# Breach Check — Kittle Design & Construction

**Date:** 2026-04-23

**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)

**Analyst:** Mike Swanson

**Scope:** Tenant-wide compromised account sweep

**Tool:** ComputerGuru Security Investigator (read-only Graph + Exchange)

---
## Limitations
- **No Entra ID P1/P2 license** — sign-in logs, risky user detection, and Identity Protection not available
- **Exchange Admin role not yet assigned** to Security Investigator SP — SMTP forwarding and transport rules not checked
- Both limitations can be addressed: assign Security Investigator SP the "View-Only Recipients" Exchange role for forwarding checks; upgrade to Entra P1 for sign-in visibility
---
## Summary
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule (name: ".") routing external emails to folder | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator registrations (same device name, different app versions) | alexis@kittlearizona.com |
| [INFO] | Inbox rule filtering Capital One / Bill.com emails to custom folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices registered (different Samsung models) | Lori@kittlearizona.com |
| [INFO] | Weak MFA — phone only, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent granted (one user) | unknown — see OAuth section |
| [INFO] | Large-scope AllPrincipals OAuth consent — verify is intentional | tenant-wide |
---
## Findings Detail
### [WARNING] alexis@kittlearizona.com — Hidden inbox rule
**Rule name:** `.` (single dot)

**Status:** Enabled

**Action:** Move to folder (ID: AQMkAGJiAWNh...)

**Condition:** Sender contains `HOWMET.COM`

A rule named `.` is a known attacker hiding technique — the single dot renders as blank or near-invisible in many email clients. The rule silently moves incoming emails from Howmet (aerospace/metals company) to a folder.

**Questions to resolve:**

1. Does Kittle have a business relationship with Howmet Aerospace?
2. Does Alexis recognize this rule?
3. What folder is this routing to? (Confirm it's accessible and not an RSS/hidden folder)

If Alexis did not create this rule, treat it as a confirmed compromise indicator and escalate to a full breach check with password reset, session revocation, and MFA re-enrollment.

---
### [WARNING] alexis@kittlearizona.com — Duplicate Authenticator registrations
Two Microsoft Authenticator entries on the same device name:

| Entry | Display Name | App Version | Created |
|---|---|---|---|
| 1 | iPhone 12 Pro Max | 6.8.41 | not available |
| 2 | iPhone 12 Pro Max | 6.8.40 | not available |

Both tagged `SoftwareTokenActivated`. Identical device name with different app versions indicates either:

- Legitimate: same phone, app was updated and re-registered (unusual — updates don't re-register)
- Suspicious: attacker registered their own Authenticator under the same device name

**Action:** Ask Alexis to open Microsoft Authenticator on her phone and count how many Kittle accounts appear. If she only sees one, the second registration is an attacker device — remove entry ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (version 6.8.40) immediately and force MFA re-enrollment.

---
### [INFO] Ken@kittlearizona.com — Inbox rule filtering financial emails
**Rule name:** `Admin`

**Status:** Enabled

**Action:** Move to folder (ID: AQMkAGNiZTJj...)

**Condition:** Body or subject contains any of:

- `@flystucson.com`
- `capitalone`
- `capitaloneshopping.com`
- `@capitalone.com`
- `capital one `
- `@inform.bill.com`
- `cwelsh@hq.bill.com`
- `bill.com`

Filtering Capital One and Bill.com notifications to a folder is a known attacker tactic to hide fraudulent payment activity from the account owner. This could also be legitimate email organization.

**Action:** Confirm with Ken:

1. Did he create this rule?
2. What folder does it route to, and has he seen the emails landing there?
3. Does Kittle use Bill.com and Capital One for business payments?

If Ken did not create this rule, it is a confirmed compromise indicator.

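The heuristics behind the two inbox-rule findings in this report (a near-invisible rule name, financial notifications filed to a folder), extended to the forwarding and deletion actions a fuller sweep would also cover, as an added Python example rather than Security Investigator output. Rule dicts use the Microsoft Graph messageRule field names (displayName, isEnabled, conditions, actions); the sample rules, example.com addresses and folder ids are constructed, and the extra financial terms (invoice, payment, wire) are an assumed extension of Ken's list.

```python
"""Triage Exchange Online inbox rules for attacker-style hiding patterns (added example).
Rule dicts use Microsoft Graph messageRule field names; all sample data is constructed."""
import re
# Terms from Ken's rule plus an assumed generic extension (invoice, payment, wire).
FINANCIAL_TERMS = ("capitalone", "capital one", "bill.com", "invoice", "payment", "wire")
EXFIL_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DESTRUCTIVE_ACTIONS = ("delete", "permanentDelete")

def triage_rule(rule):
    """Return (severity, reasons) for one rule; severity is None when nothing stands out."""
    if not rule.get("isEnabled", True):
        return None, []
    name, actions = rule.get("displayName", ""), rule.get("actions") or {}
    reasons, severity = [], None
    # 0-2 whitespace/punctuation characters ("." in this report) render near-blank in clients.
    if re.fullmatch(r"[\s\W]{0,2}", name):
        reasons.append(f"near-invisible rule name {name!r}")
        severity = "WARNING"
    if any(actions.get(a) for a in EXFIL_ACTIONS):
        reasons.append("forwards or redirects mail outside the mailbox")
        severity = "WARNING"
    if any(actions.get(a) for a in DESTRUCTIVE_ACTIONS):
        reasons.append("deletes matching mail")
        severity = "WARNING"
    if actions.get("moveToFolder"):
        # Flatten every condition list (senderContains, bodyOrSubjectContains, ...) to lowercase.
        values = [str(v).lower() for lst in (rule.get("conditions") or {}).values()
                  if isinstance(lst, list) for v in lst]
        hits = sorted(t for t in FINANCIAL_TERMS if any(t in v for v in values))
        if hits:
            reasons.append("files financial notifications away: " + ", ".join(hits))
            severity = severity or "INFO"
    return severity, reasons

def triage_mailbox(user, rules):
    """Findings for one mailbox as (user, severity, rule name, reasons) tuples."""
    findings = []
    for rule in rules:
        severity, reasons = triage_rule(rule)
        if severity:
            findings.append((user, severity, rule.get("displayName", ""), reasons))
    return findings

# Constructed sample mirroring the two rules in this report (example.com, placeholder folder ids).
SAMPLE = {
    "alexis@example.com": [{"displayName": ".", "isEnabled": True,
        "conditions": {"senderContains": ["HOWMET.COM"]}, "actions": {"moveToFolder": "FOLDER_ID"}}],
    "ken@example.com": [{"displayName": "Admin", "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["capitalone", "bill.com"]}, "actions": {"moveToFolder": "FOLDER_ID"}}],
}
```

Disabled rules are skipped on purpose, since the report only grades enabled ones; a sweep that also wants to surface disabled leftovers can drop the `isEnabled` check.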
---
### [INFO] Lori@kittlearizona.com — Two Authenticator devices
| Entry | Display Name | App Version |
|---|---|---|
| 1 | SM-F766U (Samsung Galaxy Z Fold series) | 6.2512.8111 |
| 2 | SM-G975U (Samsung Galaxy S10+) | 6.2511.7533 |

Different device models — consistent with a phone upgrade where the old device wasn't removed. Lower concern than Alexis's case, but should be cleaned up.

**Action:** Confirm which device is current with Lori. Remove the old registration.

---
### [INFO] scott@kittlearizona.com — Phone-only MFA
Scott has password + phone number registered but no Microsoft Authenticator. SMS/voice MFA is weaker than Authenticator (susceptible to SIM swap, social engineering).

**Action:** Enroll Scott in Microsoft Authenticator.

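The three Authenticator patterns graded above (duplicate entries under one device name, two different device models, phone-only MFA) as a single tenant sweep, an added Python example rather than Security Investigator output. Entries use the Graph microsoftAuthenticatorAuthenticationMethod field names (id, displayName, deviceTag, phoneAppVersion); the users, ids and per-user phone-method counts are constructed.

```python
"""Flag Microsoft Authenticator registration anomalies (added example).
Entries use Graph microsoftAuthenticatorAuthenticationMethod field names
(id, displayName, deviceTag, phoneAppVersion); all sample data is constructed."""
from collections import defaultdict

def review_user(user, authenticators, phone_methods=0):
    """Return (user, severity, message) findings for one user's MFA registrations."""
    findings = []
    if not authenticators:
        if phone_methods:
            findings.append((user, "INFO", "phone-only MFA, no Authenticator registered"))
        return findings
    by_name = defaultdict(list)
    for entry in authenticators:
        by_name[entry.get("displayName", "")].append(entry)
    for name, group in by_name.items():
        # Two entries under one device name: either a re-registration or a second, foreign phone.
        if len(group) > 1:
            versions = ", ".join(sorted(e.get("phoneAppVersion", "?") for e in group))
            ids = ", ".join(e["id"] for e in group)
            findings.append((user, "WARNING",
                             f"{len(group)} Authenticator entries share device name {name!r} "
                             f"(app versions {versions}); ids {ids}"))
    if len(by_name) > 1:
        # Different models usually mean a phone upgrade where the old device was never removed.
        findings.append((user, "INFO",
                         f"{len(by_name)} distinct Authenticator devices: {', '.join(sorted(by_name))}"))
    return findings

def sweep(tenant):
    """Run review_user over {user: {"authenticators": [...], "phone_methods": n}}."""
    findings = []
    for user, methods in tenant.items():
        findings.extend(review_user(user, methods.get("authenticators", []),
                                    methods.get("phone_methods", 0)))
    return findings

# Constructed sample mirroring the three cases in this report (placeholder ids, example.com).
TENANT = {
    "alexis@example.com": {"authenticators": [
        {"id": "ID-1", "displayName": "iPhone 12 Pro Max", "deviceTag": "SoftwareTokenActivated", "phoneAppVersion": "6.8.41"},
        {"id": "ID-2", "displayName": "iPhone 12 Pro Max", "deviceTag": "SoftwareTokenActivated", "phoneAppVersion": "6.8.40"}]},
    "lori@example.com": {"authenticators": [
        {"id": "ID-3", "displayName": "SM-F766U", "phoneAppVersion": "6.2512.8111"},
        {"id": "ID-4", "displayName": "SM-G975U", "phoneAppVersion": "6.2511.7533"}]},
    "scott@example.com": {"authenticators": [], "phone_methods": 1},
    "ken@example.com": {"authenticators": [{"id": "ID-5", "displayName": "Pixel 8", "phoneAppVersion": "6.2512.8111"}]},
}
```

The sweep reports both ids of a same-name pair and leaves the choice of which one to remove to the user confirmation step, as the report does.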
---
### [INFO] IMAP legacy auth consent
App ID `9b504397-914d-4af2-b6d9-9081e80da54e` has a user-level delegated consent for:
```
openid offline_access email profile IMAP.AccessAsUser.All
```
IMAP is legacy authentication and bypasses Conditional Access policies. This is a user-level (Principal) consent, meaning one specific user authorized it.

**Action:** Identify which user consented to this app and verify it's a legitimate mail client (e.g., Thunderbird, Apple Mail in legacy mode). If no one recognizes it, revoke the consent grant.

---
### [INFO] Large-scope AllPrincipals OAuth consent
App ID `c5df10ae-2aa7-4283-86ef-1884c267a9ac` has admin-consented (AllPrincipals) access including:
`Directory.ReadWrite.All`, `User.ReadWrite.All`, `RoleManagement.ReadWrite.Directory`, `Mail.Send`, `Policy.ReadWrite.*`, `SecurityEvents.ReadWrite.All`, and many others.

This is consistent with a multi-tenant MSP management platform (CIPP, Lighthouse, etc.). Verify this was intentionally granted by Kittle's admin.

---
## Clean checks
- No mailbox auto-replies active (Alexis and Ken have old OOO content saved but disabled)
- No B2B guest invites in 30 days
- No suspicious directory audits beyond today's Security Investigator consent (expected)
- 13 of 16 users have Authenticator MFA enrolled
- No mailbox forwarding (SMTP forwarding check pending Exchange role assignment)
---
## Recommended Actions
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: does she recognize the "." rule and the Howmet sender? | Mike |
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? | Mike |
| P2 | Assign Exchange "View-Only Recipients" role to Security Investigator SP to enable SMTP forwarding check | Mike |
| P2 | Identify the IMAP app consent — which user, what client? | Mike |
| P3 | Remove Lori's old Authenticator device after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Verify `c5df10ae` AllPrincipals consent is intentional MSP tooling | Mike |
---
## Escalation criteria
If Alexis or Ken cannot explain their respective rules → treat as active compromise:
1. Force password reset
2. Revoke all sessions (`revokeSignInSessions`)
3. Remove suspicious Authenticator entry from Alexis
4. Delete the unrecognized inbox rule
5. Run full per-user breach check (sent items, deleted items, OAuth consents for that user)
6. Check if any Bill.com or Capital One transactions were made without authorization (Ken's case)