sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00

Synced files:
- Quote wizard frontend (all components, hooks, types, config)
- API updates (config, models, routers, schemas, services)
- Client work (bg-builders, gurushow)
- Scripts (BGB Lesley termination, CIPP, Datto, migration)
- Temp files (Bardach contacts, VWP investigation, misc)
- Credentials and session logs
- Email service, PHP API, session logs

Machine: ACG-M-L5090
Timestamp: 2026-03-10 19:11:00

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

temp/vwp_bec_incident_notes.md

@@ -0,0 +1,122 @@
+# Valley Wide Plastering - BEC Incident Notes
+**Date:** 2026-03-05
+**Tenant:** valleywideplastering.com (5c53ae9f-7071-4248-b834-8685b646450f)
+**Reported by:** JR Guerrero - reports contacts receiving malicious emails from his account
+
+---
+
+## Timeline
+
+- **~2026-03-04 or earlier:** Attacker gains access to j-r@valleywideplastering.com
+- **2026-03-04 18:56 UTC:** Attacker MFA device (iPhone 12 Pro Max) token refreshed
+- **2026-03-04 20:21 UTC:** 27 rapid failed sign-ins from 23.234.100.200 (Chicago) using app "ppuxdevcenter" - blocked by Conditional Access after policy was applied
+- **2026-03-05 ~15:00 UTC:** Sysadmin notified, investigation begins
+- **2026-03-05 15:08 UTC:** Password reset by sysadmin, sessions revoked
+- **2026-03-05 15:39 UTC:** Attacker iPhone 12 Pro Max authenticator removed, JR re-enrolled iPhone 16 Pro Max
+- **2026-03-05:** Investigation, remediation, CA policy creation, victim notification
+
+---
+
+## Compromise Details
+
+**Compromised account:** j-r@valleywideplastering.com (JR Guerrero)
+**User ID:** 0af923d0-48c5-4cc1-8553-c60625802815
+
+**Attack method:** Box.com phishing campaign
+- Attacker shared malicious file "Valley Wide Plastering, INC......pdf" via Box.com using JR's identity
+- File ID on Box: 2155046839008
+- Invitations sent to JR's business contacts through Box sharing feature
+
+**Attacker persistence mechanisms found:**
+1. Inbox rule ".." (two dots) - Condition: body/subject contains "box.com" - Action: move to Archive, mark read, stop processing
+2. Inbox rule "." (single dot) - No visible conditions (catch-all) - Action: move to Archive, mark read, stop processing
+3. MFA device registered: iPhone 12 Pro Max (not JR's - he has iPhone 16 Pro Max)
+
+**Attacker IPs:**
+- 23.234.100.200 - Chicago, IL (30 sign-ins, 27 failed after CA policy)
+- 23.234.100.73 - Chicago, IL (9 sign-ins)
+- 23.234.101.73 - Brooklyn, NY (5 sign-ins, some successful)
+
+---
+
+## Remediation Actions Taken
+
+- [x] Password reset + force change on next sign-in
+- [x] All sign-in sessions revoked
+- [x] Malicious inbox rule ".." deleted (HTTP 204)
+- [x] Malicious inbox rule "." deleted (HTTP 204)
+- [x] Attacker MFA device (iPhone 12 Pro Max) removed
+- [x] 447 messages moved from Archive back to Inbox (hidden by attacker rules)
+- [x] Conditional Access policy created: "Block Sign-ins Outside US" (enforced)
+  - Policy ID: db34605c-c778-4b37-bf25-9a3a7cdbee0c
+  - Named location: "Allowed Countries - US Only" (14ea32d1-dd6f-4fb1-83f7-d6f840df82fa)
+  - Excludes: sysadmin@ (break-glass)
+- [x] Notification email sent to 133 victims (BCC) from JR's account
+
+---
+
+## billing@ Investigation
+
+**Account:** billing@valleywideplastering.com (4f708b80-e537-4f63-92d3-5feedfa28244)
+
+- Attacker IPs (23.234.100.200, 23.234.101.73) appeared in billing sign-in logs
+- Inbox rules reviewed: all legitimate (Tim Wolf, Pulte, hibu)
+- Sent mail reviewed: no malicious activity detected
+- Auth methods: Samsung S24, phone - appear legitimate
+- **Assessment:** Targeted but NOT compromised at mailbox level
+- Password reset attempted via API (403 - insufficient privileges), user reset manually
+- Sessions revoked
+
+---
+
+## Phishing Impact
+
+**Total identified victims:** 133 notified (125 external + 8 internal VWP)
+**~175 total who clicked** (from Box acceptance notifications, not all emails resolved)
+
+**VWP internal users targeted:**
+- billing@, customerservice@, estimating@, ferminm@, franciscoa@, jesse@, ron@, teresa@
+
+**Top affected external organizations:**
+- Brewer Companies: 12 recipients
+- Austin Companies: 11
+- Pulte/PulteGroup/Del Webb: 12
+- Diversified Roofing: 6
+- 3-G Construction: 6
+- MCR Trust: 6
+- Paul Johnson Drywall: 5
+- VW Connect LLC: 3
+- Fairbanks AZ: 3
+- SRP: 3
+
+---
+
+## Outstanding / Follow-up
+
+- [ ] Box.com file takedown - "Valley Wide Plastering, INC......pdf" (file ID 2155046839008) still live on Box. Contact Box support or access Box admin to revoke sharing.
+- [ ] Confirm JR's MFA phone (+1 480-797-6102) is his
+- [ ] Confirm billing's MFA phone (+1 619-244-8933) and Samsung S24 are hers
+- [ ] ~42 victim names could not be resolved to email addresses (no email found in Exchange)
+- [ ] Monitor sign-in logs for attacker IP recurrence over next 30 days
+- [ ] Consider enabling MFA for all VWP accounts if not already universal
+- [ ] Review other VWP accounts for foreign sign-ins (investigation flagged 11 of 33 accounts with foreign country sign-ins - may warrant broader remediation)
+- [ ] Check if attacker exfiltrated any data via Box or email forwarding
+
+---
+
+## Files / Artifacts
+
+| File | Description |
+|------|-------------|
+| vwp_bec_jr.py | JR investigation script |
+| vwp_bec_billing.py | Billing investigation + remediation script |
+| vwp_bec_investigation.py | Full tenant investigation (sign-ins, lateral movement) |
+| vwp_bec_results.json | Raw investigation results |
+| vwp_extract_victim_emails.py | Box notification email parsing |
+| vwp_exchange_trace.py | Exchange sent items search for recipient emails |
+| vwp_exchange_recipients.json | All identified victim email addresses |
+| vwp_resolve_victims.py | Name-to-email resolution via contacts/mail search |
+| vwp_resolved_victims.json | Resolution results |
+| vwp_send_notification.py | Notification email send script |
+| vwp_signins_raw.json | Raw sign-in log data |
+| vwp_investigation_output.txt | Full investigation console output |