IC3 filed 2026-06-09 12:46 EST. Stamped the submission ID on the report; bank freeze letters
(Truist/First State/Chase) updated with the IC3 # and real Kittle/ACG contacts - now turnkey to send.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Per Kittle bookkeeper (2026-06-09): City of Tucson stopped the payment before any funds reached
the attacker (no completed loss; attempted $130k+). Kittle confirms no Foam Factory relationship,
confirming both receiving accounts are mules. Also: Ken un-restricted from sending (Outbox/Drafts
verified empty first); Lori was never restricted.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Inv #31468 $123,776.75 (confirmed), Inv #31400 ~$8,818, Inv #31453 $41,231 (open);
total identified exposure $130,000+ since the ACH change redirects all City->Kittle payments.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Investigated barbara@bardach.net login issues (account-locked message, INKY SSL
errors). Finding: active distributed password-spray against the tenant (also
hitting admin@), NOT a breach — no successful attacker sign-in, no mailbox/rule/
forwarding changes. Root exposure: MFA not enforced (no Entra P1 -> no CA).
Remediation (Mike confirmed): enabled Security Defaults tenant-wide. Both active
accounts MFA-ready (Authenticator) -> no lockout; legacy auth now blocked.
- 2026-06-05-account-investigation-mfa-enforcement.md (full report)
- 2026-06-05-barbara-note-draft.md (client note, for Mike to send)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- 2026-06-05-tom-message-draft.md: Mike's final relief-framed wording
- 2026-06-05-quo-sql-fix-list.md: 80 live quo call sites across 15 files (C3)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adds the "from emergency to deliberate staged objectives" pacing strategy
(severity unchanged, tempo deliberate - the depth of the Glaz tools estate makes
rushing the bigger risk) and records Steve's blanket approval (Tier A
execution-cleared). Softens the Tom outreach to a partnership / not-a-fire-drill
tone per Mike.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Grok + Gemini consensus reframe of the way forward: ACG-owned containment
(E-bucket, DB de-privilege, WAF, SQL network segmentation) is the real C0
reduction; the audience/network split is real only for the employee surface.
Tom's one within-skill ask = parameterize the 59 quo() SQL queries (ACG hands
him the exact lines); tokenized payments is a deferred scaffolded sub-project.
Steve Eastman gave ACG blanket approval to proceed (Tier A execution-cleared).
Includes a relief-framed draft message to Tom.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Scope (v0.3) for replacing the website's sysadmin login 'tom' with a
least-privilege login: two-phase plan (GTIware co-residency forces keeping
cc_file in Phase 1), Grok + Gemini independent review folded in, and live
RMM recon findings that materially changed the picture - the website is a
cross-office + Sage accounting + payroll + msdb hub on one sysadmin
credential, SQL is centralized on GTI-INV-SQL\GTISQL:3436 (not per-site).
PARKED pending a full network recon. Session log covers the website outage
fix (incomplete E1 ACL hardening) + the scoping + recon.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
