session log: kittle — M365 breach check and remediation 2026-04-23

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-24 06:36:42 -07:00
parent 327dc329ab
commit deecac745d
2 changed files with 308 additions and 0 deletions

@@ -0,0 +1,171 @@
# Breach Check — Kittle Design & Construction
**Date:** 2026-04-23
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
**Analyst:** Mike Swanson
**Scope:** Tenant-wide compromised account sweep
**Tool:** ComputerGuru Security Investigator (read-only Graph + Exchange)
---
## Limitations
- **No Entra ID P1/P2 license** — sign-in logs, risky user detection, and Identity Protection not available
- **Exchange Admin role not yet assigned** to Security Investigator SP — SMTP forwarding and transport rules not checked
- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility
---
## Summary
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com |
| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com |
| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section |
| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide |
---
## Findings Detail
### [WARNING] alexis@kittlearizona.com — Hidden inbox rule
**Rule name:** `.` (single dot)
**Status:** Enabled
**Action:** Move to folder (ID: AQMkAGJiAWNh...)
**Condition:** Sender contains `HOWMET.COM`
A rule named `.` is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder.
**Questions to resolve:**
1. Does Kittle have a business relationship with Howmet Aerospace?
2. Does Alexis recognize this rule?
3. What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder)
If Alexis did not create this rule, treat as confirmed compromise indicator and escalate to full breach check with password reset, session revocation, and MFA re-enrollment.
---
### [WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations
Two Microsoft Authenticator entries on the same device name:
| Entry | Display Name | App Version | Created |
|---|---|---|---|
| 1 | iPhone 12 Pro Max | 6.8.41 | not available |
| 2 | iPhone 12 Pro Max | 6.8.40 | not available |
Both tagged `SoftwareTokenActivated`. Identical device name with different app versions indicates either:
- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register)
- Suspicious: attacker registered their own Authenticator under the same device name
**Action:** Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (version 6.8.40) immediately and force MFA re-enrollment.
---
### [INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails
**Rule name:** `Admin`
**Status:** Enabled
**Action:** Move to folder (ID: AQMkAGNiZTJj...)
**Condition:** Body or subject contains any of:
- `@flystucson.com`
- `capitalone`
- `capitaloneshopping.com`
- `@capitalone.com`
- `capital one `
- `@inform.bill.com`
- `cwelsh@hq.bill.com`
- `bill.com`
Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization.
**Action:** Confirm with Ken:
1. Did he create this rule?
2. What folder does it route to, and has he seen the emails landing there?
3. Does Kittle use Bill.com and Capital One for business payments?
If Ken did not create this rule, it is a confirmed compromise indicator.
---
### [INFO] Lori@kittlearizona.com — Two Authenticator devices
| Entry | Display Name | App Version |
|---|---|---|
| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 |
| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 |
Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up.
**Action:** Confirm which device is current with Lori. Remove the old registration.
---
### [INFO] scott@kittlearizona.com — Phone-only MFA
Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering).
**Action:** Enroll Scott in Microsoft Authenticator.
---
### [INFO] IMAP legacy auth consent
App ID `9b504397-914d-4af2-b6d9-9081e80da54e` has a user-level delegated consent for:
```
openid offline_access email profile IMAP.AccessAsUser.All
```
IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it.
**Action:** Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant.
---
### [INFO] Large-scope AllPrincipals OAuth consent
App ID `c5df10ae-2aa7-4283-86ef-1884c267a9ac` has admin-consented (AllPrincipals) access including:
`Directory.ReadWrite.All`, `User.ReadWrite.All`, `RoleManagement.ReadWrite.Directory`, `Mail.Send`, `Policy.ReadWrite.*`, `SecurityEvents.ReadWrite.All`, and many others.
This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). Verify this was intentionally granted by Kittle's admin.
---
## Clean checks
- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled)
- No B2B guest invites in 30 days
- No suspicious directory audits beyond today's Security Investigator consent (expected)
- 13 of 16 users have Authenticator MFA enrolled
- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment)
---
## Recommended Actions
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike |
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike |
| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike |
| P2 | Identify the IMAP app consent — which user, what client? | Mike |
| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Verify `c5df10ae` AllPrincipals consent is intentional MSP tooling | Mike |
---
## Escalation criteria
If Alexis or Ken cannot explain their respective rules → treat as active compromise:
1. Force password reset
2. Revoke all sessions (`revokeSignInSessions`)
3. Remove suspicious Authenticator entry from Alexis
4. Delete the unrecognized inbox rule
5. Run full per-user breach check (sent items, deleted items, OAuth consents for that user)
6. Check if any Bill.com or Capital One transactions were made without authorization (Ken's case)
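Review bot: the "No mailbox forwarding" line under Clean checks contradicts the Limitations section, which states that SMTP forwarding and transport rules were not checked at all; reword it to say only what was verified, e.g. "No forward/redirect actions found in inbox rules; SMTP forwarding and transport rules not yet checked", so a reader does not take forwarding as cleared. Separately, both rule findings show the target folder only as a truncated ID (AQMkAGJiAWNh..., AQMkAGNiZTJj...) and leave "what folder is this routing to?" as a question for Alexis and Ken; the read-only Graph access the tool already has can resolve a mailbox folder ID to its display name, which would answer that before the calls and tell you immediately whether it is a Conversation History, RSS or other rarely-opened folder.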

@@ -0,0 +1,137 @@
# Session Log — Kittle Design & Construction
**Date:** 2026-04-23 / 2026-04-24 (overnight)
**Analyst:** Mike Swanson
**Machine:** DESKTOP-0O8A1RL
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
---
## Session Summary
Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing.
---
## Breach Check Findings
Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com |
| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices (different Samsung models — likely phone upgrade) | Lori@kittlearizona.com |
| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent — single user | unknown |
| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide |
---
## Remediation Actions Taken
### Onboarding
Exchange Operator and Tenant Admin apps consented by Kittle admin. Role assignments:
- Security Investigator SP (`26e16c7a`): Exchange Administrator — assigned
- Exchange Operator SP (`775ec856`): Exchange Administrator — assigned manually (onboard script missed it)
- User Manager SP (`ea0277ab`): User Administrator + Authentication Administrator — assigned
### alexis@kittlearizona.com
| Action | Result | Detail |
|---|---|---|
| Hidden "." inbox rule deleted | [OK] | Exchange identity: `alexis\\2866869517449953281` |
| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 |
| All sign-in sessions revoked | [OK] | `revokeSignInSessions` returned true |
| Password reset (temp, force-change) | [OK] | See credentials section below |
**Emails recovered:**
1. "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
2. "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
3. "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
**Still pending:**
- Ask Alexis to count Authenticator entries on her phone. If only one, remove suspicious entry:
- Entry to remove: ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40, "iPhone 12 Pro Max")
### OAuth Consents Revoked
**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted, all HTTP 204):
- `rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo` — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- `rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc` — LicenseManager.AccessAsUser
- `rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8` — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation
- `rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI` — user_impersonation
- `rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs` — AllProfiles.Manage, AllSites.FullControl
- `rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk` — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite
- `rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k` — Vulnerability.Read
**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth, 1 grant deleted, HTTP 204):
- `l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa` — IMAP.AccessAsUser.All, openid, offline_access, email, profile
- Consented by user `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` (user object ID — UPN not resolved)
### Ken@kittlearizona.com
No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions).
---
## Credentials
```
Tenant: kittlearizona.com
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
alexis@kittlearizona.com
Temp password: KittleGwiNUK#2026
(force change on next login — issued 2026-04-23)
User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a
Exchange Operator SP: 775ec856-f032-4dcf-a499-ccf7f9bce07b
Tenant Admin SP: 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5
Security Investigator SP: 26e16c7a-0ac8-4f85-bdd7-992611bbd271
User Manager SP: ea0277ab-497c-45f7-b88a-e2d53f54a4c7
```
---
## Syncro
- **Ticket #32207** — "M365 Security Sweep — Breach Check & Remediation"
- Status: Resolved
- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473)
- Ready to invoice — run `/syncro bill 32207` or manually in GUI
---
## Infrastructure Notes
- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection unavailable
- SMTP forwarding check not completed — Exchange Admin role was not assigned to Security Investigator at time of breach check (fixed during remediation session)
- Token cache location: `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`
---
## Files Changed This Session
- `clients/kittle-design/reports/2026-04-23-breach-check.md` — breach check report (written 2026-04-23)
- `.claude/skills/remediation-tool/scripts/tenant-sweep.sh` — fixed tier name `graph``investigator` on line 12
- `.claude/skills/remediation-tool/references/tenants.md` — Kittle row updated from NO to PARTIAL
---
## Pending Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? Remove `c927402a` if only one. | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike |
| P2 | Verify Alexis received temp password and changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Invoice ticket #32207 | Mike |
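Review bot: the Credentials section commits a live temporary password for alexis@kittlearizona.com in plaintext to the repository; force-change on next login does not help until Alexis actually signs in (the P2 pending item says that is still unverified), and the value stays in git history after the line is removed. Drop the password line from the log, deliver the temp password out of band, and treat it as exposed (reset it again if this commit has been pushed anywhere shared). Also, the OAuth Consents Revoked section deletes all seven c5df10ae grants even though the breach report only called for verifying that the AllPrincipals consent was intentional MSP tooling; record who confirmed it was not, since revoking a management platform's consent would break that tooling, and note that the pending-items table silently dropped the verification item. Minor: under Files Changed, the tenant-sweep.sh entry reads `graph``investigator`, where the arrow between the old and new tier name was lost.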