# Breach Incident Report — Kittle Design & Construction (kittlearizona.com) **Date:** 2026-06-08 UTC **Requested by:** Mike Swanson **Tenant ID:** 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 **Syncro Ticket:** #32393 **Status:** ACTIVE INCIDENT — CONTAINED --- ## Incident Summary Active BEC (Business Email Compromise). Ken Schagel's Global Admin account was compromised. Attacker accessed the account for ~8 hours before launching a 1,000-recipient phishing campaign posing as an OneDrive file share. Attacker planted malicious inbox rules on 3 mailboxes and created a Global Admin backdoor on Lori Schagel's account. All remediated. --- ## Attack Timeline | UTC | Event | |-----|-------| | 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise | | 13:24 | **[BREACH START]** First OWA login — 64.44.131.168 (Chicago, Nexeon Technologies VPN/hosting) | | 13:37 | Ken's T-Mobile phone access (legitimate, unaware) | | 15:00 | Attacker returns — 64.44.131.168 | | 15:17 | Ken sends legitimate email via Cox Communications (Phoenix AZ) | | 15:32 | Attacker sends test email from OWA — **concurrent with Ken's legitimate use** | | 16:14 | Attacker sends second test email from OWA | | 18:36 | Contact harvest starts — python-httpx/0.28.1 from Azure 40.126.41.96 (250+ MailItemsAccessed events) | | 18:52 | Attacker reviews Sent/Deleted/RSS Feeds folders from OWA | | 18:53 | Contact harvest ends | | 21:14 | Phishing batch 1: 17 recipients | | 21:16 | Phishing batch 2: 300 recipients | | 21:20 | Phishing batch 3: 300 recipients | | 21:23 | Phishing batch 4: 300 recipients | | 21:26 | Phishing batch 5: 83 recipients — 45.134.224.220 (Kansas City MO, PacketHub S.A.) | | 21:27 | Ken's password reset (SSPR) | | ~21:30 | Howard (ACG) receives phishing email, incident detected | | 21:41 | Mike manually blocks Ken's sign-in in portal, sets temp password | | ~22:00 | ACG investigation and remediation begins | --- ## Attacker Infrastructure | IP | Use | Geolocation | ASN | |----|-----|-------------|-----| | 64.44.131.168 | OWA browser access (initial + ongoing) | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) | | 40.126.41.96 | Contact scraping via python-httpx | Microsoft Azure | Microsoft Corp | | 45.134.224.220 | Bulk phishing send | Kansas City, MO | AS147049 PacketHub S.A. (hosting) | **Attacker tool:** python-httpx/0.28.1 with OAuth token for Microsoft Desktop app (`d3590ed6-52b3-4102-aeff-aad2292ab01c`) **AAD Session:** `0031c64a-94a8-7629-20ad-c42db69d76c7` --- ## Phishing Campaign Stats | Metric | Value | |--------|-------| | Total sent | 1,000 | | Delivered | 747 | | Failed/bounced | 227 | | Pending | 25 | | Subject | "Ken Schagel shared a file with you" | | Lure | Fake OneDrive/SharePoint file-share notification | | Victim notification sent | 740 (automated addresses filtered) | --- ## Malicious Artifacts Found and Removed ### Inbox Rules (planted by attacker across 3 mailboxes) | Mailbox | Rule Name | Action | Status | |---------|-----------|--------|--------| | Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED | | Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED | | alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED | | Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds, Priority 1 | DELETED | | Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, Priority 2 | DELETED | **Note:** Accounting ".." + "..." rules were actively suppressing ALL incoming mail at time of discovery. Mail flow restored on deletion. **Note:** Ken's mailbox has a "Christina Micek" rule (StopProcessingRules:true, no action) that predates the incident. Needs investigation — possibly legitimate, possibly attacker remnant. ### Backdoor Admin Account Lori@kittlearizona.com had 10 admin roles assigned — **including Global Administrator**. All 10 roles stripped, sessions revoked. Roles removed: Global Administrator, Exchange Administrator, User Administrator, Teams Administrator, SharePoint Administrator, Helpdesk Administrator, AI Administrator, Global Reader, Service Support Administrator, User Experience Success Manager **Role assignment timing — RESOLVED:** directoryAudits confirmed no "Add member to role" events for any user in the last 30 days except ACG's own remediation actions. Lori's roles were **pre-existing** (assigned >30 days before the incident). The attacker did NOT plant a backdoor — Lori was already a Global Admin before the compromise. This means the tenant had two GA accounts (Ken + Lori) going into the incident. Recommend reviewing whether Lori legitimately requires GA access, or if it was an oversight during initial tenant setup. --- ## Remediation Actions Completed | Action | Status | |--------|--------| | Ken sessions revoked | [OK] | | Ken admin roles stripped (10 roles) | [OK] | | Ken sign-in blocked (by Mike in portal) | [OK] | | Ken temp password set: B/947405806521av | [OK] — vaulted | | Ken malicious inbox rules deleted: "." + "Admin" | [OK] | | Wrex sessions revoked | [OK] | | Wrex password reset: Kittle@1426Wrx!47E742 | [OK] | | Alexis PERFECTDATA OAuth grant revoked | [OK] | | Alexis Alignable OAuth grant revoked (offline_access + Contacts.Read) | [OK] | | Alexis malicious inbox rule "..." deleted | [OK] | | Accounting malicious rules ".." + "..." deleted | [OK] | | Lori backdoor admin roles stripped (10 roles, all pre-existing not attacker-planted) | [OK] | | Lori sessions revoked | [OK] | | Lori re-assigned User Administrator (legitimate scope) | [OK] | | Victim notification sent (740 recipients) | [OK] — via admin@kittlearizona.com | | Syncro ticket #32393 updated with temp passwords | [OK] | --- ## Open Items / Recommendations 1. **Re-enable Ken's account** — DONE (Mike re-enabled). Ken's MFA verified clean (single iPhone 12 Pro Max, no attacker devices). Ken's admin roles still need to be re-added after incident is declared closed. 2. **Christina Micek inbox rule on Ken** — rule has StopProcessingRules:true, no action, no filter. Unknown if legitimate or attacker-planted. Needs Ken to confirm before declaring his mailbox fully clean. 3. **Lori's role assignment timing** — RESOLVED: pre-existing. Roles were assigned >30 days before the incident (no Add member to role events found in directoryAudits for the last 30 days). Attacker did NOT plant a backdoor. Recommend reviewing whether Lori legitimately needs GA access or if it should be downscoped. 4. **Phishing URL unknown** — email body not recoverable (message purged when account disabled). Submit `45.134.224.220` (PacketHub send IP) to threat intel if needed. 5. **Entra ID P1 licensing** — sign-in logs blocked. Without P1, foreign sign-in detection is blind. Tenant appears to be on O365 E3 (not M365 E3). Recommend Entra P1 add-on or upgrade to M365 E3. 6. **MFA review for all users** — Alexis duplicate Authenticator ("iPhone 12 Pro Max" x2 — one may be a legacy registration), Lori two Authenticator devices (SM-G975U + SM-F766U, likely old device not removed). Both can self-serve at mysignins.microsoft.com or ACG can reset for them. 7. **Alignable OAuth on Alexis** — Contacts.Read scope, unverified publisher. Decision deferred to Alexis — revoke if she doesn't recognize it. 8. **Ken admin roles** — all 10 stripped during remediation. Re-add appropriate roles (Global Admin + Exchange Admin at minimum) once incident is closed and Ken's account is verified clean. 9. **DKIM/DMARC** — not configured on kittlearizona.com. A DMARC policy would have allowed Microsoft to classify the phishing emails as DMARC fail, reducing delivery. Recommend implementing. 10. **Lori GA access review** — with GA confirmed pre-existing (not attacker-planted), assess if Lori legitimately needs Global Administrator. If not, downscope to Exchange Administrator or appropriate role. Two GA accounts on a small tenant is unnecessary exposure. --- ## Vault Entries Created - `vault/clients/kittle/m365-ken-schagel-incident.sops.yaml` — Ken's temp password and incident notes --- ## Limitations | Check | Status | Reason | |-------|--------|--------| | Sign-in logs (Graph API) | BLOCKED | Tenant lacks Entra P1 (O365 E3 vs M365 E3) | | Risky users (Graph API) | BLOCKED | Same | | Directory audit (role assignment timing) | BLOCKED | Requires AuditLog.Read.All + P1 | | Phishing email body/URL | UNAVAILABLE | Message purged when Ken's account was disabled |