---
type: client
name: barbaragrygutis
display_name: Barbara Grygutis Sculpture LLC
last_compiled: 2026-05-29
compiled_by: GURU-BEAST-ROG/discord-bot
sources:
  - session-logs/2026-05-29-barbara-grygutis-m365-review.md
backlinks: []
---

# Barbara Grygutis Sculpture LLC

Artist / sculptor. ACG-hosted client. M365 tenant onboarded to ComputerGuru MSP app suite 2026-05-29.

---

## Profile

- **Primary email:** barbara@barbaragrygutis.com
- **Syncro customer ID:** 133348
- **Also in Syncro:** ID 641406 (email: grygutisstudios@dokotacom.net) — possible duplicate or secondary contact

---

## M365 / Identity

- **Domain:** barbaragrygutis.com
- **Tenant ID:** 25998ddc-49e6-4234-9396-6c152ce4ea69
- **MX:** barbaragrygutis-com.mail.protection.outlook.com (M365, NOT Neptune Exchange)
- **Licenses:** Exchange Online Plan 2, Power Automate Free
- **Account created:** 2021-12-22
- **Cloud-only:** Yes (no on-prem sync)

### MSP App Onboarding

Onboarded 2026-05-29. All 5 ComputerGuru tiered apps consented and directory roles assigned:

| App | Role Assigned |
|---|---|
| Security Investigator | Exchange Administrator |
| Exchange Operator | Exchange Administrator |
| Tenant Admin | Conditional Access Administrator |
| User Manager | User Administrator, Authentication Administrator |
| Defender Add-on | Skipped (no MDE license) |

---

## User Account: Barbara Grygutis

| Field | Value |
|---|---|
| UPN | Barbara@barbaragrygutis.com |
| Account enabled | Yes |
| User type | Member |
| Password last changed | 2021-12-24 (~4.5 years ago) |
| MFA device | iPhone 13 Pro Max (Microsoft Authenticator 6.8.1) |
| MFA phone | None registered |
| OAuth grants | EAS.AccessAsUser.All (Exchange ActiveSync — normal) |

---

## Security Status (as of 2026-05-29)

- **[WARNING] Active credential spray attack:** 100+ blocked attempts May 27-29, all blocked (error 50053 — malicious IP)
- **Attack infrastructure:** Tor exit nodes (185.220.101.x), Linode VPS (2600:3c02/3c03), Hurricane Electric tunnels, European proxy nodes (Germany)
- **Apps targeted:** Azure CLI, OfficeHome, Microsoft Online Services, One Outlook Web
- **Zero successful sign-ins** in 30-day log window
- **No mail forwarding configured**
- **No inbox rules found**
- **[CRITICAL] No Conditional Access policies on tenant** — no MFA enforcement, no legacy auth block
- **Auto-reply active** (scheduled) — may confirm account liveness to attackers

### Recommended Actions (pending)

- [ ] Confirm Barbara still controls the iPhone 13 Pro Max with Authenticator
- [ ] Force password reset
- [ ] Deploy CA: Require MFA for all users
- [ ] Deploy CA: Block legacy authentication
- [ ] Consider geo-restriction (US-only) given attack pattern

---

## History

| Date | Event |
|---|---|
| 2021-12-22 | Account created in M365 |
| 2021-12-24 | Password set (last change) |
| 2026-05-27 | Credential spray attack begins |
| 2026-05-29 | ACG onboarded tenant to MSP app suite; security review performed |