# QuantumWMS — M365 Read-Only Review

- **Date (UTC):** 2026-06-01
- **Reviewer:** Howard Enos (Howard-Home)
- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — "Quantum Wealth Management" (`quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial)
- **Method:** Read-only Microsoft Graph via ComputerGuru Security Investigator app (`bfbc12a4-...`). **No changes made to the tenant.**
- **Raw artifacts:** `/tmp/remediation-tool/2fd0092b-.../signins/all.json`

> NOTE: This is the **current production tenant** (Pax8-provisioned 2026-05-27). The old GoDaddy/johnvelez tenant (`8f7eaff4-...` / `NETORGFT2570783`) and the dormant GoDaddy `ddf3d2c9-...` tenant are bypassed and not in use.

---

## Headline: active password-spray attack on john@quantumwms.com

`john@quantumwms.com` shows **102 sign-in events 2026-05-27 → 2026-06-01: 98 failures from 98 unique IPs**, only 4 successes (all his own enrollment from the Tucson office on 5/27).

| Attribute | Detail |
|---|---|
| Failure codes | 94× **50053** (Microsoft blocked — "IP address with malicious activity"), 4× **50126** (invalid password) |
| Unique source IPs | 98 — datacenter/proxy IPv6 ranges (`2600:3c02`, `2605:6400`, `2a01:7e04`) + **Amsterdam NL** (`192.42.116.61`, flagged malicious) + **Praha CZ** (`130.193.15.79`, password guess) |
| Successful logins | 4, all from Tucson office `69.254.197.173` on 2026-05-27 (Microsoft Office + Authentication Broker) |
| Verdict | Distributed credential-stuffing/spray. **Every attempt failing. Account NOT breached.** |

**Risk despite no breach:**

- John is **NOT MFA-registered** (`isMfaRegistered: false`).
- His initial password is weak/OSINT-guessable (recorded plaintext in the 2026-05-27 session log).
- CA policies that would block this (require-MFA, block-non-US) are **report-only — not enforcing.**
- Only protections currently active: Entra malicious-IP reputation + attacker not yet having the password.
- Operational risk: spray-induced smart-lockout (50053) could lock John out during the licensing window.

## Identity & licensing

| User | Role | License | MFA registered | Notes |
|---|---|---|---|---|
| `john@quantumwms.com` | Member | Business Premium (SPB) | **No** | Under spray attack; Office activated 5/27 |
| `sheila@quantumwms.com` | Member | Business Premium (SPB) | **No** | 8 sign-ins all clean; Office activated 5/27 |
| `sysadmin@quantumwms.com` (Mike) | Global Admin | none | Yes (Authenticator + TOTP) | Daily admin |
| `breakglass@…onmicrosoft.com` | Global Admin | none | No (by design) | Emergency, CA-excluded, vaulted |

- **SubscribedSkus:** 2× SPB (Business Premium), both consumed. Matches plan. [OK]
- **App suite:** all 5 ComputerGuru apps consented w/ correct directory roles. [OK]
- **Mailboxes:** John & Sheila — no forwarding, no inbox rules (mailboxes still near-empty; mail not yet cut from Intermedia). [OK]

## Security controls — the gap

- **Security Defaults: ON** — but only protects users who have **registered** MFA. Neither real user has → MFA is effectively **not protecting John or Sheila** yet.
- **3 Conditional Access policies, all `enabledForReportingButNotEnforced`** (enforcing nothing):
  - CA001 Require MFA (all users) — excludes break-glass
  - CA002 Block legacy auth — excludes break-glass
  - CA003 Block sign-in outside United States — excludes break-glass

## Minor / benign

- `admin@quantumwms.onmicrosoft.com`: 2 successful Admin-portal logins 5/27 from Leesburg VA, but user **no longer exists** (`Request_ResourceNotFound`) — Pax8 provisioning admin, since removed. Benign.

## 6/03 deadline status (M365 Personal lapse)

**Deadline-critical objective MET** — both users Business-Premium licensed AND Office activated (signed into Microsoft Office from the office 5/27). They will not lose Office apps on 2026-06-03.

## Recommendations (no action taken)

1. **Force-reset John's password** (strong/random, `forceChangePasswordNextSignIn = true`) — weak, sprayed, and in a plaintext log.
2. **Drive John + Sheila through MFA registration** — until then Security Defaults shields neither.
3. **Enforce CA001 (require MFA) + CA003 (block non-US) now** — would hard-block 100% of observed attacks; break-glass already excluded. (Hold CA002 block-legacy until after mail cutover per original plan.)
4. Watch for John hitting smart-lockout before the licensing/migration work.
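The spray pattern behind the headline finding (many failures, almost every one from a different IP, successes only from known office addresses) can be checked mechanically over the exported sign-in JSON rather than by eye. This is an added example, not the reviewer's tooling or the ComputerGuru app; it assumes records shaped like Microsoft Graph `signIns` entries and uses constructed sample data.

```python
"""Summarise Graph sign-in records to spot a distributed password spray.

Added example, not the reviewer's tooling. Records mimic Microsoft Graph
`signIns` entries (userPrincipalName, ipAddress, status.errorCode): 0 = success,
50053 = blocked (malicious IP / smart lockout), 50126 = bad password.
"""
from collections import Counter, defaultdict


def _rec(upn, ip, code):
    return {"userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: john has one office success, eleven 50053 blocks from
# eleven distinct datacenter IPv6 addresses and one 50126 password guess;
# sheila has two clean office logins.
SAMPLE_SIGNINS = (
    [_rec("john@quantumwms.com", "69.254.197.173", 0)]
    + [_rec("john@quantumwms.com", f"2600:3c02::{i}", 50053) for i in range(11)]
    + [_rec("john@quantumwms.com", "130.193.15.79", 50126)]
    + [_rec("sheila@quantumwms.com", "69.254.197.173", 0)] * 2
)


def summarise(signins, min_failures=10, min_ip_ratio=0.8):
    """Per-user counts; 'spray' is set when most failures come from distinct IPs."""
    users = defaultdict(lambda: {"ok": 0, "fail": 0, "codes": Counter(),
                                 "fail_ips": set(), "ok_ips": set()})
    for rec in signins:
        u = users[rec["userPrincipalName"].lower()]
        code = rec.get("status", {}).get("errorCode", 0)
        ip = rec.get("ipAddress", "")
        if code == 0:
            u["ok"] += 1
            u["ok_ips"].add(ip)
        else:
            u["fail"] += 1
            u["fail_ips"].add(ip)
            u["codes"][code] += 1
    out = {}
    for upn, u in users.items():
        n_fail, n_ips = u["fail"], len(u["fail_ips"])
        out[upn] = {
            "success": u["ok"], "failures": n_fail, "unique_fail_ips": n_ips,
            "codes": dict(u["codes"]),
            # many failures, almost all from different IPs -> distributed spray
            "spray": n_fail >= max(min_failures, 1) and n_ips / n_fail >= min_ip_ratio,
            # a success from an IP that also failed is the compromise signal to chase
            "success_from_failing_ip": sorted(u["ok_ips"] & u["fail_ips"]),
        }
    return out
```

Pointing `summarise` at the records loaded from `signins/all.json` reproduces the headline table's failure-code split and unique-IP count, and an empty `success_from_failing_ip` list is the basis for the "NOT breached" verdict.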