# John Trozzi — Spoof Email Report / Follow-up Breach Check

- **Date:** 2026-04-20
- **Tenant:** Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)
- **Subject:** John Trozzi (john.trozzi@cascadestucson.com, a638f4b9-6936-4401-a9b7-015b9900e49e)
- **Tool:** Claude-MSP-Access / ComputerGuru - AI Remediation (App ID `fabb3421-8b34-484b-bc17-e46de9703418`)
- **Scope:** Read-only (no remediation actions executed)
- **Trigger:** John told Mike he received a spoof email. He forwarded it to howard@azcomputerguru.com at 12:23 UTC today.

## Summary

- **No breach indicators.** John reported the phishing email himself — he is not a victim. He forwarded the message to Howard and then emailed Mike about it.
- **The phishing lure:** subject `"ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"` — classic DocuSign/fake-document-expiry style.
- **Mailbox posture is clean across all 10 checks:** zero inbox rules (including hidden), no forwarding, no delegates, no SendAs grants, no new OAuth consents in the attack window, all MFA methods predate the event, sign-ins are 100% Phoenix AZ.
- **Identity Protection `riskyUser.riskState = remediated`** from the prior 2026-04-16 incident (`userPerformedSecuredPasswordReset`). Current risk level `none`. That risk event is closed and unrelated to today's report.
- **Recommended next step:** confirm with John he did not click or enter credentials; block the sender tenant-wide; add to phish training examples. No account action required.

## Target details

| Field | Value |
|---|---|
| UPN | john.trozzi@cascadestucson.com |
| Object ID | a638f4b9-6936-4401-a9b7-015b9900e49e |
| Account Enabled | true |
| Created | 2022-02-18T18:31:39Z |
| Last Password Change | 2026-04-16T16:05:11Z (4 days ago, self-change after admin-initiated IR reset) |

## Per-check findings

### 1. Inbox rules (Graph) — CLEAN

`/users/{upn}/mailFolders/inbox/messageRules` → `value: []`. No rules.

### 2. Mailbox forwarding / settings — CLEAN

- `forwardingSmtpAddress`: null
- Mailbox settings: no forwarding configured.

### 3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox) — CLEAN

- `Get-InboxRule -IncludeHidden`: 0 rules beyond system defaults.
- `Get-MailboxPermission`: only NT AUTHORITY\SELF. No delegates.
- `Get-RecipientPermission` (SendAs): only NT AUTHORITY\SELF. No SendAs grants.
- `Get-Mailbox`: `ForwardingAddress=null`, `ForwardingSmtpAddress=null`, `DeliverToMailboxAndForward=null`.

### 4. OAuth consents + app role assignments — CLEAN

Single longstanding consent:

- **BlueMail** (clientId `3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e`)
  - Graph scope: `User.Read`
  - Exchange Online scope: `EAS.AccessAsUser.All Exchange.Manage`
  - App role assignment created 2022-02-18 (account creation day — legitimate and pre-dates any attack window).
- No new consents in the attack window.

### 5. Authentication methods — CLEAN (strong posture)

- Password (last changed 2026-04-16T16:05:11Z)
- Phone
- 2x Microsoft Authenticator
- FIDO2 security key

All non-password methods predate the 2026-04-16 IR event. No new method added in the attack window.

### 6. Sign-ins (30d, interactive) — CLEAN

- 12 sign-ins, all successful, all from **184.191.143.62 (Phoenix, AZ, US — CenturyLink/Qwest residential)**.
- 0 non-US sign-ins.
- Apps: Microsoft Authentication Broker, My Signins, Microsoft Account Controls V2 (all legitimate portal/auth flows).
- Devices: Android (Chrome Mobile) and Windows 10 (Chrome). Consistent with John's normal devices.

### 7. Directory audits (30d, filtered to John) — CLEAN

41 events, all clustered on 2026-04-16 and attributable to:

- `sysadmin@cascadestucson.com` (MSP admin running the IR reset)
- John himself (self-service password change post-reset)
- Microsoft system actors (Substrate Management, MFA StrongAuthenticationService)

No audit events in the last 3 days. No unauthorized changes.

### 8. Risky users / risk detections

- `riskyUser.riskLevel`: **none**
- `riskyUser.riskState`: **remediated**
- `riskyUser.riskDetail`: **userPerformedSecuredPasswordReset**
- `riskyUser.riskLastUpdatedDateTime`: 2026-04-16T15:45:55Z
- `riskDetections` (30d): **0**

The `remediated` flag is the closure marker for the prior 2026-04-16 incident. No new risk detections since.

### 9. Sent items (recent 25) — CLEAN + evidence of the report

Top of the list is John reporting the phishing to us:

| Sent (UTC) | Subject | To |
|---|---|---|
| 2026-04-20 12:26:51 | Spoof emails | mike@azcomputerguru.com |
| 2026-04-20 12:23:50 | Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d | howard@azcomputerguru.com |
| 2026-04-17 20:15:58 | 312 FLOORING 2OF 2 | prods_0478@homedepot.com |
| 2026-04-17 20:04:01 | 312 CABINETS 1 OF 2 | prods_0478@homedepot.com |
| 2026-04-17 19:58:12 | FW: Caregivers & medtech | howard@azcomputerguru.com |
| 2026-04-17 18:47:03 | Re: Model 1 Commercial Vehicles Follow Up | AFreer@model1.com |
| 2026-04-17 15:26:51 | RE: Cascades of Tucson - UE Revised Door Access Control Design Estimate | wpeterson@unwiredengineering.com |
| 2026-04-17 14:57:30 | Fw: Cascades of Tucson - UE Revised Door Access Control Design Estimate | mike@azcomputerguru.com |
| 2026-04-16 21:47:22 | Re: license upgrade | meredith.kuhn@cascadestucson.com (+ mike, howard, crystal) |
| ... | ... | ... |

All other outbound is legitimate vendor/internal business correspondence (Home Depot, Model 1, Unwired Engineering, internal Cascades, DirecTV). **No blast patterns, no external bulk sends, no credential-harvest style outbound.**

### 10. Deleted items (recent 25) — CLEAN

Normal marketing (Wayfair, BestBuy, Spotify, Floor & Decor), 8x8 voicemail notifications, vendor promotional email, and a few legitimate business messages.

**No deleted security alerts, MFA prompts, or password-reset confirmations** — the tells of an attacker cleaning their tracks are absent.

## Suspicious items

None arising from this check. The only noteworthy item is the phishing email itself, which John handled correctly (reported rather than clicked).

## Gaps — checks not completed

None. All 10 checks completed successfully. Exchange REST and Identity Protection permissions are both in place for this tenant after the 2026-04-16 remediation.

## Relationship to prior investigation

On 2026-04-16, John was flagged as a risky user and an IR sequence was executed (see `clients/cascades-tucson/reports/2026-04-16-john-breach-check.md`). That incident was remediated via self-service secured password reset.

Today's event is **separate** — John received a phishing email, recognized it, and reported it. No fresh compromise indicators.

## Next actions

1. **Talk to John** — confirm he did not click the link or enter credentials. Ask if he sees additional copies of the message or variations still arriving. If he did click, run `revoke-sessions` + force password reset immediately.
2. **Block the sender** — pull the original message headers from Howard's inbox; add sender domain to Exchange Online Tenant Allow/Block List or the anti-phish policy.
3. **Check other recipients** — query mail trace for the same Message-ID/subject across the tenant; if other Cascades users received the same lure, flag them for the same conversation.
4. **Add to phishing training catalog** — this is a textbook DocuSign-style impersonation. Worth using as a training example for staff.
5. **No account remediation required** at this time.

## Remediation actions

None executed. Read-only check.

## Data artifacts

Raw JSON at `/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/`:

- 00_user.json
- 01_inbox_rules_graph.json
- 02_mailbox_settings.json
- 03a_InboxRule_hidden.json
- 03b_MailboxPermission.json
- 03c_RecipientPermission.json
- 03d_Mailbox.json
- 04a_oauth_grants.json
- 04b_app_role_assignments.json
- 05_auth_methods.json
- 06_signins.json
- 07_dir_audits.json
- 08a_risky_user.json
- 08b_risk_detections.json
- 09_sent.json
- 10_deleted.json