# User Breach Check: jantar@dataforth.com

**Date:** 2026-05-03 (UTC)
**Analyst:** Mike Swanson (GURU-BEAST-ROG)
**Tenant:** dataforth.com | `7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584`
**User:** Jacque Antar | `jantar@dataforth.com`
**Object ID:** `daa60027-be31-47a5-87af-d728499a9cc4`
**Tool Tiers Used:** `investigator` (Graph read) + `investigator-exo` (Exchange read) + `user-manager` (Graph write — remediation)

---

## Verdict: [OK] NO INDICATORS OF COMPROMISE

All 10 breach check points are clean. No malicious forwarding, no unauthorized access, no suspicious sign-in geography, and no hidden inbox rules.

---

## Account Profile

| Field | Value |
|---|---|
| Display Name | Jacque Antar |
| UPN | jantar@dataforth.com |
| Account Enabled | true |
| Created | 2023-12-07 |
| Last Password Change | 2026-03-09 (~7 weeks ago) |

---

## Check Results

### 01 - Inbox Rules (Graph): [OK]

One rule found, **disabled**:

- **Name:** Move Graymail to folder
- **Condition:** Header `X-Inky-Graymail: True`
- **Action:** Move to folder, stop processing rules
- **Status:** Disabled

Assessment: Routine graymail filter. Not suspicious. Disabled, so it is not active.

---

### 02 / 03d - Forwarding: [OK]

No forwarding configured:

- `ForwardingAddress`: null
- `ForwardingSmtpAddress`: null
- `DeliverToMailboxAndForward`: null
- `automaticForwardingEnabled`: null (no mailbox-level block override)

---

### 03a - Hidden Inbox Rules (Exchange): [OK]

No hidden rules found.

---

### 03b - Mailbox Permissions: [OK]

No non-SELF delegates. User has no third-party mailbox access grants.

---

### 03c - SendAs Permissions: [OK]

No non-SELF SendAs trustees.
---

### 04 - OAuth Grants / App Role Assignments: [OK - Known Email Clients]

Two OAuth grants (user-specific, `Principal` consent — not tenant-wide):

| Client ID | Scopes | Assessment |
|---|---|---|
| `85e650f8-5eec-4523...` | `openid offline_access EAS.AccessAsUser.All` | Exchange ActiveSync — Apple Internet Accounts |
| `25db1c08-f5a0-4f6c...` | `IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid` | IMAP/EWS — eM Client |

App Role Assignments:

| App | Created | Assessment |
|---|---|---|
| Apple Internet Accounts | 2024-04-02 | iOS/macOS Mail — expected |
| eM Client | 2024-08-26 | Desktop email client — expected |

Apple Internet Accounts is a legitimate active email client (iOS/macOS Mail). eM Client is no longer in use at Dataforth.

**Remediation performed 2026-05-03:**

- eM Client OAuth grant and app role assignment revoked for jantar@dataforth.com via `user-manager` tier (HTTP 204 each). Verified — only Apple Internet Accounts remains on this user.
- Tenant sweep confirmed jantar was the only user with eM Client connected.
- eM Client service principal disabled tenant-wide (`accountEnabled: false`) via `tenant-admin` tier (HTTP 204). Verified — no user in this tenant can authorize eM Client going forward.

Remaining grant post-remediation:

| App | Scopes | Status |
|---|---|---|
| Apple Internet Accounts | `openid offline_access EAS.AccessAsUser.All` | Active — expected |

---

### 05 - Authentication Methods: [NOTE]

| Method | Detail |
|---|---|
| Password | Configured |
| Phone (mobile) | +1 520-245-6929, SMS sign-in ready |

MFA is configured via SMS/phone. No authenticator app (TOTP/push) registered.

**[NOTE]** SMS-based MFA is less phishing-resistant than Microsoft Authenticator or FIDO2. Not an indicator of compromise, but a policy hardening recommendation.

---

### 06 - Sign-ins (30 days): [OK]

8 successful interactive sign-ins.
All from the same IP and location:

| IP | City | Country | Count | Apps |
|---|---|---|---|---|
| 67.206.163.122 | Salt Lake City | US | 8 | Dime Client (7), One Outlook Web (1) |

- All Windows 10, all status 0 (success)
- No foreign logins
- No impossible travel
- Consistent single IP

**[NOTE]** "Dime Client" is the primary app (7/8 sign-ins). This appears to be a Dataforth internal or custom application — not a standard Microsoft app. Flagged for awareness; not suspicious given the consistent IP and location.

---

### 07 - Directory Audits (30 days): [OK]

| Date | Activity | Initiated By |
|---|---|---|
| 2026-04-23 | Update user | System (automated) |
| 2026-04-10 | Update user | System (automated) |
| 2026-04-06 | Update user | System (automated) |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |

Routine admin activity. Group additions initiated by `dcenter@dataforth.com` (appears to be a service/admin account). No suspicious changes.

---

### 08 - Identity Protection / Risk: [N/A - 403]

- Risky user check: `403 Forbidden` — tenant has not consented to the `IdentityRiskyUser.Read.All` scope for the Security Investigator app.
- Risk detections endpoint: 0 detections returned from the available endpoint.
To enable full risk checks, a Global Admin must grant admin consent for the app in this tenant:

```
https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent
```

---

### 09 / 10 - Sent / Deleted Items: [OK]

- Sent (recent 25): 25 items found — normal mail activity
- Deleted (recent 25): 3 items — minimal deletions, nothing suspicious

---

## Recommendations

| Priority | Item |
|---|---|
| [INFO] | Upgrade MFA from SMS to Microsoft Authenticator (push/TOTP) for improved phishing resistance |
| [INFO] | Identify the "Dime Client" app — confirm it is an authorized internal application |
| [INFO] | Consider consenting to the IdentityRiskyUser scope for full risk signal visibility |

---

## Raw Artifacts

```
/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/
```

Files: `00_user.json`, `01_inbox_rules_graph.json`, `02_mailbox_settings.json`, `03a_InboxRule_hidden.json`, `03b_MailboxPermission.json`, `03c_RecipientPermission.json`, `03d_Mailbox.json`, `04a_oauth_grants.json`, `04b_app_role_assignments.json`, `05_auth_methods.json`, `06_signins.json`, `07_dir_audits.json`, `08a_risky_user.json`, `08b_risk_detections.json`, `09_sent.json`, `10_deleted.json`