claudetools/clients/internal-infrastructure/reports/2026-04-16-howard-breach-check.md
Mike Swanson 100a491ac6 Session log: multi-user setup, audit + gap fixes, Howard onboarding package
Two session logs:
- session-logs/2026-04-16-session.md: cross-cutting (multi-user, audit, infrastructure)
- guru-rmm session log appended: MSI installer, Len's Auto Brokerage, Uranus, migration drift

Gap fixes: GrepAI initialized + MCP server added, Ollama models pulling,
settings.json created (bypassPermissions), MCP_SERVERS.md written.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:56:26 -07:00


Howard — Breach Check (azcomputerguru.com)

Date: 2026-04-16
Tenant: AZ Computer Guru (azcomputerguru.com, ce61461e-81a0-4c84-bb4a-7b354a9a356d)
Subject: howard@azcomputerguru.com (object id c99de3bd-ddc1-43f1-907f-e84b91273660)
Tool: Claude-MSP-Access / ComputerGuru - AI Remediation — via /remediation-tool check
Scope: Read-only

Summary

  • No breach indicators. All 174 foreign sign-in attempts in the last 30 days failed; zero successful non-US sign-ins.
  • Mailbox clean at the Graph level: 3 inbox rules, all user-authored folder moves (Telnyx status, Atlas_LNP whitelabel, Facebook notifications). No forward/redirect/delete actions. Hidden rules, delegates and mailbox-level forwarding could not be checked (see Gaps).
  • 4 OAuth grants + 8 app role assignments — all MSP-relevant apps (Syncro, Kaseya SSO, Tailscale, Graph Explorer, Perfect Wiki, ASUS, Uizard). No unfamiliar consents; no grant carries mail, file or directory-write scopes.
  • 6 auth methods — password plus legitimate MFA (SMS, software OATH token, 3 Microsoft Authenticator registrations across phone upgrades).
  • Password age: 18 months (last changed 2024-09-24). Rotate as hygiene.
  • Ongoing credential-stuffing / password-spray campaign: failed attempts from CN (32), IN (32), KR (28), LU (15, via Azure CLI), BR (14), DE, JP, HK, MA, RU, SE, AE, GM, LA, NO, PT, TN, TW, UA, BG, BN, ID, PE, SO, TH, UG. All blocked.

Target details

| Field | Value |
|---|---|
| UPN | howard@azcomputerguru.com |
| Object ID | c99de3bd-ddc1-43f1-907f-e84b91273660 |
| Account Enabled | true |
| Created | 2024-08-14 |
| Last Password Change | 2024-09-24 (18 months ago) |

Per-check findings

1. Inbox rules (Graph) — CLEAN

3 rules, all user-authored folder moves (rule and folder names quoted verbatim as the user typed them):

  • "Telnex" — Telnyx status notifications (noreply@statuspage.io) -> folder
  • "Move all messages from Atlas_LNP@whitelabelcomm.com to whitelabeel" — WhiteLabel Comm LNP tickets -> folder
  • "facebook" — Facebook notification senders -> folder

No Forward/Redirect/Delete actions. Graph's messageRules endpoint returns only the rules visible in Outlook; rules hidden from the client (a common BEC persistence trick) are only visible from the Exchange side, which is the blocked check in item 3.
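The rule review above was done by eye. The following is an added example (not the remediation tool's code) that encodes the same check over the JSON shape Graph returns from GET /users/{id}/mailFolders/inbox/messageRules: it flags forward/redirect/delete/mark-read actions, moves into folders people rarely read, blank or punctuation-only rule names, and financial keyword filters. The payload is constructed; the first three rules mirror the report's benign rules, the fourth is a hypothetical malicious rule added for contrast, and the folder-id-to-name map stands in for the /mailFolders/{id} lookup a live run would make.

```python
"""Triage Microsoft Graph inbox rules for mailbox-persistence indicators.

Added example, not part of the original report or the remediation tool.
Graph returns only client-visible rules; hidden rules still need the
Exchange-side check (Get-InboxRule -IncludeHidden) described under Gap #1.
"""

# Keyword filters that BEC actors attach to forward/delete rules.
FINANCIAL_KEYWORDS = {"invoice", "wire", "payment", "password", "ach", "remit", "bank"}
# Well-known folders used to bury mail the victim should not see.
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "rss subscriptions",
                "conversation history", "archive"}

# Constructed sample in Graph messageRule shape. r1-r3 mirror the report's
# benign rules; r4 is a hypothetical BEC-style rule for contrast.
SAMPLE_RULES = {"value": [
    {"id": "r1", "displayName": "Telnex", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "noreply@statuspage.io"}}]},
     "actions": {"moveToFolder": "AAMk-telnyx", "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Move all messages from Atlas_LNP@whitelabelcomm.com to whitelabeel",
     "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "Atlas_LNP@whitelabelcomm.com"}}]},
     "actions": {"moveToFolder": "AAMk-whitelabel", "stopProcessingRules": True}},
    {"id": "r3", "displayName": "facebook", "isEnabled": True,
     "conditions": {"senderContains": ["facebookmail.com"]},
     "actions": {"moveToFolder": "AAMk-facebook", "stopProcessingRules": True}},
    {"id": "r4", "displayName": "..", "isEnabled": True,  # hypothetical malicious rule
     "conditions": {"bodyContains": ["invoice", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "attacker@example.net"}}],
                 "moveToFolder": "AAMk-rss", "markAsRead": True, "delete": True,
                 "stopProcessingRules": True}},
]}

# moveToFolder is an opaque folder id; a live run resolves each id with
# GET /users/{id}/mailFolders/{folderId} and builds this id -> displayName map.
SAMPLE_FOLDER_NAMES = {"AAMk-telnyx": "Telnyx", "AAMk-whitelabel": "whitelabeel",
                       "AAMk-facebook": "facebook", "AAMk-rss": "RSS Feeds"}


def triage_rule(rule, folder_names=None):
    """Return the reasons one rule looks malicious; an empty list means benign."""
    actions = rule.get("actions") or {}
    conds = rule.get("conditions") or {}
    reasons = []
    # Exfiltration: any external copy of the mail stream.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        targets = [t["emailAddress"]["address"] for t in actions.get(key, [])]
        if targets:
            reasons.append(f"{key} -> {', '.join(targets)}")
    # Evidence suppression: delete or hide the original.
    for flag in ("delete", "permanentDelete", "markAsRead"):
        if actions.get(flag):
            reasons.append(flag)
    folder = (folder_names or {}).get(actions.get("moveToFolder", ""), "")
    if folder.lower() in HIDE_FOLDERS:
        reasons.append(f"moveToFolder -> {folder}")
    # Attackers often name rules ".", "..", "-" or leave them blank.
    if not (rule.get("displayName") or "").strip(" .,-_"):
        reasons.append("blank or punctuation-only displayName")
    words = {w.lower() for w in conds.get("bodyContains", []) + conds.get("subjectContains", [])}
    if words & FINANCIAL_KEYWORDS:
        reasons.append(f"keyword filter on {sorted(words & FINANCIAL_KEYWORDS)}")
    return reasons


def triage_rules(payload, folder_names=None):
    """Map each rule id to its findings; an empty list marks a user-authored filter."""
    return {r["id"]: triage_rule(r, folder_names) for r in payload.get("value", [])}


def suspicious_rule_ids(payload, folder_names=None):
    """Ids of rules with at least one finding, for the report's CLEAN/not-clean verdict."""
    return sorted(rid for rid, reasons in triage_rules(payload, folder_names).items() if reasons)


if __name__ == "__main__":
    for rid, reasons in triage_rules(SAMPLE_RULES, SAMPLE_FOLDER_NAMES).items():
        print(rid, "CLEAN" if not reasons else "; ".join(reasons))
```

Run against the constructed payload, r1-r3 come back clean and r4 is flagged on every indicator; on a real tenant, feed it the paged `value` array from Graph and the resolved folder map, and treat a non-empty finding on any rule as a reason to escalate rather than as proof of compromise.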

2. Mailbox forwarding / settings — CLEAN

No rule-based forwarding, and nothing anomalous in Graph user/mailboxSettings. Caveat: Graph mailboxSettings does not expose the mailbox-level ForwardingSmtpAddress / ForwardingAddress / DeliverToMailboxAndForward attributes, so this check only covers forwarding configured through rules. The Exchange REST check that would cover mailbox-level forwarding was blocked (see Gaps).

3. Hidden inbox rules / delegates / SendAs / mailbox-level forwarding — BLOCKED (403)

Exchange REST returned 403 with empty bodies: the app's service principal is not authorized for Exchange Online in the azcomputerguru tenant (no Exchange admin role assignment). See Gaps.

4. OAuth consents + app role assignments — CLEAN

OAuth grants (user-consented delegated scopes on Microsoft Graph):

| Client ID | Scopes |
|---|---|
| bda7b1c9-f852-4916-ba9a-5942623882d8 | openid profile User.Read offline_access |
| 0f06016e-1ad1-4996-ad6c-25233e3bd997 | offline_access Calendars.ReadWrite |
| c1ba11bc-9be2-4720-b6ac-7a19d3f31029 | openid email profile |
| fe7fb591-b8ea-4715-87ee-b46375eb32c9 | User.Read email profile Team.ReadBasic.All Channel.ReadBasic.All offline_access openid |

The broadest grant is Calendars.ReadWrite with offline_access (a long-lived refresh token). None of the four carries Mail.*, MailboxSettings.*, Files.* or directory-write scopes, which are the consents that matter for a mailbox-compromise check.

App role assignments (apps Howard has access to):

| Resource | Created |
|---|---|
| Syncro (original) | 2021-12-06 |
| Syncro v2 | 2024-08-27 |
| ASUS Account | 2024-11-07 |
| Perfect Wiki | 2025-02-11 |
| KaseyaSSO | 2025-05-11 |
| Tailscale | 2025-06-28 |
| Graph Explorer | 2025-11-07 |
| Uizard | 2025-11-21 |

All fit an MSP-tech profile; nothing both recent and unfamiliar.

5. Authentication methods — CLEAN

  • Password (2024-09-24)
  • Phone +1 520-585-1310
  • Software OATH token
  • Microsoft Authenticator "Pixel 6 Pro"
  • Microsoft Authenticator "DE2118"
  • Microsoft Authenticator "GooglePixel 6 Pro" (2025-06-25)

Multiple Authenticator entries reflect phone upgrades/re-registrations over time. No method added inside a suspicious window.

6. Sign-ins (30d) — CLEAN (attack active, fully blocked)

200 sign-ins in 30 days; 174 non-US, every one of them failed; zero successful foreign sign-ins. Caveat: the tool's status column distinguishes only success from failure. A failure with error code 50074 or 50076 (MFA required), 500121 (MFA denied/failed) or 53003 (blocked by Conditional Access) means the password itself was accepted and the attempt was stopped later in the pipeline, which would turn the password rotation in Priority actions from hygiene into a mandatory step. Confirm the failure codes are 50126 (invalid credentials) or 50053 (Smart Lockout) before closing this item.

Foreign failure distribution:

| Country | Attempts | App targeted |
|---|---|---|
| CN | 32 | Office 365 Exchange Online |
| IN | 32 | Office 365 Exchange Online |
| KR | 28 | Office 365 Exchange Online |
| LU | 15 | Microsoft Azure CLI |
| BR | 14 | Office 365 Exchange Online |
| DE | 8 | Azure AD PowerShell |
| JP | 8 | Azure AD PowerShell |
| HK | 4 | Office 365 Exchange Online |
| MA | 4 | Office 365 Exchange Online |
| RU | 3 | Office 365 Exchange Online |
| SE | 3 | Office 365 Exchange Online |
| AE, GM, LA, NO, PT, TN, TW, UA | 2 each | Office 365 Exchange Online |
| BG, BN, ID, PE, SO, TH, UG | 1 each | Office 365 Exchange Online |

Pattern: broad, distributed password guessing. Most attempts target Exchange Online, which is consistent with legacy-auth spraying but should be confirmed from the clientAppUsed field (IMAP4, POP3, SMTP, Exchange ActiveSync or "Other clients" rather than Browser / Mobile Apps and Desktop clients). The Luxembourg block targets Azure CLI and the Germany and Japan blocks target Azure AD PowerShell; both are first-party public clients that spray tooling uses routinely because they accept a plain username/password grant, so this alone does not prove the attacker knows Howard's role. Either way, the campaign is probing admin-grade endpoints, not just mail.
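The breakdown above, and the two questions the status column cannot answer (did any "failure" actually get past the password, and how much of the traffic is legacy auth), can be computed directly from the Graph sign-in records. This is an added example, not the remediation tool's code: it consumes records in the shape returned by GET /auditLogs/signIns and reports per-country/per-app foreign failures, foreign successes, failures whose error code means the first factor passed, and legacy-protocol attempts. The six sign-in records are constructed to mirror the report's pattern; IPs, timestamps and the one password-accepted failure (KR, 50076) are illustrative and not from Howard's log.

```python
"""Summarize Microsoft Graph sign-in logs for one account.

Added example, not part of the original report or the remediation tool.
Input records follow the Graph signIn resource shape (appDisplayName,
clientAppUsed, location.countryOrRegion, status.errorCode).
"""
from collections import Counter

HOME_COUNTRY = "US"

# Entra error codes where the password was accepted and the sign-in was
# stopped afterwards: MFA required, MFA denied, or Conditional Access block.
PASSWORD_ACCEPTED_CODES = {50074, 50076, 500121, 53003}

# clientAppUsed values Microsoft treats as modern auth; anything else
# (IMAP4, POP3, SMTP, Exchange ActiveSync, Other clients, ...) is legacy.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample. Error code 0 is success, 50126 is invalid credentials,
# 50076 (the KR record) is a hypothetical MFA-stage failure for contrast.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-10T03:12:44Z", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Other clients", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "CN"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-04-10T03:12:51Z", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.11",
     "location": {"countryOrRegion": "CN"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-04-11T09:40:02Z", "appDisplayName": "Microsoft Azure CLI",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "LU"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-04-12T14:05:19Z", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Other clients", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "KR"}, "status": {"errorCode": 50076}},
    {"createdDateTime": "2026-04-12T16:22:00Z", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "ipAddress": "192.0.2.5",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-13T08:00:00Z", "appDisplayName": "Microsoft Azure CLI",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "192.0.2.5",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]


def country(signin):
    """Country code of the sign-in, '??' when Graph omitted location."""
    return (signin.get("location") or {}).get("countryOrRegion", "??")


def error_code(signin):
    """Entra error code; 0 means the sign-in succeeded."""
    return (signin.get("status") or {}).get("errorCode", 0)


def succeeded(signin):
    return error_code(signin) == 0


def foreign_failure_distribution(signins, home=HOME_COUNTRY):
    """(country, app) -> count of failed sign-ins from outside the home country."""
    return Counter((country(s), s.get("appDisplayName")) for s in signins
                   if country(s) != home and not succeeded(s))


def foreign_successes(signins, home=HOME_COUNTRY):
    """Any of these is a breach indicator, regardless of the failure count."""
    return [s for s in signins if country(s) != home and succeeded(s)]


def password_accepted_failures(signins):
    """Failures whose code means the attacker presented the correct password."""
    return [s for s in signins if error_code(s) in PASSWORD_ACCEPTED_CODES]


def legacy_auth_attempts(signins):
    """Attempts over protocols that cannot perform MFA and should be blocked by CA."""
    return [s for s in signins if s.get("clientAppUsed") not in MODERN_CLIENTS]


def report(signins, home=HOME_COUNTRY):
    """Headline numbers in the form the breach-check summary quotes."""
    foreign = [s for s in signins if country(s) != home]
    return {
        "total": len(signins),
        "foreign": len(foreign),
        "foreign_failed": sum(1 for s in foreign if not succeeded(s)),
        "foreign_success": len(foreign_successes(signins, home)),
        "password_accepted_failures": len(password_accepted_failures(signins)),
        "legacy_auth": len(legacy_auth_attempts(signins)),
        "by_country_app": dict(foreign_failure_distribution(signins, home)),
    }


if __name__ == "__main__":
    r = report(SAMPLE_SIGNINS)
    for (c, app), n in sorted(r["by_country_app"].items(), key=lambda kv: -kv[1]):
        print(f"{c:3} {n:3}  {app}")
    print(f"foreign {r['foreign']}/{r['total']}, failed {r['foreign_failed']}, "
          f"succeeded {r['foreign_success']}, password-accepted failures "
          f"{r['password_accepted_failures']}, legacy-auth {r['legacy_auth']}")
```

On the constructed sample the verdict would not be CLEAN: every foreign attempt failed, but one failure carries 50076, meaning the password was accepted and only MFA stopped it. That is the distinction the report's "all FAILED" line cannot make on its own, and the reason the failure-code check belongs next to the country table.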

7. Directory audits (targetResources = Howard) — CLEAN

0 events in 30 days targeting Howard's account. No unauthorized changes.

8. Risky users / risk detections — BLOCKED (403)

IdentityRiskyUser.Read.All not consented in azcomputerguru tenant. See Gaps.

9. Sent items (recent 25) — CLEAN

Normal business correspondence. No blast patterns.

10. Deleted items (recent 25) — CLEAN

Normal marketing/notifications. No deleted security alerts.

Gaps — blocked by missing permissions

Gap #1: Exchange REST (403)

The ComputerGuru - AI Remediation service principal has no Exchange Online admin authorization in our own azcomputerguru tenant. Blocks:

  • Hidden inbox rules (Get-InboxRule -IncludeHidden)
  • Mailbox permissions / delegates (Get-MailboxPermission)
  • SendAs permissions (Get-RecipientPermission)
  • Mailbox-level forwarding flags (Get-Mailbox: ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward)

Fix: Entra -> Roles & admins -> Exchange Administrator -> Add assignment -> search "ComputerGuru - AI Remediation" -> Active (permanent).

Two caveats on that fix. App-only access to Exchange Online also requires the Exchange.ManageAsApp application permission on the Office 365 Exchange Online API, admin-consented; with the role but without that grant the REST calls still return 403. And since the tool's scope is read-only, check first whether Global Reader (which Exchange Online app-only auth also accepts) covers the Get-* cmdlets above; a permanent, write-capable Exchange Administrator assignment on a service principal is more standing privilege than a read-only check needs.

Gap #2: Identity Protection (403)

IdentityRiskyUser.Read.All not consented in azcomputerguru tenant. Blocks risky user classification and risk detection history.

Fix: admin consent URL (grants the app's requested permissions tenant-wide; must be completed by an administrator who is allowed to grant tenant-wide admin consent, and the redirect_uri must match one registered on the app):

https://login.microsoftonline.com/ce61461e-81a0-4c84-bb4a-7b354a9a356d/adminconsent?client_id=fabb3421-8b34-484b-bc17-e46de9703418&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient

Priority actions

  1. Rotate Howard's password — hygiene, 18 months old and he's actively targeted. If the failure-code check under item 6 turns up any password-accepted code (50074/50076/500121/53003), this becomes mandatory and should be paired with revoking refresh tokens (Revoke-MgUserSignInSession) so existing sessions die with the old password.
  2. Close the gaps above on our own tenant — we've been running the remediation tool against customer tenants without ever consenting on our own home tenant. That's an oversight.
  3. Review legacy auth exposure tenant-wide. The campaign targets Exchange Online and Azure AD PowerShell. Microsoft has already disabled Basic auth for most Exchange Online protocols, but SMTP AUTH remains tenant- and mailbox-configurable; confirm Conditional Access blocks legacy authentication clients tenant-wide (not just for Howard) and that SMTP AUTH is disabled where it isn't needed.
  4. Consider moving Howard to phishing-resistant / passwordless (FIDO2, or passkeys in Authenticator) as primary, enforced through a Conditional Access authentication strength. This does not stop the attempts themselves, which keep arriving and keep consuming Smart Lockout thresholds as long as password sign-in is allowed; the gain is that a future correct-password guess or phish yields nothing, which is worth having given the volume.

Data artifacts

Raw JSON at /tmp/remediation-tool/ce61461e-81a0-4c84-bb4a-7b354a9a356d/user-breach/howard_azcomputerguru_com/