From deecac745d938863f48df6d097a0a91137372d9e Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 24 Apr 2026 06:36:42 -0700 Subject: [PATCH] =?UTF-8?q?session=20log:=20kittle=20=E2=80=94=20M365=20br?= =?UTF-8?q?each=20check=20and=20remediation=202026-04-23?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- .../reports/2026-04-23-breach-check.md | 171 ++++++++++++++++++ .../session-logs/2026-04-24-session.md | 137 ++++++++++++++ 2 files changed, 308 insertions(+) create mode 100644 clients/kittle-design/reports/2026-04-23-breach-check.md create mode 100644 clients/kittle-design/session-logs/2026-04-24-session.md diff --git a/clients/kittle-design/reports/2026-04-23-breach-check.md b/clients/kittle-design/reports/2026-04-23-breach-check.md new file mode 100644 index 0000000..348a085 --- /dev/null +++ b/clients/kittle-design/reports/2026-04-23-breach-check.md 
@@ -0,0 +1,171 @@ +# Breach Check — Kittle Design & Construction +**Date:** 2026-04-23 +**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`) +**Analyst:** Mike Swanson +**Scope:** Tenant-wide compromised account sweep +**Tool:** ComputerGuru Security Investigator (read-only Graph + Exchange) + +--- + +## Limitations + +- **No Entra ID P1/P2 license** — sign-in logs, risky user detection, and Identity Protection not available +- **Exchange Admin role not yet assigned** to Security Investigator SP — SMTP forwarding and transport rules not checked +- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility + +--- + +## Summary + +| Severity | Finding | User | +|---|---|---| +| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com | +| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com | +| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com | +| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com | +| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com | +| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section | +| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide | + +--- + +## Findings Detail + +### [WARNING] alexis@kittlearizona.com — Hidden inbox rule + +**Rule name:** `.` (single dot) +**Status:** Enabled +**Action:** Move to folder (ID: AQMkAGJiAWNh...) +**Condition:** Sender contains `HOWMET.COM` + +A rule named `.` is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder. 
+ +**Questions to resolve:** +1. Does Kittle have a business relationship with Howmet Aerospace? +2. Does Alexis recognize this rule? +3. What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder) + +If Alexis did not create this rule, treat as confirmed compromise indicator and escalate to full breach check with password reset, session revocation, and MFA re-enrollment. + +--- + +### [WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations + +Two Microsoft Authenticator entries on the same device name: + +| Entry | Display Name | App Version | Created | +|---|---|---|---| +| 1 | iPhone 12 Pro Max | 6.8.41 | not available | +| 2 | iPhone 12 Pro Max | 6.8.40 | not available | + +Both tagged `SoftwareTokenActivated`. Identical device name with different app versions indicates either: +- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register) +- Suspicious: attacker registered their own Authenticator under the same device name + +**Action:** Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (version 6.8.40) immediately and force MFA re-enrollment. + +--- + +### [INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails + +**Rule name:** `Admin` +**Status:** Enabled +**Action:** Move to folder (ID: AQMkAGNiZTJj...) +**Condition:** Body or subject contains any of: +- `@flystucson.com` +- `capitalone` +- `capitaloneshopping.com` +- `@capitalone.com` +- `capital one ` +- `@inform.bill.com` +- `cwelsh@hq.bill.com` +- `bill.com` + +Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization. + +**Action:** Confirm with Ken: +1. Did he create this rule? +2. 
What folder does it route to, and has he seen the emails landing there? +3. Does Kittle use Bill.com and Capital One for business payments? + +If Ken did not create this rule, it is a confirmed compromise indicator. + +--- + +### [INFO] Lori@kittlearizona.com — Two Authenticator devices + +| Entry | Display Name | App Version | +|---|---|---| +| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 | +| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 | + +Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up. + +**Action:** Confirm which device is current with Lori. Remove the old registration. + +--- + +### [INFO] scott@kittlearizona.com — Phone-only MFA + +Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering). + +**Action:** Enroll Scott in Microsoft Authenticator. + +--- + +### [INFO] IMAP legacy auth consent + +App ID `9b504397-914d-4af2-b6d9-9081e80da54e` has a user-level delegated consent for: +``` +openid offline_access email profile IMAP.AccessAsUser.All +``` + +IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it. + +**Action:** Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant. + +--- + +### [INFO] Large-scope AllPrincipals OAuth consent + +App ID `c5df10ae-2aa7-4283-86ef-1884c267a9ac` has admin-consented (AllPrincipals) access including: +`Directory.ReadWrite.All`, `User.ReadWrite.All`, `RoleManagement.ReadWrite.Directory`, `Mail.Send`, `Policy.ReadWrite.*`, `SecurityEvents.ReadWrite.All`, and many others. + +This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). 
Verify this was intentionally granted by Kittle's admin. + +--- + +## Clean checks + +- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled) +- No B2B guest invites in 30 days +- No suspicious directory audits beyond today's Security Investigator consent (expected) +- 13 of 16 users have Authenticator MFA enrolled +- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment) + +--- + +## Recommended Actions + +| Priority | Action | Owner | +|---|---|---| +| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike | +| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike | +| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike | +| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike | +| P2 | Identify the IMAP app consent — which user, what client? | Mike | +| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike | +| P3 | Enroll Scott in Microsoft Authenticator | Mike | +| P3 | Verify `c5df10ae` AllPrincipals consent is intentional MSP tooling | Mike | + +--- + +## Escalation criteria + +If Alexis or Ken cannot explain their respective rules → treat as active compromise: +1. Force password reset +2. Revoke all sessions (`revokeSignInSessions`) +3. Remove suspicious Authenticator entry from Alexis +4. Delete the unrecognized inbox rule +5. Run full per-user breach check (sent items, deleted items, OAuth consents for that user) +6. Check if any Bill.com or Capital One transactions were made without authorization (Ken's case) diff --git a/clients/kittle-design/session-logs/2026-04-24-session.md b/clients/kittle-design/session-logs/2026-04-24-session.md new file mode 100644 index 0000000..73f4c13 --- /dev/null +++ b/clients/kittle-design/session-logs/2026-04-24-session.md 
@@ -0,0 +1,137 @@ +# Session Log — Kittle Design & Construction +**Date:** 2026-04-23 / 2026-04-24 (overnight) +**Analyst:** Mike Swanson +**Machine:** DESKTOP-0O8A1RL +**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`) + +## User +- **User:** Mike Swanson (mike) +- **Machine:** DESKTOP-0O8A1RL +- **Role:** admin + +--- + +## Session Summary + +Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing. + +--- + +## Breach Check Findings + +Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md` + +| Severity | Finding | User | +|---|---|---| +| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com | +| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com | +| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to folder | Ken@kittlearizona.com | +| [INFO] | Two Authenticator devices (different Samsung models — likely phone upgrade) | Lori@kittlearizona.com | +| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com | +| [INFO] | IMAP legacy auth consent — single user | unknown | +| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide | + +--- + +## Remediation Actions Taken + +### Onboarding + +Exchange Operator and Tenant Admin apps consented by Kittle admin. Role assignments: +- Security Investigator SP (`26e16c7a`): Exchange Administrator — assigned +- Exchange Operator SP (`775ec856`): Exchange Administrator — assigned manually (onboard script missed it) +- User Manager SP (`ea0277ab`): User Administrator + Authentication Administrator — assigned + +### alexis@kittlearizona.com + +| Action | Result | Detail | +|---|---|---| +| Hidden "." 
inbox rule deleted | [OK] | Exchange identity: `alexis\\2866869517449953281` | +| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 | +| All sign-in sessions revoked | [OK] | `revokeSignInSessions` returned true | +| Password reset (temp, force-change) | [OK] | See credentials section below | + +**Emails recovered:** +1. "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04) +2. "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04) +3. "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28) + +**Still pending:** +- Ask Alexis to count Authenticator entries on her phone. If only one, remove suspicious entry: + - Entry to remove: ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40, "iPhone 12 Pro Max") + +### OAuth Consents Revoked + +**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted, all HTTP 204): +- `rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo` — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes +- `rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc` — LicenseManager.AccessAsUser +- `rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8` — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation +- `rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI` — user_impersonation +- `rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs` — AllProfiles.Manage, AllSites.FullControl +- `rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk` — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite +- `rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k` — Vulnerability.Read + +**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth, 1 grant deleted, HTTP 204): +- `l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa` — IMAP.AccessAsUser.All, openid, offline_access, email, profile +- Consented by user `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` (user object ID — UPN not resolved) + +### 
Ken@kittlearizona.com + +No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions). + +--- + +## Credentials + +``` +Tenant: kittlearizona.com +Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 + +alexis@kittlearizona.com + Temp password: KittleGwiNUK#2026 + (force change on next login — issued 2026-04-23) + User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a + +Exchange Operator SP: 775ec856-f032-4dcf-a499-ccf7f9bce07b +Tenant Admin SP: 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 +Security Investigator SP: 26e16c7a-0ac8-4f85-bdd7-992611bbd271 +User Manager SP: ea0277ab-497c-45f7-b88a-e2d53f54a4c7 +``` + +--- + +## Syncro + +- **Ticket #32207** — "M365 Security Sweep — Breach Check & Remediation" +- Status: Resolved +- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473) +- Ready to invoice — run `/syncro bill 32207` or manually in GUI + +--- + +## Infrastructure Notes + +- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection unavailable +- SMTP forwarding check not completed — Exchange Admin role was not assigned to Security Investigator at time of breach check (fixed during remediation session) +- Token cache location: `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/` + +--- + +## Files Changed This Session + +- `clients/kittle-design/reports/2026-04-23-breach-check.md` — breach check report (written 2026-04-23) +- `.claude/skills/remediation-tool/scripts/tenant-sweep.sh` — fixed tier name `graph` → `investigator` on line 12 +- `.claude/skills/remediation-tool/references/tenants.md` — Kittle row updated from NO to PARTIAL + +--- + +## Pending Items + +| Priority | Action | Owner | +|---|---|---| +| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? 
Remove `c927402a` if only one. | Mike | +| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike | +| P2 | Verify Alexis received temp password and changed it | Mike | +| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike | +| P3 | Enroll Scott in Microsoft Authenticator | Mike | +| P3 | Invoice ticket #32207 | Mike |
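Review bot: in the first hunk (2026-04-23-breach-check.md), both inbox-rule findings leave the destination folder as an opaque ID (`**Action:** Move to folder (ID: AQMkAGJiAWNh...)` for Alexis, `AQMkAGNiZTJj...` for Ken) and then hand "What folder is this routing to?" to the user as a P1 question, even though the tool has read-only Graph access and can resolve a mail folder ID to its display name before the report ships; the second file in this patch already names Alexis's target as Conversation History, so the report should carry the resolved name and the only question left for the user is whether she created the rule. The IMAP finding has the same gap: the report itself says this is a user-level (Principal) consent, and a Principal grant records the consenting user's object ID, so the summary row should not read "unknown"; resolve that ID to a UPN in the report rather than deferring it to a P2 item. One caveat on the Escalation criteria list: `revokeSignInSessions` invalidates refresh tokens and session cookies, but access tokens already issued stay valid until they expire, so the inbox-rule and forwarding checks in steps 4 and 5 should be repeated after the token lifetime, not run only once at the moment of revocation.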
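Review bot: in the second hunk (2026-04-24-session.md), the OAuth Consents Revoked section deletes all seven AllPrincipals grants for `c5df10ae` and the single IMAP grant for `9b504397`, but the report this session executes rated both as P2/P3 "verify intentional" and "identify which user" items, and the log records no confirmation from Kittle's admin or from the consenting user before deletion (the consenting principal `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` is still listed as unresolved after its grant is already gone). If `c5df10ae` is the MSP management platform the report itself suspects, tenant management may now be broken; the log should state who authorized the revocation, and the principal ID should be resolved to a UPN so the IMAP client can still be identified and the user told why it stopped working. Same gap for Alexis: the "." rule was deleted and three Howmet emails restored, but her answer to the report's own P1 gating question (does she recognize the rule and the Howmet sender) is not recorded anywhere, and the Pending Items table drops it; since the recovered emails concern billing discrepancies and a purchase order, that answer is what separates a compromise from self-inflicted filtering and belongs in this log. Finally, the Credentials block commits a plaintext temporary password (the `Temp password:` line) to the repository; force-change on next login does not make it safe in git history, so deliver it out of band and redact it here, keeping only the object IDs.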