claudetools/clients/quantumwms/reports/2026-06-01-m365-review.md
Howard Enos 847d63426a sync: auto-sync from HOWARD-HOME at 2026-06-01 09:11:26
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-01 09:11:26
2026-06-01 09:11:39 -07:00

# QuantumWMS — M365 Read-Only Review
- **Date (UTC):** 2026-06-01
- **Reviewer:** Howard Enos (Howard-Home)
- **Tenant:** `2fd0092b-e9b7-474c-ad73-301f34dd6b64` — "Quantum Wealth Management" (`quantumwms.com` primary, `quantumwms.onmicrosoft.com` initial)
- **Method:** Read-only Microsoft Graph via ComputerGuru Security Investigator app (`bfbc12a4-...`). **No changes made to the tenant.**
- **Raw artifacts:** `/tmp/remediation-tool/2fd0092b-.../signins/all.json`
> NOTE: This is the **current production tenant** (Pax8-provisioned 2026-05-27). The old GoDaddy/johnvelez tenant (`8f7eaff4-...` / `NETORGFT2570783`) and the dormant GoDaddy `ddf3d2c9-...` tenant are superseded and not in use.
---
## Headline: active password-spray attack on john@quantumwms.com
`john@quantumwms.com` shows **102 sign-in events 2026-05-27 → 2026-06-01: 98 failures from 98 unique IPs**, only 4 successes (all his own enrollment from the Tucson office on 5/27).
| Attribute | Detail |
|---|---|
| Failure codes | 94× **50053** (Microsoft blocked — "IP address with malicious activity"), 4× **50126** (invalid password) |
| Unique source IPs | 98 — datacenter/proxy IPv6 ranges (`2600:3c02`, `2605:6400`, `2a01:7e04`) + **Amsterdam NL** (`192.42.116.61`, flagged malicious) + **Praha CZ** (`130.193.15.79`, password guess) |
| Successful logins | 4, all from Tucson office `69.254.197.173` on 2026-05-27 (Microsoft Office + Authentication Broker) |
| Verdict | Distributed credential-stuffing/spray. **Every attempt failing. Account NOT breached.** |
**Risk despite no breach:**
- John is **NOT MFA-registered** (`isMfaRegistered: false`).
- His initial password is weak/OSINT-guessable (recorded plaintext in the 2026-05-27 session log).
- CA policies that would block this (require-MFA, block-non-US) are **report-only — not enforcing.**
- Only protections currently active: Entra malicious-IP reputation, and the fact that the attacker does not yet have the password.
- Operational risk: spray-induced smart-lockout (50053) could lock John out during the licensing window.
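As an added triage example (not part of this review and not the ComputerGuru tooling), the following script scores per-user records in the Graph `signIns` JSON shape the way the headline numbers above were derived: failure count, unique failing IPs, error-code histogram, success IPs, and a spray flag when failures are many and come from nearly one IP each. The sample records are constructed; `summarize_signins` and its thresholds are assumptions, not anything on the page.

```python
"""Spray triage over Graph signIns JSON (constructed sample, not the tenant's all.json)."""
import json
from collections import Counter

# Constructed sample in the shape of Microsoft Graph /auditLogs/signIns records.
# IPs and timestamps are made up for illustration (RFC 5737 documentation ranges).
SAMPLE_SIGNINS = json.dumps({"value": [
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-05-28T02:11:00Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "203.0.113.11",
     "createdDateTime": "2026-05-28T02:12:00Z", "status": {"errorCode": 50053}},
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-05-28T03:40:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "john@quantumwms.com", "ipAddress": "192.0.2.5",
     "createdDateTime": "2026-05-27T16:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "sheila@quantumwms.com", "ipAddress": "192.0.2.5",
     "createdDateTime": "2026-05-27T16:05:00Z", "status": {"errorCode": 0}},
]})


def summarize_signins(raw_json, min_failures=10, unique_ip_ratio=0.8):
    """Per UPN: failures, unique failing IPs, error-code histogram, success IPs,
    plus a spray flag (many failures, almost every one from a distinct IP)."""
    events = json.loads(raw_json)["value"]
    per_user = {}
    for ev in events:
        upn = ev["userPrincipalName"]
        code = ev.get("status", {}).get("errorCode", 0)  # 0 == success in Graph
        u = per_user.setdefault(upn, {"failures": 0, "fail_ips": set(),
                                      "codes": Counter(), "success_ips": set()})
        if code == 0:
            u["success_ips"].add(ev["ipAddress"])
        else:
            u["failures"] += 1
            u["fail_ips"].add(ev["ipAddress"])
            u["codes"][code] += 1
    report = {}
    for upn, u in per_user.items():
        n_fail, n_ips = u["failures"], len(u["fail_ips"])
        # Distributed-spray signature: enough failures, and ~one source IP per failure.
        spray = n_fail >= min_failures and n_ips / n_fail >= unique_ip_ratio
        # A success from an IP that also failed is the first thing to re-check by hand.
        overlap = u["fail_ips"] & u["success_ips"]
        report[upn] = {"failures": n_fail, "unique_fail_ips": n_ips,
                       "codes": dict(u["codes"]), "success_ips": sorted(u["success_ips"]),
                       "spray_suspected": spray, "success_from_failing_ip": sorted(overlap)}
    return report


if __name__ == "__main__":
    for upn, r in summarize_signins(SAMPLE_SIGNINS, min_failures=3).items():
        print(upn, r)
```

Point it at the exported `all.json` by replacing `SAMPLE_SIGNINS` with the file contents; the defaults (10 failures, 80% distinct IPs) are a starting threshold, not a tuned one.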
## Identity & licensing
| User | Role | License | MFA registered | Notes |
|---|---|---|---|---|
| `john@quantumwms.com` | Member | Business Premium (SPB) | **No** | Under spray attack; Office activated 5/27 |
| `sheila@quantumwms.com` | Member | Business Premium (SPB) | **No** | 8 sign-ins all clean; Office activated 5/27 |
| `sysadmin@quantumwms.com` (Mike) | Global Admin | none | Yes (Authenticator + TOTP) | Daily admin |
| `breakglass@…onmicrosoft.com` | Global Admin | none | No (by design) | Emergency, CA-excluded, vaulted |
- **SubscribedSkus:** 2× SPB (Business Premium), both consumed. Matches plan. [OK]
- **App suite:** all 5 ComputerGuru apps consented w/ correct directory roles. [OK]
- **Mailboxes:** John & Sheila — no forwarding, no inbox rules (mailboxes still near-empty; mail not yet cut from Intermedia). [OK]
## Security controls — the gap
- **Security Defaults: ON** — but only protects users who have **registered** MFA. Neither real user has registered, so MFA is effectively **not protecting John or Sheila** yet.
- **3 Conditional Access policies, all `enabledForReportingButNotEnforced`** (enforcing nothing):
  - CA001 Require MFA (all users) — excludes break-glass
  - CA002 Block legacy auth — excludes break-glass
  - CA003 Block sign-in outside United States — excludes break-glass
## Minor / benign
- `admin@quantumwms.onmicrosoft.com`: 2 successful Admin-portal logins 5/27 from Leesburg VA, but user **no longer exists** (`Request_ResourceNotFound`) — Pax8 provisioning admin, since removed. Benign.
## 6/03 deadline status (M365 Personal lapse)
**Deadline-critical objective MET** — both users Business-Premium licensed AND Office activated (signed into Microsoft Office from the office 5/27). They will not lose Office apps on 2026-06-03.
## Recommendations (no action taken)
1. **Force-reset John's password** (strong/random, `forceChangePasswordNextSignIn = true`) — weak, sprayed, and in a plaintext log.
2. **Drive John + Sheila through MFA registration** — until then Security Defaults shields neither.
3. **Enforce CA001 (require MFA) + CA003 (block non-US) now** — would hard-block 100% of observed attacks; break-glass already excluded. (Hold CA002 block-legacy until after mail cutover per original plan.)
4. Watch for John hitting smart-lockout before the licensing/migration work.