diff --git a/session-logs/2026-03-05-session.md b/session-logs/2026-03-05-session.md index 92eba4c..94b7b09 100644 --- a/session-logs/2026-03-05-session.md +++ b/session-logs/2026-03-05-session.md 
@@ -130,5 +130,42 @@ Two major workstreams: Valley Wide Plastering BEC incident response and Bardach --- +## Update: 15:30 - billing@ Deep Check & Bardach Finalization + +### VWP billing@ Deep Investigation (Second Pass) +Full 10-point deep check of billing@valleywideplastering.com: + +1. **Inbox Rules:** [OK] All legitimate (Tim Wolf, Pulte x2, hibu disabled) +2. **Sign-in Logs (30 days):** 14 foreign IPs from CN, VN, BR, AR, IT, AL, PH, SG, GN, ZA, CZ, ID, CA - ALL failed (err=50126). Legitimate IP: 4.18.160.106 (Leesburg, FL, 81 sign-ins). CA policy now blocks foreign attempts. +3. **Sent Mail:** [OK] All 12 flagged items are legitimate AR business (Toni - invoices, payments, waivers) +4. **Auth Methods:** [OK] Password (reset today), phone +1 619-244-8933, Samsung S24 (SM-S916U) +5. **Mailbox Settings:** [OK] No auto-replies, no forwarding +6. **Mail Folders:** [OK] Normal - 16 inbox, 16,455 sent, 2,541 deleted +7. **OAuth Grants:** [OK] None +8. **Recent Inbox:** [OK] No Box.com emails, all legitimate +9. **Deleted Items:** [NOTABLE] Dropbox account created for Toni on 3/2-3/3 (verify with user), Box notification forwarded from Jorge Tabares on 3/5, our security notice deleted (expected), self-sent ".com" subject email on 2/27 +10. **Archive:** [OK] Empty + +**Assessment:** NOT breached. Credential stuffing from 14 countries all failed. Dropbox account creation on 3/2-3/3 needs verification with Toni. 
+ +### Bardach Contacts - Email-Based Contact Discovery +- Scanned 57,120 emails (12 months: 4,286 sent + 52,834 inbox) +- Found 1,970 unique addresses in mail, 412 already in contacts +- Filtered to 315 two-way correspondents, then 32 real people (>= 4 exchanges) +- Extracted phone numbers from email signatures for 19 of 32 (55% hit rate) +- Created 32 new contacts via Graph API, all HTTP 201 + +### Additional Files Created +- `temp/vwp_billing_deep_check.py` - Full billing investigation script +- `temp/vwp_add_mail_send.py` - Added Mail.Send permission to app +- `temp/bardach_email_contacts_scan.py` - Email gap scan (4,286 sent + 52,834 inbox) +- `temp/bardach_missing_real_contacts.py` - Two-way filter + signature phone extraction +- `temp/bardach_create_missing_contacts.py` - Contact creation script + +### Procore Phishing Note +billing@ forwarded a Procore "Welcome to Project Team" email to admin@azcomputerguru.com on 3/5, stating she clicked "Open Project" thinking it was legit, and logged in to Procore. This may be a separate phishing vector worth investigating. + +--- + **Machine:** ACG-M-L5090 -**Duration:** ~4 hours +**Duration:** ~6 hours
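Review bot: The "**Assessment:** NOT breached" line in the billing@ section is contradicted by the Procore note added later in the same hunk, where the user reports clicking "Open Project" in a suspicious email and logging in on 3/5. The assessment should either be reworded to list the Procore login as an open item, or the log should record what closes it: whether the password reset in item 4 happened after that 3/5 login, whether the sign-in logs in item 2 were checked for any successful sign-in from an address other than 4.18.160.106 after that point, and what domain the "Open Project" link actually resolved to. Separately, `temp/vwp_add_mail_send.py` adds Mail.Send to the app registration; that is a standing privilege, so the log should say why the investigation needed it and whether it was removed once done. Minor: the log commits a phone number and a named user's sign-in IP; consider whether those belong in a versioned session log.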