---
type: client
name: kittle
display_name: Kittle Design & Construction LLC
last_compiled: 2026-06-09
compiled_by: GURU-5070/claude-main
sources:
  - wiki/clients/kittle.md
  - wiki/clients/kittle-design.md
  - clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md
  - clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-ach-fraud-ic3.md
  - clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md
  - clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md
  - clients/kittle/reports/2026-06-08-breach-check.md
  - clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md
  - clients/kittle-design/session-logs/2026-04-24-session.md
  - clients/kittle/docs/overview.md
  - clients/kittle/docs/servers/server.md
  - clients/kittle/docs/network/topology.md
  - clients/kittle/docs/network/firewall.md
  - clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
backlinks:
  - "[[clients/kittle-design]]"
  - "[[projects/gururmm]]"
  - "[[clients/internal-infrastructure]]"
---

# Kittle Design & Construction LLC

## Profile

- **Business type:** General contractor / design-build (construction)
- **Contract type:** Break-fix
- **Syncro customer ID:** 32460233
- **Managed devices (Syncro assets):** 2
- **Open tickets:** 0 (all June 2026 incident tickets Invoiced/Resolved as of 2026-06-09)
- **Billing rate:** (verify — Labor - Remote Business, product_id 1190473 observed)
- **Hours remaining:** N/A (Break-fix, no prepaid block)
- **Address:** 2539 N Balboa Ave #125, Tucson, AZ 85705
- **Phone:** 520.299.0404 | **Fax:** 520.299.0477
- **Website:** kittlearizona.com
- **Status:** Active — ongoing post-incident hardening

### Key Contacts

| Name | Title | Email | Notes |
|------|-------|-------|-------|
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | Was Global Admin; roles stripped during incident; re-add an appropriate admin role once fully cleared |
| Kimberly Ross ("Kim") | Office Admin | admin@kittlearizona.com | Admin@ mailbox; MFA reset 2026-06-09 to phone-only |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account (AD: accountant); impersonated by attacker during ACH fraud — (verify: internal employee or external contractor?) |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Replaced Wrex; FullAccess + SendAs to Wrex's former shared mailbox |
| Lori Schagel | (verify role) | Lori@kittlearizona.com | Had 10 pre-existing admin roles incl. GA — stripped and downscoped to User Administrator 2026-06-08 |
| Alexis Schagel | (verify role) | alexis@kittlearizona.com | Compromised in April 2026; remediated |
| Marco Fragoso | Employee | marco@kittlearizona.com | Compromised June 2026; password reset + sessions revoked 2026-06-09 |
| Hayden Schagel | Employee | hayden@kittlearizona.com | |
| Scott Zehner | Employee | scott@kittlearizona.com | Phone-only MFA (no Authenticator) |
| Howard Enos | MSP Tech (ACG) | — | AD account: sysadmin (Domain Admin) |

**Additional M365 users (licensed):**

- Office 365 E3 (No Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
- Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner

---

## Infrastructure

### Servers

| Hostname | IP | OS | Role | Hardware | Notes |
|----------|----|----|------|----------|-------|
| SERVER (asset: SERVER2021) | 10.0.0.5 | Windows Server 2025 Standard **EVALUATION** | Primary DC, DNS, File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Check: `slmgr /dlv` |

**[WARNING] NO BACKUP EXISTS.** No Windows Server Backup, no third-party agent, no cloud backup. SERVER is the only DC; failure = loss of AD, DNS, file shares, and QuickBooks data permanently.

**SERVER storage:**

| Drive | Label | Size | Notes |
|-------|-------|------|-------|
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |

### Workstations

| AD Name | OS | Notes |
|---------|----|-------|
| FRONTDESK | Windows 11 Pro | Syncro asset id 11122225 |
| ACCOUNTING | Windows 11 Pro for Workstations | `accountant` role account |
| CHRISTINE-WIN10 | Windows 11 Pro | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | Was Wrex — now Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | User unknown — needs onsite correlation + rename |

### Active Directory

- **Domain:** kittle.lan (NetBIOS: KITTLE)
- **Domain Admins:** Administrator, sysadmin (ACG)
- **Total domain users:** 12 (including joshua.sutherland added 2026-05-08)
- **Total workstations:** 7

**[WARNING]** Role-based AD accounts (`accountant`, `frontdesk`) should be replaced with individual named accounts.

**[WARNING]** Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) have unconfirmed user-to-machine mapping.

### Installed Software (SERVER)

| Software | Notes |
|----------|-------|
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to ACCOUNTING workstation; data at C:\Shares\Home\QBooks |
| ScreenConnect | Remote access agent |

**ScreenConnect note:** Command runner defaults to `cmd` context — PowerShell scripts MUST be prefixed with `#!ps` or they fail silently.
### Network

- **Subnet:** Single flat 10.0.0.0/24 — no VLANs, no segmentation
- **Gateway:** 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
- **Switch:** UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
- **~31 devices** on network (most unidentified)

**[WARNING] NO dedicated firewall.** ISP router is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. Recommendation: Deploy pfSense or commercial UTM (FortiGate, SonicWall).

**DHCP:** [WARNING] Runs on ISP router (10.0.0.1), NOT on SERVER. Windows DHCP role installed on SERVER but has zero scopes. Unknown what DNS server is handed out via DHCP — AD name resolution may be broken for domain clients.

**Internal DNS:** Windows DNS on SERVER (10.0.0.5), AD-integrated. Forwarder: 10.0.0.1 only. No reverse lookup zone. No secondary forwarder.

**External DNS (kittlearizona.com):** Hybrid NSOne + Squarespace nameservers.

### File Shares (SERVER)

| Share | Path | Notes |
|-------|------|-------|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON / SYSVOL | (default) | AD logon scripts / Group Policy |

**GPO Note:** HomeFolder GPO drive map MUST stay as `Update` (not `Replace`). Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.
---

## Cloud / M365

### Tenant

| Field | Value |
|-------|-------|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Entra licensing | **Entra ID P2** (P2 added 2026-06-09; was Business Premium / P1 only before) |
| Admin portal | https://admin.microsoft.com |

### Licensing (as of 2026-06-09)

| License | Qty |
|---------|-----|
| Microsoft 365 Business Standard (BUSINESS_PREMIUM) | 12 |
| Office 365 E3 No Teams | 4 |
| Entra ID P2 | (added 2026-06-09 by Mike — qty covers all users) |

ACG `sysadmin` account is unlicensed.

### Security Posture (post-hardening, 2026-06-09)

| Control | Status |
|---------|--------|
| Security Defaults | **DISABLED** (replaced by CA 2026-06-09) |
| Conditional Access | **ENFORCED** — three policies active (see below) |
| Legacy auth (IMAP/POP/EAS) | Still enabled tenant-wide — [WARNING] disable |
| DKIM | **MISSING** — HIGH PRIORITY |
| DMARC | **MISSING** — HIGH PRIORITY |
| Entra P2 / Identity Protection | Available as of 2026-06-09 |

**Conditional Access policies (active as of 2026-06-09):**

- `ACG - Require MFA for all users` — enforced; break-glass `sysadmin@` excluded
- `ACG - Block legacy authentication` — enforced; sysadmin@ excluded
- `ACG - Block non-US sign-ins` — enforced; named location "United States (ACG)"; sysadmin@ excluded

### Email DNS (kittlearizona.com)

| Record | Status | Value |
|--------|--------|-------|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |

External DNS registrar: Unknown — needs identification.
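To make the interaction of the three Conditional Access policies concrete, here is a small evaluator that applies constructed versions of them to constructed sign-in attempts. This is an added illustration, not an export from the Kittle tenant and not ACG tooling: the `Policy` objects are built from the one-line descriptions above, the `SignIn` records (users, countries, client app types) are made up, and the assumption that the MFA policy targets only browser and modern clients (leaving legacy clients to the block policy) is mine. Client app type names follow the Graph `conditionalAccessClientApp` enum.

```python
"""Toy Conditional Access evaluator for the three ACG policies listed above.

Added illustration, not an export from the Kittle tenant: the policy objects are
constructed from the page's one-line descriptions, and the sign-ins are made up.
Client app type names follow the Graph conditionalAccessClientApp enum.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

BREAK_GLASS = "sysadmin@kittlearizona.com"  # excluded from all three policies, per the page
MODERN = {"browser", "mobileAppsAndDesktopClients"}
LEGACY = {"exchangeActiveSync", "other"}  # "other" = IMAP/POP/SMTP basic auth and legacy token flows


@dataclass
class Policy:
    name: str
    client_apps: Set[str]                          # client app types the policy targets
    grant: str                                     # "block" or "mfa"
    excluded_users: Set[str] = field(default_factory=lambda: {BREAK_GLASS})
    allowed_countries: Optional[Set[str]] = None   # "all locations except <named location>" when set


@dataclass
class SignIn:
    user: str
    client_app: str      # one of MODERN | LEGACY
    country: str         # ISO country of the source IP, as a GeoIP lookup would give (constructed)
    mfa_satisfied: bool = False


POLICIES = [
    # Assumption: the MFA policy targets modern clients only; legacy clients cannot
    # satisfy MFA and are handled by the block policy below.
    Policy("ACG - Require MFA for all users", MODERN, "mfa"),
    Policy("ACG - Block legacy authentication", LEGACY, "block"),
    Policy("ACG - Block non-US sign-ins", MODERN | LEGACY, "block", allowed_countries={"US"}),
]


def applies(policy: Policy, s: SignIn) -> bool:
    """True when every condition of the policy matches the sign-in."""
    if s.user in policy.excluded_users:
        return False
    if s.client_app not in policy.client_apps:
        return False
    # Location condition modelled as "all locations except the named US location".
    if policy.allowed_countries is not None and s.country in policy.allowed_countries:
        return False
    return True


def evaluate(s: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return ("block" | "mfa_required" | "allow", [names of the policies that decided]).

    As in Entra, a matching block grant wins over any grant that requires controls.
    """
    blocks = [p.name for p in policies if p.grant == "block" and applies(p, s)]
    if blocks:
        return "block", blocks
    needs_mfa = [p.name for p in policies
                 if p.grant == "mfa" and applies(p, s) and not s.mfa_satisfied]
    if needs_mfa:
        return "mfa_required", needs_mfa
    return "allow", []


SAMPLE_SIGNINS = [  # constructed; the first mirrors the incident's IMAP/python-httpx access pattern
    SignIn("ken@kittlearizona.com", "other", "US"),
    SignIn("ken@kittlearizona.com", "browser", "US"),
    SignIn("ken@kittlearizona.com", "browser", "US", mfa_satisfied=True),
    SignIn("ken@kittlearizona.com", "browser", "NG", mfa_satisfied=True),
    SignIn(BREAK_GLASS, "other", "NG"),
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        verdict, names = evaluate(s)
        print(f"{s.user:28} {s.client_app:28} {s.country} mfa={s.mfa_satisfied} -> {verdict} {names}")
```

Two of the sample sign-ins show the limits of this policy set rather than its strengths: a browser sign-in with MFA from a US exit (the incident's 64.44.131.168 is a Chicago hosting/VPN address) passes the geo policy, so the legacy-auth block and the MFA requirement carry the real weight; and the break-glass exclusion means `sysadmin@` is protected by nothing but its credential, which is why that account's password strength and sign-in monitoring matter.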
### MSP App Service Principals (in-tenant)

| App | SP Object ID (in Kittle tenant) | Role |
|-----|----------------------------------|------|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | (including JIT Privileged Authentication Administrator — MUST be removed; see Open Items) |
| ComputerGuru AI Remediation | 2fd24cfa-8533-460f-9cbb-53cc4a32d3f5 | — |

### SharePoint / OneDrive

Confirmed clean post-incident (2026-06-08): no attacker-created files, pages, or external sharing links.

---

## GuruRMM

| Field | Value |
|-------|-------|
| Client name | Kittle Design & Construction LLC |
| Client ID | d8b08837-78e0-441e-b824-e0abbf0254ed |
| Client code | KITTLE |
| Site name | Main Office |
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
| Site code | SILVER-HAWK-7639 |
| API key (enrollment) | Vault: `clients/kittle/gururmm-site-main.sops.yaml` |
| Dashboard | https://rmm.azcomputerguru.com |

GuruRMM client + site created 2026-05-08 (Howard onsite).
Agent deployment in progress:

- SERVER (SERVER2021) — agent install initiated 2026-05-08; confirm enrolled
- Workstations — rollout pending; deploy to FRONTDESK + others

---

## Access

- **RDP / Remote (SERVER):** ScreenConnect (installed) | `\\10.0.0.5` on-prem
- **M365 Admin Portal:** https://admin.microsoft.com (tenant: kittlearizona.com)
- **Entra Portal:** https://entra.microsoft.com
- **GuruRMM Dashboard:** https://rmm.azcomputerguru.com (site: SILVER-HAWK-7639)
- **Vault path (M365 incident credentials):** `clients/kittle/m365-ken-schagel-incident.sops.yaml`
- **Vault path (GuruRMM enrollment key):** `clients/kittle/gururmm-site-main.sops.yaml`
- **Vault path (SERVER admin):** `clients/kittle/server2021.sops.yaml` (migrate from Syncro plaintext — see Open Items)
- **Known Outlook accounts in Syncro notes (plaintext — migrate to vault):** kittletucson@outlook.com, kittletucson2@outlook.com

**[WARNING]** SERVER admin password and Outlook credentials are currently stored as plaintext in Syncro customer notes. Migrate to vault and strip from Syncro.

---

## BEC / ACH Fraud Incident — June 2026

This section documents the major Business Email Compromise and attempted ACH payment-redirection fraud of June 2026. It is the canonical incident record; detail sources are listed in the frontmatter.

### Incident Summary

A nation-state or organized-crime threat actor compromised Ken Schagel's Microsoft 365 account (entry point: credential theft in or before April 2026) and used it to attempt ACH payment-redirection fraud against two Arizona government agencies — the City of Tucson (invoices totaling $130,000+) and the Town of Marana. **The fraud was PREVENTED; no funds moved.** The FBI IC3 complaint was filed 2026-06-09 (Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`).

### Root Cause and Entry Point

Ken Schagel's credentials were compromised on or before April 2026.
The evidence: an IMAP legacy-auth OAuth consent (app 9b504397) was granted FROM Ken's account object ID (`5fc37e1a`) in April 2026. The **April 2026 remediation session revoked that OAuth consent but did not reset Ken's password or revoke his sessions.** As a result, the attacker retained valid credentials and persisted undetected for approximately two months until the June 2026 breach.

Access method: legacy IMAP/OAuth using Microsoft Desktop app `d3590ed6-52b3-4102-aeff-aad2292ab01c` with python-httpx/0.28.1, bypassing MFA (Security Defaults only; no Conditional Access; IMAP/POP/EAS enabled on all mailboxes).

The original phishing lure that stole Ken's credentials is not forensically recoverable (mailbox dumpster retention does not go back to the infection date).

### Attack Timeline

| Date/Time (UTC) | Event |
|-----------------|-------|
| 2026-04 (approx) | Ken's credentials stolen (proven via IMAP consent granted from Ken's object ID). April remediation revokes consent but does NOT reset password — attacker persists. |
| 2026-04-23 | ACG April breach check: Alexis fully remediated. Ken's "Admin" inbox rule classified [INFO] (not [WARNING]). Incomplete remediation. |
| 2026-06-05 ~11:52 UTC | Attacker inserts `Accounting.kittlearizona@gmx.com` into live Kittle↔City of Tucson invoice thread (thread poisoning, 3 days before main breach). |
| 2026-06-08 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise. |
| 2026-06-08 13:24 | **[BREACH START]** Attacker OWA login from 64.44.131.168 (Chicago IL, AS20278 Nexeon Technologies — VPN/hosting). |
| 2026-06-08 13:37 | Ken's T-Mobile phone accesses account legitimately (Ken is unaware of compromise). |
| 2026-06-08 14:51–21:09 | Attacker accesses Accounting@ mailbox as delegate (Ken had FullAccess to Accounting) — 21 MailItemsAccessed events across Inbox\Customers, Assured Partners, Employees, Sent, Deleted. |
| 2026-06-08 15:32 / 16:14 | Attacker sends two "test" emails from OWA. |
| 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 | Attacker sends fraudulent "EFT UPDATE" / ACH banking-change emails from Accounting@ (SendOnBehalf) to Randi Arnett at City of Tucson BSD/AP. Hard-deletes the thread from both Ken@ and Accounting@ after each send to conceal. |
| 2026-06-08 18:36–18:53 | Contact harvest: python-httpx/0.28.1 from Azure IP 40.126.41.96, 250+ MailItemsAccessed events. |
| 2026-06-08 21:14–21:26 | Phishing blast: 1,000 "Ken Schagel shared a file with you" (fake OneDrive lure) sent in 5 batches from 45.134.224.220 (Kansas City MO, AS147049 PacketHub S.A.). 747 delivered, 227 bounced. Phishing link: `flowinnactuators.com/work.html` (credential harvesting). |
| 2026-06-08 ~21:30 | Howard (ACG) receives phishing email — incident detected. |
| 2026-06-08 21:41 | Mike manually blocks Ken's sign-in in Entra portal, sets temp password. |
| 2026-06-08 ~22:00 | ACG investigation and remediation begins. 5 malicious inbox rules deleted. Lori's 10 admin roles stripped. 740 victim-notification emails sent from admin@ via EWS SOAP. |
| 2026-06-09 (morning) | ACG discovers the ACH fraud angle via audit-log + message-trace analysis; recovers deleted fraud emails + the BSD ACH APPLICATION.pdf from Recoverable Items dumpster. |
| 2026-06-09 | Discovery of marco@ compromise: 2 additional hidden inbox rules filtering Marana AP emails and internal accounting/ken emails. Marco had sent fraudulent "Application for Payment" and "EFT Form Update" emails to the Town of Marana AP (delivered ~17:05 UTC 2026-06-09). |
| 2026-06-09 | Kittle (Darline Cabrera) contacts City of Tucson: **City stops the payment — no funds transferred.** Marana also confirms no ACH cleared after a human contact from Kittle. Attacker had also phoned Marana (vishing) to pressure the change. |
| 2026-06-09 12:46 PM EST | FBI IC3 complaint filed. Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`. |
| 2026-06-09 | Conditional Access deployed (Security Defaults disabled, CA enforced). Entra P2 added. |
| 2026-06-09 | Ken's password reset in person on-site by Mike. |

### Targeted Payers and Financial Exposure

**City of Tucson (BSD/AP):**

- Contact in fraud thread: Randi Arnett (Finance Manager, Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov
- Fraudulent ACH/EFT banking-change form (BSD ACH Application) submitted impersonating Darline Cabrera (bookkeeper)
- Exposed invoices: #31468 ($123,776.75 — MMC Generator Upgrade), #31400 (~$8,818 — COT Knights Inn Fire Suppression, EFT scheduled 2026-06-09), #31453 ($41,231 — due 2026-06-28)
- **Total identified exposure: $130,000+** (all future City-of-Tucson payments would have been redirected by an approved ACH change)
- **OUTCOME: City stopped payment before any transfer. $0 actual loss.**

**Town of Marana:**

- Contacts targeted: accountspayable@maranaaz.gov, mmurray@maranaaz.gov, sfields@maranaaz.gov
- Fraudulent "Application for Payment" + "EFT Form Update" emails sent FROM marco@ 2026-06-09
- Attacker also phoned Marana (vishing from phone 659-221-9243) to pressure the bank change
- **OUTCOME: Fraud prevented. No ACH cleared.**

**Mule (fraudulent receiving) accounts:**

| Bank | Routing | Account | Name |
|------|---------|---------|------|
| Truist Bank | 053201607 | 1410020505238 | "Kittle Design & Construction" (fraudulent) |
| First State Bank of East Detroit (MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED |
| JPMorgan Chase Bank, N.A. | 021000021 (wire) / 072000326 (ACH) | 2906183268 | FOAM FACTORY INCORPORATED |

Kittle confirmed it has no relationship with Foam Factory Incorporated.

### Attacker Infrastructure

| IP / Domain | Type | Use | Notes |
|-------------|------|-----|-------|
| 64.44.131.168 | IP | OWA access, fraud email sends, evidence deletion | Chicago IL, AS20278 Nexeon Technologies (VPN/hosting) — CA blocked |
| 45.134.224.220 | IP | Phishing blast (1,000 emails) | Kansas City MO, AS147049 PacketHub S.A. — CA blocked |
| 40.126.41.96 | IP | Contact harvest via python-httpx | Microsoft Azure — CA blocked |
| 66.179.30.87 + IPv6 | IP | (threat-intel: nation-state indicator) | CA blocked |
| Accounting.kittlearizona@gmx.com | Email | Thread poisoning / reply-chain hijack | GMX free account; inserted into Kittle↔City invoice thread 2026-06-05 |
| kittlarizona.com | Lookalike domain | Attacker CC reply address (missing 'e') | Namecheap registrar / Zoho email hosting; registered 2026-06-09 15:34 UTC; blocked in-tenant + abuse reports to Zoho + Namecheap |
| tucsonoz.com | Lookalike domain | Impersonating tucsonaz.gov | PublicDomainRegistry / Titan email hosting; used in fraud email (randi.arnett@tucsonoz.com) — blocked in-tenant + abuse reports |
| (659) 221-9243 | Phone | Vishing — pressured Marana to process bank change | Listed on fraudulent ACH form |
| d3590ed6-52b3-4102-aeff-aad2292ab01c | OAuth App | Microsoft Desktop app used for IMAP/token access | First-party app ID, not malicious by itself; used with stolen credentials + python-httpx |

### Malicious Artifacts Removed

**Inbox rules (6/8 — 5 rules across 3 mailboxes):**

| Mailbox | Rule Name | Action | Discovered |
|---------|-----------|--------|------------|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds (Priority 1) | 2026-06-08 — suppressing ALL inbound at discovery |
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds (Priority 2) | 2026-06-08 — suppressing ALL inbound at discovery |

**Inbox rules (6/9 — 2 more on marco@):**

| Mailbox | Action | Subject filter |
|---------|--------|----------------|
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | "EFT Form Update" / "KDC - Application for Payment #1 Job No. 5654.25" / sender @maranaaz.gov |
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | Internal: accounting@, ken@ |

**Pre-existing April rule (not attacker-planted — confirmed 2026-06-08):**

- Ken "Christina Micek" rule — StopProcessingRules:true, no action/filter. Confirmed benign by Mike (2026-06-08 full sweep).

**OAuth grants revoked on alexis@ (2026-06-08):**

- PERFECTDATA app — Mail.ReadWrite, Files.ReadWrite (immediately revoked — clearly malicious)
- Alignable app — offline_access, User.Read, Contacts.Read (revoked at Mike's direction)

**April OAuth revocations (pre-incident, 2026-04-23):**

- c5df10ae AllPrincipals app — 7 grants deleted including Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- IMAP legacy auth app 9b504397 — IMAP.AccessAsUser.All (consented by Ken's account object; password NOT reset at the time — root cause of persistence)

**Privilege excess corrected:**

- Lori Schagel: 10 pre-existing admin roles (including Global Administrator) stripped 2026-06-08; re-assigned User Administrator only. Confirmed pre-existing (not attacker-planted) via directoryAudits.
- Ken FullAccess to Accounting@ removed (2026-06-09 remediation) — this delegate access was the vector for the attacker to operate the finance mailbox.
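The three behaviours that made the timeline above reconstructible from the Unified Audit Log (a send followed minutes later by a hard delete of the same item, a scripted user agent reading hundreds of items, and delegate reads of a mailbox the actor does not own) can be expressed as simple detections. The block below is an added example, not part of this page's evidence package or ACG's tooling: the audit records are constructed in a flattened shape (real `HardDelete` records carry the subject under `AffectedItems`, and `UserAgent` sits in `ExtendedProperties`), the Microsoft-range IP and the OWA/Outlook user agent strings are made up, and the harvest volume is reduced to 60 events; the attacker IPs and the `python-httpx/0.28.1` agent are the ones recorded in the timeline.

```python
"""Detection logic over constructed M365 Unified Audit Log records.

Added example, not part of the page or the MSP's tooling. The record shape is a
flattened approximation of a UAL export; IPs, user agents and timings are
constructed to mirror the incident timeline above.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

KEN, ACCT = "ken@kittlearizona.com", "accounting@kittlearizona.com"
OWA_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) OWA"          # constructed
OUTLOOK_UA = "Microsoft Office/16.0 (Windows NT 10.0; Outlook)"   # constructed
HARVEST_UA = "python-httpx/0.28.1"                                # as recorded in the timeline


def _ev(t, op, actor, mailbox, ip, ua, subject=None) -> Dict:
    """Build one flattened audit record (constructed shape, not the real UAL schema)."""
    return {"CreationTime": t if isinstance(t, datetime) else datetime.fromisoformat(t),
            "Operation": op, "UserId": actor, "MailboxOwnerUPN": mailbox,
            "ClientIP": ip, "UserAgent": ua, "Subject": subject}


SAMPLE_EVENTS: List[Dict] = [
    _ev("2026-06-08T09:03:00", "MailItemsAccessed", KEN, KEN, "52.96.0.10", OUTLOOK_UA),  # constructed MS IP
    _ev("2026-06-08T13:24:00", "UserLoggedIn", KEN, KEN, "64.44.131.168", OWA_UA),
    _ev("2026-06-08T14:51:00", "MailItemsAccessed", KEN, ACCT, "64.44.131.168", OWA_UA),
    _ev("2026-06-08T15:32:00", "Send", KEN, KEN, "64.44.131.168", OWA_UA, "test"),
    _ev("2026-06-08T15:52:00", "SendOnBehalf", KEN, ACCT, "64.44.131.168", OWA_UA, "EFT UPDATE"),
    _ev("2026-06-08T15:55:00", "HardDelete", KEN, ACCT, "64.44.131.168", OWA_UA, "EFT UPDATE"),
    _ev("2026-06-08T15:56:00", "HardDelete", KEN, KEN, "64.44.131.168", OWA_UA, "EFT UPDATE"),
] + [  # contact harvest: 60 reads in ~17 minutes from a scripted client (constructed volume)
    _ev(datetime.fromisoformat("2026-06-08T18:36:00") + timedelta(seconds=17 * i),
        "MailItemsAccessed", KEN, KEN, "40.126.41.96", HARVEST_UA)
    for i in range(60)
]

SEND_OPS = {"Send", "SendAs", "SendOnBehalf"}
SCRIPTED_UA_PREFIXES = ("python-", "curl/", "go-http-client", "okhttp")  # constructed watch-list


def send_then_hard_delete(events, window=timedelta(minutes=10)) -> List[Tuple]:
    """Sent item hard-deleted by the same actor within `window`: the evidence-destruction pattern."""
    hits = []
    sends = [e for e in events if e["Operation"] in SEND_OPS]
    deletes = [e for e in events if e["Operation"] == "HardDelete"]
    for s in sends:
        for d in deletes:
            gap = d["CreationTime"] - s["CreationTime"]
            if d["Subject"] == s["Subject"] and d["UserId"] == s["UserId"] and timedelta(0) <= gap <= window:
                hits.append((s["Subject"], s["UserId"], d["MailboxOwnerUPN"], int(gap.total_seconds())))
    return hits


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of (sorted) timestamps that fall inside any span of length `window`."""
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def scripted_bulk_access(events, min_events=50, window=timedelta(minutes=30)) -> List[Tuple]:
    """Non-interactive user agent reading many items in a short span (contact/mail harvest)."""
    groups: Dict[Tuple, List[datetime]] = {}
    for e in events:
        if e["Operation"] == "MailItemsAccessed" and e["UserAgent"].lower().startswith(SCRIPTED_UA_PREFIXES):
            groups.setdefault((e["UserId"], e["UserAgent"], e["ClientIP"]), []).append(e["CreationTime"])
    hits = []
    for (actor, ua, ip), times in groups.items():
        n = _max_in_window(sorted(times), window)
        if n >= min_events:
            hits.append((actor, ua, ip, n))
    return hits


def delegate_reads(events) -> List[Tuple[str, str]]:
    """Actor reading a mailbox it does not own: standing FullAccess in use."""
    return sorted({(e["UserId"], e["MailboxOwnerUPN"]) for e in events
                   if e["Operation"] == "MailItemsAccessed" and e["UserId"] != e["MailboxOwnerUPN"]})


if __name__ == "__main__":
    print("send -> hard-delete:", send_then_hard_delete(SAMPLE_EVENTS))
    print("scripted bulk access:", scripted_bulk_access(SAMPLE_EVENTS))
    print("delegate reads:", delegate_reads(SAMPLE_EVENTS))
```

The send-then-delete check deliberately matches on actor rather than mailbox, because in this incident the delete of the "EFT UPDATE" thread happened in both Ken@ and Accounting@; pairing only within one mailbox would have missed half of the cleanup. `MailItemsAccessed` requires the E3/E5 auditing level (Audit (Standard) records it for E3; Business Standard mailboxes may not emit it), which is worth confirming per tenant before relying on the bulk-access detection.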
### Remediation Actions Completed

| Action | Date | Status |
|--------|------|--------|
| Ken sign-in blocked + temp password set | 2026-06-08 | [OK] — vault: clients/kittle/m365-ken-schagel-incident.sops.yaml |
| Ken sessions revoked + all 10 admin roles stripped | 2026-06-08 | [OK] |
| Ken re-enabled; MFA verified clean | 2026-06-08 | [OK] — single iPhone 12 Pro Max, no attacker devices |
| Ken password reset in person on-site | 2026-06-09 | [OK] — prior temp values superseded/stale |
| Ken outbound-spam send restriction removed | 2026-06-09 | [OK] |
| 5 malicious inbox rules deleted (Ken x2, Alexis x1, Accounting x2) | 2026-06-08 | [OK] — Accounting mail flow restored immediately |
| Alexis PERFECTDATA + Alignable OAuth grants revoked | 2026-06-08 | [OK] |
| Lori 10 admin roles stripped → re-assigned User Administrator | 2026-06-08 | [OK] |
| Lori sessions revoked | 2026-06-08 | [OK] |
| 740 victim-notification emails sent from admin@ | 2026-06-08 | [OK] — via EWS SOAP; 7 automated addresses filtered |
| Wrex sessions revoked + password reset | 2026-06-08 | [OK] |
| marco@ 2 hidden inbox rules deleted | 2026-06-09 | [OK] |
| marco@ password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ (Kim) password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ MFA reset: added phone as default, removed Authenticator | 2026-06-09 | [OK] |
| Ken FullAccess to Accounting@ removed | 2026-06-09 | [OK] |
| Wrex offboarded: disabled, sessions revoked, mailbox → shared | 2026-06-09 | [OK] |
| Joshua FullAccess + SendAs to Wrex's former mailbox | 2026-06-09 | [OK] |
| kittlarizona.com blocked in Kittle tenant Allow/Block List | 2026-06-09 | [OK] |
| tucsonoz.com blocked in-tenant | 2026-06-09 | [OK] |
| Abuse reports sent: Zoho + Namecheap re: kittlarizona.com | 2026-06-09 | [OK] — awaiting takedown response |
| Security Defaults DISABLED; CA policies ENFORCED | 2026-06-09 | [OK] |
| Entra P2 added (all users) | 2026-06-09 | [OK] — Identity Protection now available |
| FBI IC3 complaint filed (aa2ef50482ca4c05a54ae0f6cb56ffa0) | 2026-06-09 | [OK] |
| Syncro tickets updated; billing applied | 2026-06-08/09 | [OK] |

### Incident Evidence (preserved by ACG)

All evidence retained locally at `C:\Users\guru\Downloads\Kittle-IC3-Package\` on GURU-5070:

- FRAUD_BSD_ACH_APPLICATION.pdf — fraudulent ACH change form submitted to City of Tucson (Truist bank details)
- Ken_ACH-FoamFactory.pdf — second ACH form (Foam Factory Inc accounts)
- recovered-fraud-emails.txt — full EFT UPDATE / ACH thread recovered from Recoverable Items dumpster
- attacker-audit-events.csv — 171-event M365 Unified Audit Log export
- IC3-fill-sheet.txt + IC3 complaint report PDF + BANK-FRAUD-NOTIFICATIONS PDF
- resolution-confirmation.txt — City of Tucson payment stop confirmation

---

## Patterns & Known Issues

### [CRITICAL PATTERN] Incomplete remediation = attacker persistence

**What happened:** April 2026 remediation revoked an IMAP OAuth consent that was provably granted by Ken's account. The correct response was: revoke consent + reset Ken's password + revoke Ken's sessions. Instead, only the consent was revoked. The attacker still had Ken's valid password, so they retained full OWA access for ~2 months until June 2026.

**Rule:** Whenever an OAuth consent or suspicious sign-in is attributed to a specific user account object ID, that account's password MUST be reset and all sessions revoked — not just the consent or the artifact. Revoking an OAuth consent while the underlying credential is still valid accomplishes nothing if the attacker can simply log in directly.

### [CRITICAL PATTERN] Signal misclassification: financial-platform inbox rule + legacy-auth consent = auto-[WARNING]

**What happened:** The April breach check classified Ken's "Admin" inbox rule (filtering Capital One + Bill.com + @flystucson.com) as [INFO] with "confirm with user" guidance.
Combined with the IMAP consent from the same user object, these two signals together should have triggered a mandatory [WARNING] and forced password reset — not an "ask Ken to confirm" deferral. "Confirm with the user" is unreliable when the account may already be compromised and the attacker can read incoming verification emails.

**Rule:** Financial-platform filtering inbox rule + legacy-auth IMAP consent from the same user object = treat as [WARNING] regardless of "could be legitimate" explanations. Escalate to password reset + session revocation. Do not defer to user confirmation without first containing the account.

### [PATTERN] Lookalike domain + reply-chain hijack + in-mailbox ACH fraud

This incident used a layered attack pattern:

1. Register a lookalike domain (kittlarizona.com vs kittlearizona.com) for reply-chain insertion.
2. Insert the lookalike address into a legitimate invoice email thread days before accessing the real mailbox (thread poisoning as of 2026-06-05, 3 days early).
3. Once inside the real mailbox, send from the REAL company email address (not the lookalike) for maximum legitimacy.
4. Hard-delete the evidence immediately after each send.
5. Supplement with vishing — phoning the target AP to verbally pressure approval.

**Rule:** ACH/bank-change requests received via email (even from a known email address) should ALWAYS require a callback to a pre-known phone number to verify. Email alone is insufficient authorization for banking changes, even from a trusted sender. The attacker was operating the real mailbox, not just spoofing it.

### [PATTERN] Dual-target simultaneous fraud

The attacker targeted TWO government AP departments simultaneously (City of Tucson from Ken/Accounting; Town of Marana from marco@), indicating prior reconnaissance of Kittle's active government billing relationships. Investigate the scope of the attacker's knowledge when post-mortems are conducted.
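The two [CRITICAL PATTERN] rules above, together with the rule shapes listed under "Malicious Artifacts Removed", can be encoded as a triage function so that the April misclassification cannot recur silently. The block below is an added example, not one of ACG's breach-check scripts: the inbox-rule and OAuth-consent records are constructed in the shapes the tables use (the April-era "Admin" rule with its three sender filters, the punctuation-named Accounting rule, a marco@-style "EFT Form Update" filter, the benign "Christina Micek" rule, and an ordinary vendor-sorting rule), the field names, watch-lists and `obj-*` object IDs are placeholders of my own, and the consent's app id is the truncated `9b504397` exactly as this page records it. It goes one step beyond the page's rule in one respect: a financial-platform filter that diverts mail to a hiding folder is flagged [WARNING] even when no legacy-auth consent is present.

```python
"""Inbox-rule and OAuth-consent triage following the [CRITICAL PATTERN] rules above.

Added example, not one of the page's own scripts. Records are constructed in the
shapes the "Malicious Artifacts Removed" tables use; field names, watch-lists and
the obj-* object IDs are placeholders.
"""
from typing import Dict, List

HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive", "conversation history"}
FINANCIAL_TERMS = ("capitalone", "capital one", "bill.com", "truist", "chase", "quickbooks",
                   "eft form", "eft update", "ach form", "ach application", "invoice", "payment", "banking")
LEGACY_AUTH_SCOPES = ("IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send", "EWS.AccessAsUser.All")


def _hidden_name(name: str) -> bool:
    """Names like '.', '..', '...' or blanks are chosen to be invisible in the rule list."""
    return name.strip() == "" or set(name.strip()) <= set(".-_")


def classify_rule(rule: Dict, consents: List[Dict]) -> Dict:
    """Return severity, reasons and the containment action for one inbox rule."""
    conditions = " ".join(rule.get("conditions", [])).lower()
    financial = any(t in conditions for t in FINANCIAL_TERMS)
    hide = (rule.get("move_to") or "").lower() in HIDING_FOLDERS
    silence = bool(rule.get("mark_as_read")) and bool(rule.get("stop_processing"))
    # Legacy-auth consents granted by the SAME user object that owns the mailbox.
    legacy = [c["app_id"] for c in consents
              if c["user_object_id"] == rule["owner_object_id"]
              and any(s in c["scopes"] for s in LEGACY_AUTH_SCOPES)]

    reasons = []
    if _hidden_name(rule["name"]):
        reasons.append("punctuation-only rule name")
    if hide and not rule.get("conditions"):
        reasons.append(f"moves ALL mail to {rule['move_to']} (inbox suppression)")
    elif hide:
        reasons.append(f"diverts filtered mail to {rule['move_to']}")
    if silence:
        reasons.append("MarkAsRead + StopProcessing")
    if financial:
        reasons.append("filters financial-platform mail")
    if financial and legacy:
        reasons.append(f"legacy-auth consent {legacy[0]} from the same user object")
    if rule.get("stop_processing") and not reasons:
        reasons.append("StopProcessing with no action or filter")

    if _hidden_name(rule["name"]) or (hide and not rule.get("conditions")) \
            or (financial and (legacy or hide or silence)):
        severity, action = "WARNING", "reset password, revoke sessions, delete rule"
    elif reasons:
        severity, action = "INFO", "review; do not rely on user confirmation alone"
    else:
        severity, action = "OK", "none"
    return {"mailbox": rule["mailbox"], "rule": rule["name"], "severity": severity,
            "reasons": reasons, "action": action}


def triage(rules: List[Dict], consents: List[Dict]) -> List[Dict]:
    return [classify_rule(r, consents) for r in rules]


KEN_OBJ, ACCT_OBJ, MARCO_OBJ, SCOTT_OBJ = "obj-ken", "obj-accounting", "obj-marco", "obj-scott"  # placeholders
SAMPLE_RULES = [  # constructed to mirror the rule shapes on this page
    {"mailbox": "ken@kittlearizona.com", "owner_object_id": KEN_OBJ, "name": "Admin",
     "conditions": ["from:capitalone.com", "from:bill.com", "from:@flystucson.com"],
     "move_to": "RSS Feeds", "mark_as_read": True, "stop_processing": True},
    {"mailbox": "accounting@kittlearizona.com", "owner_object_id": ACCT_OBJ, "name": "...",
     "conditions": [], "move_to": "RSS Feeds", "mark_as_read": False, "stop_processing": False},
    {"mailbox": "marco@kittlearizona.com", "owner_object_id": MARCO_OBJ, "name": "Filter",
     "conditions": ["subject:EFT Form Update", "from:@maranaaz.gov"],
     "move_to": "RSS Feeds", "mark_as_read": True, "stop_processing": True},
    {"mailbox": "ken@kittlearizona.com", "owner_object_id": KEN_OBJ, "name": "Christina Micek",
     "conditions": [], "move_to": None, "mark_as_read": False, "stop_processing": True},
    {"mailbox": "scott@kittlearizona.com", "owner_object_id": SCOTT_OBJ, "name": "Sort vendor mail",
     "conditions": ["from:@homedepot.com"], "move_to": "Vendors", "mark_as_read": False, "stop_processing": False},
]
SAMPLE_CONSENTS = [  # constructed; app id prefix as recorded on this page
    {"user_object_id": KEN_OBJ, "app_id": "9b504397", "scopes": ["IMAP.AccessAsUser.All"]},
    {"user_object_id": SCOTT_OBJ, "app_id": "alignable-placeholder", "scopes": ["offline_access", "User.Read", "Contacts.Read"]},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_RULES, SAMPLE_CONSENTS):
        print(f"[{r['severity']}] {r['mailbox']} rule {r['rule']!r}: {'; '.join(r['reasons']) or 'clean'} -> {r['action']}")
```

Run on the constructed records, the April-shaped "Admin" rule comes out [WARNING] with the IMAP consent listed as a reason, and it still comes out [WARNING] when the consent list is empty, because a rule diverting bank and billing notifications into RSS Feeds is the classic BEC pre-positioning move regardless of how the attacker authenticated. The "Christina Micek" shape lands at [INFO], matching the page's "benign but confirm" handling.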
### [PATTERN] No Conditional Access + legacy protocols enabled = MFA bypass

Security Defaults-only protection does not block legacy auth clients (IMAP, POP, EAS, MAPI over HTTP). The attacker used IMAP/OAuth to authenticate without triggering MFA. Without a `Block legacy authentication` CA policy, Security Defaults' MFA enforcement is trivially bypassed by any attacker who can consent or steal a legacy-auth token.

**Rule:** Every tenant in the ACG fleet should have at minimum a `Block legacy authentication` CA policy. The `Require MFA for all users` + `Block non-US` combination adds additional depth. Security Defaults alone is not sufficient for clients with financial operations.

### [PATTERN] Privilege excess amplifies BEC impact

Ken was Global Admin AND had standing FullAccess (delegate) to the Accounting/finance mailbox. With a single credential compromise, the attacker could operate as the owner AND the bookkeeper simultaneously. The attacker leveraged Ken's delegate access to send fraudulent bank-change forms from the bookkeeper's real identity (not the lookalike).

**Rule:** Owners and executives should not hold standing FullAccess to financial mailboxes. If access is genuinely needed, use JIT (just-in-time) access grants, not permanent delegate permissions. Separate the owner identity from the finance identity.

### [PATTERN] Evidence deletion + dumpster recovery

The attacker hard-deleted the entire fraud email thread from both mailboxes immediately after each send. The deleted emails + PDF attachment were recovered from the M365 Recoverable Items dumpster (30-day default retention) via Graph API. **The dumpster saved this investigation.** Without it, the ACH fraud angle would not have been discovered.

**Rule:** Always check the Recoverable Items dumpster (`/mailFolders/recoverableitemsdeletions/messages`) during any BEC investigation.
Attacker cleanup is incomplete — they can hard-delete from the mailbox but not from the dumpster without the purge permission they don't hold.

### [PATTERN] Lori GA exposure — pre-existing oversight

Lori Schagel had 10 admin roles including Global Administrator as a pre-existing condition, predating the incident by more than 30 days. Not attacker-planted. Two GA accounts on a 14-user small-business tenant represent unnecessary attack surface. If either is compromised, the other becomes the recovery path — but also becomes an extra target.

**Rule:** Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.

### [WARNING] IMAP/POP/EAS still enabled tenant-wide

Legacy protocols remain enabled as of 2026-06-09. The CA `Block legacy authentication` policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.

### [WARNING] ScreenConnect command runner defaults to `cmd` context

PowerShell scripts run via ScreenConnect MUST be prefixed with `#!ps`. `Invoke-WebRequest`, `ConvertTo-SecureString`, etc. silently fail without it.

### [WARNING] Do NOT run `Add-LocalGroupMember` on the DC

DCs have no local SAM; the command will fail with "Group Administrators was not found." Run on the target workstation instead.

### [WARNING] SERVER is the sole domain controller with no backup

Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No failover. No backup. Address before any other infrastructure work.

### [WARNING] QuickBooks Pro 2024 is on the DC

Do not migrate or decommission SERVER without a proper QuickBooks migration plan.
Data is at `C:\Shares\Home\QBooks`.

---

## Active Work

### CRITICAL — Residual Incident Items

- [ ] **Remove Privileged Authentication Administrator from Tenant Admin SP in Kittle Entra portal.** (JIT role granted during reset-password.sh for Ken reset on 6/9; script cannot self-remove; MUST be done manually at https://entra.microsoft.com.) See coord todo or track in Syncro.
- [ ] **Disable IMAP/POP/EAS tenant-wide** — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
- [ ] **Confirm bank freeze calls completed** (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
- [ ] **Re-add appropriate admin role to Ken** — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
- [ ] **alexis@ duplicate Authenticator cleanup** — entry `c927402a-75c6-4a55-840a-86d1eea43a9b` ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused.
- [ ] **Wrex license removal** — mailbox converted to shared, user disabled; free the Business Standard license.
- [ ] **Christina Micek inbox rule on Ken** — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
- [ ] **Warn Ken's phished external contacts** — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was `flowinnactuators.com/work.html` (credential harvesting). Formal notification recommended.
- [ ] **Run Entra P2 Identity Protection risky-users scan** — P2 now licensed; first risky-users sweep not yet run.
- [ ] **Confirm kittlarizona.com Zoho + Namecheap takedown** — abuse reports sent 2026-06-09; confirm suspension/removal.
- [ ] **Enable SSPR (Self-Service Password Reset) — portal-only mode** — reduces future recovery friction; limit to portal not mobile/email to avoid account-takeover via SSPR. - [ ] **Confirm City of Tucson follow-up** — exact invoice amounts (especially #31400 ~$8,818), written documentation of payment stop, any City-side IC3 filing. ### HIGH Priority — Infrastructure - [ ] **Activate Windows Server 2025 full license on SERVER** — evaluation expires 180 days from install; hourly shutdown after expiry. Check: `slmgr /dlv`. - [ ] **Implement backup for SERVER** — no backup of any kind. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi). - [ ] **Configure DKIM for kittlearizona.com** — guide at `clients/kittle/docs/email/dkim-dmarc-setup.md`. - [ ] **Add DMARC for kittlearizona.com** — start `p=none`, escalate to `p=quarantine` after 1 week clean. - [ ] **Migrate credentials from Syncro plaintext to SOPS vault** — SERVER admin, Outlook accounts. - [ ] **Migrate QuickBooks off the DC** — QB should run on ACCOUNTING workstation. - [ ] **Deploy dedicated firewall** — ISP router only; no stateful inspection. ### MEDIUM Priority - [ ] GuruRMM agent enrollment confirmation — confirm agents running on SERVER and workstations. - [ ] Lori GA review — discuss with Ken whether she needs any admin role; User Administrator is current scope. - [ ] Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5. - [ ] Replace role-based AD accounts (accountant, frontdesk) with individual named accounts. - [ ] Rename workstations with generic DESKTOP-xxx / WINDOWS-xxx names. - [ ] Identify and map 3 unknown workstations. - [ ] Investigate port 8019 on SERVER (likely QuickBooks or ScreenConnect). - [ ] Lori old Samsung S10+ Authenticator entry da5454c7 — remove if she's confirmed on current phone. - [ ] Enroll Scott in Microsoft Authenticator (phone-only MFA currently). 
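The mailbox-level IMAP/POP/EAS disable called out in the warning above and in the CRITICAL list, as an added Exchange Online PowerShell example (not a script from the Kittle session logs); it audits every mailbox, disables the three protocols, and changes the CAS mailbox plan so future mailboxes inherit the setting. The tenant name and the `-WhatIf` dry-run switch are assumptions.

```powershell
# Added example (not from the Kittle session logs). Requires the ExchangeOnlineManagement
# module and an Exchange Administrator role in the tenant. Run with -WhatIf first.
param(
    [string]$Organization = "kittlearizona.onmicrosoft.com",  # assumed tenant name
    [switch]$WhatIf
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Organization $Organization -ShowBanner:$false

# 1. Audit: which mailboxes (user and shared) still have a legacy protocol enabled?
$before = Get-CASMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled, ActiveSyncEnabled
$before | Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.ActiveSyncEnabled } |
    Format-Table -AutoSize

# 2. Disable on each mailbox that still has one enabled. Outlook mobile does not use EAS,
#    but a native mail app configured via ActiveSync would stop syncing; confirm before
#    running without -WhatIf. The CA policy stays in place; this is the second layer.
foreach ($m in $before) {
    if ($m.ImapEnabled -or $m.PopEnabled -or $m.ActiveSyncEnabled) {
        Set-CASMailbox -Identity $m.PrimarySmtpAddress `
            -ImapEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -WhatIf:$WhatIf
    }
}

# 3. Change the defaults so a mailbox created next week does not re-open the hole.
foreach ($plan in Get-CASMailboxPlan) {
    Set-CASMailboxPlan -Identity $plan.Identity `
        -ImapEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -WhatIf:$WhatIf
}

# 4. Verify: expect zero mailboxes left with any legacy protocol on (after a real run).
$after = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.ActiveSyncEnabled }
"Mailboxes with legacy protocols still enabled: $(@($after).Count)"

Disconnect-ExchangeOnline -Confirm:$false
```

Paste the audit table from step 1 and the step 4 count into the ticket so the checklist item can be closed with evidence.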
---

## History Highlights

| Date | Event |
|------|-------|
| 2026-04-16 | Client directory structure applied; onboarding started. |
| 2026-04-23 | ACG April M365 breach check (ticket #32207): Alexis hidden inbox rule + duplicate Authenticator remediated; malicious OAuth (c5df10ae AllPrincipals) + IMAP consent (9b504397, GRANTED BY KEN'S ACCOUNT) revoked. Ken "Admin" rule classified [INFO]; password NOT reset — **critical incomplete remediation that enabled 2-month attacker persistence.** |
| 2026-05-08 | Howard onsite: AD user joshua.sutherland created; GuruRMM client + Main Office site created; agent deployment begun. |
| 2026-06-08 | **BEC BREACH DAY.** Ken@ compromised via OWA (13:24 UTC) from Nexeon VPN IP. Attacker used Ken's FullAccess delegate to Accounting@ to send fraudulent ACH banking-change forms to City of Tucson. 1,000-recipient phishing blast sent; 747 delivered. ACG detects at ~21:30 UTC (Howard receives phishing email). Mike blocks Ken at 21:41. Full remediation overnight: 5 malicious inbox rules deleted, Lori's 10 admin roles stripped + re-scoped, 740 victim notifications sent. Syncro ticket #32393 opened. |
| 2026-06-08 (same day, pre-breach) | ACG full M365 security sweep (ticket #32394) confirms April remediation complete, SMTP forwarding clean on all 13 mailboxes. Sweep ran hours before the main breach was detected. |
| 2026-06-09 | ACH fraud discovered: attacker had sent fraudulent BSD ACH bank-change forms to City of Tucson; evidence hard-deleted but recovered from Recoverable Items dumpster. marco@ additional compromise found: 2 hidden inbox rules + fraudulent Marana AP emails. marco@ remediated. Kim (admin@) remediated. Wrex offboarded. CA hardening deployed (Security Defaults disabled, 3 CA policies enforced). Entra P2 added. FBI IC3 filed (#aa2ef50482ca4c05a54ae0f6cb56ffa0). Ken's password changed in person on-site. Tickets #32393/#32394 invoiced. |
| 2026-06-09 | **FRAUD PREVENTED.** City of Tucson stopped payment before any funds transferred (~$130,000+ exposure). Town of Marana confirms no ACH cleared. Attacker used phone (659-221-9243) for vishing against Marana. Total actual financial loss: $0. |

---

## Tickets (Incident-Related)

| Ticket | Description | Date | Status |
|--------|-------------|------|--------|
| #32207 | April M365 breach check + Alexis remediation | 2026-04-23 | Invoiced — 1.0 hr |
| #32393 | BEC incident — Ken phishing blast, initial remediation (rules, Lori, notifications) | 2026-06-08 | Invoiced |
| #32394 (ID: 112389608) | Full sweep (pre-incident) + CA hardening + marco remediation + ACH fraud investigation + IC3; 1.5h emergency remote | 2026-06-09 | Invoiced — 1.5h @ $225 = $337.50 (invoice 1650625794) |

---

## Backlinks

- [[clients/kittle-design]] — pre-merge article (April breach history); superseded by this article
- [[projects/gururmm]] — GuruRMM agents deployed to Kittle; active RMM client as of 2026-05-08
- [[clients/internal-infrastructure]] — ACG UniFi controller manages Kittle's UniFi switch