5.2 KiB
Breach Check — John Trozzi
Client: Cascades Tucson
Date: 2026-04-20 (UTC)
Analyst: ComputerGuru MSP / Claude
Target: john.trozzi@cascadestucson.com (User ID: a638f4b9-6936-4401-a9b7-015b9900e49e)
Trigger: User reported receiving spoofed/phishing email in inbox
Verdict: MAILBOX CLEAN — PHISHING EMAIL RECEIVED, NOT COMPROMISED
John's mailbox shows no signs of account compromise. The "spoofed email" is an inbound phishing email that John correctly identified and reported to ACG. He did not appear to click any links.
10-Point Check Results
| # | Check | Result | Notes |
|---|---|---|---|
| 1 | Graph inbox rules (visible) | [OK] CLEAN | No custom rules |
| 2 | Exchange REST rules (incl. hidden) | [OK] CLEAN | Only default Junk E-mail Rule |
| 3 | Mailbox forwarding (Get-Mailbox) | [OK] CLEAN | ForwardingAddress: null, ForwardingSmtpAddress: null, DeliverToMailboxAndForward: false |
| 4 | Delegates / FullAccess | [OK] CLEAN | No non-SELF delegates |
| 5 | SendAs grants | [OK] CLEAN | No non-SELF grants |
| 6 | OAuth consents | [OK] CLEAN | BlueMail (2022) + EAS — both legitimate, pre-date incident |
| 7 | Auth methods | [NOTE] | Phone + Authenticator (Samsung SM-F731U) + FIDO2. Duplicate Authenticator entry (SM-F731U, null creation date) — likely same device, low risk |
| 8 | Sign-ins 30d | [OK] CLEAN | All US/Phoenix, consistent IP 184.191.143.62. No foreign access. No legacy auth. |
| 9 | Risky user | [OK] CLEAN | riskLevel: none. riskDetail: userPerformedSecuredPasswordReset (from 2026-04-16 remediation — expected) |
| 10 | Directory audits | [OK] EXPECTED | April 16 shows sysadmin reset + disable/re-enable cycle (our prior remediation). John self-service password change on April 16 after reinstatement. No unexpected admin changes. |
Primary Incident: Phishing Email
What happened
- John received a phishing email with subject: "ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d"
- This is a standard credential-harvesting lure (fake "pending documents" with urgency + reference ID)
- John correctly identified it as suspicious and:
- Forwarded it to howard@azcomputerguru.com at 12:23 UTC for review
- Sent a separate report to mike@azcomputerguru.com with subject "Spoof emails" at 12:26 UTC
- No evidence John clicked any link or entered credentials
Original sender
Not recoverable from sent-items forward (internet headers stripped on forward). The original email is no longer in inbox or deleted items — John likely deleted it after forwarding. The reference ID format (f1bb60a2...) is a common bulk phishing campaign marker.
Secondary Finding: Google Account Alert
John received a security alert at 16:01 UTC from no-reply@accounts.google.com for account 201cascades@gmail.com. This may be a shared facility Gmail account. Recommend confirming whether this alert was expected and that 201cascades@gmail.com has 2FA enabled and is not using a shared/weak password.
Domain Posture: DMARC Gap
| Record | Value | Assessment |
|---|---|---|
| SPF | v=spf1 ip4:72.194.62.5 include:spf.protection.outlook.com -all |
[OK] Strict — good |
| DMARC | v=DMARC1;p=none;pct=100;rua=mailto:info@cascadestucson.com |
[WARNING] p=none — no enforcement |
SPF is tight (-all) which means emails spoofing @cascadestucson.com from unauthorized IPs will fail SPF at recipient mail servers. However, with DMARC at p=none, there is no instruction to quarantine or reject them — they still land in inboxes.
Recommendation: Upgrade DMARC to p=quarantine once DKIM is confirmed working.
Recommendations
Immediate
- No account remediation needed — mailbox is clean, account not compromised.
- Inform John: the email he forwarded is a phishing/credential-harvesting lure. Confirm he did not click any link or enter credentials anywhere after receiving it. If he did, escalate to full remediation (revoke sessions, password reset).
- Howard should delete the forwarded phishing email from his inbox — do not click the link in it.
Short-term
- Upgrade DMARC to p=quarantine: change _dmarc.cascadestucson.com TXT record from
p=nonetop=quarantine. This will direct receiving servers to junk spoofed emails. Coordinate with Meredith. - Confirm DKIM is set up for cascadestucson.com (Exchange Online DKIM). If not, configure it before setting p=quarantine.
- Google account 201cascades@gmail.com: Verify the security alert was benign and the account has 2FA.
Deferred
- Duplicate Authenticator entry (SM-F731U with null date): Low risk. Can clean up by removing the null-date entry in My Sign-ins or via Entra admin center.
- Migrate Cascades to new app suite: Consent ComputerGuru Security Investigator (bfbc12a4) in Cascades Tucson and assign Exchange Administrator role to new SP. Retire old app consent.
Raw Artifacts
/tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john-trozzi/
- 01-profile.json
- 02-graph-rules.json
- 03-exo-rules.json
- 04-mailbox.json
- 05-mailbox-perms.json
- 06-sendas.json
- 07-oauth.json
- 08-approles.json
- 09-authmethods.json
- 10-signins.json
- 11-audits.json
- 12-authenticator-detail.json
- 13-risky.json
- 14-sent.json
- 15-deleted.json