claudetools/clients/dataforth/reports/2026-05-03-user-breach-check-jantar.md
Mike Swanson 2e98f95c9f Session log: Dataforth M365 security investigation - jantar@dataforth.com
Darkweb scan follow-up: ran 10-point breach check on jantar@dataforth.com (no IOCs),
revoked eM Client OAuth grant and app role assignment, disabled eM Client SP tenant-wide.
Syncro ticket #109790034 created, billed 1hr prepaid, resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 10:37:22 -07:00


User Breach Check: jantar@dataforth.com

Date: 2026-05-03 (UTC)
Analyst: Mike Swanson (GURU-BEAST-ROG)
Tenant: dataforth.com | 7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584
User: Jacque Antar | jantar@dataforth.com
Object ID: daa60027-be31-47a5-87af-d728499a9cc4
Tool Tiers Used: investigator (Graph read) + investigator-exo (Exchange read) + user-manager (Graph write, remediation)


Verdict: [OK] NO INDICATORS OF COMPROMISE

All 10 breach check points are clean. No malicious forwarding, no unauthorized access, no suspicious sign-in geography, and no hidden inbox rules.


Account Profile

| Field | Value |
|---|---|
| Display Name | Jacque Antar |
| UPN | jantar@dataforth.com |
| Account Enabled | true |
| Created | 2023-12-07 |
| Last Password Change | 2026-03-09 (~7 weeks ago) |

Check Results

01 - Inbox Rules (Graph): [OK]

One rule found, disabled:

  • Name: Move Graymail to folder
  • Condition: Header X-Inky-Graymail: True
  • Action: Move to folder, stop processing rules
  • Status: Disabled

Assessment: Routine graymail filter, not suspicious. The rule is disabled, so it is not active.


02 / 03d - Forwarding: [OK]

No forwarding configured:

  • ForwardingAddress: null
  • ForwardingSmtpAddress: null
  • DeliverToMailboxAndForward: null
  • automaticForwardingEnabled: null (no mailbox-level block override)

03a - Hidden Inbox Rules (Exchange): [OK]

No hidden rules found.


03b - Mailbox Permissions: [OK]

No non-SELF delegates. User has no third-party mailbox access grants.


03c - SendAs Permissions: [OK]

No non-SELF SendAs trustees.


04 - OAuth Grants / App Role Assignments: [OK - Known Email Clients]

Two OAuth grants (user-specific, Principal consent — not tenant-wide):

| Client ID | Scopes | Assessment |
|---|---|---|
| 85e650f8-5eec-4523... | openid offline_access EAS.AccessAsUser.All | Exchange ActiveSync, Apple Internet Accounts |
| 25db1c08-f5a0-4f6c... | IMAP.AccessAsUser.All EWS.AccessAsUser.All offline_access email openid | IMAP/EWS, eM Client |

App Role Assignments:

| App | Created | Assessment |
|---|---|---|
| Apple Internet Accounts | 2024-04-02 | iOS/macOS Mail, expected |
| eM Client | 2024-08-26 | Desktop email client, expected |

Apple Internet Accounts is a legitimate active email client (iOS/macOS Mail). eM Client is no longer in use at Dataforth.

Remediation performed 2026-05-03:

  • eM Client OAuth grant and app role assignment revoked for jantar@dataforth.com via user-manager tier (HTTP 204 each). Verified — only Apple Internet Accounts remains on this user.
  • Tenant sweep confirmed jantar was the only user with eM Client connected.
  • eM Client service principal disabled tenant-wide (accountEnabled: false) via tenant-admin tier (HTTP 204). Verified — no user in this tenant can authorize eM Client going forward.
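
The remediation sequence above, as an added example that is not the report's own tooling (which issued raw Graph calls and logged HTTP 204): Microsoft Graph PowerShell SDK cmdlets that revoke one user's delegated grant and app role assignment for an application, sweep the tenant for any other principal still connected to it, and only then disable its service principal. The report does not state eM Client's application ID, so `$TargetAppId` is a placeholder.

```powershell
# Added example: revoke a user's consent to an enterprise app, confirm no other
# principal is still connected, then disable the service principal tenant-wide.
# Microsoft Graph PowerShell SDK. The appId below is a PLACEHOLDER; the report
# does not give eM Client's application (client) ID.
$Upn         = 'jantar@dataforth.com'
$TargetAppId = '00000000-0000-0000-0000-000000000000'   # placeholder appId

Connect-MgGraph -Scopes 'User.Read.All','Application.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All','AppRoleAssignment.ReadWrite.All'

# Grants and role assignments reference the tenant's service principal object id,
# not the global appId, so resolve the service principal first.
$sp = Get-MgServicePrincipal -Filter "appId eq '$TargetAppId'"
if (-not $sp) { throw "No service principal for appId $TargetAppId in this tenant" }

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName

# Step 1: remove the user's delegated (Principal consent) OAuth grant for this client.
Get-MgUserOauth2PermissionGrant -UserId $user.Id |
    Where-Object { $_.ClientId -eq $sp.Id } |
    ForEach-Object {
        Write-Host "Revoking grant $($_.Id) with scopes: $($_.Scope)"
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    }

# Step 2: remove the user's app role assignment to the same service principal.
Get-MgUserAppRoleAssignment -UserId $user.Id |
    Where-Object { $_.ResourceId -eq $sp.Id } |
    ForEach-Object {
        Write-Host "Removing app role assignment $($_.Id)"
        Remove-MgUserAppRoleAssignment -UserId $user.Id -AppRoleAssignmentId $_.Id
    }

# Step 3: tenant sweep. Any remaining grant or assignment means another user
# (or an admin consent) still depends on this app.
$otherGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$otherRoles  = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
$remaining   = @($otherGrants) + @($otherRoles)
Write-Host "Principals still connected to $($sp.DisplayName): $($remaining.Count)"

# Step 4: disable the service principal so nobody in the tenant can authorize
# the app again. Only safe once the sweep shows no other dependents.
if ($remaining.Count -eq 0) {
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    # Read the property back to verify the change took effect.
    Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property AccountEnabled |
        Select-Object -ExpandProperty AccountEnabled
}
```

Re-running the user's grant and assignment queries afterwards should show only the clients the report lists as expected (here, Apple Internet Accounts).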

Remaining grant post-remediation:

| App | Scopes | Status |
|---|---|---|
| Apple Internet Accounts | openid offline_access EAS.AccessAsUser.All | Active, expected |

05 - Authentication Methods: [NOTE]

| Method | Detail |
|---|---|
| Password | Configured |
| Phone (mobile) | +1 520-245-6929, SMS sign-in ready |

MFA is configured via SMS/phone. No authenticator app (TOTP/push) registered.

[NOTE] SMS-based MFA is less phishing-resistant than Microsoft Authenticator or FIDO2. Not an indicator of compromise, but a policy hardening recommendation.


06 - Sign-ins (30 days): [OK]

8 successful interactive sign-ins. All from the same IP and location:

| IP | City | Country | Count | Apps |
|---|---|---|---|---|
| 67.206.163.122 | Salt Lake City | US | 8 | Dime Client (7), One Outlook Web (1) |

  • All Windows 10, all status 0 (success)
  • No foreign logins
  • No impossible travel
  • Consistent single IP

[NOTE] "Dime Client" is the primary app (7/8 sign-ins). This appears to be a Dataforth internal or custom application — not a standard Microsoft app. Flagged for awareness; not suspicious given consistent IP and location.


07 - Directory Audits (30 days): [OK]

| Date | Activity | Initiated By |
|---|---|---|
| 2026-04-23 | Update user | System (automated) |
| 2026-04-10 | Update user | System (automated) |
| 2026-04-06 | Update user | System (automated) |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |
| 2026-04-06 | Add member to group | dcenter@dataforth.com |

Routine admin activity. Group additions initiated by dcenter@dataforth.com (appears to be a service/admin account). No suspicious changes.


08 - Identity Protection / Risk: [N/A - 403]

  • Risky user check: 403 Forbidden — tenant has not consented to IdentityRiskyUser.Read.All scope for the Security Investigator app.
  • Risk detections endpoint: 0 detections returned from available endpoint.

To enable full risk checks, a Global Admin must consent the app in this tenant:

https://login.microsoftonline.com/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/adminconsent?client_id=bfbc12a4-f0dd-4e12-b06d-997e7271e10c&redirect_uri=https://azcomputerguru.com&prompt=consent

09 / 10 - Sent / Deleted Items: [OK]

  • Sent (recent 25): 25 items found — normal mail activity
  • Deleted (recent 25): 3 items — minimal deletions, nothing suspicious

Recommendations

| Priority | Item |
|---|---|
| [INFO] | Upgrade MFA from SMS to Microsoft Authenticator (push/TOTP) for improved phishing resistance |
| [INFO] | Identify "Dime Client" app; confirm it is an authorized internal application |
| [INFO] | Consider consenting IdentityRiskyUser scope for full risk signal visibility |

Raw Artifacts

/tmp/remediation-tool/7dfa3ce8-c496-4b51-ab8d-bd3dcd78b584/user-breach/jantar_dataforth_com/

Files: 00_user.json, 01_inbox_rules_graph.json, 02_mailbox_settings.json, 03a_InboxRule_hidden.json, 03b_MailboxPermission.json, 03c_RecipientPermission.json, 03d_Mailbox.json, 04a_oauth_grants.json, 04b_app_role_assignments.json, 05_auth_methods.json, 06_signins.json, 07_dir_audits.json, 08a_risky_user.json, 08b_risk_detections.json, 09_sent.json, 10_deleted.json