claudetools/clients/bardach/reports/2026-06-05-barbara-note-draft.md
Mike Swanson 08e194f592 bardach: M365 account investigation + Security Defaults MFA enforcement
Investigated barbara@bardach.net login issues (account-locked message, INKY SSL
errors). Finding: active distributed password-spray against the tenant (also
hitting admin@), NOT a breach — no successful attacker sign-in, no mailbox/rule/
forwarding changes. Root exposure: MFA not enforced (no Entra P1 -> no CA).

Remediation (Mike confirmed): enabled Security Defaults tenant-wide. Both active
accounts MFA-ready (Authenticator) -> no lockout; legacy auth now blocked.

- 2026-06-05-account-investigation-mfa-enforcement.md (full report)
- 2026-06-05-barbara-note-draft.md (client note, for Mike to send)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 11:52:46 -07:00


Draft note to Barbara (2026-06-05) — plain, reassuring, non-technical

Channel: email or text to Barbara. Tone: calm, "we looked, you're fine, here's the one change."


Hi Barbara,

We took a look at your Microsoft account. The short version: your account is fine and nobody got into it. What you ran into was someone out on the internet repeatedly trying to guess the password to email accounts on your domain — Microsoft was blocking every one of those attempts, and that's what triggered the "account locked" message you saw on your phone. The brief INKY/SSL hiccup on your computer was just a side effect of that same lockout, not a separate problem.

To shut this down for good, we turned on an extra layer of protection: from now on, signing in will also ask you to approve it on your phone (the Microsoft Authenticator app you already have set up). So the next time you sign in — phone or computer — you'll get a quick approval prompt. Just tap approve, and you're in. After that it's business as usual.

This is a good thing: even if someone ever did guess a password, they still couldn't get in without your phone.

A couple of things to expect:

  • You may still see a "locked" message once or twice over the next day or so as the leftover attempts die down — that's them, not you. It'll clear up.
  • If you use any older email program or device that connects to your mail, it might ask you to sign in again or stop working — if anything like that comes up, just let us know and we'll sort it.

Nothing you need to do right now. If you have any trouble signing in or approving on your phone, call or email us and we'll walk you through it.

Best,
Mike
Arizona Computer Guru


Notes for Mike

  • Kept it non-technical: no error codes, no "password spray," no mention of the admin account.
  • Sets the expectation of the Authenticator prompt + the residual lockout messages so she isn't alarmed.
  • Flags the legacy-auth caveat softly ("older email program... let us know").