claudetools/clients/quantumwms/reports/2026-06-01-m365-review.md
Howard Enos 847d63426a sync: auto-sync from HOWARD-HOME at 2026-06-01 09:11:26
2026-06-01 09:11:39 -07:00
QuantumWMS — M365 Read-Only Review

  • Date (UTC): 2026-06-01
  • Reviewer: Howard Enos (Howard-Home)
  • Tenant: 2fd0092b-e9b7-474c-ad73-301f34dd6b64 — "Quantum Wealth Management" (quantumwms.com primary, quantumwms.onmicrosoft.com initial)
  • Method: Read-only Microsoft Graph via ComputerGuru Security Investigator app (bfbc12a4-...). No changes made to the tenant.
  • Raw artifacts: /tmp/remediation-tool/2fd0092b-.../signins/all.json

NOTE: This is the current production tenant (Pax8-provisioned 2026-05-27). The old GoDaddy/johnvelez tenant (8f7eaff4-... / NETORGFT2570783) and the dormant GoDaddy ddf3d2c9-... tenant are bypassed and not in use.


Headline: active password-spray attack on john@quantumwms.com

john@quantumwms.com shows 102 sign-in events 2026-05-27 → 2026-06-01: 98 failures from 98 unique IPs, only 4 successes (all his own enrollment from the Tucson office on 5/27).

| Attribute | Detail |
|---|---|
| Failure codes | 94× 50053 (Microsoft blocked — "IP address with malicious activity"), 4× 50126 (invalid password) |
| Unique source IPs | 98 — datacenter/proxy IPv6 ranges (2600:3c02, 2605:6400, 2a01:7e04) + Amsterdam NL (192.42.116.61, flagged malicious) + Praha CZ (130.193.15.79, password guess) |
| Successful logins | 4, all from Tucson office 69.254.197.173 on 2026-05-27 (Microsoft Office + Authentication Broker) |
| Verdict | Distributed credential-stuffing/spray. Every attempt failing. Account NOT breached. |

Risk despite no breach:

  • John is NOT MFA-registered (isMfaRegistered: false).
  • His initial password is weak/OSINT-guessable (recorded plaintext in the 2026-05-27 session log).
  • CA policies that would block this (require-MFA, block-non-US) are report-only — not enforcing.
  • Only protections currently active: Entra malicious-IP reputation + attacker not yet having the password.
  • Operational risk: spray-induced smart-lockout (50053) could lock John out during the licensing window.
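The per-user rollup behind the table above (successes, failures by error code, distinct failing IPs) can be reproduced from the raw `signins/all.json` artifact. The script below is an added example, not part of the review; it runs on a constructed handful of Graph-shaped sign-in records (the IP and country values are made up for the sample, and the spray thresholds are assumptions to tune per tenant).

```python
import json
from collections import Counter

# Constructed sample in the shape of Microsoft Graph /auditLogs/signIns records.
# The real input would be signins/all.json from the review; these rows are made up.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "2600:3c02::1",
     "status": {"errorCode": 50053}, "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "2605:6400::7",
     "status": {"errorCode": 50053}, "location": {"countryOrRegion": "DE"}},
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "130.193.15.79",
     "status": {"errorCode": 50126}, "location": {"countryOrRegion": "CZ"}},
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "69.254.197.173",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "sheila@quantumwms.com", "ipAddress": "69.254.197.173",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}},
])

def summarize_signins(raw_json):
    """Per-UPN rollup: success count, failures keyed by errorCode, distinct failing IPs,
    and successes from outside the expected country (non-US here)."""
    per_user = {}
    for rec in json.loads(raw_json):
        upn = rec.get("userPrincipalName", "").lower()
        code = rec.get("status", {}).get("errorCode", 0)
        country = rec.get("location", {}).get("countryOrRegion")
        s = per_user.setdefault(upn, {"success": 0, "failures": Counter(),
                                      "fail_ips": set(), "foreign_success": 0})
        if code == 0:
            s["success"] += 1
            if country != "US":
                s["foreign_success"] += 1
        else:
            s["failures"][code] += 1
            s["fail_ips"].add(rec.get("ipAddress"))
    return per_user

def spray_verdict(summary, min_failures=50, min_ips=20):
    """Classify each user. A distributed spray shows many failures spread over
    nearly as many distinct IPs; a foreign success alongside it is the breach signal.
    Thresholds are assumptions: lower them for small tenants or short windows."""
    verdicts = {}
    for upn, s in summary.items():
        total_fail = sum(s["failures"].values())
        distributed = total_fail >= min_failures and len(s["fail_ips"]) >= min_ips
        if not distributed:
            verdicts[upn] = "clean"
        elif s["foreign_success"]:
            verdicts[upn] = "spray-possible-breach"
        else:
            verdicts[upn] = "spray-not-breached"
    return verdicts
```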

Identity & licensing

| User | Role | License | MFA registered | Notes |
|---|---|---|---|---|
| john@quantumwms.com | Member | Business Premium (SPB) | No | Under spray attack; Office activated 5/27 |
| sheila@quantumwms.com | Member | Business Premium (SPB) | No | 8 sign-ins all clean; Office activated 5/27 |
| sysadmin@quantumwms.com (Mike) | Global Admin | none | Yes (Authenticator + TOTP) | Daily admin |
| breakglass@…onmicrosoft.com | Global Admin | none | No (by design) | Emergency, CA-excluded, vaulted |

  • SubscribedSkus: 2× SPB (Business Premium), both consumed. Matches plan. [OK]
  • App suite: all 5 ComputerGuru apps consented w/ correct directory roles. [OK]
  • Mailboxes: John & Sheila — no forwarding, no inbox rules (mailboxes still near-empty; mail not yet cut from Intermedia). [OK]

Security controls — the gap

  • Security Defaults: ON — but it only protects users who have registered MFA. Neither real user has registered, so MFA is effectively not protecting John or Sheila yet.
  • 3 Conditional Access policies, all enabledForReportingButNotEnforced (enforcing nothing):
    • CA001 Require MFA (all users) — excludes break-glass
    • CA002 Block legacy auth — excludes break-glass
    • CA003 Block sign-in outside United States — excludes break-glass

Minor / benign

  • admin@quantumwms.onmicrosoft.com: 2 successful Admin-portal logins 5/27 from Leesburg VA, but user no longer exists (Request_ResourceNotFound) — Pax8 provisioning admin, since removed. Benign.

6/03 deadline status (M365 Personal lapse)

Deadline-critical objective MET — both users Business-Premium licensed AND Office activated (signed into Microsoft Office from the office 5/27). They will not lose Office apps on 2026-06-03.

Recommendations (no action taken)

  1. Force-reset John's password (strong/random, forceChangePasswordNextSignIn = true) — weak, sprayed, and in a plaintext log.
  2. Drive John + Sheila through MFA registration — until then Security Defaults shields neither.
  3. Enforce CA001 (require MFA) + CA003 (block non-US) now — would hard-block 100% of observed attacks; break-glass already excluded. (Hold CA002 block-legacy until after mail cutover per original plan.)
  4. Watch for John hitting smart-lockout before the licensing/migration work.