# Session Log — Kittle Design & Construction

**Date:** 2026-04-23 / 2026-04-24 (overnight)
**Analyst:** Mike Swanson
**Machine:** DESKTOP-0O8A1RL
**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)

## User

- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin

---

## Session Summary

Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing.

---

## Breach Check Findings

Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`

| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com |
| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to a folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices (different Samsung models — likely a phone upgrade) | Lori@kittlearizona.com |
| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent — single user | unknown |
| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide |

---

## Remediation Actions Taken

### Onboarding

Exchange Operator and Tenant Admin apps consented by the Kittle admin. Role assignments:

- Security Investigator SP (`26e16c7a`): Exchange Administrator — assigned
- Exchange Operator SP (`775ec856`): Exchange Administrator — assigned manually (onboard script missed it)
- User Manager SP (`ea0277ab`): User Administrator + Authentication Administrator — assigned

### alexis@kittlearizona.com

| Action | Result | Detail |
|---|---|---|
| Hidden "." inbox rule deleted | [OK] | Exchange identity: `alexis\2866869517449953281` |
| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 |
| All sign-in sessions revoked | [OK] | `revokeSignInSessions` returned true |
| Password reset (temp, force-change) | [OK] | See credentials section below |

**Emails recovered:**

1. "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
2. "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
3. "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)

**Still pending:**

- Ask Alexis to count the Kittle Authenticator entries on her phone. If there is only one, remove the suspicious registration:
  - Entry to remove: ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40, "iPhone 12 Pro Max")

### OAuth Consents Revoked

**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted, all HTTP 204):

- `rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo` — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- `rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc` — LicenseManager.AccessAsUser
- `rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8` — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation
- `rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI` — user_impersonation
- `rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs` — AllProfiles.Manage, AllSites.FullControl
- `rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk` — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite
- `rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k` — Vulnerability.Read

**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth — 1 grant deleted, HTTP 204):

- `l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa` — IMAP.AccessAsUser.All, openid, offline_access, email, profile
- Consented by user `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` (user object ID — UPN not resolved)

### Ken@kittlearizona.com

No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com / Capital One transactions).

---

## Credentials

```
Tenant: kittlearizona.com
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0

alexis@kittlearizona.com
Temp password: KittleGwiNUK#2026 (force change on next login — issued 2026-04-23)
User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a

Exchange Operator SP:      775ec856-f032-4dcf-a499-ccf7f9bce07b
Tenant Admin SP:           0caa0dde-3f8d-4d46-ab26-aa0d38add0b5
Security Investigator SP:  26e16c7a-0ac8-4f85-bdd7-992611bbd271
User Manager SP:           ea0277ab-497c-45f7-b88a-e2d53f54a4c7
```

---

## Syncro

- **Ticket #32207** — "M365 Security Sweep — Breach Check & Remediation"
- Status: Resolved
- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473)
- Ready to invoice — run `/syncro bill 32207` or do it manually in the GUI

---

## Infrastructure Notes

- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection are unavailable
- SMTP forwarding check not completed — the Exchange Administrator role was not assigned to the Security Investigator SP at the time of the breach check (assigned during this remediation session); the check still needs to be run
- Token cache location: `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`

---

## Files Changed This Session

- `clients/kittle-design/reports/2026-04-23-breach-check.md` — breach check report (written 2026-04-23)
- `.claude/skills/remediation-tool/scripts/tenant-sweep.sh` — fixed tier name `graph` → `investigator` on line 12
- `.claude/skills/remediation-tool/references/tenants.md` — Kittle row updated from NO to PARTIAL

---

## Pending Items

| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: how many Kittle Authenticator entries are on her phone? Remove `c927402a` if only one. | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike |
| P1 | Run the mailbox SMTP forwarding check across the tenant now that Exchange Administrator is assigned | Mike |
| P2 | Verify Alexis received the temp password and changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming her current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Invoice ticket #32207 | Mike |
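The findings above were triaged by hand from Graph output. The following Python is an added example, not code from the remediation tool this log references: it applies the same triage logic to records in the shape of Graph's `messageRule` (from `GET /users/{id}/mailFolders/inbox/messageRules`) and `oauth2PermissionGrant` (from `GET /oauth2PermissionGrants`) resources, flagging hidden-looking rule names, moves into folders such as Conversation History, deletion, forwarding outside the tenant, AllPrincipals consents carrying high-privilege scopes, and single-user legacy-auth consents. The folder-id map, the financial-term list, the scope lists, and all sample records are constructed assumptions that mirror this session's findings; the severity thresholds are the example's own (it rates a high-privilege AllPrincipals consent WARNING, where the table above recorded INFO).

```python
"""Triage of Microsoft Graph data from an M365 breach check: suspicious inbox
rules and over-privileged OAuth consents. Added example for this log, not the
remediation tool's own code; record shapes follow Graph's messageRule and
oauth2PermissionGrant resources, and all sample records are constructed."""
from dataclasses import dataclass

# Folders attackers park mail in so the victim does not notice it.
HIDING_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "archive", "junk email", "deleted items"}
# Vendor/bank terms that earn an INFO finding even when the rule looks benign.
FINANCIAL_TERMS = ("capital one", "bill.com", "howmet", "invoice", "remittance")
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                    "Mail.Send", "Mail.ReadWrite", "Exchange.Manage",
                    "AllSites.FullControl", "Application.ReadWrite.All"}
LEGACY_AUTH_SCOPES = {"IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "WARNING" or "INFO"
    subject: str   # UPN, principal object id, or "tenant-wide"
    detail: str


def _addresses(recipients):
    """Flatten Graph recipient objects to lowercase SMTP addresses."""
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def triage_inbox_rule(upn, rule, folder_names, tenant_domain):
    """Score one messageRule; return a Finding, or None if it looks benign.
    folder_names maps mailFolder ids to names (Graph's moveToFolder is an id)."""
    name, actions = rule.get("displayName", ""), rule.get("actions", {})
    conds, reasons, warning = rule.get("conditions", {}), [], False
    if not name.strip(" .,-_"):  # blank or punctuation-only name hides the rule
        reasons.append(f"hidden-looking name {name!r}")
        warning = True
    dest = folder_names.get(actions.get("moveToFolder", ""), "").lower()
    if dest in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{dest}'")
        warning = True
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes mail")
        warning = True
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        external = [a for a in _addresses(actions.get(key))
                    if not a.endswith("@" + tenant_domain)]
        if external:
            reasons.append(f"{key} outside tenant: {', '.join(external)}")
            warning = True
    haystack = " ".join(conds.get("senderContains", [])
                        + _addresses(conds.get("fromAddresses"))).lower()
    hits = [t for t in FINANCIAL_TERMS if t in haystack]
    if hits and actions.get("moveToFolder"):
        reasons.append(f"filters financial senders ({', '.join(hits)})")
    if not reasons:
        return None
    return Finding("WARNING" if warning else "INFO", upn,
                   f"inbox rule {name!r}: " + "; ".join(reasons))


def triage_oauth_grant(grant):
    """Score one oauth2PermissionGrant; return a Finding or None."""
    scopes, client = set(grant.get("scope", "").split()), grant["clientId"]
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    legacy = sorted(scopes & LEGACY_AUTH_SCOPES)
    if grant.get("consentType") == "AllPrincipals":  # admin consent for every user
        if risky:
            return Finding("WARNING", "tenant-wide",
                           f"admin consent for {client}: {', '.join(risky)}")
        return Finding("INFO", "tenant-wide",
                       f"admin consent for {client}: {len(scopes)} scopes")
    if legacy:  # one user consented to a legacy-auth protocol scope
        return Finding("INFO", grant.get("principalId") or "unknown",
                       f"user consent for {client}: legacy auth {', '.join(legacy)}")
    return None


def triage_tenant(rules_by_user, folder_names, grants, tenant_domain):
    """Run both triages over a tenant's data; WARNING findings sort first."""
    findings = [f for upn, rules in rules_by_user.items() for r in rules
                if (f := triage_inbox_rule(upn, r, folder_names, tenant_domain))]
    findings += [f for g in grants if (f := triage_oauth_grant(g))]
    return sorted(findings, key=lambda f: (f.severity != "WARNING", f.subject))


# Constructed sample mirroring this session's findings; folder ids are invented.
TENANT_DOMAIN = "kittlearizona.com"
FOLDER_NAMES = {"AAMk-conv": "Conversation History", "AAMk-admin": "Admin"}
SAMPLE_RULES = {
    "alexis@kittlearizona.com": [{"displayName": ".", "conditions": {"senderContains":
        ["howmet"]}, "actions": {"moveToFolder": "AAMk-conv", "markAsRead": True}}],
    "Ken@kittlearizona.com": [{"displayName": "Admin", "conditions": {"senderContains":
        ["Capital One", "Bill.com"]}, "actions": {"moveToFolder": "AAMk-admin"}}],
}
SAMPLE_GRANTS = [
    {"clientId": "c5df10ae-2aa7-4283-86ef-1884c267a9ac", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Directory.ReadWrite.All Mail.Send User.Read"},
    {"clientId": "9b504397-914d-4af2-b6d9-9081e80da54e", "consentType": "Principal",
     "principalId": "5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a",
     "scope": "IMAP.AccessAsUser.All openid offline_access email profile"},
]

if __name__ == "__main__":
    for f in triage_tenant(SAMPLE_RULES, FOLDER_NAMES, SAMPLE_GRANTS, TENANT_DOMAIN):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

Run against real data, the caller pages through each user's `messageRules`, resolves `moveToFolder` ids to names via `GET /users/{id}/mailFolders/{folderId}`, and feeds the tenant's `oauth2PermissionGrants`. Disabled rules are scored like enabled ones on purpose: an attacker who disables a rule after use leaves the same evidence behind.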