Breach Check — Kittle Design & Construction
Date: 2026-04-23
Tenant: kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
Analyst: Mike Swanson
Scope: Tenant-wide compromised account sweep
Tool: ComputerGuru Security Investigator (read-only Graph + Exchange)
Limitations
- No Entra ID P1/P2 license — sign-in logs, risky user detection, and Identity Protection not available
- Exchange Admin role not yet assigned to Security Investigator SP — SMTP forwarding and transport rules not checked
- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility
Summary
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com |
| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com |
| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section |
| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide |
Findings Detail
[WARNING] alexis@kittlearizona.com — Hidden inbox rule
Rule name: . (single dot)
Status: Enabled
Action: Move to folder (ID: AQMkAGJiAWNh...)
Condition: Sender contains HOWMET.COM
A rule named . is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder.
Questions to resolve:
- Does Kittle have a business relationship with Howmet Aerospace?
- Does Alexis recognize this rule?
- What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder)
If Alexis did not create this rule, treat as confirmed compromise indicator and escalate to full breach check with password reset, session revocation, and MFA re-enrollment.
[WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations
Two Microsoft Authenticator entries on the same device name:
| Entry | Display Name | App Version | Created |
|---|---|---|---|
| 1 | iPhone 12 Pro Max | 6.8.41 | not available |
| 2 | iPhone 12 Pro Max | 6.8.40 | not available |
Both tagged SoftwareTokenActivated. Identical device name with different app versions indicates either:
- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register)
- Suspicious: attacker registered their own Authenticator under the same device name
Action: Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID c927402a-75c6-4a55-840a-86d1eea43a9b (version 6.8.40) immediately and force MFA re-enrollment.
[INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails
Rule name: Admin
Status: Enabled
Action: Move to folder (ID: AQMkAGNiZTJj...)
Condition: Body or subject contains any of:
- @flystucson.com
- capitalone
- capitaloneshopping.com
- @capitalone.com
- capital one
- @inform.bill.com
- cwelsh@hq.bill.com
- bill.com
Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization.
Action: Confirm with Ken:
- Did he create this rule?
- What folder does it route to, and has he seen the emails landing there?
- Does Kittle use Bill.com and Capital One for business payments?
If Ken did not create this rule, it is a confirmed compromise indicator.
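The two inbox-rule findings above (Alexis's "." rule and Ken's financial-keyword rule) follow from the same triage logic, shown here as an added Python example written for this report, not code from Security Investigator. It runs over a constructed sample in the shape of Graph messageRule objects; addresses, folder IDs and the keyword list are placeholders.

```python
import re

# Constructed sample shaped like Graph GET /users/{upn}/mailFolders/inbox/messageRules; placeholders only
SAMPLE_RULES = {
    "alexis@example.com": [
        {"displayName": ".", "isEnabled": True,
         "conditions": {"senderContains": ["HOWMET.COM"]},
         "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER-1"}}],
    "ken@example.com": [
        {"displayName": "Admin", "isEnabled": True,
         "conditions": {"bodyOrSubjectContains": ["capitalone", "@capitalone.com", "bill.com"]},
         "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER-2"}},
        {"displayName": "Newsletters", "isEnabled": True,
         "conditions": {"senderContains": ["newsletter"]},
         "actions": {"markAsRead": True, "moveToFolder": "FOLDER-ID-PLACEHOLDER-3"}}],
}

# Keywords whose filtering hides payment/banking traffic from the mailbox owner
FINANCIAL_TERMS = ("capital one", "capitalone", "bill.com", "invoice", "payment", "wire")
# Rule names that render blank or near-invisible in mail clients: "", ".", "..", "-", " "
HIDDEN_NAME = re.compile(r"^[\W_]{0,3}$")
HIGH_RISK = {"hidden/blank rule name", "forwards or redirects mail", "deletes mail"}

def triage_rule(rule):
    """Return (severity, reasons) for one rule; severity is WARNING, INFO or None."""
    if not rule.get("isEnabled", False):
        return None, []
    cond, act, reasons = rule.get("conditions") or {}, rule.get("actions") or {}, []
    if HIDDEN_NAME.match(rule.get("displayName") or ""):
        reasons.append("hidden/blank rule name")
    if act.get("forwardTo") or act.get("redirectTo") or act.get("forwardAsAttachmentTo"):
        reasons.append("forwards or redirects mail")
    if act.get("delete") or act.get("permanentDelete"):
        reasons.append("deletes mail")
    terms = [t.lower() for t in cond.get("bodyOrSubjectContains", []) + cond.get("senderContains", [])]
    if any(f in t for t in terms for f in FINANCIAL_TERMS):
        reasons.append("targets financial senders/keywords")
    severity = "WARNING" if HIGH_RISK & set(reasons) else ("INFO" if reasons else None)
    return severity, reasons

def triage_tenant(rules_by_user):
    """Flatten findings across users, WARNING entries first (the report's summary order)."""
    findings = []
    for user, rules in rules_by_user.items():
        for rule in rules:
            severity, reasons = triage_rule(rule)
            if severity:
                findings.append((severity, user, rule.get("displayName"), reasons))
    return sorted(findings, key=lambda f: f[0] != "WARNING")
```

Every hit still needs the owner's confirmation, as the findings above note; the script only ranks what the analyst asks about first.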
[INFO] Lori@kittlearizona.com — Two Authenticator devices
| Entry | Display Name | App Version |
|---|---|---|
| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 |
| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 |
Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up.
Action: Confirm which device is current with Lori. Remove the old registration.
[INFO] scott@kittlearizona.com — Phone-only MFA
Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering).
Action: Enroll Scott in Microsoft Authenticator.
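The three Authenticator findings (Alexis's duplicate entries, Lori's two models, Scott's phone-only MFA) apply one classification, shown here as an added Python example written for this report rather than Security Investigator code. It runs over a constructed sample in the shape of Graph microsoftAuthenticatorAuthenticationMethod objects; ids, device names and versions are placeholders.

```python
from collections import defaultdict

# Constructed sample shaped like Graph GET /users/{upn}/authentication/microsoftAuthenticatorMethods; placeholders only
SAMPLE_METHODS = {
    "alexis@example.com": [
        {"id": "m1", "displayName": "iPhone 12 Pro Max", "phoneAppVersion": "6.8.41", "deviceTag": "SoftwareTokenActivated"},
        {"id": "m2", "displayName": "iPhone 12 Pro Max", "phoneAppVersion": "6.8.40", "deviceTag": "SoftwareTokenActivated"}],
    "lori@example.com": [
        {"id": "m3", "displayName": "SM-F766U", "phoneAppVersion": "6.2512.8111", "deviceTag": "SoftwareTokenActivated"},
        {"id": "m4", "displayName": "SM-G975U", "phoneAppVersion": "6.2511.7533", "deviceTag": "SoftwareTokenActivated"}],
    "ken@example.com": [
        {"id": "m5", "displayName": "Pixel 8", "phoneAppVersion": "6.2512.8111", "deviceTag": "SoftwareTokenActivated"}],
    "scott@example.com": [],
}

def version_key(v):
    """Sort key for dotted app versions such as 6.8.41 (non-numeric parts sort as 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in (v or "").split("."))

def triage_authenticators(methods):
    """Classify one user's Authenticator registrations the way the report does.

    Returns (severity, reason, ids_to_review):
      WARNING  one device name registered more than once; possible attacker-enrolled device
      INFO     several distinct devices; likely a stale phone left after an upgrade
      INFO     no Authenticator at all; MFA is phone/SMS only
    """
    if not methods:
        return "INFO", "no Authenticator registered (phone-only MFA)", []
    by_name = defaultdict(list)
    for m in methods:
        by_name[m.get("displayName") or ""].append(m)
    duplicated = [group for group in by_name.values() if len(group) > 1]
    if duplicated:
        # Oldest app version first: that is the entry the report proposes removing, but the
        # user must confirm how many entries their phone shows before anything is removed.
        suspects = sorted((m for g in duplicated for m in g), key=lambda m: version_key(m.get("phoneAppVersion")))
        return "WARNING", "duplicate registrations under one device name", [m["id"] for m in suspects]
    if len(by_name) > 1:
        return "INFO", "multiple distinct devices registered", [m["id"] for m in methods]
    return None, "", []

def triage_tenant_mfa(methods_by_user):
    """Findings for every user, WARNING first."""
    out = [(sev, user, reason, ids) for user, ms in methods_by_user.items()
           for sev, reason, ids in [triage_authenticators(ms)] if sev]
    return sorted(out, key=lambda f: f[0] != "WARNING")
```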
[INFO] IMAP legacy auth consent
App ID 9b504397-914d-4af2-b6d9-9081e80da54e has a user-level delegated consent for:
openid offline_access email profile IMAP.AccessAsUser.All
IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it.
Action: Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant.
[INFO] Large-scope AllPrincipals OAuth consent
App ID c5df10ae-2aa7-4283-86ef-1884c267a9ac has admin-consented (AllPrincipals) access including:
Directory.ReadWrite.All, User.ReadWrite.All, RoleManagement.ReadWrite.Directory, Mail.Send, Policy.ReadWrite.*, SecurityEvents.ReadWrite.All, and many others.
This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). Verify this was intentionally granted by Kittle's admin.
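The two consent findings (the single-user IMAP grant and the AllPrincipals high-privilege grant) can be separated by consent type and scope, shown here as an added Python example written for this report, not Security Investigator code. It runs over a constructed sample in the shape of Graph oAuth2PermissionGrant objects with placeholder ids, and goes one step beyond the report by rating a tenant-wide legacy-protocol scope as WARNING rather than INFO.

```python
# Constructed sample shaped like Graph GET /oauth2PermissionGrants; clientId/principalId are placeholders
SAMPLE_GRANTS = [
    {"clientId": "SP-OBJECTID-PLACEHOLDER-1", "consentType": "Principal", "principalId": "USER-OBJECTID-PLACEHOLDER",
     "scope": "openid offline_access email profile IMAP.AccessAsUser.All"},
    {"clientId": "SP-OBJECTID-PLACEHOLDER-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Directory.ReadWrite.All User.ReadWrite.All RoleManagement.ReadWrite.Directory Mail.Send"},
    {"clientId": "SP-OBJECTID-PLACEHOLDER-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "openid profile User.Read"},
]

# Delegated scopes that grant legacy-protocol mailbox access, which Conditional Access does not cover
LEGACY_PROTOCOL_SCOPES = {"IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send"}
# Write scopes whose tenant-wide grant amounts to administrative control of the directory
HIGH_PRIV_PREFIXES = ("Directory.ReadWrite", "RoleManagement.ReadWrite", "User.ReadWrite",
                      "Policy.ReadWrite", "SecurityEvents.ReadWrite", "Application.ReadWrite")

def triage_grant(grant):
    """Return (severity, reasons) for one oAuth2PermissionGrant; severity is WARNING, INFO or None."""
    scopes = set((grant.get("scope") or "").split())
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    reasons = []
    legacy = sorted(scopes & LEGACY_PROTOCOL_SCOPES)
    if legacy:
        # Principal consent names one user to ask; AllPrincipals means every mailbox is reachable this way
        who = "all users" if tenant_wide else f"principal {grant.get('principalId')}"
        reasons.append(f"legacy protocol scope {','.join(legacy)} consented for {who}")
    high = sorted(s for s in scopes if s.startswith(HIGH_PRIV_PREFIXES))
    if high and tenant_wide:
        reasons.append("tenant-wide high-privilege scopes: " + ", ".join(high))
    if not reasons:
        return None, []
    return ("WARNING" if (tenant_wide and legacy) else "INFO"), reasons

def triage_grants(grants):
    """Findings for all grants, keyed by clientId so the analyst can look each app up."""
    out = {}
    for g in grants:
        severity, reasons = triage_grant(g)
        if severity:
            out[g.get("clientId")] = (severity, reasons)
    return out
```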
Clean checks
- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled)
- No B2B guest invites in 30 days
- No suspicious directory audits beyond today's Security Investigator consent (expected)
- 13 of 16 users have Authenticator MFA enrolled
- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment)
Recommended Actions
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike |
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike |
| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike |
| P2 | Identify the IMAP app consent — which user, what client? | Mike |
| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Verify c5df10ae AllPrincipals consent is intentional MSP tooling | Mike |
Escalation criteria
If Alexis or Ken cannot explain their respective rules → treat as active compromise:
- Force password reset
- Revoke all sessions (revokeSignInSessions)
- Remove suspicious Authenticator entry from Alexis
- Delete the unrecognized inbox rule
- Run full per-user breach check (sent items, deleted items, OAuth consents for that user)
- Check if any Bill.com or Capital One transactions were made without authorization (Ken's case)