# Kittle Design & Construction — Full M365 Sweep **Date:** 2026-06-08 **Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0) **Performed by:** ComputerGuru Security Investigator (read-only) **Scope:** All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods --- ## Summary All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April). --- ## SMTP Forwarding — All Clean [OK] This check was skipped in April (Exchange Admin role was missing on Security Investigator SP at that time). Now confirmed: | Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status | |---|---|---|---| | Accounting | none | none | [OK] | | Admin | none | none | [OK] | | Alexis | none | none | [OK] | | Brandon | none | none | [OK] | | Hayden | none | none | [OK] | | Jason | none | none | [OK] | | Joshua | none | none | [OK] | | Ken | none | none | [OK] | | Lori | none | none | [OK] | | Marco | none | none | [OK] | | Neal | none | none | [OK] | | Scott | none | none | [OK] | | Wrex | none | none | [OK] | --- ## Inbox Rules | Mailbox | Rules Found | Status | |---|---|---| | Accounting | None | [OK] | | Admin | None | [OK] | | Alexis | None | [OK] — hidden rule "." confirmed deleted | | Brandon | None | [OK] | | Hayden | None | [OK] | | Jason | None | [OK] | | Joshua | None | [OK] | | Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule | | Lori | None | [OK] | | Marco | None | [OK] | | Neal | None | [OK] | | Scott | None | [OK] | | Wrex | None | [OK] | **Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]** --- ## OAuth App Consents — No Suspicious Grants | App | Publisher | Grant Type | Scope | Verdict | |---|---|---|---|---| | iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail | | SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP | | Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] | | ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app | | QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email | | Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client | | MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) | | One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app | | Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope | | Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access | | BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal | **Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]** --- ## MFA Authentication Methods | User | Authenticator | Phone | Software OATH | Status | |---|---|---|---|---| | Accounting | SM-F731U1 | — | — | [OK] | | Admin (Kimberly) | moto g power 5G | — | — | [OK] | | Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below | | Brandon | SM-F741U | — | — | [OK] | | Hayden | iPhone 12 Pro Max | — | — | [OK] | | Jason | SM-X218U | — | — | [OK] | | Joshua | iPad Pro 11" (2nd gen) | — | — | [OK] | | Ken | iPhone 12 Pro Max | — | — | [OK] | | Lori | SM-G975U + SM-F766U | — | — | [WARNING] see below | | Marco | iPhone 14 | — | — | [OK] | | Neal | iPhone 16 Pro | — | — | [OK] | | Scott | — | +1 5202884444 | — | [WARNING] no Authenticator app | | Wrex | iPhone 14 | +1 5209122806 | — | [OK] | ### MFA Open Items **[WARNING] Alexis — suspicious Authenticator still present:** - Entry `c927402a-75c6-4a55-840a-86d1eea43a9b` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated - Entry `7365a870-4809-4fdc-9e9b-dcd76eddb8ef` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated - Both entries identical display names, both SoftwareTokenActivated. One is legitimate; one should be removed. - Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove `c927402a`. - Alexis also has a software OATH token (7d1425ca) — if she doesn't use a hardware TOTP key, remove this too. **[WARNING] Lori — old Samsung device still registered:** - SM-G975U (Samsung S10+) — old phone - SM-F766U (Samsung Z Flip) — current phone (presumably) - Action: Confirm with Lori which is her current phone, then remove the old entry. **[WARNING] Scott — phone-only MFA:** - Only MFA method is SMS/call to +1 5202884444 - No Microsoft Authenticator enrolled - SMS MFA is significantly weaker than app-based MFA - Action: Enroll Scott in Microsoft Authenticator --- ## Resolved Findings (from 2026-04-23) | Finding | Status | |---|---| | Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone | | Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone | | Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone | | IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone | | SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 | --- ## Outstanding Items | Priority | Item | Owner | |---|---|---| | P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove `c927402a`. Also remove software OATH token if unused. | Mike | | P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike | | P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike | | P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike | --- ## Vault Paths Accessed - `msp-tools/computerguru-security-investigator.sops.yaml` (investigator + investigator-exo tiers)