# Session Log - 2026-03-05

## Summary

Two major workstreams: Valley Wide Plastering BEC incident response and Bardach contacts cleanup continuation.

---

## 1. Valley Wide Plastering - BEC Incident Response

**Client:** Valley Wide Plastering (valleywideplastering.com)
**Tenant ID:** 5c53ae9f-7071-4248-b834-8685b646450f
**Reported Issue:** JR Guerrero (j-r@valleywideplastering.com) receiving reports that he is sending malicious emails

### Investigation Findings

- **Two malicious inbox rules** found: ".." (triggers on "box.com") and "." (catch-all) - both move to Archive, mark read, stop processing
- **Box.com phishing campaign**: Attacker shared malicious file "Valley Wide Plastering, INC......pdf" (Box file ID 2155046839008) via JR's identity to ~175 contacts
- **Attacker MFA device**: iPhone 12 Pro Max registered (JR has iPhone 16 Pro Max)
- **Attacker IPs**: 23.234.100.200 (Chicago, 30x), 23.234.100.73 (Chicago, 9x), 23.234.101.73 (Brooklyn, 5x)
- **447 messages** hidden in Archive by attacker rules

### Remediation Actions

- [x] Deleted both malicious inbox rules
- [x] Removed attacker MFA device (iPhone 12 Pro Max)
- [x] Moved 447 Archive messages back to Inbox
- [x] Password reset + force change (done by sysadmin)
- [x] All sign-in sessions revoked
- [x] Created Conditional Access policy "Block Sign-ins Outside US" (enforced)
  - Policy ID: db34605c-c778-4b37-bf25-9a3a7cdbee0c
  - Named location: "Allowed Countries - US Only" (14ea32d1-dd6f-4fb1-83f7-d6f840df82fa)
  - Excludes: sysadmin@ (break-glass)

### billing@ Investigation

- Attacker IPs appeared in sign-in logs but mailbox NOT compromised
- Inbox rules all legitimate, no malicious sent mail
- Password reset manually (API returned 403)
- Sessions revoked

### Phishing Victim Notification

- Extracted 133 unique victim email addresses from Exchange (125 external + 8 VWP internal)
- Sent notification email from JR's account (all victims in BCC) warning about malicious Box.com file
- HTTP 202 - accepted by Graph sendMail (queued for delivery; 202 is acceptance, not delivery confirmation)

### Outstanding

- [ ] Box.com file takedown (file ID 2155046839008)
- [ ] Confirm JR's MFA phone (+1 480-797-6102) is his
- [ ] Confirm billing's MFA phone (+1 619-244-8933) and Samsung S24
- [ ] Monitor for attacker IP recurrence (30 days)
- [ ] Review other VWP accounts - investigation flagged 11 of 33 with foreign sign-ins
- [ ] Consider universal MFA enforcement

### Files Created

- `temp/vwp_bec_jr.py` - JR investigation script
- `temp/vwp_bec_billing.py` - Billing investigation + remediation
- `temp/vwp_bec_investigation.py` - Full tenant investigation
- `temp/vwp_bec_results.json` - Raw investigation results
- `temp/vwp_extract_victim_emails.py` - Box notification parsing
- `temp/vwp_exchange_trace.py` - Exchange sent items search
- `temp/vwp_exchange_recipients.json` - Victim email addresses
- `temp/vwp_send_notification.py` - Notification email script
- `temp/vwp_bec_incident_notes.md` - Internal tracking notes

---

## 2. Bardach Contacts Cleanup (Continuation from 2026-03-03)

**Client:** Barbara Bardach (bardach.net)
**Tenant ID:** dd4a82e8-85a3-44ac-8800-07945ab4d95f
**User:** barbara@bardach.net

### Work Done Today

#### Internal Duplicate Cleanup

- Found 18 duplicate pairs in Main Contacts folder
- 3 required merging before delete (Akala Jacobson - email, Annette Rivas - email, Barbara Bardach - phone)
- 15 straight deletes (no unique data on duplicate)
- All 18 resolved, 0 errors

#### Reviewed Remaining Items

- 28 "duplicate notes" groups - analyzed and determined most are coincidental (spouse names like "Tom", "Rick" shared across unrelated contacts). Actual duplicate contacts already handled by dedup.
- 111 "promotable" phone numbers in notes - decided to skip. Numbers in notes may belong to a spouse/partner/colleague, not the contact. Can't safely auto-promote.
- 8 promotable emails - skipped for the same reason.
#### Email-to-Contact Gap Analysis (NEW)

- Scanned 12 months of email: 4,286 sent + 52,834 inbox messages
- Found 1,970 unique email addresses in mail
  - 412 already in contacts
  - 1,388 missing from contacts
- Filtered to 315 two-way correspondents (sent_count > 0)
- Further filtered to 32 real people with >= 4 message exchanges

#### Auto-Created Missing Contacts

- Created 32 new contacts from frequent email correspondents
- 19 of 32 had phone numbers extracted from email signatures
- Phone label mapping: Cell->mobilePhone, Office/Direct->businessPhones
- Fax numbers and Barbara's own number correctly filtered out
- Name parsing handled "Last, First" format and title suffixes

#### Client Summary Email

- Created `temp/bardach_contacts_summary_email.md` - plain-language summary for Barbara explaining all changes

### Final Contact Count: ~6,086

### Files Created

- `temp/bardach_main_dupes.py` - Duplicate analysis script
- `temp/bardach_main_dupes_analysis.json` - Duplicate analysis results
- `temp/bardach_main_dupes_fix.py` - Merge and delete script
- `temp/bardach_email_contacts_scan.py` - Email-to-contact gap scan
- `temp/bardach_missing_contacts.json` - Full missing contacts list
- `temp/bardach_missing_real_contacts.py` - Two-way correspondent filter + phone extraction
- `temp/bardach_missing_real_contacts.json` - Filtered results with phones
- `temp/bardach_create_missing_contacts.py` - Contact creation script
- `temp/bardach_contacts_summary_email.md` - Client-facing summary

---

## Credentials Used

### VWP (Valley Wide Plastering)

- Tenant: 5c53ae9f-7071-4248-b834-8685b646450f
- App: fabb3421-8b34-484b-bc17-e46de9703418 (Claude-MSP-Access)
- Secret: [redacted - client secret, not to be stored in session logs]
- JR ID: 0af923d0-48c5-4cc1-8553-c60625802815
- Billing ID: 4f708b80-e537-4f63-92d3-5feedfa28244

### Bardach

- Tenant: dd4a82e8-85a3-44ac-8800-07945ab4d95f
- App: fabb3421-8b34-484b-bc17-e46de9703418 (Claude-MSP-Access)
- Secret: [redacted - same client secret as VWP]
- User: barbara@bardach.net

---

## Update: 15:30 - billing@ Deep Check & Bardach Finalization

### VWP billing@ Deep Investigation (Second Pass)

Full 10-point deep check of billing@valleywideplastering.com:

1. **Inbox Rules:** [OK] All legitimate (Tim Wolf, Pulte x2, hibu disabled)
2. **Sign-in Logs (30 days):** 14 foreign IPs from CN, VN, BR, AR, IT, AL, PH, SG, GN, ZA, CZ, ID, CA - ALL failed (err=50126, invalid username or password). Legitimate IP: 4.18.160.106 (Leesburg, FL, 81 sign-ins). The Conditional Access policy now blocks foreign attempts.
3. **Sent Mail:** [OK] All 12 flagged items are legitimate AR business (Toni - invoices, payments, waivers)
4. **Auth Methods:** [OK] Password (reset today), phone +1 619-244-8933, Samsung S24 (SM-S916U)
5. **Mailbox Settings:** [OK] No auto-replies, no forwarding
6. **Mail Folders:** [OK] Normal - 16 inbox, 16,455 sent, 2,541 deleted
7. **OAuth Grants:** [OK] None
8. **Recent Inbox:** [OK] No Box.com emails, all legitimate
9. **Deleted Items:** [NOTABLE] Dropbox account created for Toni on 3/2-3/3 (verify with user), Box notification forwarded from Jorge Tabares on 3/5, our security notice deleted (expected), self-sent ".com" subject email on 2/27
10. **Archive:** [OK] Empty

**Assessment:** NOT breached. Credential stuffing from 14 countries all failed. Dropbox account creation on 3/2-3/3 needs verification with Toni.
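The inbox-rule check in item 1 above, and the ".." / "." rules found on JR's mailbox in section 1, are worth scoring mechanically rather than eyeballing per mailbox. The script below is an added example and not one of the `temp/vwp_*.py` scripts from this session: it triages a list of Graph `messageRule` objects (the shape returned by `GET /users/{id}/mailFolders/inbox/messageRules`) for the BEC patterns seen in this case - punctuation-only names, catch-all conditions, move-to-Archive combined with mark-as-read and stop-processing, keyword filters on terms like `box.com`, and forwards or redirects to addresses outside the tenant domain. The sample rules, folder ids, addresses and the folder-id-to-name map are constructed; in practice the map comes from a lookup against `/mailFolders`.

```python
"""Score Outlook inbox rules (Graph messageRule objects) for BEC-style hiding/exfil patterns.

Added example. All sample data below is constructed; it mirrors the field names of
Graph's messageRule / messageRulePredicates / messageRuleActions resources.
"""
import re

# Constructed: Graph returns opaque folder ids; map them to display names for reporting.
FOLDER_NAMES = {
    "AAMkAGFyY2hpdmU=": "Archive",        # assumption: this id is the Archive folder
    "AAMkAGRlbGV0ZWQ=": "Deleted Items",
    "AAMkAHB1bHRl": "Pulte",
}
# Folders attackers use to park mail the owner will not look at.
HIDING_FOLDERS = {"archive", "deleted items", "junk email", "rss feeds", "conversation history"}
# Keywords typical of BEC rules (file-share lures, money movement, security warnings).
BEC_KEYWORDS = {"box.com", "dropbox", "docusign", "invoice", "payment", "wire", "ach",
                "password", "hacked", "phishing", "suspicious", "fraud", "security"}

SAMPLE_RULES = [  # constructed, shaped like Graph messageRule objects
    {"id": "r1", "displayName": "..", "isEnabled": True, "sequence": 1,
     "conditions": {"bodyOrSubjectContains": ["box.com"]},
     "actions": {"moveToFolder": "AAMkAGFyY2hpdmU=", "markAsRead": True, "stopProcessingRules": True}},
    {"id": "r2", "displayName": ".", "isEnabled": True, "sequence": 2,
     "conditions": {},
     "actions": {"moveToFolder": "AAMkAGFyY2hpdmU=", "markAsRead": True, "stopProcessingRules": True}},
    {"id": "r3", "displayName": "Pulte", "isEnabled": True, "sequence": 3,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "ar@pulte.example"}}]},
     "actions": {"moveToFolder": "AAMkAHB1bHRl"}},
    {"id": "r4", "displayName": "Forward invoices", "isEnabled": True, "sequence": 4,
     "conditions": {"subjectContains": ["invoice"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ar.backup@gmail.example"}}], "delete": True}},
]


def _recipients(actions, key):
    """Lower-cased SMTP addresses from a forwardTo/redirectTo/forwardAsAttachmentTo action."""
    return [r.get("emailAddress", {}).get("address", "").lower() for r in actions.get(key, [])]


def triage_rule(rule, tenant_domain, folder_names=FOLDER_NAMES):
    """Return a score, verdict and human-readable reasons for one rule."""
    reasons, score = [], 0
    name = rule.get("displayName") or ""
    conditions = rule.get("conditions") or {}
    actions = rule.get("actions") or {}

    if not re.search(r"[A-Za-z0-9]", name):          # "..", ".", "", whitespace
        score += 3
        reasons.append(f"non-descriptive name {name!r}")

    catch_all = not any(v for v in conditions.values())   # no predicate at all: every message matches
    hides = bool(actions.get("delete") or actions.get("permanentDelete"))
    dest = actions.get("moveToFolder")
    if dest:
        dest_name = folder_names.get(dest, dest)
        if dest_name.lower() in HIDING_FOLDERS:
            hides = True
            reasons.append(f"moves mail to {dest_name}")
    if hides and actions.get("markAsRead"):
        score += 2
        reasons.append("marks as read (suppresses unread count)")
    if hides and actions.get("stopProcessingRules"):
        score += 1
        reasons.append("stops further rule processing")
    if hides and catch_all:
        score += 4
        reasons.append("catch-all condition hides every inbound message")
    elif hides:
        score += 2

    terms = [t.lower() for k in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for t in conditions.get(k, [])]
    hit = sorted(set(terms) & BEC_KEYWORDS)
    if hit:
        score += 2
        reasons.append(f"filters on BEC-typical terms {hit}")

    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        external = [a for a in _recipients(actions, key) if a and not a.endswith("@" + tenant_domain)]
        if external:
            score += 5
            reasons.append(f"{key} to external address(es) {external}")

    verdict = "HIGH" if score >= 6 else "REVIEW" if score >= 3 else "OK"
    return {"id": rule.get("id"), "name": name, "score": score, "verdict": verdict, "reasons": reasons}


def triage_rules(rules, tenant_domain):
    """Score every rule, worst first."""
    return sorted((triage_rule(r, tenant_domain) for r in rules), key=lambda x: -x["score"])


if __name__ == "__main__":
    for r in triage_rules(SAMPLE_RULES, "valleywideplastering.com"):
        print(f"{r['verdict']:6} {r['score']:2} {r['name']!r}: {'; '.join(r['reasons']) or 'nothing notable'}")
```

Disabled rules (`isEnabled: false`) still deserve a look: the legitimate "hibu" rule above was disabled by the user, but an attacker can also pre-stage a rule disabled and enable it later, so the scorer does not skip them.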
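Two points for the sign-in review in item 2 that the summary "ALL failed" glosses over. First, failures are not one category: AADSTS50126 is a wrong password, but 50074/50076 (MFA required) and 53003 (blocked by Conditional Access) mean the password itself was accepted and should be treated as compromised even though no session was issued. Second, the attacker IPs in section 1 geolocate to Chicago and Brooklyn, so a US-only country filter would not have flagged them; successful sign-ins have to be checked against a known-good IP list, not just against the allowed country. The script below is an added example, not one of this session's scripts: it groups Graph `signIn` records (`GET /auditLogs/signIns`) per source IP and applies both checks. All events are constructed; 4.18.160.106 and the 23.234.x addresses are the ones named in this log, the RFC 5737 documentation addresses and the 50074 event are made up.

```python
"""Per-user, per-IP triage of Entra sign-in logs for a BEC investigation.

Added example. Records are shaped like Graph signIn objects (subset of fields);
every event below is constructed.
"""
from collections import defaultdict

# Meaning of the AADSTS error codes handled here.
ERROR_MEANING = {
    0: "success",
    50126: "invalid username or password",
    50053: "account locked or sign-in from a blocked IP",
    50074: "MFA required (password accepted)",
    50076: "MFA required (password accepted)",
    53003: "blocked by Conditional Access (password accepted)",
}
# Codes that imply the first factor succeeded, even though the sign-in did not complete.
PASSWORD_ACCEPTED = {0, 50074, 50076, 53003}


def _ev(upn, ip, city, country, code, when):
    """Build one constructed signIn-shaped record."""
    return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"city": city, "countryOrRegion": country},
            "status": {"errorCode": code, "failureReason": ERROR_MEANING.get(code, "other")}}


SAMPLE_SIGNINS = [  # constructed
    _ev("billing@valleywideplastering.com", "4.18.160.106", "Leesburg", "US", 0, "2026-03-04T13:02:00Z"),
    _ev("billing@valleywideplastering.com", "4.18.160.106", "Leesburg", "US", 0, "2026-03-05T08:15:00Z"),
    _ev("billing@valleywideplastering.com", "192.0.2.10", "Shanghai", "CN", 50126, "2026-03-01T02:11:00Z"),
    _ev("billing@valleywideplastering.com", "192.0.2.11", "Hanoi", "VN", 50126, "2026-03-01T02:13:00Z"),
    _ev("billing@valleywideplastering.com", "192.0.2.12", "Sao Paulo", "BR", 50126, "2026-03-02T04:40:00Z"),
    _ev("j-r@valleywideplastering.com", "203.0.113.10", "Phoenix", "US", 0, "2026-03-03T15:00:00Z"),
    _ev("j-r@valleywideplastering.com", "23.234.100.200", "Chicago", "US", 0, "2026-03-04T03:20:00Z"),
    _ev("j-r@valleywideplastering.com", "23.234.100.200", "Chicago", "US", 0, "2026-03-04T03:25:00Z"),
    _ev("j-r@valleywideplastering.com", "23.234.101.73", "Brooklyn", "US", 0, "2026-03-04T06:05:00Z"),
    _ev("j-r@valleywideplastering.com", "198.51.100.7", "Shenzhen", "CN", 50074, "2026-03-04T07:30:00Z"),
]


def summarize_by_ip(records):
    """Collapse sign-in events into one row per source IP: counts, successes, error-code histogram, geo."""
    by_ip = {}
    for r in records:
        ip = r.get("ipAddress") or "unknown"
        row = by_ip.setdefault(ip, {"count": 0, "success": 0, "codes": defaultdict(int),
                                    "city": None, "country": None})
        row["count"] += 1
        code = int((r.get("status") or {}).get("errorCode") or 0)
        row["codes"][code] += 1
        if code == 0:
            row["success"] += 1
        loc = r.get("location") or {}
        row["city"] = row["city"] or loc.get("city")
        row["country"] = row["country"] or loc.get("countryOrRegion")
    return by_ip


def assess_user(records, upn, known_good_ips=(), allowed_countries=("US",)):
    """Flag successes from unlisted IPs, password-accepted-but-blocked attempts, and failed spraying."""
    recs = [r for r in records if (r.get("userPrincipalName") or "").lower() == upn.lower()]
    by_ip = summarize_by_ip(recs)
    findings, stuffing_countries = [], set()
    for ip, s in sorted(by_ip.items(), key=lambda kv: -kv[1]["count"]):
        where = f"{ip} ({s['city']}, {s['country']})"
        # A country filter is not enough: the known-good list is what catches in-country attacker IPs.
        if s["success"] and ip not in known_good_ips:
            findings.append(("HIGH", f"{s['success']} successful sign-in(s) from unlisted IP {where}"))
        mfa_blocked = sum(n for c, n in s["codes"].items() if c in PASSWORD_ACCEPTED and c != 0)
        if mfa_blocked:
            findings.append(("HIGH", f"{mfa_blocked} attempt(s) from {where} passed the password check "
                                     f"but were stopped at MFA/CA: treat the password as compromised"))
        if s["country"] not in allowed_countries and not s["success"] and not mfa_blocked:
            stuffing_countries.add(s["country"])
    if stuffing_countries:
        findings.append(("INFO", f"failed password guesses from {len(stuffing_countries)} countries "
                                 f"({', '.join(sorted(stuffing_countries))}), none accepted"))
    verdict = "BREACH-INDICATORS" if any(lvl == "HIGH" for lvl, _ in findings) else "NO-BREACH-INDICATORS"
    return {"user": upn, "verdict": verdict, "findings": findings, "by_ip": by_ip}


if __name__ == "__main__":
    for upn, good in (("billing@valleywideplastering.com", ("4.18.160.106",)),
                      ("j-r@valleywideplastering.com", ("203.0.113.10",))):
        result = assess_user(SAMPLE_SIGNINS, upn, known_good_ips=good)
        print(f"{upn}: {result['verdict']}")
        for level, text in result["findings"]:
            print(f"  [{level}] {text}")
```

The known-good list for a real run comes from the user (office egress IP, home ISP) and from the pre-incident baseline in the logs, not from the incident window itself.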
### Bardach Contacts - Email-Based Contact Discovery

- Scanned 57,120 emails (12 months: 4,286 sent + 52,834 inbox)
- Found 1,970 unique addresses in mail, 412 already in contacts
- Filtered to 315 two-way correspondents, then 32 real people (>= 4 exchanges)
- Extracted phone numbers from email signatures for 19 of 32 (59% hit rate)
- Created 32 new contacts via Graph API, all HTTP 201

### Additional Files Created

- `temp/vwp_billing_deep_check.py` - Full billing investigation script
- `temp/vwp_add_mail_send.py` - Added Mail.Send permission to app
- `temp/bardach_email_contacts_scan.py` - Email gap scan (4,286 sent + 52,834 inbox)
- `temp/bardach_missing_real_contacts.py` - Two-way filter + signature phone extraction
- `temp/bardach_create_missing_contacts.py` - Contact creation script

### Procore Phishing Note

billing@ forwarded a Procore "Welcome to Project Team" email to admin@azcomputerguru.com on 3/5, stating she clicked "Open Project" thinking it was legitimate, and logged in to Procore. This may be a separate phishing vector worth investigating.

---

**Machine:** ACG-M-L5090
**Duration:** ~6 hours
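The signature parsing described under the Bardach contact discovery (label mapping Cell -> `mobilePhone`, Office/Direct -> `businessPhones`, fax lines and the mailbox owner's own number dropped, "Last, First" names with title suffixes) is shown below as an added example; it is not the `temp/bardach_missing_real_contacts.py` or `temp/bardach_create_missing_contacts.py` code from this session. It turns a constructed signature block into the body for `POST /users/{id}/contacts`; the name, numbers and email address are made up, and the label vocabulary is an assumption.

```python
"""Extract labelled phone numbers from an email signature and build a Graph contact body.

Added example. The signature, name and email below are constructed.
"""
import re

# North American number, optional +1, with (), spaces, dots or dashes as separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
# Assumed label vocabulary -> Graph contact field. Unknown labels default to businessPhones.
LABEL_MAP = {"cell": "mobilePhone", "mobile": "mobilePhone", "m": "mobilePhone",
             "office": "businessPhones", "direct": "businessPhones", "o": "businessPhones",
             "phone": "businessPhones", "tel": "businessPhones", "work": "businessPhones"}
SKIP_LABELS = {"fax", "f"}
SUFFIXES = {"jr", "sr", "ii", "iii", "iv", "esq", "md", "phd", "cpa", "pe"}

SAMPLE_SIGNATURE = """\
Public, Jane Q., CPA
Senior Accountant | Example Builders
Office: (602) 555-0100
Direct 602.555.0117
Cell: 480-555-0142
Fax: (602) 555-0199
123 Main St, Suite 400, Phoenix, AZ 85001
"""


def normalize_phone(raw):
    """Canonical '+1 NNN-NNN-NNNN', or None if the text holds no full number."""
    m = PHONE_RE.search(raw)
    return f"+1 {m.group(1)}-{m.group(2)}-{m.group(3)}" if m else None


def extract_phones(signature, own_numbers=()):
    """Map signature lines to {'mobilePhone': str|None, 'businessPhones': [...]}.

    Fax lines are skipped, as is any number equal to the mailbox owner's (own_numbers),
    which otherwise ends up on every contact whose signature quotes a callback number.
    """
    own = {normalize_phone(n) for n in own_numbers}
    out = {"mobilePhone": None, "businessPhones": []}
    for line in signature.splitlines():
        m = re.match(r"\s*([A-Za-z ]{1,12})\s*[:.]?\s*(.*\d.*)$", line)
        label = m.group(1).strip().lower() if m else None
        number = normalize_phone(m.group(2) if m else line)
        if not number or number in own or label in SKIP_LABELS:
            continue
        if LABEL_MAP.get(label, "businessPhones") == "mobilePhone":
            out["mobilePhone"] = out["mobilePhone"] or number
        elif number not in out["businessPhones"]:
            out["businessPhones"].append(number)
    return out


def parse_display_name(raw):
    """'Public, Jane Q., CPA' -> ('Jane Q.', 'Public'); 'John Smith Jr.' -> ('John', 'Smith')."""
    parts = [p.strip() for p in raw.split(",") if p.strip()]
    while len(parts) > 1 and parts[-1].rstrip(".").lower() in SUFFIXES:   # drop ", CPA" / ", Jr."
        parts.pop()
    if len(parts) >= 2:                                                    # "Last, First"
        return parts[1], parts[0]
    tokens = parts[0].split()
    while len(tokens) > 2 and tokens[-1].rstrip(".").lower() in SUFFIXES:  # drop trailing "Jr."
        tokens.pop()
    return " ".join(tokens[:-1]), tokens[-1]


def build_contact(display_name, email, signature, own_numbers=()):
    """Assemble the JSON body for POST /users/{id}/contacts (Graph contact resource)."""
    first, last = parse_display_name(display_name)
    phones = extract_phones(signature, own_numbers)
    body = {"givenName": first, "surname": last,
            "emailAddresses": [{"address": email, "name": f"{first} {last}".strip()}],
            "businessPhones": phones["businessPhones"]}
    if phones["mobilePhone"]:
        body["mobilePhone"] = phones["mobilePhone"]
    return body


if __name__ == "__main__":
    import json
    print(json.dumps(build_contact("Public, Jane Q., CPA", "jane@example.test",
                                   SAMPLE_SIGNATURE, own_numbers=("480-555-0199",)), indent=2))
```

Numbers in the body of a forwarded thread, rather than in the sender's own signature block, belong to the same "may be someone else's number" category the log declined to auto-promote from notes, so the extractor should only ever be fed the signature portion of the sender's own messages.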