---
type: client
name: kittle
display_name: Kittle Design & Construction LLC
last_compiled: 2026-06-09
compiled_by: GURU-5070/claude-main
sources:
- wiki/clients/kittle.md
- wiki/clients/kittle-design.md
- clients/kittle/session-logs/2026-06/2026-06-08-mike-bec-incident-remediation.md
- clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-ach-fraud-ic3.md
- clients/kittle/session-logs/2026-06/2026-06-09-mike-kittle-bec-marco-remediation.md
- clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md
- clients/kittle/reports/2026-06-08-breach-check.md
- clients/kittle-design/session-logs/2026-06/2026-06-08-mike-m365-full-sweep.md
- clients/kittle-design/session-logs/2026-04-24-session.md
- clients/kittle/docs/overview.md
- clients/kittle/docs/servers/server.md
- clients/kittle/docs/network/topology.md
- clients/kittle/docs/network/firewall.md
- clients/kittle/session-logs/2026-05-08-howard-joshua-onsite-and-gururmm-onboarding.md
backlinks:
- "[[clients/kittle-design]]"
- "[[projects/gururmm]]"
- "[[clients/internal-infrastructure]]"
---

# Kittle Design & Construction LLC

## Profile

- **Business type:** General contractor / design-build (construction)
- **Contract type:** Break-fix
- **Syncro customer ID:** 32460233
- **Managed devices (Syncro assets):** 2
- **Open tickets:** 0 (all June 2026 incident tickets Invoiced/Resolved as of 2026-06-09)
- **Billing rate:** (verify — Labor - Remote Business, product_id 1190473 observed)
- **Hours remaining:** N/A (Break-fix, no prepaid block)
- **Address:** 2539 N Balboa Ave #125, Tucson, AZ 85705
- **Phone:** 520.299.0404 | **Fax:** 520.299.0477
- **Website:** kittlearizona.com
- **Status:** Active — ongoing post-incident hardening

### Key Contacts

| Name | Title | Email | Notes |
|------|-------|-------|-------|
| Ken Schagel | Owner / Primary Contact | ken@kittlearizona.com | Was Global Admin; roles stripped during incident, need to re-add appropriate admin role once fully cleared |
| Kimberly Ross | Office Admin ("Kim") | admin@kittlearizona.com | Admin@ mailbox; MFA reset 2026-06-09 to phone-only |
| Darline Cabrera | Bookkeeper | accounting@kittlearizona.com | Role account (AD: accountant); impersonated by attacker during ACH fraud — (verify: internal employee or external contractor?) |
| Joshua Sutherland | Employee (new 2026-05-08) | joshua@kittlearizona.com | Replaced Wrex; FullAccess + SendAs to Wrex's former shared mailbox |
| Lori Schagel | (verify role) | Lori@kittlearizona.com | Had 10 pre-existing admin roles incl. GA — stripped and downscoped to User Administrator 2026-06-08 |
| Alexis Schagel | (verify role) | alexis@kittlearizona.com | Compromised in April 2026; remediated |
| Marco Fragoso | Employee | marco@kittlearizona.com | Compromised June 2026; password reset + sessions revoked 2026-06-09 |
| Hayden Schagel | Employee | hayden@kittlearizona.com | |
| Scott Zehner | Employee | scott@kittlearizona.com | Phone-only MFA (no Authenticator) |
| Howard Enos | MSP Tech (ACG) | — | AD account: sysadmin (Domain Admin) |

**Additional M365 users (licensed):**
- Office 365 E3 (No Teams): Alexis Schagel, Kalvin Hairston, Ken Schagel, Wrex Watson
- Business Standard: Accounting, Admin (Kimberly Ross), Brandon Blazer, Hayden Schagel, Jason Stubblefield, Johnny Calhoun, Joshua Sutherland, Lori Schagel, Marco Fragoso, Michael Sanchez, Neal Crusius, Scott Zehner

---

## Infrastructure

### Servers

| Hostname | IP | OS | Role | Hardware | Notes |
|----------|----|----|------|----------|-------|
| SERVER (asset: SERVER2021) | 10.0.0.5 | Windows Server 2025 Standard **EVALUATION** | Primary DC, DNS, File Server, Print Server | HPE ProLiant MicroServer Gen11, Intel Xeon E-2414 (4 cores), 80 GB RAM | [WARNING] EVALUATION license — expires 180 days from install. Shuts down hourly after expiry. Check: `slmgr /dlv` |

**[WARNING] NO BACKUP EXISTS.** No Windows Server Backup, no third-party agent, no cloud backup. SERVER is the only DC; failure = permanent loss of AD, DNS, file shares, and QuickBooks data.

**SERVER storage:**

| Drive | Label | Size | Notes |
|-------|-------|------|-------|
| C: | OS | ~11 TB | Primary volume (NTFS) |
| Secondary | Server2 2022_03_31 | ~2 TB | Purpose unknown — possibly old server backup/migration data |

### Workstations

| AD Name | OS | Notes |
|---------|----|-------|
| FRONTDESK | Windows 11 Pro | Syncro asset id 11122225 |
| ACCOUNTING | Windows 11 Pro for Workstations | `accountant` role account |
| CHRISTINE-WIN10 | Windows 11 Pro | Legacy name; actually Win11 |
| DESKTOP-2560Q7R | Windows 11 Pro | Was Wrex — now Joshua Sutherland; needs rename |
| WINDOWS-QV1B0EL | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-R0KA2UG | Windows 11 Pro | User unknown — needs onsite correlation + rename |
| DESKTOP-9B2SMD9 | Windows 11 Pro | User unknown — needs onsite correlation + rename |

### Active Directory

- **Domain:** kittle.lan (NetBIOS: KITTLE)
- **Domain Admins:** Administrator, sysadmin (ACG)
- **Total domain users:** 12 (including joshua.sutherland added 2026-05-08)
- **Total workstations:** 7

**[WARNING]** Role-based AD accounts (`accountant`, `frontdesk`) should be replaced with individual named accounts.
**[WARNING]** Three workstations (WINDOWS-QV1B0EL, DESKTOP-R0KA2UG, DESKTOP-9B2SMD9) have unconfirmed user-to-machine mapping.

### Installed Software (SERVER)

| Software | Notes |
|----------|-------|
| QuickBooks Pro 2024 (v34) | [WARNING] Should NOT be on a DC — migrate to ACCOUNTING workstation; data at C:\Shares\Home\QBooks |
| ScreenConnect | Remote access agent |

**ScreenConnect note:** Command runner defaults to `cmd` context — PowerShell scripts MUST be prefixed with `#!ps` or they fail silently.

### Network

- **Subnet:** Single flat 10.0.0.0/24 — no VLANs, no segmentation
- **Gateway:** 10.0.0.1 (ISP router — consumer-grade, acts as gateway + DHCP + only "firewall")
- **Switch:** UniFi USW-Lite-16-PoE at 10.0.0.122 (MAC: 0C:EA:14:8A:8D:7F); managed by ACG's self-hosted UniFi controller
- **~31 devices** on network (most unidentified)

**[WARNING] NO dedicated firewall.** ISP router is the only perimeter device. No stateful inspection, IDS/IPS, content filtering, or granular rules. Recommendation: Deploy pfSense or commercial UTM (FortiGate, SonicWall).

**DHCP:** [WARNING] Runs on ISP router (10.0.0.1), NOT on SERVER. Windows DHCP role installed on SERVER but has zero scopes. Unknown what DNS server is handed out via DHCP — AD name resolution may be broken for domain clients.

**Internal DNS:** Windows DNS on SERVER (10.0.0.5), AD-integrated. Forwarder: 10.0.0.1 only. No reverse lookup zone. No secondary forwarder.

**External DNS (kittlearizona.com):** Hybrid NSOne + Squarespace nameservers.

### File Shares (SERVER)

| Share | Path | Notes |
|-------|------|-------|
| Home | C:\Shares\Home | User home folders; mapped via HomeFolder GPO |
| QBooks | C:\Shares\Home\QBooks | QuickBooks data files |
| NETLOGON / SYSVOL | (default) | AD logon scripts / Group Policy |

**GPO Note:** HomeFolder GPO drive map MUST stay as `Update` (not `Replace`). Replace tears down and recreates the drive connection every ~90 min GP refresh cycle, killing open Explorer windows.

---

## Cloud / M365

### Tenant

| Field | Value |
|-------|-------|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Primary domain | kittlearizona.com |
| Entra licensing | **Entra ID P2** (P2 added 2026-06-09; was Business Premium / P1 only before) |
| Admin portal | https://admin.microsoft.com |

### Licensing (as of 2026-06-09)

| License | Qty |
|---------|-----|
| Microsoft 365 Business Standard (BUSINESS_PREMIUM) | 12 |
| Office 365 E3 No Teams | 4 |
| Entra ID P2 | (added 2026-06-09 by Mike — qty covers all users) |

ACG `sysadmin` account is unlicensed.

### Security Posture (post-hardening, 2026-06-09)

| Control | Status |
|---------|--------|
| Security Defaults | **DISABLED** (replaced by CA 2026-06-09) |
| Conditional Access | **ENFORCED** — three policies active (see below) |
| Legacy auth (IMAP/POP/EAS) | Still enabled tenant-wide — [WARNING] disable |
| DKIM | **MISSING** — HIGH PRIORITY |
| DMARC | **MISSING** — HIGH PRIORITY |
| Entra P2 / Identity Protection | Available as of 2026-06-09 |

**Conditional Access policies (active as of 2026-06-09):**
- `ACG - Require MFA for all users` — enforced; break-glass `sysadmin@` excluded
- `ACG - Block legacy authentication` — enforced; sysadmin@ excluded
- `ACG - Block non-US sign-ins` — enforced; named location "United States (ACG)"; sysadmin@ excluded

### Email DNS (kittlearizona.com)

| Record | Status | Value |
|--------|--------|-------|
| MX | [OK] | kittlearizona-com.mail.protection.outlook.com |
| SPF | [OK] | v=spf1 include:spf.protection.outlook.com -all |
| DKIM | [WARNING] MISSING | Not configured — HIGH PRIORITY |
| DMARC | [WARNING] MISSING | Not configured — HIGH PRIORITY |

External DNS registrar: Unknown — needs identification.

### MSP App Service Principals (in-tenant)

| App | SP Object ID (in Kittle tenant) | Role |
|-----|----------------------------------|------|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | (including JIT Privileged Authentication Administrator — MUST be removed; see Open Items) |
| ComputerGuru AI Remediation | 2fd24cfa-8533-460f-9cbb-53cc4a32d3f5 | — |

### SharePoint / OneDrive

Confirmed clean post-incident (2026-06-08): no attacker-created files, pages, or external sharing links.

---

## GuruRMM

| Field | Value |
|-------|-------|
| Client name | Kittle Design & Construction LLC |
| Client ID | d8b08837-78e0-441e-b824-e0abbf0254ed |
| Client code | KITTLE |
| Site name | Main Office |
| Site ID | 851376d1-33be-46ee-9e48-be44767e4a0a |
| Site code | SILVER-HAWK-7639 |
| API key (enrollment) | Vault: `clients/kittle/gururmm-site-main.sops.yaml` |
| Dashboard | https://rmm.azcomputerguru.com |

GuruRMM client + site created 2026-05-08 (Howard onsite). Agent deployment in progress:
- SERVER (SERVER2021) — agent install initiated 2026-05-08; confirm enrolled
- Workstations — rollout pending; deploy to FRONTDESK + others

---

## Access

- **RDP / Remote (SERVER):** ScreenConnect (installed) | `\\10.0.0.5` on-prem
- **M365 Admin Portal:** https://admin.microsoft.com (tenant: kittlearizona.com)
- **Entra Portal:** https://entra.microsoft.com
- **GuruRMM Dashboard:** https://rmm.azcomputerguru.com (site: SILVER-HAWK-7639)
- **Vault path (M365 incident credentials):** `clients/kittle/m365-ken-schagel-incident.sops.yaml`
- **Vault path (GuruRMM enrollment key):** `clients/kittle/gururmm-site-main.sops.yaml`
- **Vault path (SERVER admin):** `clients/kittle/server2021.sops.yaml` (migrate from Syncro plaintext — see Open Items)
- **Known Outlook accounts in Syncro notes (plaintext — migrate to vault):** kittletucson@outlook.com, kittletucson2@outlook.com

**[WARNING]** SERVER admin password and Outlook credentials are currently stored as plaintext in Syncro customer notes. Migrate to vault and strip from Syncro.

---

## BEC / ACH Fraud Incident — June 2026

This section documents the major Business Email Compromise and attempted ACH payment-redirection fraud of June 2026. It is the canonical incident record; detail sources are listed in the frontmatter.

### Incident Summary

A nation-state or organized-crime threat actor compromised Ken Schagel's Microsoft 365 account (entry point: credential theft in or before April 2026) and used it to attempt ACH payment-redirection fraud against two Arizona government agencies — the City of Tucson (invoices totaling $130,000+) and the Town of Marana. **The fraud was PREVENTED; no funds moved.** The FBI IC3 complaint was filed 2026-06-09 (Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`).

### Root Cause and Entry Point

Ken Schagel's credentials were compromised on or before April 2026. The evidence: an IMAP legacy-auth OAuth consent (app 9b504397) was granted FROM Ken's account object ID (`5fc37e1a`) in April 2026. The **April 2026 remediation session revoked that OAuth consent but did not reset Ken's password or revoke his sessions.** As a result, the attacker retained valid credentials and persisted undetected for approximately two months until the June 2026 breach.

Access method: legacy IMAP/OAuth using Microsoft Desktop app `d3590ed6-52b3-4102-aeff-aad2292ab01c` with python-httpx/0.28.1, bypassing MFA (Security Defaults only; no Conditional Access; IMAP/POP/EAS enabled on all mailboxes). The original phishing lure that stole Ken's credentials is not forensically recoverable (mailbox dumpster retention does not go back to the infection date).

### Attack Timeline

| Date/Time (UTC) | Event |
|-----------------|-------|
| 2026-04 (approx) | Ken's credentials stolen (proven via IMAP consent granted from Ken's object ID). April remediation revokes consent but does NOT reset password — attacker persists. |
| 2026-04-23 | ACG April breach check: Alexis fully remediated. Ken's "Admin" inbox rule classified [INFO] (not [WARNING]). Incomplete remediation. |
| 2026-06-05 ~11:52 UTC | Attacker inserts `Accounting.kittlearizona@gmx.com` into live Kittle↔City of Tucson invoice thread (thread poisoning, 3 days before main breach). |
| 2026-06-08 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise. |
| 2026-06-08 13:24 | **[BREACH START]** Attacker OWA login from 64.44.131.168 (Chicago IL, AS20278 Nexeon Technologies — VPN/hosting). |
| 2026-06-08 13:37 | Ken's T-Mobile phone accesses account legitimately (Ken is unaware of compromise). |
| 2026-06-08 14:51–21:09 | Attacker accesses Accounting@ mailbox as delegate (Ken had FullAccess to Accounting) — 21 MailItemsAccessed events across Inbox\Customers, Assured Partners, Employees, Sent, Deleted. |
| 2026-06-08 15:32 / 16:14 | Attacker sends two "test" emails from OWA. |
| 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 | Attacker sends fraudulent "EFT UPDATE" / ACH banking-change emails from Accounting@ (SendOnBehalf) to Randi Arnett at City of Tucson BSD/AP. Hard-deletes the thread from both Ken@ and Accounting@ after each send to conceal. |
| 2026-06-08 18:36–18:53 | Contact harvest: python-httpx/0.28.1 from Azure IP 40.126.41.96, 250+ MailItemsAccessed events. |
| 2026-06-08 21:14–21:26 | Phishing blast: 1,000 "Ken Schagel shared a file with you" (fake OneDrive lure) sent in 5 batches from 45.134.224.220 (Kansas City MO, AS147049 PacketHub S.A.). 747 delivered, 227 bounced. Phishing link: `flowinnactuators.com/work.html` (credential harvesting). |
| 2026-06-08 ~21:30 | Howard (ACG) receives phishing email — incident detected. |
| 2026-06-08 21:41 | Mike manually blocks Ken's sign-in in Entra portal, sets temp password. |
| 2026-06-08 ~22:00 | ACG investigation and remediation begins. 5 malicious inbox rules deleted. Lori's 10 admin roles stripped. 740 victim-notification emails sent from admin@ via EWS SOAP. |
| 2026-06-09 (morning) | ACG discovers the ACH fraud angle via audit-log + message-trace analysis; recovers deleted fraud emails + the BSD ACH APPLICATION.pdf from Recoverable Items dumpster. |
| 2026-06-09 | Discovery of marco@ compromise: 2 additional hidden inbox rules filtering Marana AP emails and internal accounting/ken emails. Marco had sent fraudulent "Application for Payment" and "EFT Form Update" emails to the Town of Marana AP (delivered ~17:05 UTC 2026-06-09). |
| 2026-06-09 | Kittle (Darline Cabrera) contacts City of Tucson: **City stops the payment — no funds transferred.** Marana also confirms no ACH cleared after a human contact from Kittle. Attacker had also phoned Marana (vishing) to pressure the change. |
| 2026-06-09 12:46 PM EST | FBI IC3 complaint filed. Submission ID: `aa2ef50482ca4c05a54ae0f6cb56ffa0`. |
| 2026-06-09 | Conditional Access deployed (Security Defaults disabled, CA enforced). Entra P2 added. |
| 2026-06-09 | Ken's password reset in person on-site by Mike. |

### Targeted Payers and Financial Exposure

**City of Tucson (BSD/AP):**
- Contact in fraud thread: Randi Arnett (Finance Manager, Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov
- Fraudulent ACH/EFT banking-change form (BSD ACH Application) submitted impersonating Darline Cabrera (bookkeeper)
- Exposed invoices: #31468 ($123,776.75 — MMC Generator Upgrade), #31400 (~$8,818 — COT Knights Inn Fire Suppression, EFT scheduled 2026-06-09), #31453 ($41,231 — due 2026-06-28)
- **Total identified exposure: $130,000+** (all future City-of-Tucson payments would have been redirected by an approved ACH change)
- **OUTCOME: City stopped payment before any transfer. $0 actual loss.**

**Town of Marana:**
- Contacts targeted: accountspayable@maranaaz.gov, mmurray@maranaaz.gov, sfields@maranaaz.gov
- Fraudulent "Application for Payment" + "EFT Form Update" emails sent FROM marco@ 2026-06-09
- Attacker also phoned Marana (vishing from phone 659-221-9243) to pressure the bank change
- **OUTCOME: Fraud prevented. No ACH cleared.**

**Mule (fraudulent receiving) accounts:**

| Bank | Routing | Account | Name |
|------|---------|---------|------|
| Truist Bank | 053201607 | 1410020505238 | "Kittle Design & Construction" (fraudulent) |
| First State Bank of East Detroit (MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED |
| JPMorgan Chase Bank, N.A. | 021000021 (wire) / 072000326 (ACH) | 2906183268 | FOAM FACTORY INCORPORATED |

Kittle confirmed it has no relationship with Foam Factory Incorporated.

### Attacker Infrastructure

| IP / Domain | Type | Use | Notes |
|-------------|------|-----|-------|
| 64.44.131.168 | IP | OWA access, fraud email sends, evidence deletion | Chicago IL, AS20278 Nexeon Technologies (VPN/hosting) — CA blocked |
| 45.134.224.220 | IP | Phishing blast (1,000 emails) | Kansas City MO, AS147049 PacketHub S.A. — CA blocked |
| 40.126.41.96 | IP | Contact harvest via python-httpx | Microsoft Azure — CA blocked |
| 66.179.30.87 + IPv6 | IP | (threat-intel: nation-state indicator) | CA blocked |
| Accounting.kittlearizona@gmx.com | Email | Thread poisoning / reply-chain hijack | GMX free account; inserted into Kittle↔City invoice thread 2026-06-05 |
| kittlarizona.com | Lookalike domain | Attacker CC reply address (missing 'e') | Namecheap registrar / Zoho email hosting; registered 2026-06-09 15:34 UTC; blocked in-tenant + abuse reports to Zoho + Namecheap |
| tucsonoz.com | Lookalike domain | Impersonating tucsonaz.gov | PublicDomainRegistry / Titan email hosting; used in fraud email (randi.arnett@tucsonoz.com) — blocked in-tenant + abuse reports |
| (659) 221-9243 | Phone | Vishing — pressured Marana to process bank change | Listed on fraudulent ACH form |
| d3590ed6-52b3-4102-aeff-aad2292ab01c | OAuth App | Microsoft Desktop app used for IMAP/token access | First-party app ID, not malicious by itself; used with stolen credentials + python-httpx |

### Malicious Artifacts Removed

**Inbox rules (6/8 — 5 rules across 3 mailboxes):**

| Mailbox | Rule Name | Action | Discovered |
|---------|-----------|--------|------------|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | 2026-06-08 |
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds (Priority 1) | 2026-06-08 — suppressing ALL inbound at discovery |
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds (Priority 2) | 2026-06-08 — suppressing ALL inbound at discovery |

**Inbox rules (6/9 — 2 more on marco@):**

| Mailbox | Action | Subject filter |
|---------|--------|----------------|
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | "EFT Form Update" / "KDC - Application for Payment #1 Job No. 5654.25" / sender @maranaaz.gov |
| marco@kittlearizona.com | Move to RSS Feeds, MarkAsRead, StopProcessing | Internal: accounting@, ken@ |

**Pre-existing April rule (not attacker-planted — confirmed 2026-06-08):**
- Ken "Christina Micek" rule — StopProcessingRules:true, no action/filter. Confirmed benign by Mike (2026-06-08 full sweep).

**OAuth grants revoked on alexis@ (2026-06-08):**
- PERFECTDATA app — Mail.ReadWrite, Files.ReadWrite (immediately revoked — clearly malicious)
- Alignable app — offline_access, User.Read, Contacts.Read (revoked at Mike's direction)

**April OAuth revocations (pre-incident, 2026-04-23):**
- c5df10ae AllPrincipals app — 7 grants deleted including Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- IMAP legacy auth app 9b504397 — IMAP.AccessAsUser.All (consented by Ken's account object; password NOT reset at the time — root cause of persistence)

**Privilege excess corrected:**
- Lori Schagel: 10 pre-existing admin roles (including Global Administrator) stripped 2026-06-08; re-assigned User Administrator only. Confirmed pre-existing (not attacker-planted) via directoryAudits.
- Ken FullAccess to Accounting@ removed (2026-06-09 remediation) — this delegate access was the vector for the attacker to operate the finance mailbox.

### Remediation Actions Completed

| Action | Date | Status |
|--------|------|--------|
| Ken sign-in blocked + temp password set | 2026-06-08 | [OK] — vault: clients/kittle/m365-ken-schagel-incident.sops.yaml |
| Ken sessions revoked + all 10 admin roles stripped | 2026-06-08 | [OK] |
| Ken re-enabled; MFA verified clean | 2026-06-08 | [OK] — single iPhone 12 Pro Max, no attacker devices |
| Ken password reset in person on-site | 2026-06-09 | [OK] — prior temp values superseded/stale |
| Ken outbound-spam send restriction removed | 2026-06-09 | [OK] |
| 5 malicious inbox rules deleted (Ken x2, Alexis x1, Accounting x2) | 2026-06-08 | [OK] — Accounting mail flow restored immediately |
| Alexis PERFECTDATA + Alignable OAuth grants revoked | 2026-06-08 | [OK] |
| Lori 10 admin roles stripped → re-assigned User Administrator | 2026-06-08 | [OK] |
| Lori sessions revoked | 2026-06-08 | [OK] |
| 740 victim-notification emails sent from admin@ | 2026-06-08 | [OK] — via EWS SOAP; 7 automated addresses filtered |
| Wrex sessions revoked + password reset | 2026-06-08 | [OK] |
| marco@ 2 hidden inbox rules deleted | 2026-06-09 | [OK] |
| marco@ password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ (Kim) password reset (force-change) + sessions revoked | 2026-06-09 | [OK] |
| admin@ MFA reset: added phone as default, removed Authenticator | 2026-06-09 | [OK] |
| Ken FullAccess to Accounting@ removed | 2026-06-09 | [OK] |
| Wrex offboarded: disabled, sessions revoked, mailbox → shared | 2026-06-09 | [OK] |
| Joshua FullAccess + SendAs to Wrex's former mailbox | 2026-06-09 | [OK] |
| kittlarizona.com blocked in Kittle tenant Allow/Block List | 2026-06-09 | [OK] |
| tucsonoz.com blocked in-tenant | 2026-06-09 | [OK] |
| Abuse reports sent: Zoho + Namecheap re: kittlarizona.com | 2026-06-09 | [OK] — awaiting takedown response |
| Security Defaults DISABLED; CA policies ENFORCED | 2026-06-09 | [OK] |
| Entra P2 added (all users) | 2026-06-09 | [OK] — Identity Protection now available |
| FBI IC3 complaint filed (aa2ef50482ca4c05a54ae0f6cb56ffa0) | 2026-06-09 | [OK] |
| Syncro tickets updated; billing applied | 2026-06-08/09 | [OK] |

### Incident Evidence (preserved by ACG)

All evidence retained locally at `C:\Users\guru\Downloads\Kittle-IC3-Package\` on GURU-5070:
- FRAUD_BSD_ACH_APPLICATION.pdf — fraudulent ACH change form submitted to City of Tucson (Truist bank details)
- Ken_ACH-FoamFactory.pdf — second ACH form (Foam Factory Inc accounts)
- recovered-fraud-emails.txt — full EFT UPDATE / ACH thread recovered from Recoverable Items dumpster
- attacker-audit-events.csv — 171-event M365 Unified Audit Log export
- IC3-fill-sheet.txt + IC3 complaint report PDF + BANK-FRAUD-NOTIFICATIONS PDF
- resolution-confirmation.txt — City of Tucson payment stop confirmation

---

## Patterns & Known Issues

### [CRITICAL PATTERN] Incomplete remediation = attacker persistence

**What happened:** April 2026 remediation revoked an IMAP OAuth consent that was provably granted by Ken's account. The correct response was: revoke consent + reset Ken's password + revoke Ken's sessions. Instead, only the consent was revoked. The attacker still had Ken's valid password, so they retained full OWA access for ~2 months until June 2026.

**Rule:** Whenever an OAuth consent or suspicious sign-in is attributed to a specific user account object ID, that account's password MUST be reset and all sessions revoked — not just the consent or the artifact. Revoking an OAuth consent while the underlying credential is still valid accomplishes nothing if the attacker can simply log in directly.

### [CRITICAL PATTERN] Signal misclassification: financial-platform inbox rule + legacy-auth consent = auto-[WARNING]

**What happened:** The April breach check classified Ken's "Admin" inbox rule (filtering Capital One + Bill.com + @flystucson.com) as [INFO] with "confirm with user" guidance. Combined with the IMAP consent from the same user object, these two signals together should have triggered a mandatory [WARNING] and forced password reset — not an "ask Ken to confirm" deferral. "Confirm with the user" is unreliable when the account may already be compromised and the attacker can read incoming verification emails.

**Rule:** Financial-platform filtering inbox rule + legacy-auth IMAP consent from the same user object = treat as [WARNING] regardless of "could be legitimate" explanations. Escalate to password reset + session revocation. Do not defer to user confirmation without first containing the account.

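The two critical patterns above describe a classification rule that a breach-check script should encode rather than leave to judgement. The block below is an added example written for this wiki entry, not ACG's breach-check tooling. It takes inbox rules in the field layout of `Get-InboxRule | ConvertTo-Json` and consents in the layout of Graph `oauth2PermissionGrants`, but every record in it is a constructed sample (the object IDs are placeholders, and the rule bodies only approximate the rules described above). It scores each mailbox: a catch-all rule that hides mail, or any legacy-auth consent attributed to the user object, is a [WARNING] on its own, and a financial-platform filter that would otherwise be [INFO] is forced to [WARNING] when the same object also holds a legacy-auth consent.

```python
"""Correlate inbox-rule and OAuth-consent signals per user object.

Added example for the Kittle wiki page; not ACG tooling. Field names follow
Get-InboxRule | ConvertTo-Json and Graph /oauth2PermissionGrants, but the
sample records at the bottom are constructed, not exported data.
"""
import re

HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "junk", "deleted items", "archive")
FINANCIAL_TERMS = ("capitalone", "capital one", "bill.com", "bank", "ach",
                   "eft", "wire", "invoice", "payment", "quickbooks")
LEGACY_SCOPES = ("imap.accessasuser.all", "pop.accessasuser.all",
                 "smtp.send", "eas.accessasuser.all")
ACTIONS = {
    "WARNING": "contain now: reset password, revoke all sessions, delete rule, revoke consent",
    "INFO": "review rule contents and sign-in logs; never rely on user confirmation alone",
    "OK": "no action",
}


def rule_signals(rule):
    """Return the suspicious traits of one inbox rule (empty list = nothing notable)."""
    sig = []
    name = (rule.get("Name") or "").strip()
    # Attacker rules on this tenant were named ".", "..", "..." and "Admin".
    if not name or re.fullmatch(r"[\W_]+", name) or name.lower() in ("admin", "rule"):
        sig.append("generic-or-punctuation-name")
    if any(h in (rule.get("MoveToFolder") or "").lower() for h in HIDING_FOLDERS):
        sig.append("moves-to-hiding-folder")
    if rule.get("MarkAsRead"):
        sig.append("mark-as-read")
    if rule.get("StopProcessingRules"):
        sig.append("stop-processing")
    if rule.get("DeleteMessage"):
        sig.append("deletes")
    filters = []
    for key in ("From", "FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords"):
        filters.extend(rule.get(key) or [])
    if not filters:
        sig.append("catch-all")
    elif any(t in f.lower() for f in filters for t in FINANCIAL_TERMS):
        sig.append("financial-platform-filter")   # substring match; tune for your tenant
    return sig


def legacy_consent(grants, principal_id):
    """True if a legacy-auth scope was consented by this user object."""
    for g in grants:
        if g.get("principalId") == principal_id:
            if any(s.lower() in LEGACY_SCOPES for s in (g.get("scope") or "").split()):
                return True
    return False


def classify(principal_id, rules, grants):
    """Return {'level', 'reasons', 'action'} for one mailbox."""
    reasons, level, has_financial = [], "OK", False
    consent = legacy_consent(grants, principal_id)
    if consent:   # pattern 1: consent attributed to the object => reset + revoke
        reasons.append("legacy-auth consent granted by this user object")
        level = "WARNING"
    for r in rules:
        sig = rule_signals(r)
        if not sig:
            continue
        reasons.append(f"rule {r.get('Name')!r}: {', '.join(sig)}")
        if "catch-all" in sig and "moves-to-hiding-folder" in sig:
            level = "WARNING"
        elif "financial-platform-filter" in sig:
            has_financial = True
            if level == "OK":
                level = "INFO"
    if consent and has_financial:   # pattern 2: the combination is never an INFO deferral
        reasons.append("financial filter + legacy consent from same object: mandatory WARNING")
    return {"level": level, "reasons": reasons, "action": ACTIONS[level]}


# Constructed samples (placeholder object IDs, approximated rule contents).
KEN_ID, ALEXIS_ID = "OBJ-KEN-SAMPLE", "OBJ-ALEXIS-SAMPLE"
SAMPLE_RULES = {
    KEN_ID: [
        {"Name": "Admin", "Enabled": True, "MoveToFolder": "Ken Schagel:\\RSS Feeds",
         "MarkAsRead": True, "StopProcessingRules": True,
         "FromAddressContainsWords": ["capitalone.com", "bill.com", "flystucson.com"]},
        {"Name": "Christina Micek", "Enabled": True, "StopProcessingRules": True},
    ],
    ALEXIS_ID: [
        {"Name": "...", "Enabled": True, "MoveToFolder": "Alexis:\\RSS Feeds",
         "MarkAsRead": True, "StopProcessingRules": True},
    ],
}
SAMPLE_GRANTS = [
    {"clientId": "SP-OBJ-SAMPLE", "consentType": "Principal", "principalId": KEN_ID,
     "resourceId": "RES-SAMPLE", "scope": "IMAP.AccessAsUser.All offline_access"},
]


def triage(rules_by_user=SAMPLE_RULES, grants=SAMPLE_GRANTS):
    """Classify every mailbox in the export."""
    return {uid: classify(uid, rules, grants) for uid, rules in rules_by_user.items()}


if __name__ == "__main__":
    for uid, verdict in triage().items():
        print(uid, verdict["level"], "->", verdict["action"])
```

With the samples, Ken's "Admin" rule alone scores [INFO]; with the IMAP consent attributed to the same object it becomes [WARNING] with a containment action, which is the outcome the April check should have produced. The benign "Christina Micek" rule is listed as a reason (stop-processing, no filter) but does not raise the level.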
### [PATTERN] Lookalike domain + reply-chain hijack + in-mailbox ACH fraud

This incident used a layered attack pattern:
1. Register a lookalike domain (kittlarizona.com vs kittlearizona.com) for reply-chain insertion.
2. Insert the lookalike address into a legitimate invoice email thread days before accessing the real mailbox (thread poisoning as of 2026-06-05, 3 days early).
3. Once inside the real mailbox, send from the REAL company email address (not the lookalike) for maximum legitimacy.
4. Hard-delete the evidence immediately after each send.
5. Supplement with vishing — phoning the target AP to verbally pressure approval.

**Rule:** ACH/bank-change requests received via email (even from a known email address) should ALWAYS require a callback to a pre-known phone number to verify. Email alone is insufficient authorization for banking changes, even from a trusted sender. The attacker was operating the real mailbox, not just spoofing it.

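Steps 1 and 2 of the pattern are detectable before any mailbox is touched: the three attacker addresses in this incident (one-character lookalikes of kittlearizona.com and tucsonaz.gov, and a GMX address carrying the brand in its local part) all fail a simple screen against the domains Kittle legitimately corresponds with. The block below is an added example for this page, not ACG tooling; the protected-domain list and the sample addresses come from the incident record above, while the edit-distance thresholds and the single-label TLD assumption are mine.

```python
"""Screen thread participants for lookalike domains and brand-in-local-part
addresses. Added example for the Kittle wiki page; not ACG tooling.
PROTECTED lists the domains from the incident record; thresholds are an
assumption and the TLD handling assumes simple one-label suffixes."""

PROTECTED = ("kittlearizona.com", "tucsonaz.gov", "maranaaz.gov")


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def label(domain):
    """Registrable label: 'tucsonaz' for 'mail.tucsonaz.gov'.
    Assumes a one-label public suffix; use a PSL library for .co.uk-style TLDs."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_sender(address, protected=PROTECTED):
    """Classify one address: trusted, lookalike, brand-in-localpart or unknown."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in protected:
        return {"verdict": "trusted", "match": domain, "distance": 0}
    best = None
    for p in protected:
        plabel = label(p)
        dist = osa_distance(label(domain), plabel)
        allowed = 1 if len(plabel) < 10 else 2   # assumption: short brands get one edit
        if dist <= allowed and (best is None or dist < best["distance"]):
            # dist == 0 here means same brand on a different TLD, also a lookalike
            best = {"verdict": "lookalike", "match": p, "distance": dist}
    if best:
        return best
    for p in protected:
        if label(p) in local:   # e.g. accounting.<brand>@gmx.com
            return {"verdict": "brand-in-localpart", "match": p, "distance": None}
    return {"verdict": "unknown", "match": None, "distance": None}


def screen(addresses, protected=PROTECTED):
    """Every participant that is not on a trusted domain, for callback verification."""
    results = [(a, check_sender(a, protected)) for a in addresses]
    return [(a, r) for a, r in results if r["verdict"] != "trusted"]


if __name__ == "__main__":
    # Constructed thread participant list using addresses from the incident record.
    thread = ["ken@kittlearizona.com", "randi.arnett@tucsonaz.gov",
              "Accounting.kittlearizona@gmx.com", "randi.arnett@tucsonoz.com",
              "ken@kittlarizona.com"]
    for addr, verdict in screen(thread):
        print(f"{addr:40} {verdict['verdict']:20} ~ {verdict['match']}")
```

Run against the invoice thread, this flags the GMX address inserted on 2026-06-05 as brand-in-localpart and both registered lookalikes at distance 1 from their targets. It is a screen, not a verdict: anything that is not trusted goes to the callback step the rule above requires.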
### [PATTERN] Dual-target simultaneous fraud

The attacker targeted TWO government AP departments simultaneously (City of Tucson from Ken/Accounting; Town of Marana from marco@), indicating prior reconnaissance of Kittle's active government billing relationships. Investigate scope of attacker's knowledge when post-mortems are conducted.

### [PATTERN] No Conditional Access + legacy protocols enabled = MFA bypass

Security Defaults-only protection does not block legacy auth clients (IMAP, POP, EAS, MAPI over HTTP). The attacker used IMAP/OAuth to authenticate without triggering MFA. Without a `Block legacy authentication` CA policy, Security Defaults' MFA enforcement is trivially bypassed by any attacker who can consent or steal a legacy-auth token.

**Rule:** Every tenant in the ACG fleet should have at minimum: `Block legacy authentication` CA policy. The `Require MFA for all users` + `Block non-US` combination adds additional depth. Security Defaults alone is not sufficient for clients with financial operations.

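The fleet rule above is checkable from a single Graph read of `/identity/conditionalAccess/policies`. The block below is an added example for this page, not an ACG script: it inspects policy objects in the shape Graph returns them and reports whether an enforced legacy-auth block and an enforced all-users MFA policy exist, treating report-only policies as absent and listing every exclusion so the break-glass account can be confirmed as the only one. The two sample policies are constructed to mirror the names of the Kittle policies; the exclusion object ID is a placeholder.

```python
"""Audit Conditional Access policies for the baseline named in the rule above.
Added example for the Kittle wiki page; not ACG tooling. Records below are
constructed in the shape of Graph GET /identity/conditionalAccess/policies
and are not a tenant export; BREAK_GLASS is a placeholder object ID."""

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}   # Graph's names for legacy clients
MODERN_CLIENT_APPS = {"browser", "mobileAppsAndDesktopClients"}


def _applies_to_everyone(policy):
    """True only when the policy targets all users and all cloud apps."""
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _client_apps(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes", []))


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def blocks_legacy_auth(policy):
    """Enforced block of both legacy client app types for everyone."""
    return (policy.get("state") == "enabled" and _applies_to_everyone(policy)
            and LEGACY_CLIENT_APPS <= _client_apps(policy)
            and "block" in _controls(policy))


def requires_mfa_everywhere(policy):
    """Enforced MFA for everyone on all apps, covering modern clients."""
    apps = _client_apps(policy)
    return (policy.get("state") == "enabled" and _applies_to_everyone(policy)
            and ("all" in apps or MODERN_CLIENT_APPS <= apps)
            and "mfa" in _controls(policy))


def audit(policies):
    """Return baseline coverage, report-only policies, exclusions and gaps."""
    report = {"block_legacy_auth": False, "require_mfa_all_users": False,
              "report_only": [], "exclusions": {}}
    for p in policies:
        name = p.get("displayName", "?")
        if p.get("state") == "enabledForReportingButNotEnforced":
            report["report_only"].append(name)   # report-only protects nothing
        report["block_legacy_auth"] |= blocks_legacy_auth(p)
        report["require_mfa_all_users"] |= requires_mfa_everywhere(p)
        excl = p.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if excl:
            report["exclusions"][name] = list(excl)   # expect only the break-glass here
    report["gaps"] = [k for k in ("block_legacy_auth", "require_mfa_all_users")
                      if not report[k]]
    return report


BREAK_GLASS = "SYSADMIN-OBJECTID-PLACEHOLDER"   # constructed; Graph stores object IDs here
SAMPLE_POLICIES = [
    {"displayName": "ACG - Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "ACG - Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def weakened_sample():
    """Same policies, but the legacy block left in report-only, as a negative case."""
    return [SAMPLE_POLICIES[0],
            {**SAMPLE_POLICIES[1], "state": "enabledForReportingButNotEnforced"}]


if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))
    print(audit(weakened_sample()))
```

Run across the fleet, a non-empty `gaps` list for any tenant is the finding; an `exclusions` entry with anything other than the break-glass object is a second one. The check does not replace disabling the protocols at the mailbox level (see the IMAP/POP/EAS warning below), which is the defence-in-depth layer if a policy is ever switched to report-only.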
### [PATTERN] Privilege excess amplifies BEC impact

Ken was Global Admin AND had standing FullAccess (delegate) to the Accounting/finance mailbox. With a single credential compromise, the attacker could operate as the owner AND the bookkeeper simultaneously. The attacker leveraged Ken's delegate access to send fraudulent bank-change forms from the bookkeeper's real identity (not the lookalike).

**Rule:** Owners and executives should not hold standing FullAccess to financial mailboxes. If access is genuinely needed, use JIT (just-in-time) access grants, not permanent delegate permissions. Separate the owner identity from the finance identity.

### [PATTERN] Evidence deletion + dumpster recovery

Attacker hard-deleted the entire fraud email thread from both mailboxes immediately after each send. The deleted emails + PDF attachment were recovered from the M365 Recoverable Items dumpster (30-day default retention) via Graph API. **The dumpster saved this investigation.** Without it, the ACH fraud angle would not have been discovered.

**Rule:** Always check the Recoverable Items dumpster (`/mailFolders/recoverableitemsdeletions/messages`) during any BEC investigation. Attacker cleanup is incomplete: an attacker can hard-delete from the mailbox, but purging items out of Recoverable Items requires a permission the attacker does not hold.

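What the rule above amounts to in code is a paged walk of the well-known `recoverableitemsdeletions` folder followed by a keyword triage, which is how the deleted EFT thread was recoverable here. The block below is an added example for this page, not the recovery script ACG used: it builds the Graph request for the folder the rule names (the token is supplied by the caller), follows `@odata.nextLink` until the folder is exhausted, and flags payment-related subjects or attachment-bearing items. The two response pages are constructed to look like Graph output and are not incident data.

```python
"""Walk a mailbox's Recoverable Items\\Deletions folder via Graph and flag
payment-related messages. Added example for the Kittle wiki page; not ACG's
recovery script. The folder path is the one the rule names; the sample
pages at the bottom are constructed, not incident data."""
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "id,subject,from,toRecipients,receivedDateTime,hasAttachments"
FRAUD_TERMS = ("eft", "ach", "bank", "wire", "routing", "payment", "invoice", "remit")


def dumpster_url(upn, top=100):
    """First page of the Deletions dumpster for one user; caller adds the bearer token."""
    return (f"{GRAPH}/users/{quote(upn)}/mailFolders/recoverableitemsdeletions/messages"
            f"?$select={SELECT}&$top={top}&$orderby=receivedDateTime desc")


def walk(fetch_json, upn):
    """Follow @odata.nextLink until exhausted. fetch_json(url) -> decoded JSON dict."""
    url, items = dumpster_url(upn), []
    while url:
        page = fetch_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def triage(messages):
    """Keep items whose subject hits a payment term or that carry an attachment."""
    hits = []
    for m in messages:
        subject = (m.get("subject") or "").lower()
        terms = [t for t in FRAUD_TERMS if t in subject]   # substring match; tune per case
        if terms or m.get("hasAttachments"):
            sender = ((m.get("from") or {}).get("emailAddress") or {}).get("address")
            hits.append({"id": m["id"], "subject": m.get("subject"), "from": sender,
                         "received": m.get("receivedDateTime"),
                         "why": terms or ["attachment"]})
    return sorted(hits, key=lambda h: h["received"] or "")


# Constructed two-page response; subjects echo the incident but the data is invented.
_PAGE1 = {
    "value": [
        {"id": "m1", "subject": "RE: EFT UPDATE", "hasAttachments": True,
         "receivedDateTime": "2026-06-08T15:52:00Z",
         "from": {"emailAddress": {"address": "accounting@kittlearizona.com"}}},
        {"id": "m2", "subject": "Lunch Friday?", "hasAttachments": False,
         "receivedDateTime": "2026-06-07T19:10:00Z",
         "from": {"emailAddress": {"address": "hayden@kittlearizona.com"}}},
    ],
    "@odata.nextLink": f"{GRAPH}/users/x/mailFolders/recoverableitemsdeletions/messages"
                       "?$skiptoken=constructed-page-2",
}
_PAGE2 = {
    "value": [
        {"id": "m3", "subject": "test", "hasAttachments": False,
         "receivedDateTime": "2026-06-08T15:32:00Z",
         "from": {"emailAddress": {"address": "ken@kittlearizona.com"}}},
        {"id": "m4", "subject": "Application for Payment #1", "hasAttachments": True,
         "receivedDateTime": "2026-06-09T17:05:00Z",
         "from": {"emailAddress": {"address": "marco@kittlearizona.com"}}},
    ],
}


def fake_fetch(url):
    """Stand-in for an authenticated GET; serves the constructed pages offline."""
    return _PAGE2 if "skiptoken" in url else _PAGE1


def demo(upn="accounting@kittlearizona.com"):
    """Walk the sample dumpster and return the triaged hits in received order."""
    return triage(walk(fake_fetch, upn))


if __name__ == "__main__":
    for hit in demo():
        print(hit["received"], hit["from"], hit["subject"], hit["why"])
```

Swap `fake_fetch` for a function that performs the authenticated GET and the same walk runs against a live mailbox. Fetch attachments for each hit with a second request; `hasAttachments` only tells you one exists.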
### [PATTERN] Lori GA exposure — pre-existing oversight
|
||
|
||
Lori Schagel had 10 admin roles including Global Administrator as a pre-existing condition, predating the incident by more than 30 days. Not attacker-planted. Two GA accounts on a 14-user small-business tenant represents unnecessary attack surface. If either is compromised, the other becomes the recovery path — but also becomes an extra target.
|
||
|
||
**Rule:** Small-business tenants should have exactly one active GA account (or two, with the second being a break-glass with a very strong password and no MFA registration, NOT a named-user account). Review GA assignments at every breach check. Strip and downscope unnecessary GA on sight.

### [WARNING] IMAP/POP/EAS still enabled tenant-wide

Legacy protocols remain enabled as of 2026-06-09. The CA `Block legacy authentication` policy now blocks sign-in via legacy auth, but the protocols themselves are still enabled and could represent residual risk (e.g., if the CA policy is ever accidentally disabled). Disable IMAP/POP/EAS at the mailbox level tenant-wide as defense in depth.
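Added example (not a Kittle runbook script) of the mailbox-level disable described above, using Exchange Online PowerShell: it reports which mailboxes still expose IMAP/POP/EAS, turns the three protocols off on each, and sets the mailbox plans so newly created mailboxes inherit the same state. The `-WhatIf` switch and the Exchange Administrator role are assumptions.

```powershell
# Added example, not part of the Kittle runbooks: turn IMAP/POP/EAS off on every
# existing mailbox and on the mailbox plans so new mailboxes inherit the same state.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator;
# run with -WhatIf first to preview. Native phone mail apps on EAS will stop syncing,
# so confirm users are on Outlook mobile before applying.
param([switch]$WhatIf)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Before: every mailbox that still has at least one legacy protocol enabled.
$exposed = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.ActiveSyncEnabled }
$exposed | Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, ActiveSyncEnabled |
    Format-Table -AutoSize

foreach ($m in $exposed) {
    Set-CASMailbox -Identity $m.Identity -ImapEnabled $false -PopEnabled $false `
        -ActiveSyncEnabled $false -WhatIf:$WhatIf
}

# Mailbox plans hold the defaults stamped onto newly created mailboxes, so fix them too;
# otherwise the next new hire comes up with IMAP/POP/EAS enabled again.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -ImapEnabled $false -PopEnabled $false `
        -ActiveSyncEnabled $false -WhatIf:$WhatIf
}

# After: should return nothing once the change is applied. Keep this as the
# breach-check query so a re-enabled protocol shows up at the next sweep.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.ActiveSyncEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, ActiveSyncEnabled
```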

### [WARNING] ScreenConnect command runner defaults to `cmd` context

PowerShell scripts run via ScreenConnect MUST be prefixed with `#!ps`. `Invoke-WebRequest`, `ConvertTo-SecureString`, etc. silently fail without it.

### [WARNING] Do NOT run `Add-LocalGroupMember` on the DC

DCs have no local SAM; the command will fail with "Group Administrators was not found." Run on the target workstation instead.

### [WARNING] SERVER is the sole domain controller with no backup

Any outage = complete loss of AD, DNS, file shares, and QuickBooks data. No failover. No backup. Address before any other infrastructure work.

### [WARNING] QuickBooks Pro 2024 is on the DC

Do not migrate or decommission SERVER without a proper QuickBooks migration plan. Data is at `C:\Shares\Home\QBooks`.

---

## Active Work

### CRITICAL — Residual Incident Items

- [ ] **Remove Privileged Authentication Administrator from Tenant Admin SP in Kittle Entra portal.** (JIT role granted during reset-password.sh for Ken reset on 6/9; script cannot self-remove; MUST be done manually at https://entra.microsoft.com.) See coord todo or track in Syncro.
- [ ] **Disable IMAP/POP/EAS tenant-wide** — CA now blocks legacy auth, but protocols remain enabled. Defense-in-depth: disable at mailbox level.
- [ ] **Confirm bank freeze calls completed** (Truist 844-487-8478 / Enterprise Fraud Mgmt 866-802-4955; First State Bank fraud 866-372-1275; Chase Global Bank Recoveries 866-954-3718 opt 4 / gb.fraud.recovery@jpmorgan.com).
- [ ] **Re-add appropriate admin role to Ken** — all 10 stripped during containment; Ken is owner/GA by function. Re-add Global Administrator + Exchange Administrator once incident is formally closed.
- [ ] **alexis@ duplicate Authenticator cleanup** — entry `c927402a-75c6-4a55-840a-86d1eea43a9b` ("iPhone 12 Pro Max", app ver 6.8.40). Confirm with Alexis how many Kittle accounts are on her phone; remove if only one. Also review OATH token `7d1425ca-27d0-444d-9c36-6b3780c77059` if unused.
- [ ] **Wrex license removal** — mailbox converted to shared, user disabled; free the Business Standard license.
- [ ] **Christina Micek inbox rule on Ken** — confirmed benign during 6/8 sweep (copy rule, no suppression). Still worth Ken confirming explicitly for documentation closure.
- [ ] **Warn Ken's phished external contacts** — 740+ recipients received the "Ken Schagel shared a file with you" phishing email; link was `flowinnactuators.com/work.html` (credential harvesting). Formal notification recommended.
- [ ] **Run Entra P2 Identity Protection risky-users scan** — P2 now licensed; first risky-users sweep not yet run.
- [ ] **Confirm kittlarizona.com Zoho + Namecheap takedown** — abuse reports sent 2026-06-09; confirm suspension/removal.
- [ ] **Enable SSPR (Self-Service Password Reset) — portal-only mode** — reduces future recovery friction; limit it to the portal, not mobile/email, to avoid account takeover via SSPR.
- [ ] **Confirm City of Tucson follow-up** — exact invoice amounts (especially #31400 ~$8,818), written documentation of payment stop, any City-side IC3 filing.

### HIGH Priority — Infrastructure

- [ ] **Activate Windows Server 2025 full license on SERVER** — evaluation expires 180 days from install; hourly shutdown after expiry. Check: `slmgr /dlv`.
- [ ] **Implement backup for SERVER** — no backup of any kind. Options: Windows Server Backup to USB/NAS, Veeam Free, cloud backup (Backblaze B2/Wasabi).
- [ ] **Configure DKIM for kittlearizona.com** — guide at `clients/kittle/docs/email/dkim-dmarc-setup.md`.
- [ ] **Add DMARC for kittlearizona.com** — start `p=none`, escalate to `p=quarantine` after 1 week clean.
- [ ] **Migrate credentials from Syncro plaintext to SOPS vault** — SERVER admin, Outlook accounts.
- [ ] **Migrate QuickBooks off the DC** — QB should run on ACCOUNTING workstation.
- [ ] **Deploy dedicated firewall** — ISP router only; no stateful inspection.

### MEDIUM Priority

- [ ] GuruRMM agent enrollment confirmation — confirm agents running on SERVER and workstations.
- [ ] Lori GA review — discuss with Ken whether she needs any admin role; User Administrator is current scope.
- [ ] Migrate DHCP from ISP router to Windows Server; verify DNS option hands out 10.0.0.5.
- [ ] Replace role-based AD accounts (accountant, frontdesk) with individual named accounts.
- [ ] Rename workstations with generic DESKTOP-xxx / WINDOWS-xxx names.
- [ ] Identify and map 3 unknown workstations.
- [ ] Investigate port 8019 on SERVER (likely QuickBooks or ScreenConnect).
- [ ] Lori old Samsung S10+ Authenticator entry da5454c7 — remove if she's confirmed on current phone.
- [ ] Enroll Scott in Microsoft Authenticator (phone-only MFA currently).

---

## History Highlights

| Date | Event |
|------|-------|
| 2026-04-16 | Client directory structure applied; onboarding started. |
| 2026-04-23 | ACG April M365 breach check (ticket #32207): Alexis hidden inbox rule + duplicate Authenticator remediated; malicious OAuth (c5df10ae AllPrincipals) + IMAP consent (9b504397, GRANTED BY KEN'S ACCOUNT) revoked. Ken "Admin" rule classified [INFO]; password NOT reset — **critical incomplete remediation that enabled 2-month attacker persistence.** |
| 2026-05-08 | Howard onsite: AD user joshua.sutherland created; GuruRMM client + Main Office site created; agent deployment begun. |
| 2026-06-08 | **BEC BREACH DAY.** Ken@ compromised via OWA (13:24 UTC) from Nexeon VPN IP. Attacker used Ken's FullAccess delegate to Accounting@ to send fraudulent ACH banking-change forms to City of Tucson. 1,000-recipient phishing blast sent; 747 delivered. ACG detects at ~21:30 UTC (Howard receives phishing email). Mike blocks Ken at 21:41. Full remediation overnight: 5 malicious inbox rules deleted, Lori's 10 admin roles stripped + re-scoped, 740 victim notifications sent. Syncro ticket #32393 opened. |
| 2026-06-08 (same day, pre-breach) | ACG full M365 security sweep (ticket #32394) confirms April remediation complete, SMTP forwarding clean on all 13 mailboxes. Sweep ran hours before the main breach was detected. |
| 2026-06-09 | ACH fraud discovered: attacker had sent fraudulent BSD ACH bank-change forms to City of Tucson; evidence hard-deleted but recovered from Recoverable Items dumpster. marco@ additional compromise found: 2 hidden inbox rules + fraudulent Marana AP emails. marco@ remediated. Kim (admin@) remediated. Wrex offboarded. CA hardening deployed (Security Defaults disabled, 3 CA policies enforced). Entra P2 added. FBI IC3 filed (#aa2ef50482ca4c05a54ae0f6cb56ffa0). Ken's password changed in person on-site. Tickets #32393/#32394 invoiced. |
| 2026-06-09 | **FRAUD PREVENTED.** City of Tucson stopped payment before any funds transferred (~$130,000+ exposure). Town of Marana confirms no ACH cleared. Attacker used phone (659-221-9243) for vishing against Marana. Total actual financial loss: $0. |

---

## Tickets (Incident-Related)

| Ticket | Description | Date | Status |
|--------|-------------|------|--------|
| #32207 | April M365 breach check + Alexis remediation | 2026-04-23 | Invoiced — 1.0 hr |
| #32393 | BEC incident — Ken phishing blast, initial remediation (rules, Lori, notifications) | 2026-06-08 | Invoiced |
| #32394 (ID: 112389608) | Full sweep (pre-incident) + CA hardening + marco remediation + ACH fraud investigation + IC3; 1.5h emergency remote | 2026-06-09 | Invoiced — 1.5h @ $225 = $337.50 (invoice 1650625794) |

---

## Backlinks

- [[clients/kittle-design]] — pre-merge article (April breach history); superseded by this article
- [[projects/gururmm]] — GuruRMM agents deployed to Kittle; active RMM client as of 2026-05-08
- [[clients/internal-infrastructure]] — ACG UniFi controller manages Kittle's UniFi switch