claudetools/wiki/clients/kittle.md
type: client
name: kittle
display_name: Kittle Design & Construction LLC
last_compiled: 2026-06-09
compiled_by: GURU-5070/claude-main
sources:
  • wiki/clients/kittle.md
  • wiki/clients/kittle-design.md
  • clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md
  • clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-ach-fraud-ic3.md
  • clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md
  • clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md
  • clients/kittle/reports/2026-06-08-breach-check.md
  • clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md
  • clients/kittle-design/session-logs/2026-04-24-session.md
  • clients/kittle/docs/overview.md
  • clients/kittle/docs/servers/server.md
  • clients/kittle/docs/network/topology.md
  • clients/kittle/docs/network/firewall.md
  • clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
backlinks:
  • clients/kittle-design
  • projects/gururmm
  • clients/internal-infrastructure

Kittle Design & Construction LLC

Profile

  • Business type: General contractor / design-build (construction)
  • Contract type: Break-fix
  • Syncro customer ID: 32460233
  • Managed devices (Syncro assets): 2
  • Open tickets: 0 (all June 2026 incident tickets Invoiced/Resolved as of 2026-06-09)
  • Billing rate: (verify — Labor - Remote Business, product_id 1190473 observed)
  • Hours remaining: N/A (Break-fix, no prepaid block)
  • Address: 2539 N Balboa Ave #125, Tucson, AZ 85705
  • Phone: 520.299.0404 | Fax: 520.299.0477
  • Website: kittlearizona.com
  • Status: Active — ongoing post-incident hardening

Key Contacts

| Name | Title | Email | Notes |
|---|---|---|---|
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | Was Global Admin; roles stripped during incident, need to re-add appropriate admin role once fully cleared |
| Kimberly Ross ("Kim") | Office Admin | admin@kittlearizona.com | Admin@ mailbox; MFA reset 2026-06-09 to phone-only |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account (AD: accountant); impersonated by attacker during ACH fraud (verify: internal employee or external contractor?) |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Replaced Wrex; FullAccess + SendAs to Wrex's former shared mailbox |
| Lori Schagel | (verify role) | Lori@kittlearizona.com | Had 10 pre-existing admin roles incl. GA; stripped and downscoped to User Administrator 2026-06-08 |
| Alexis Schagel | (verify role) | alexis@kittlearizona.com | Compromised in April 2026; remediated |
| Marco Fragoso | Employee | marco@kittlearizona.com | Compromised June 2026; password reset + sessions revoked 2026-06-09 |
| Hayden Schagel | Employee | hayden@kittlearizona.com | |
| Scott Zehner | Employee | scott@kittlearizona.com | Phone-only MFA (no Authenticator) |
| Howard Enos | MSP Tech (ACG) | | AD account: sysadmin (Domain Admin) |

Additional M365 users (licensed):

  • Office 365 E3 (No Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
  • Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner

Infrastructure

Servers

| Hostname | IP | OS | Role | Hardware | Notes |
|---|---|---|---|---|---|
| SERVER (asset: SERVER2021) | 10.0.0.5 | Windows Server 2025 Standard EVALUATION | Primary DC, DNS, File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Check: slmgr /dlv |

[WARNING] NO BACKUP EXISTS. No Windows Server Backup, no third-party agent, no cloud backup. SERVER is the only DC; failure = loss of AD, DNS, file shares, and QuickBooks data permanently.

SERVER storage:

| Drive | Label | Size | Notes |
|---|---|---|---|
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |

Workstations

| AD Name | OS | Notes |
|---|---|---|
| FRONTDESK | Windows 11 Pro | Syncro asset id 11122225 |
| ACCOUNTING | Windows 11 Pro for Workstations | accountant role account |
| CHRISTINE-WIN10 | Windows 11 Pro | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | Was Wrex — now Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | User unknown — needs onsite correlation + rename |

Active Directory

  • Domain: kittle.lan (NetBIOS: KITTLE)
  • Domain Admins: Administrator, sysadmin (ACG)
  • Total domain users: 12 (including joshua.sutherland added 2026-05-08)
  • Total workstations: 7

[WARNING] Role-based AD accounts (accountant, frontdesk) should be replaced with individual named accounts.

[WARNING] Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) have unconfirmed user-to-machine mapping.

Installed Software (SERVER)

| Software | Notes |
|---|---|
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to ACCOUNTING workstation; data at C:\Shares\Home\QBooks |
| ScreenConnect | Remote access agent |

ScreenConnect note: Command runner defaults to cmd context — PowerShell scripts MUST be prefixed with #!ps or they fail silently.

Network

  • Subnet: Single flat 10.0.0.0/24 — no VLANs, no segmentation
  • Gateway: 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
  • Switch: UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
  • ~31 devices on network (most unidentified)

[WARNING] NO dedicated firewall. ISP router is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. Recommendation: Deploy pfSense or commercial UTM (FortiGate, SonicWall).

DHCP: [WARNING] Runs on ISP router (10.0.0.1), NOT on SERVER. Windows DHCP role installed on SERVER but has zero scopes. Unknown what DNS server is handed out via DHCP — AD name resolution may be broken for domain clients.

Internal DNS: Windows DNS on SERVER (10.0.0.5), AD-integrated. Forwarder: 10.0.0.1 only. No reverse lookup zone. No secondary forwarder.

External DNS (kittlearizona.com): Hybrid NSOne + Squarespace nameservers.

File Shares (SERVER)

| Share | Path | Notes |
|---|---|---|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON / SYSVOL | (default) | AD logon scripts / Group Policy |

GPO Note: HomeFolder GPO drive map MUST stay as Update (not Replace). Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.


Cloud / M365

Tenant

| Field | Value |
|---|---|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Entra licensing | Entra ID P2 (P2 added 2026-06-09; was Business Premium / P1 only before) |
| Admin portal | https://admin.microsoft.com |

Licensing (as of 2026-06-09)

| License | Qty |
|---|---|
| Microsoft 365 Business Standard (BUSINESS_PREMIUM) | 12 |
| Office 365 E3 No Teams | 4 |
| Entra ID P2 | (added 2026-06-09 by Mike — qty covers all users) |

ACG sysadmin account is unlicensed.

Security Posture (post-hardening, 2026-06-09)

| Control | Status |
|---|---|
| Security Defaults | DISABLED (replaced by CA 2026-06-09) |
| Conditional Access | ENFORCED — three policies active (see below) |
| Legacy auth (IMAP/POP/EAS) | Still enabled tenant-wide — [WARNING] disable |
| DKIM | MISSING — HIGH PRIORITY |
| DMARC | MISSING — HIGH PRIORITY |
| Entra P2 / Identity Protection | Available as of 2026-06-09 |

Conditional Access policies (active as of 2026-06-09):

  • ACG - Require MFA for all users — enforced; break-glass sysadmin@ excluded
  • ACG - Block legacy authentication — enforced; sysadmin@ excluded
  • ACG - Block non-US sign-ins — enforced; named location "United States (ACG)"; sysadmin@ excluded

Email DNS (kittlearizona.com)

| Record | Status | Value |
|---|---|---|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |

External DNS registrar: Unknown — needs identification.

MSP App Service Principals (in-tenant)

| App | SP Object ID (in Kittle tenant) | Role |
|---|---|---|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | (including JIT Privileged Authentication Administrator — MUST be removed; see Open Items) |
| ComputerGuru AI Remediation | 2fd24cfa-8533-460f-9cbb-53cc4a32d3f5 | |

SharePoint / OneDrive

Confirmed clean post-incident (2026-06-08): no attacker-created files, pages, or external sharing links.


GuruRMM

| Field | Value |
|---|---|
| Client name | Kittle Design & Construction LLC |
| Client ID | d8b08837-78e0-441e-b824-e0abbf0254ed |
| Client code | KITTLE |
| Site name | Main Office |
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
| Site code | SILVER-HAWK-7639 |
| API key (enrollment) | Vault: clients/kittle/gururmm-site-main.sops.yaml |
| Dashboard | https://rmm.azcomputerguru.com |

GuruRMM client + site created 2026-05-08 (Howard onsite). Agent deployment in progress:

  • SERVER (SERVER2021) — agent install initiated 2026-05-08; confirm enrolled
  • Workstations — rollout pending; deploy to FRONTDESK + others

Access

  • RDP / Remote (SERVER): ScreenConnect (installed) | \\10.0.0.5 on-prem
  • M365 Admin Portal: https://admin.microsoft.com (tenant: kittlearizona.com)
  • Entra Portal: https://entra.microsoft.com
  • GuruRMM Dashboard: https://rmm.azcomputerguru.com (site: SILVER-HAWK-7639)
  • Vault path (M365 incident credentials): clients/kittle/m365-ken-schagel-incident.sops.yaml
  • Vault path (GuruRMM enrollment key): clients/kittle/gururmm-site-main.sops.yaml
  • Vault path (SERVER admin): clients/kittle/server2021.sops.yaml (migrate from Syncro plaintext — see Open Items)
  • Known Outlook accounts in Syncro notes (plaintext — migrate to vault): kittletucson@outlook.com, kittletucson2@outlook.com

[WARNING] SERVER admin password and Outlook credentials are currently stored as plaintext in Syncro customer notes. Migrate to vault and strip from Syncro.


BEC / ACH Fraud Incident — June 2026

This section documents the major Business Email Compromise and attempted ACH payment-redirection fraud of June 2026. It is the canonical incident record; detail sources are listed in the frontmatter.

Incident Summary

A nation-state or organized-crime threat actor compromised Ken Schagel's Microsoft 365 account (entry point: credential theft in or before April 2026) and used it to attempt ACH payment-redirection fraud against two Arizona government agencies — the City of Tucson (invoices totaling $130,000+) and the Town of Marana. The fraud was PREVENTED; no funds moved. The FBI IC3 complaint was filed 2026-06-09 (Submission ID: aa2ef50482ca4c05a54ae0f6cb56ffa0).

Root Cause and Entry Point

Ken Schagel's credentials were compromised on or before April 2026. The evidence: an IMAP legacy-auth OAuth consent (app 9b504397) was granted FROM Ken's account object ID (5fc37e1a) in April 2026. The April 2026 remediation session revoked that OAuth consent but did not reset Ken's password or revoke his sessions. As a result, the attacker retained valid credentials and persisted undetected for approximately two months until the June 2026 breach.

Access method: legacy IMAP/OAuth using Microsoft Desktop app d3590ed6-52b3-4102-aeff-aad2292ab01c with python-httpx/0.28.1, bypassing MFA (Security Defaults only; no Conditional Access; IMAP/POP/EAS enabled on all mailboxes). The original phishing lure that stole Ken's credentials is not forensically recoverable (mailbox dumpster retention does not go back to the infection date).

Attack Timeline

| Date/Time (UTC) | Event |
|---|---|
| 2026-04 (approx) | Ken's credentials stolen (proven via IMAP consent granted from Ken's object ID). April remediation revokes consent but does NOT reset password — attacker persists. |
| 2026-04-23 | ACG April breach check: Alexis fully remediated. Ken's "Admin" inbox rule classified [INFO] (not [WARNING]). Incomplete remediation. |
| 2026-06-05 ~11:52 | Attacker inserts Accounting.kittlearizona@gmx.com into live Kittle↔City of Tucson invoice thread (thread poisoning, 3 days before main breach). |
| 2026-06-08 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise. |
| 2026-06-08 13:24 | [BREACH START] Attacker OWA login from 64.44.131.168 (Chicago IL, AS20278 Nexeon Technologies — VPN/hosting). |
| 2026-06-08 13:37 | Ken's T-Mobile phone accesses account legitimately (Ken is unaware of compromise). |
| 2026-06-08 14:51–21:09 | Attacker accesses Accounting@ mailbox as delegate (Ken had FullAccess to Accounting) — 21 MailItemsAccessed events across Inbox\Customers, Assured Partners, Employees, Sent, Deleted. |
| 2026-06-08 15:32 / 16:14 | Attacker sends two "test" emails from OWA. |
| 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 | Attacker sends fraudulent "EFT UPDATE" / ACH banking-change emails from Accounting@ (SendOnBehalf) to Randi Arnett at City of Tucson BSD/AP. Hard-deletes the thread from both Ken@ and Accounting@ after each send to conceal. |
| 2026-06-08 18:36–18:53 | Contact harvest: python-httpx/0.28.1 from Azure IP 40.126.41.96, 250+ MailItemsAccessed events. |
| 2026-06-08 21:14–21:26 | Phishing blast: 1,000 "Ken Schagel shared a file with you" (fake OneDrive lure) sent in 5 batches from 45.134.224.220 (Kansas City MO, AS147049 PacketHub S.A.). 747 delivered, 227 bounced. Phishing link: flowinnactuators.com/work.html (credential harvesting). |
| 2026-06-08 ~21:30 | Howard (ACG) receives phishing email — incident detected. |
| 2026-06-08 21:41 | Mike manually blocks Ken's sign-in in Entra portal, sets temp password. |
| 2026-06-08 ~22:00 | ACG investigation and remediation begins. 5 malicious inbox rules deleted. Lori's 10 admin roles stripped. 740 victim-notification emails sent from admin@ via EWS SOAP. |
| 2026-06-09 (morning) | ACG discovers the ACH fraud angle via audit-log + message-trace analysis; recovers deleted fraud emails + the BSD ACH APPLICATION.pdf from Recoverable Items dumpster. |
| 2026-06-09 | Discovery of marco@ compromise: 2 additional hidden inbox rules filtering Marana AP emails and internal accounting/ken emails. Marco had sent fraudulent "Application for Payment" and "EFT Form Update" emails to the Town of Marana AP (delivered ~17:05 UTC 2026-06-09). |
| 2026-06-09 | Kittle (Darline Cabrera) contacts City of Tucson: City stops the payment — no funds transferred. Marana also confirms no ACH cleared after a human contact from Kittle. Attacker had also phoned Marana (vishing) to pressure the change. |
| 2026-06-09 12:46 PM EST | FBI IC3 complaint filed. Submission ID: aa2ef50482ca4c05a54ae0f6cb56ffa0. |
| 2026-06-09 | Conditional Access deployed (Security Defaults disabled, CA enforced). Entra P2 added. |
| 2026-06-09 | Ken's password reset in person on-site by Mike. |

Targeted Payers and Financial Exposure

City of Tucson (BSD/AP):

  • Contact in fraud thread: Randi Arnett (Finance Manager, Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov
  • Fraudulent ACH/EFT banking-change form (BSD ACH Application) submitted impersonating Darline Cabrera (bookkeeper)
  • Exposed invoices: #31468 ($123,776.75 — MMC Generator Upgrade), #31400 (~$8,818 — COT Knights Inn Fire Suppression, EFT scheduled 2026-06-09), #31453 ($41,231 — due 2026-06-28)
  • Total identified exposure: $130,000+ (all future City-of-Tucson payments would have been redirected by an approved ACH change)
  • OUTCOME: City stopped payment before any transfer. $0 actual loss.

Town of Marana:

Mule (fraudulent receiving) accounts:

| Bank | Routing | Account | Name |
|---|---|---|---|
| Truist Bank | 053201607 | 1410020505238 | "Kittle Design & Construction" (fraudulent) |
| First State Bank of East Detroit (MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED |
| JPMorgan Chase Bank, N.A. | 021000021 (wire) / 072000326 (ACH) | 2906183268 | FOAM FACTORY INCORPORATED |

Kittle confirmed it has no relationship with Foam Factory Incorporated.

Attacker Infrastructure

| IP / Domain | Type | Use | Notes |
|---|---|---|---|
| 64.44.131.168 | IP | OWA access, fraud email sends, evidence deletion | Chicago IL, AS20278 Nexeon Technologies (VPN/hosting) — CA blocked |
| 45.134.224.220 | IP | Phishing blast (1,000 emails) | Kansas City MO, AS147049 PacketHub S.A. — CA blocked |
| 40.126.41.96 | IP | Contact harvest via python-httpx | Microsoft Azure — CA blocked |
| 66.179.30.87 + IPv6 | IP | (threat-intel: nation-state indicator) | CA blocked |
| Accounting.kittlearizona@gmx.com | Email | Thread poisoning / reply-chain hijack | GMX free account; inserted into Kittle↔City invoice thread 2026-06-05 |
| kittlarizona.com | Lookalike domain | Attacker CC reply address (missing 'e') | Namecheap registrar / Zoho email hosting; registered 2026-06-09 15:34 UTC; blocked in-tenant + abuse reports to Zoho + Namecheap |
| tucsonoz.com | Lookalike domain | Impersonating tucsonaz.gov | PublicDomainRegistry / Titan email hosting; used in fraud email (randi.arnett@tucsonoz.com) — blocked in-tenant + abuse reports |
| (659) 221-9243 | Phone | Vishing — pressured Marana to process bank change | Listed on fraudulent ACH form |
| d3590ed6-52b3-4102-aeff-aad2292ab01c | OAuth App | Microsoft Desktop app used for IMAP/token access | First-party app ID, not malicious by itself; used with stolen credentials + python-httpx |

Malicious Artifacts Removed

Inbox rules (6/8 — 5 rules across 3 mailboxes):

| Mailbox | Rule Name | Action | Discovered |
|---|---|---|---|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds (Priority 1) | 2026-06-08 — suppressing ALL inbound at discovery |
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds (Priority 2) | 2026-06-08 — suppressing ALL inbound at discovery |

Inbox rules (6/9 — 2 more on marco@):

| Mailbox | Action | Subject filter |
|---|---|---|
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | "EFT Form Update" / "KDC - Application for Payment #1 Job No. 5654.25" / sender @maranaaz.gov |
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | Internal: accounting@, ken@ |

Pre-existing April rule (not attacker-planted — confirmed 2026-06-08):

  • Ken "Christina Micek" rule — StopProcessingRules:true, no action/filter. Confirmed benign by Mike (2026-06-08 full sweep).

OAuth grants revoked on alexis@ (2026-06-08):

  • PERFECTDATA app — Mail.ReadWrite, Files.ReadWrite (immediately revoked — clearly malicious)
  • Alignable app — offline_access, User.Read, Contacts.Read (revoked at Mike's direction)

April OAuth revocations (pre-incident, 2026-04-23):

  • c5df10ae AllPrincipals app — 7 grants deleted including Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
  • IMAP legacy auth app 9b504397 — IMAP.AccessAsUser.All (consented by Ken's account object; password NOT reset at the time — root cause of persistence)

Privilege excess corrected:

  • Lori Schagel: 10 pre-existing admin roles (including Global Administrator) stripped 2026-06-08; re-assigned User Administrator only. Confirmed pre-existing (not attacker-planted) via directoryAudits.
  • Ken FullAccess to Accounting@ removed (2026-06-09 remediation) — this delegate access was the vector for attacker to operate the finance mailbox.

Remediation Actions Completed

| Action | Date | Status |
|---|---|---|
| Ken sign-in blocked + temp password set | 2026-06-08 | [OK] — vault: clients/kittle/m365-ken-schagel-incident.sops.yaml |
| Ken sessions revoked + all 10 admin roles stripped | 2026-06-08 | [OK] |
| Ken re-enabled; MFA verified clean | 2026-06-08 | [OK] — single iPhone 12 Pro Max, no attacker devices |
| Ken password reset in person on-site | 2026-06-09 | [OK] — prior temp values superseded/stale |
| Ken outbound-spam send restriction removed | 2026-06-09 | [OK] |
| 5 malicious inbox rules deleted (Ken x2, Alexis x1, Accounting x2) | 2026-06-08 | [OK] — Accounting mail flow restored immediately |
| Alexis PERFECTDATA + Alignable OAuth grants revoked | 2026-06-08 | [OK] |
| Lori 10 admin roles stripped → re-assigned User Administrator | 2026-06-08 | [OK] |
| Lori sessions revoked | 2026-06-08 | [OK] |
| 740 victim-notification emails sent from admin@ | 2026-06-08 | [OK] — via EWS SOAP; 7 automated addresses filtered |
| Wrex sessions revoked + password reset | 2026-06-08 | [OK] |
| marco@ 2 hidden inbox rules deleted | 2026-06-09 | [OK] |
| marco@ password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ (Kim) password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ MFA reset: added phone as default, removed Authenticator | 2026-06-09 | [OK] |
| Ken FullAccess to Accounting@ removed | 2026-06-09 | [OK] |
| Wrex offboarded: disabled, sessions revoked, mailbox → shared | 2026-06-09 | [OK] |
| Joshua FullAccess + SendAs to Wrex's former mailbox | 2026-06-09 | [OK] |
| kittlarizona.com blocked in Kittle tenant Allow/Block List | 2026-06-09 | [OK] |
| tucsonoz.com blocked in-tenant | 2026-06-09 | [OK] |
| Abuse reports sent: Zoho + Namecheap re: kittlarizona.com | 2026-06-09 | [OK] — awaiting takedown response |
| Security Defaults DISABLED; CA policies ENFORCED | 2026-06-09 | [OK] |
| Entra P2 added (all users) | 2026-06-09 | [OK] — Identity Protection now available |
| FBI IC3 complaint filed (aa2ef50482ca4c05a54ae0f6cb56ffa0) | 2026-06-09 | [OK] |
| Syncro tickets updated; billing applied | 2026-06-08/09 | [OK] |

Incident Evidence (preserved by ACG)

All evidence retained locally at C:\Users\guru\Downloads\Kittle-IC3-Package\ on GURU-5070:

  • FRAUD_BSD_ACH_APPLICATION.pdf — fraudulent ACH change form submitted to City of Tucson (Truist bank details)
  • Ken_ACH-FoamFactory.pdf — second ACH form (Foam Factory Inc accounts)
  • recovered-fraud-emails.txt — full EFT UPDATE / ACH thread recovered from Recoverable Items dumpster
  • attacker-audit-events.csv — 171-event M365 Unified Audit Log export
  • IC3-fill-sheet.txt + IC3 complaint report PDF + BANK-FRAUD-NOTIFICATIONS PDF
  • resolution-confirmation.txt — City of Tucson payment stop confirmation

Patterns & Known Issues

[CRITICAL PATTERN] Incomplete remediation = attacker persistence

What happened: April 2026 remediation revoked an IMAP OAuth consent that was provably granted by Ken's account. The correct response was: revoke consent + reset Ken's password + revoke Ken's sessions. Instead, only the consent was revoked. The attacker still had Ken's valid password, so they retained full OWA access for ~2 months until June 2026.

Rule: Whenever an OAuth consent or suspicious sign-in is attributed to a specific user account object ID, that account's password MUST be reset and all sessions revoked — not just the consent or the artifact. Revoking an OAuth consent while the underlying credential is still valid accomplishes nothing if the attacker can simply log in directly.

What happened: The April breach check classified Ken's "Admin" inbox rule (filtering Capital One + Bill.com + @flystucson.com) as [INFO] with "confirm with user" guidance. Combined with the IMAP consent from the same user object, these two signals together should have triggered a mandatory [WARNING] and forced password reset — not a "ask Ken to confirm" deferral. "Confirm with the user" is unreliable when the account may already be compromised and the attacker can read incoming verification emails.

Rule: Financial-platform filtering inbox rule + legacy-auth IMAP consent from the same user object = treat as [WARNING] regardless of "could be legitimate" explanations. Escalate to password reset + session revocation. Do not defer to user confirmation without first containing the account.
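The two rules above (any legacy-auth consent attributed to a user object ID forces password reset + session revocation; a financial-platform filtering rule on that same user is [WARNING], never a deferred [INFO]) can be encoded as a triage step in a breach check. The following is an added example written for this page, not code from the Kittle wiki or from ACG's own breach-check tooling; the rule and consent records are constructed samples with object IDs abbreviated the way the page abbreviates them, and the keyword lists and suppression-folder names are assumptions chosen for illustration.

```python
"""Inbox-rule + OAuth-consent triage (added example; constructed sample data)."""
from dataclasses import dataclass, field

# Assumed indicator lists; tune per tenant. Substring matching is deliberate
# so that "capitalone.com" and "@bill.com" style sender filters are caught.
FINANCIAL_KEYWORDS = ("capital one", "capitalone", "bill.com", "bank", "ach", "eft", "invoice", "payment")
SUPPRESSION_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "archive", "deleted items")
LEGACY_AUTH_SCOPES = ("IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send", "EAS.AccessAsUser.All")
LEVELS = ("OK", "INFO", "WARNING")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    from_filter: tuple          # sender addresses/domains the rule matches on
    move_to: str = ""           # destination folder, "" if the rule does not move
    mark_as_read: bool = False
    stop_processing: bool = False
    applies_to_all: bool = False  # no conditions at all: every inbound message


@dataclass
class OAuthConsent:
    app_id: str
    granted_by_object_id: str   # user object that consented ("AllPrincipals" for admin consent)
    scopes: tuple


@dataclass
class Finding:
    mailbox: str
    level: str = "OK"
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def raise_to(finding, level):
    """Severity only ever goes up."""
    if LEVELS.index(level) > LEVELS.index(finding.level):
        finding.level = level


def rule_signals(rule):
    """Return (level, reason) pairs for one inbox rule."""
    signals = []
    if rule.applies_to_all and rule.move_to.lower() in SUPPRESSION_FOLDERS:
        signals.append(("WARNING", "moves ALL mail to a suppression folder"))
    if rule.move_to and rule.mark_as_read and rule.stop_processing:
        signals.append(("WARNING", "move + MarkAsRead + StopProcessing hide-and-silence combination"))
    if any(k in f.lower() for f in rule.from_filter for k in FINANCIAL_KEYWORDS):
        signals.append(("INFO", "filters financial-platform senders"))
    return signals


def triage(rules, consents, object_ids):
    """object_ids maps mailbox address -> Entra user object ID."""
    findings = {mb: Finding(mb) for mb in object_ids}
    for r in rules:
        f = findings.setdefault(r.mailbox, Finding(r.mailbox))
        for level, reason in rule_signals(r):
            raise_to(f, level)
            f.reasons.append(f"rule {r.name!r}: {reason}")
    # Attribution rule: a legacy-auth consent granted BY a user object means that
    # user's credential is treated as compromised, whatever the rule findings say.
    by_object = {oid: mb for mb, oid in object_ids.items()}
    for c in consents:
        if not any(s in LEGACY_AUTH_SCOPES for s in c.scopes):
            continue
        mb = by_object.get(c.granted_by_object_id)
        if mb is None:
            continue
        raise_to(findings[mb], "WARNING")
        findings[mb].reasons.append(f"legacy-auth consent {c.app_id} granted by this user object")
    for f in findings.values():
        if f.level == "WARNING":
            f.actions = ["reset password", "revoke all sessions",
                         "delete suspicious inbox rules", "revoke legacy-auth consents"]
        elif f.level == "INFO":
            f.actions = ["confirm rule with user only after the account is otherwise clean"]
    return findings


# Constructed samples modelled on the page's April findings.
SAMPLE_OBJECT_IDS = {
    "ken@kittlearizona.com": "5fc37e1a",      # abbreviated as on the page
    "alexis@kittlearizona.com": "obj-alexis",  # placeholder
    "scott@kittlearizona.com": "obj-scott",    # placeholder
}
SAMPLE_RULES = [
    InboxRule("ken@kittlearizona.com", "Admin", ("capitalone.com", "bill.com", "@flystucson.com"), "RSS Feeds"),
    InboxRule("alexis@kittlearizona.com", "...", (), "RSS Feeds", mark_as_read=True, stop_processing=True, applies_to_all=True),
    InboxRule("scott@kittlearizona.com", "Vendor newsletters", ("newsletter@supplier.example",), "Newsletters"),
]
SAMPLE_CONSENTS = [
    OAuthConsent("9b504397", "5fc37e1a", ("IMAP.AccessAsUser.All",)),
    OAuthConsent("c5df10ae", "AllPrincipals", ("Directory.ReadWrite.All", "Mail.Send")),
]

if __name__ == "__main__":
    for mb, f in triage(SAMPLE_RULES, SAMPLE_CONSENTS, SAMPLE_OBJECT_IDS).items():
        print(f"[{f.level}] {mb}: {'; '.join(f.reasons) or 'no findings'} -> {f.actions}")
```

Run as a script it prints one line per mailbox. Ken's "Admin" rule alone only reaches [INFO]; the IMAP consent attributed to his object ID is what lifts the finding to [WARNING] with a mandatory reset, which is exactly the step the April check skipped.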

[PATTERN] Lookalike domain + reply-chain hijack + in-mailbox ACH fraud

This incident used a layered attack pattern:

  1. Register a lookalike domain (kittlarizona.com vs kittlearizona.com) for reply-chain insertion.
  2. Insert the lookalike address into a legitimate invoice email thread days before accessing the real mailbox (thread poisoning as of 2026-06-05, 3 days early).
  3. Once inside the real mailbox, send from the REAL company email address (not the lookalike) for maximum legitimacy.
  4. Hard-delete the evidence immediately after each send.
  5. Supplement with vishing — phoning the target AP to verbally pressure approval.

Rule: ACH/bank-change requests received via email (even from a known email address) should ALWAYS require a callback to a pre-known phone number to verify. Email alone is insufficient authorization for banking changes, even from a trusted sender. The attacker was operating the real mailbox, not just spoofing it.
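Two parts of this pattern can be screened mechanically before a human ever reads the thread: a participant address that is a lookalike of a protected domain (or a freemail account carrying a protected name in its local part, as Accounting.kittlearizona@gmx.com did), and a message whose subject or body asks for a banking change and therefore requires the callback the rule demands. The following is an added example, not code from the Kittle wiki or from ACG tooling; the protected-domain list, the freemail list, the bank-change vocabulary and the two messages are constructed for illustration, and it generalises beyond the two lookalikes on the page by flagging any registrable name within two edits of a protected one or reused on another TLD.

```python
"""Lookalike-domain and bank-change screening for a message thread (added example)."""
import re

# Assumed lists for illustration; the real set comes from the client's known payers.
PROTECTED_DOMAINS = ("kittlearizona.com", "tucsonaz.gov", "maranaaz.gov")
FREEMAIL_DOMAINS = ("gmx.com", "gmail.com", "outlook.com", "yahoo.com", "proton.me")
# Word-bounded so "attach" does not match "ach".
BANK_CHANGE_RE = re.compile(
    r"\b(eft|ach|routing number|bank(ing)?|remit(tance)?|wire)\b|\bpayment (update|change)\b", re.I)


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(domain):
    """Registrable label: 'tucsonoz.com' -> 'tucsonoz'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def screen_address(addr):
    """Return a list of reasons this address looks like an impersonation attempt."""
    local, _, domain = addr.lower().rpartition("@")
    if domain in PROTECTED_DOMAINS:
        return []
    findings = []
    for p in PROTECTED_DOMAINS:
        d = levenshtein(sld(domain), sld(p))
        if d == 0:
            findings.append(f"same name as {p} on a different TLD")
        elif d <= 2:
            findings.append(f"lookalike of {p} (edit distance {d}: {sld(domain)!r} vs {sld(p)!r})")
        if domain in FREEMAIL_DOMAINS and sld(p) in local:
            findings.append(f"freemail account carrying the {p} name in its local part")
    return findings


def screen_message(msg):
    """msg: dict with 'from', optional 'cc' list, 'subject', 'body'."""
    address_flags = {}
    for addr in [msg["from"], *msg.get("cc", [])]:
        reasons = screen_address(addr)
        if reasons:
            address_flags[addr] = reasons
    text = f"{msg['subject']} {msg['body']}"
    return {
        "address_flags": address_flags,
        # Per the page's rule: any banking change needs a callback to a pre-known number,
        # even when the sender address is the genuine one.
        "callback_required": bool(BANK_CHANGE_RE.search(text)),
    }


# Constructed messages shaped like the ones described in the incident.
FRAUD_MESSAGE = {
    "from": "accounting@kittlearizona.com",          # the REAL mailbox, operated by the attacker
    "cc": ["Accounting.kittlearizona@gmx.com", "randi.arnett@tucsonoz.com"],
    "subject": "EFT UPDATE",
    "body": "Please find attached our updated ACH form for all future payments.",
}
LEGIT_MESSAGE = {
    "from": "randi.arnett@tucsonaz.gov",
    "cc": ["accounting@kittlearizona.com"],
    "subject": "Invoice #31468 received",
    "body": "We will process on the normal schedule.",
}

if __name__ == "__main__":
    for label, m in (("fraud", FRAUD_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, screen_message(m))
```

Note that the fraud message is flagged twice over: its CC list contains impersonation addresses, and its content requires a callback regardless of who sent it. A clean address list is never sufficient on its own, which is the point of the rule.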

[PATTERN] Dual-target simultaneous fraud

The attacker targeted TWO government AP departments simultaneously (City of Tucson from Ken/Accounting; Town of Marana from marco@), indicating prior reconnaissance of Kittle's active government billing relationships. Investigate scope of attacker's knowledge when post-mortems are conducted.

[PATTERN] No Conditional Access + legacy protocols enabled = MFA bypass

Security Defaults-only protection does not block legacy auth clients (IMAP, POP, EAS, MAPI over HTTP). The attacker used IMAP/OAuth to authenticate without triggering MFA. Without a Block legacy authentication CA policy, Security Defaults' MFA enforcement is trivially bypassed by any attacker who can consent or steal a legacy-auth token.

Rule: Every tenant in the ACG fleet should have at minimum: Block legacy authentication CA policy. The Require MFA for all users + Block non-US combination adds additional depth. Security Defaults alone is not sufficient for clients with financial operations.

[PATTERN] Privilege excess amplifies BEC impact

Ken was Global Admin AND had standing FullAccess (delegate) to the Accounting/finance mailbox. With a single credential compromise, the attacker could operate as the owner AND the bookkeeper simultaneously. Attacker leveraged Ken's delegate access to send fraudulent bank-change forms from the bookkeeper's real identity (not the lookalike).

Rule: Owners and executives should not hold standing FullAccess to financial mailboxes. If access is genuinely needed, use JIT (just-in-time) access grants, not permanent delegate permissions. Separate the owner identity from the finance identity.

[PATTERN] Evidence deletion + dumpster recovery

Attacker hard-deleted the entire fraud email thread from both mailboxes immediately after each send. The deleted emails + PDF attachment were recovered from the M365 Recoverable Items dumpster (30-day default retention) via Graph API. The dumpster saved this investigation. Without it, the ACH fraud angle would not have been discovered.

Rule: Always check the Recoverable Items dumpster (/mailFolders/recoverableitemsdeletions/messages) during any BEC investigation. Attacker cleanup is incomplete — they can hard-delete from the mailbox but not from the dumpster without the purge permission they don't hold.
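The send-then-hard-delete sequence in the timeline is itself a detectable signature in the Unified Audit Log: a Send/SendOnBehalf record followed within minutes by a HardDelete of the same subject, often from the same client IP. The following is an added example, not code from the Kittle wiki or from ACG's investigation scripts. The records are constructed samples in a simplified AuditData shape (Operation, CreationTime, ClientIPAddress, UserId, MailboxOwnerUPN, and Item or AffectedItems), the IP 203.0.113.10 is a documentation-range placeholder for a known-good client, and the OData $filter shape on the Graph dumpster path the page names is an assumption.

```python
"""Correlate sends with hard deletes in audit records; list dumpster queries (added example)."""
from datetime import datetime

SEND_OPS = ("Send", "SendAs", "SendOnBehalf")

# Constructed sample records; times and subjects follow the incident narrative.
SAMPLE_RECORDS = [
    {"Operation": "Send", "CreationTime": "2026-06-08T09:03:15", "ClientIPAddress": "203.0.113.10",
     "UserId": "ken@kittlearizona.com", "MailboxOwnerUPN": "ken@kittlearizona.com",
     "Item": {"Subject": "Jobsite photos"}},
    {"Operation": "MailItemsAccessed", "CreationTime": "2026-06-08T14:51:00", "ClientIPAddress": "64.44.131.168",
     "UserId": "ken@kittlearizona.com", "MailboxOwnerUPN": "accounting@kittlearizona.com",
     "Folders": [{"Path": "\\Inbox\\Customers"}]},
    {"Operation": "SendOnBehalf", "CreationTime": "2026-06-08T15:52:10", "ClientIPAddress": "64.44.131.168",
     "UserId": "ken@kittlearizona.com", "MailboxOwnerUPN": "accounting@kittlearizona.com",
     "Item": {"Subject": "EFT UPDATE"}},
    {"Operation": "HardDelete", "CreationTime": "2026-06-08T15:54:02", "ClientIPAddress": "64.44.131.168",
     "UserId": "ken@kittlearizona.com", "MailboxOwnerUPN": "accounting@kittlearizona.com",
     "AffectedItems": [{"Subject": "EFT UPDATE"}]},
    {"Operation": "HardDelete", "CreationTime": "2026-06-08T15:54:40", "ClientIPAddress": "64.44.131.168",
     "UserId": "ken@kittlearizona.com", "MailboxOwnerUPN": "ken@kittlearizona.com",
     "AffectedItems": [{"Subject": "EFT UPDATE"}]},
    {"Operation": "HardDelete", "CreationTime": "2026-06-08T16:00:00", "ClientIPAddress": "203.0.113.10",
     "UserId": "ken@kittlearizona.com", "MailboxOwnerUPN": "ken@kittlearizona.com",
     "AffectedItems": [{"Subject": "Weekly newsletter"}]},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def subjects_of(rec):
    """Send records carry one Item; HardDelete records carry a list of AffectedItems."""
    if "Item" in rec:
        return [rec["Item"].get("Subject", "")]
    return [i.get("Subject", "") for i in rec.get("AffectedItems", [])]


def find_send_then_delete(records, window_minutes=10):
    """Each send whose subject is hard-deleted within the window, once per deleting mailbox."""
    sends = [r for r in records if r["Operation"] in SEND_OPS]
    deletes = [r for r in records if r["Operation"] == "HardDelete"]
    hits = []
    for s in sends:
        sent_at = parse_time(s["CreationTime"])
        subject = subjects_of(s)[0]
        for d in deletes:
            delta = (parse_time(d["CreationTime"]) - sent_at).total_seconds()
            if 0 <= delta <= window_minutes * 60 and subject in subjects_of(d):
                hits.append({
                    "subject": subject,
                    "sent": s["CreationTime"],
                    "deleted": d["CreationTime"],
                    "send_ip": s["ClientIPAddress"],
                    "delete_ip": d["ClientIPAddress"],
                    "mailbox": d["MailboxOwnerUPN"],
                })
    return hits


def dumpster_queries(hits):
    """One Graph request per affected mailbox/subject against the folder the page names.
    The $filter form is an assumption; adjust to the tenant's Graph client."""
    return sorted({
        f"/users/{h['mailbox']}/mailFolders/recoverableitemsdeletions/messages"
        f"?$filter=subject eq '{h['subject']}'"
        for h in hits
    })


if __name__ == "__main__":
    found = find_send_then_delete(SAMPLE_RECORDS)
    for h in found:
        print(f"{h['mailbox']}: '{h['subject']}' sent {h['sent']} from {h['send_ip']}, "
              f"hard-deleted {h['deleted']}")
    for q in dumpster_queries(found):
        print("recover via", q)
```

On the sample data the 09:03 send is never deleted and the 16:00 deletion has no matching send, so only the two "EFT UPDATE" deletions (one per mailbox, matching the page's observation that the thread was purged from both Ken@ and Accounting@) surface, each with a dumpster query to recover it.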

[PATTERN] Lori GA exposure — pre-existing oversight

Lori Schagel had 10 admin roles including Global Administrator as a pre-existing condition, predating the incident by more than 30 days. Not attacker-planted. Two GA accounts on a 14-user small-business tenant represent unnecessary attack surface. If either is compromised, the other becomes the recovery path — but also becomes an extra target.

Rule: Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.

[WARNING] IMAP/POP/EAS still enabled tenant-wide

Legacy protocols remain enabled as of 2026-06-09. The CA Block legacy authentication policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and could represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.

[WARNING] ScreenConnect command runner defaults to cmd context

PowerShell scripts run via ScreenConnect MUST be prefixed with #!ps. Invoke-WebRequest, ConvertTo-SecureString, etc. silently fail without it.

[WARNING] Do NOT run Add-LocalGroupMember on the DC

DCs have no local SAM; the command will fail with "Group Administrators was not found." Run on the target workstation instead.

[WARNING] SERVER is the sole domain controller with no backup

Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No failover. No backup. Address before any other infrastructure work.

[WARNING] QuickBooks Pro 2024 is on the DC

Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at C:\Shares\Home\QBooks.


Active Work

CRITICAL — Residual Incident Items

  • Remove Privileged Authentication Administrator from Tenant Admin SP in Kittle Entra portal. (JIT role granted during reset-password.sh for Ken reset on 6/9; script cannot self-remove; MUST be done manually at https://entra.microsoft.com.) See coord todo or track in Syncro.
  • Disable IMAP/POP/EAS tenant-wide — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
  • Confirm bank freeze calls completed (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
  • Re-add appropriate admin role to Ken — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
  • alexis@ duplicate Authenticator cleanup — entry c927402a-75c6-4a55-840a-86d1eea43a9b ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token 7d1425ca-27d0-444d-9c36-6b3780c77059 if unused.
  • Wrex license removal — mailbox converted to shared, user disabled; free the Business Standard license.
  • Christina Micek inbox rule on Ken — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
  • Warn Ken's phished external contacts — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was flowinnactuators.com/work.html (credential harvesting). Formal notification recommended.
  • Run Entra P2 Identity Protection risky-users scan — P2 now licensed; first risky-users sweep not yet run.
  • Confirm kittlarizona.com Zoho + Namecheap takedown — abuse reports sent 2026-06-09; confirm suspension/removal.
  • Enable SSPR (Self-Service Password Reset) — portal-only mode — reduces future recovery friction; limit to portal not mobile/email to avoid account-takeover via SSPR.
  • Confirm City of Tucson follow-up — exact invoice amounts (especially #31400 ~$8,818), written documentation of payment stop, any City-side IC3 filing.

HIGH Priority — Infrastructure

  • Activate Windows Server 2025 full license on SERVER — evaluation expires 180 days from install; hourly shutdown after expiry. Check: slmgr /dlv.
  • Implement backup for SERVER — no backup of any kind. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi).
  • Configure DKIM for kittlearizona.com — guide at clients/kittle/docs/email/dkim-dmarc-setup.md.
  • Add DMARC for kittlearizona.com — start p=none, escalate to p=quarantine after 1 week clean.
  • Migrate credentials from Syncro plaintext to SOPS vault — SERVER admin, Outlook accounts.
  • Migrate QuickBooks off the DC — QB should run on ACCOUNTING workstation.
  • Deploy dedicated firewall — ISP router only; no stateful inspection.

MEDIUM Priority

  • GuruRMM agent enrollment confirmation — confirm agents running on SERVER and workstations.
  • Lori GA review — discuss with Ken whether she needs any admin role; User Administrator is current scope.
  • Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5.
  • Replace role-based AD accounts (accountant, frontdesk) with individual named accounts.
  • Rename workstations with generic DESKTOP-xxx / WINDOWS-xxx names.
  • Identify and map 3 unknown workstations.
  • Investigate port 8019 on SERVER (likely QuickBooks or ScreenConnect).
  • Lori old Samsung S10+ Authenticator entry da5454c7 — remove if she's confirmed on current phone.
  • Enroll Scott in Microsoft Authenticator (phone-only MFA currently).

History Highlights

| Date | Event |
|---|---|
| 2026-04-16 | Client directory structure applied; onboarding started. |
| 2026-04-23 | ACG April M365 breach check (ticket #32207): Alexis hidden inbox rule + duplicate Authenticator remediated; malicious OAuth (c5df10ae AllPrincipals) + IMAP consent (9b504397, GRANTED BY KEN'S ACCOUNT) revoked. Ken "Admin" rule classified [INFO]; password NOT reset — critical incomplete remediation that enabled 2-month attacker persistence. |
| 2026-05-08 | Howard onsite: AD user joshua.sutherland created; GuruRMM client + Main Office site created; agent deployment begun. |
| 2026-06-08 | BEC BREACH DAY. Ken@ compromised via OWA (13:24 UTC) from Nexeon VPN IP. Attacker used Ken's FullAccess delegate to Accounting@ to send fraudulent ACH banking-change forms to City of Tucson. 1,000-recipient phishing blast sent; 747 delivered. ACG detects at ~21:30 UTC (Howard receives phishing email). Mike blocks Ken at 21:41. Full remediation overnight: 5 malicious inbox rules deleted, Lori's 10 admin roles stripped + re-scoped, 740 victim notifications sent. Syncro ticket #32393 opened. |
| 2026-06-08 (same day, pre-breach) | ACG full M365 security sweep (ticket #32394) confirms April remediation complete, SMTP forwarding clean on all 13 mailboxes. Sweep ran hours before the main breach was detected. |
| 2026-06-09 | ACH fraud discovered: attacker had sent fraudulent BSD ACH bank-change forms to City of Tucson; evidence hard-deleted but recovered from Recoverable Items dumpster. marco@ additional compromise found: 2 hidden inbox rules + fraudulent Marana AP emails. marco@ remediated. Kim (admin@) remediated. Wrex offboarded. CA hardening deployed (Security Defaults disabled, 3 CA policies enforced). Entra P2 added. FBI IC3 filed (#aa2ef50482ca4c05a54ae0f6cb56ffa0). Ken's password changed in person on-site. Tickets #32393/#32394 invoiced. |
| 2026-06-09 | FRAUD PREVENTED. City of Tucson stopped payment before any funds transferred (~$130,000+ exposure). Town of Marana confirms no ACH cleared. Attacker used phone (659-221-9243) for vishing against Marana. Total actual financial loss: $0. |

| Ticket | Description | Date | Status |
|---|---|---|---|
| #32207 | April M365 breach check + Alexis remediation | 2026-04-23 | Invoiced — 1.0 hr |
| #32393 | BEC incident — Ken phishing blast, initial remediation (rules, Lori, notifications) | 2026-06-08 | Invoiced |
| #32394 (ID: 112389608) | Full sweep (pre-incident) + CA hardening + marco remediation + ACH fraud investigation + IC3; 1.5h emergency remote | 2026-06-09 | Invoiced — 1.5h @ $225 = $337.50 (invoice 1650625794) |