harvesting page). Microsoft's anti-abuse system detected the bulk send and automatically restricted Ken's sending ability — confirmed by an `Office365Alerts@microsoft.com` "High-severity alert: User restricted from sending email" message in Ken's deleted items. 
+ +**Mike's incident response (already completed):** +- Ken's account was sign-in blocked immediately +- Password reset to temp `B/947405806521av` (force change on login) +- Account re-enabled approximately 20 minutes later after verification +- Wrex Watson's password was also reset (sessions revoked, temp `Kittle@1426Wrx!47E742`) as a precaution — a password reset on Wrex's account occurred just before the Ken incident and could not be attributed at the time + +**Current state of both accounts:** +- Ken: accountEnabled=true, one clean Authenticator (iPhone 12 Pro Max), no inbox rules, no SMTP forwarding, no per-user OAuth grants +- Wrex: accountEnabled=true, clean Authenticator (iPhone 14) + phone MFA, no inbox rules, no SMTP forwarding, no per-user OAuth grants + +**Audit log unavailable** — directory audit log returned empty (no Entra P1 = minimal retention). Could not determine via API who initiated Wrex's pre-incident password reset. Recommendation: ask Wrex directly. + +**Ken's deleted items:** ~2,699 items, 2,213 unread — primarily NDRs (bounce-backs) and auto-replies from the phishing blast recipients. Sent items show 6,284 items with legitimate construction business emails. The phishing blast sent items were presumably deleted by the attacker to cover tracks. + +**April connection — IMAP consent:** The IMAP legacy auth consent (9b504397) revoked in April was granted by Ken's own account (`5fc37e1a`). This indicates the attacker had Ken's credentials as far back as April and used them to consent an IMAP client to his mailbox. Revoking that consent was done, but without a password reset on Ken's account in April, the attacker retained direct login access. + +**April classification gap:** The April breach report classified Ken's "Admin" inbox rule (filtering Capital One, Bill.com, @flystucson.com) as `[INFO]` rather than `[WARNING]`. The report noted it "could also be legitimate email organization" and prescribed "confirm with Ken." 
Ken presumably confirmed he recognized the rule. In hindsight: a rule filtering two specific financial platforms plus a third-party domain in the same rule body should have been `[WARNING]` regardless of the "could be legitimate" caveat, particularly combined with the IMAP consent from his account. The workflow gap: "confirm with the user" is a weak verification step when the account being checked may already be compromised and the attacker has visibility into incoming email. + +**Remediation tool classification note:** Both signals in April (financial-hiding inbox rule + IMAP consent from same user object ID `5fc37e1a`) should together trigger automatic escalation to `[WARNING]`. Flagged for checklist update. + +### Phishing Blast Recipients (partial — from NDR envelope) + +Confirmed external contacts who received the phishing email (from the large NDR in Ken's deleted items): +Herc Rentals (jacob.henderson, jamie.blasko), Stonhard (ttennant), Saint-Gobain (lauren.watlington, jennifer.diringer), Sellers & Sons (mike), Chasse (conf-room), Sun Valley Supply, Old Tucson (kblondeaux), Aaron Crandell Glass, PH Mechanical (jeff, johnh), Anthony DeCesaris/Smith Detection, Central Insurance (cbush), UPS, Lloyd Construction (sean), Safety Management Group (shanejardine), CFSD16 (accountspayable), Armitek (joe), Stair Parts (fwtsmtp), Pima Community College (vlewis, cebunoha), Pima Air & Space Museum (smarchand), Barker One (sharker), Flooring Systems (gabriel), Cordia Energy (jim.regelbrugge, joel.wagner, mike.buter), MOCA Tucson (dominic), Poster Frost Mirto (jmirto), Brand Crowd, GM Marketing, Global Industrial (hkudumula), Walker Consultants, Bulletproof (kris), IntraAnalytics (lily.evelyn), Climatec (ssanchez), CIS Phoenix (gesquibel2), Six Axis LLC (tmikulec), Vortex Doors (sandrag), BMO Harris fraud center, Plumb Plumbing (ssoneira), Roche (keri.overfield), Broadfence, Cushman & Wakefield (martin.stupka), eSubK, Facility Grid, Amazon (jelopezt, luballes), Netflix, 
Safety Sign, Sport Master, Crowd Control Warehouse, Crazy Horse Campgrounds AZ, APS, Hensel Phelps (qriley), NAU (jss627), Acousthetics, DH Pace (noel.blythe), Mechanical Systems Inc (apb, jab), Malibu Parts (steve), Clopay (dshrader, marketing), Fastenersplus, American Play Systems, eARC (rockfon), ePlus (osprocurement), Concord Inc, MH Consulting (mharding), Pueblo Mechanical (daniel.arellano, stevec), Achilles AC (kimberly, kayla), Progressive (bob.gardner), iCloud contacts (devinrose520, ernestina47), Amazon bounce, gopuff (ryan.hall), Squarespace form submission — and additional auto-reply senders (jackb@norconindustries, john.mccurry@global.inc). + +### Pending Items (carry-forward) + +| Priority | Item | Owner | +|---|---|---| +| P1 | Update ticket #32393 with full incident timeline and phishing scope | Mike (on PC) | +| P1 | Bill ticket #32393 for incident response time | Mike (on PC) | +| P1 | Notify Ken's external contacts — send "disregard that email" from Ken's account now that it is clean | Mike | +| P1 | Ask Kittle internally (Alexis, Lori, etc.) whether anyone clicked the link at flowinnactuators.com/work.html | Mike | +| P1 | Ask Wrex directly: did he reset his own password before the Ken incident? 
| Mike | +| P2 | Check Ken's Bill.com and Capital One accounts for unauthorized transactions — attacker had access since at least April | Mike/Ken | +| P2 | Remediation tool checklist update: financial-email-hiding inbox rule + IMAP consent from same user = auto-[WARNING] | Mike | +| P3 | Entra P1 quote for Kittle — incident demonstrated the cost of flying blind without sign-in logs | Mike | +| P3 | DKIM/DMARC setup for kittlearizona.com — no DMARC means the phishing could also have been spoofed to other recipients without account access | Mike | + +### Reference + +- Syncro ticket #32393 (ID: 112381882): https://computerguru.syncromsp.com/tickets/112381882 +- Phishing link: flowinnactuators.com/work.html (credential harvesting — do not visit) +- Ken's deleted items NDR timestamp: 2026-06-08 21:23-21:26 UTC +- Microsoft auto-restriction alert: "High-severity alert: User restricted from sending email" (Office365Alerts@microsoft.com → Ken@ + Lori@) +- IMAP consent from April (revoked): app 9b504397, granted by Ken user object 5fc37e1a +- Attacker access timeline: at minimum April 2026 through June 8 2026 (~6 weeks confirmed)
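Review bot: in the "Mike's incident response (already completed)" list, Ken's remediation records a sign-in block, a temp password reset and a re-enable about 20 minutes later, but unlike the Wrex line (`sessions revoked, temp ...`) it never states that Ken's existing sessions and refresh tokens were revoked; a sign-in block followed by a password reset does not by itself invalidate tokens already issued to the attacker's client, so either record the revocation here if it was performed or add it as a P1 item in the "Pending Items" table. Second, the two temporary passwords in the `Password reset to temp` and `Wrex Watson's password was also reset` lines are committed in plaintext to a session log that lives in git history; replace them with "temp password set, force change on login" and note whether the forced change has actually completed, since the "Current state of both accounts" block confirms only accountEnabled, MFA methods, rules and forwarding, not that the temps were rotated.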