sync: Update session log with billing deep check and Bardach finalization

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 17:53:00 -07:00
parent b2874b4728
commit f81872784b


@@ -130,5 +130,42 @@ Two major workstreams: Valley Wide Plastering BEC incident response and Bardach
---
## Update: 15:30 - billing@ Deep Check & Bardach Finalization
### VWP billing@ Deep Investigation (Second Pass)
Full 10-point deep check of billing@valleywideplastering.com:
1. **Inbox Rules:** [OK] All legitimate (Tim Wolf, Pulte x2, hibu disabled)
2. **Sign-in Logs (30 days):** 14 foreign IPs from CN, VN, BR, AR, IT, AL, PH, SG, GN, ZA, CZ, ID, CA - ALL failed (err=50126). Legitimate IP: 4.18.160.106 (Leesburg, FL, 81 sign-ins). CA policy now blocks foreign attempts.
3. **Sent Mail:** [OK] All 12 flagged items are legitimate AR business (Toni - invoices, payments, waivers)
4. **Auth Methods:** [OK] Password (reset today), phone +1 619-244-8933, Samsung S24 (SM-S916U)
5. **Mailbox Settings:** [OK] No auto-replies, no forwarding
6. **Mail Folders:** [OK] Normal - 16 inbox, 16,455 sent, 2,541 deleted
7. **OAuth Grants:** [OK] None
8. **Recent Inbox:** [OK] No Box.com emails, all legitimate
9. **Deleted Items:** [NOTABLE] Dropbox account created for Toni on 3/2-3/3 (verify with user), Box notification forwarded from Jorge Tabares on 3/5, our security notice deleted (expected), self-sent ".com" subject email on 2/27
10. **Archive:** [OK] Empty
**Assessment:** NOT breached. Credential stuffing from 14 countries all failed. Dropbox account creation on 3/2-3/3 needs verification with Toni.
### Bardach Contacts - Email-Based Contact Discovery
- Scanned 57,120 emails (12 months: 4,286 sent + 52,834 inbox)
- Found 1,970 unique addresses in mail, 412 already in contacts
- Filtered to 315 two-way correspondents, then 32 real people (>= 4 exchanges)
- Extracted phone numbers from email signatures for 19 of 32 (55% hit rate)
- Created 32 new contacts via Graph API, all HTTP 201
### Additional Files Created
- `temp/vwp_billing_deep_check.py` - Full billing investigation script
- `temp/vwp_add_mail_send.py` - Added Mail.Send permission to app
- `temp/bardach_email_contacts_scan.py` - Email gap scan (4,286 sent + 52,834 inbox)
- `temp/bardach_missing_real_contacts.py` - Two-way filter + signature phone extraction
- `temp/bardach_create_missing_contacts.py` - Contact creation script
### Procore Phishing Note
billing@ forwarded a Procore "Welcome to Project Team" email to admin@azcomputerguru.com on 3/5, stating she clicked "Open Project" thinking it was legit, and logged in to Procore. This may be a separate phishing vector worth investigating.
---
**Machine:** ACG-M-L5090
**Duration:** ~4 hours
**Duration:** ~6 hours
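Review bot: The **Assessment** line states "NOT breached" without qualification, but item 9 still lists unverified findings (the Dropbox account created for Toni on 3/2-3/3 and the self-sent ".com" subject email on 2/27), and the Procore Phishing Note records that the user clicked "Open Project" and logged in. Suggest wording the assessment as provisional until those are resolved, and recording when the Procore login happened relative to the password reset in item 4. Separately, item 4 commits the user's phone number and device model to the repository, and the entry for `temp/vwp_add_mail_send.py` records adding Mail.Send to the app with no matching entry for why it was needed or when it will be removed; consider redacting the former and documenting the latter.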