---
type: client
name: kittle-design
display_name: Kittle Design & Construction
last_compiled: 2026-05-24
compiled_by: DESKTOP-0O8A1RL/claude-main
sources:
  - clients/kittle-design/session-logs/2026-04-24-session.md
---

# Kittle Design & Construction

## Overview

- **Business type:** Design & construction firm
- **M365 tenant:** kittlearizona.com
- **Billing model:** Time and materials [unverified — one ticket observed]
- **Billing rate:** Unknown (Labor - Remote Business, product_id 1190473)
- **Contract status:** Unknown
- **Syncro ticket:** #32207

## Contacts

| Name | UPN | Notes |
|---|---|---|
| Alexis | alexis@kittlearizona.com | Confirmed compromise — hidden inbox rule, duplicate Authenticator, password reset issued |
| Ken | Ken@kittlearizona.com | Suspicious inbox rule "Admin" (Capital One/Bill.com) — status unconfirmed as of session end |
| Lori | Lori@kittlearizona.com | Two Authenticator entries (different Samsung models — likely phone upgrade) |
| Scott | scott@kittlearizona.com | Phone-only MFA, no Authenticator enrolled |

## Infrastructure

- **On-premises servers/workstations:** Not documented.
- **Entra P1/P2:** NOT licensed — sign-in logs and Identity Protection unavailable.
- Token cache location (local): `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`

## Network

*(not documented)*

## Cloud / M365

| Property | Value |
|---|---|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Entra P1/P2 | No — sign-in logs unavailable |
| Exchange Admin role | Assigned to Security Investigator SP (manually) |

### Service Principals (Remediation Tool)

| App | SP Object ID | Role |
|---|---|---|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | *(role not documented)* |

> [WARNING] Alexis's temp password `KittleGwiNUK#2026` was in the session log. This is a force-change-on-login temp password issued 2026-04-23 — it should already be changed. Do not use. Store any active credentials in vault only.

### Alexis — Compromise Details

- **Hidden inbox rule "."** — was routing Howmet-related emails to Conversation History folder. Deleted.
- **Emails recovered** (moved back to inbox, HTTP 201):
  - "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
  - "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
  - "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
- **Duplicate Authenticator entries** — two entries, same device name "iPhone 12 Pro Max" but different app versions. Suspicious entry ID: `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40). Pending removal after confirmation from Alexis.
- **Sessions revoked** — revokeSignInSessions returned true.
- **Password reset** — temp password issued, force-change enforced.
- **User object ID:** `74a1eae1-c0dd-4544-a98f-3a18f809785a`
- **Exchange identity:** `alexis\2866869517449953281`

### OAuth Consents Revoked

**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted):
- Had Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes — extremely broad.

**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth — 1 grant deleted):
- IMAP.AccessAsUser.All, openid, offline_access — consented by unknown user.

## GuruRMM

*(not documented)*

## Active Projects / Open Items

| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove suspicious entry `c927402a` | Mike |
| P1 | Ask Ken: does he recognize the "Admin" inbox rule (Capital One, Bill.com, @flystucson.com)? If no → escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions) | Mike |
| P2 | Verify Alexis received temp password `KittleGwiNUK#2026` and has changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (currently phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business, product_id 1190473) | Mike |

## Key Events / History

### 2026-04-23/24 — Full M365 breach check and remediation

Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`

- Onboarded Exchange Operator and Tenant Admin apps (consent + role assignment).
- Exchange Administrator role was NOT assigned to Security Investigator at time of initial breach check — assigned manually during remediation. SMTP forwarding check was therefore incomplete during the breach check phase.
- Two high-severity findings: Alexis's hidden inbox rule and duplicate Authenticator.
- One unresolved finding: Ken's "Admin" rule — awaiting his response.
- Seven OAuth grants deleted from the AllPrincipals consent (c5df10ae) — very broad scopes including Directory.ReadWrite.All.

## Anti-Patterns / Warnings

- [WARNING] Ken's inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is unresolved. If Ken cannot explain it, treat as active compromise: password reset, session revocation, rule deletion, check financial accounts immediately.
- [WARNING] SMTP forwarding check was NOT completed — Exchange Admin role was missing on Security Investigator during initial sweep. Re-run SMTP forwarding check on all mailboxes.
- [WARNING] Kittle has NO Entra P1/P2 — sign-in log queries and Identity Protection risky user signals are unavailable. Rely on Exchange audit logs and consent audits only.
- Do not use the AllPrincipals consent app ID c5df10ae for anything — it was a malicious/overbroad app and all its grants have been revoked.

## Backlinks

- *(no related wiki articles yet)*