claudetools/clients/cascades-tucson/reports/2026-04-20-john-trozzi-spoof-email-check.md

John Trozzi — Spoof Email Report / Follow-up Breach Check

Date: 2026-04-20 Tenant: Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498) Subject: John Trozzi (john.trozzi@cascadestucson.com, a638f4b9-6936-4401-a9b7-015b9900e49e) Tool: Claude-MSP-Access / ComputerGuru - AI Remediation (App ID fabb3421-8b34-484b-bc17-e46de9703418) Scope: Read-only (no remediation actions executed) Trigger: John told Mike he received a spoof email. He forwarded it to howard@azcomputerguru.com at 12:23 UTC today.

Summary

• No breach indicators. John reported the phishing email himself — he is not a victim. He forwarded the message to Howard and then emailed Mike about it.
• The phishing lure: subject "ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d" — classic DocuSign/fake-document-expiry style.
• Mailbox posture is clean across all 10 checks: zero inbox rules (including hidden), no forwarding, no delegates, no SendAs grants, no new OAuth consents in the attack window, all MFA methods predate the event, sign-ins are 100% Phoenix AZ.
• Identity Protection riskyUser.riskState = remediated from the prior 2026-04-16 incident (userPerformedSecuredPasswordReset). Current risk level none. That risk event is closed and unrelated to today's report.
• Recommended next step: confirm with John he did not click or enter credentials; block the sender tenant-wide; add to phish training examples. No account action required.

Target details

Field	Value
UPN	john.trozzi@cascadestucson.com
Object ID	a638f4b9-6936-4401-a9b7-015b9900e49e
Account Enabled	true
Created	2022-02-18T18:31:39Z
Last Password Change	2026-04-16T16:05:11Z (4 days ago, self-change after admin-initiated IR reset)

Per-check findings

1. Inbox rules (Graph) — CLEAN

/users/{upn}/mailFolders/inbox/messageRules → value: []. No rules.

2. Mailbox forwarding / settings — CLEAN

• forwardingSmtpAddress: null
• Mailbox settings: no forwarding configured.

3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox) — CLEAN

• Get-InboxRule -IncludeHidden: 0 rules beyond system defaults.
• Get-MailboxPermission: only NT AUTHORITY\SELF. No delegates.
• Get-RecipientPermission (SendAs): only NT AUTHORITY\SELF. No SendAs grants.
• Get-Mailbox: ForwardingAddress=null, ForwardingSmtpAddress=null, DeliverToMailboxAndForward=null.

4. OAuth consents + app role assignments — CLEAN

Single longstanding consent:

• BlueMail (clientId 3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e)
  • Graph scope: User.Read
  • Exchange Online scope: EAS.AccessAsUser.All Exchange.Manage
  • App role assignment created 2022-02-18 (account creation day — legitimate and pre-dates any attack window).
• No new consents in the attack window.

5. Authentication methods — CLEAN (strong posture)

• Password (last changed 2026-04-16T16:05:11Z)
• Phone
• 2x Microsoft Authenticator
• FIDO2 security key

All non-password methods predate the 2026-04-16 IR event. No new method added in the attack window.

6. Sign-ins (30d, interactive) — CLEAN

• 12 sign-ins, all successful, all from 184.191.143.62 (Phoenix, AZ, US — CenturyLink/Qwest residential).
• 0 non-US sign-ins.
• Apps: Microsoft Authentication Broker, My Signins, Microsoft Account Controls V2 (all legitimate portal/auth flows).
• Devices: Android (Chrome Mobile) and Windows 10 (Chrome). Consistent with John's normal devices.

7. Directory audits (30d, filtered to John) — CLEAN

41 events, all clustered on 2026-04-16 and attributable to:

• sysadmin@cascadestucson.com (MSP admin running the IR reset)
• John himself (self-service password change post-reset)
• Microsoft system actors (Substrate Management, MFA StrongAuthenticationService)

No audit events in the last 3 days. No unauthorized changes.

8. Risky users / risk detections

• riskyUser.riskLevel: none
• riskyUser.riskState: remediated
• riskyUser.riskDetail: userPerformedSecuredPasswordReset
• riskyUser.riskLastUpdatedDateTime: 2026-04-16T15:45:55Z
• riskDetections (30d): 0

The remediated flag is the closure marker for the prior 2026-04-16 incident. No new risk detections since.

9. Sent items (recent 25) — CLEAN + evidence of the report

Top of the list is John reporting the phishing to us:

Sent (UTC)	Subject	To
2026-04-20 12:26:51	Spoof emails	mike@azcomputerguru.com
2026-04-20 12:23:50	Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d	howard@azcomputerguru.com
2026-04-17 20:15:58	312 FLOORING 2OF 2	prods_0478@homedepot.com
2026-04-17 20:04:01	312 CABINETS 1 OF 2	prods_0478@homedepot.com
2026-04-17 19:58:12	FW: Caregivers & medtech	howard@azcomputerguru.com
2026-04-17 18:47:03	Re: Model 1 Commercial Vehicles Follow Up	AFreer@model1.com
2026-04-17 15:26:51	RE: Cascades of Tucson - UE Revised Door Access Control Design Estimate	wpeterson@unwiredengineering.com
2026-04-17 14:57:30	Fw: Cascades of Tucson - UE Revised Door Access Control Design Estimate	mike@azcomputerguru.com
2026-04-16 21:47:22	Re: license upgrade	meredith.kuhn@cascadestucson.com (+ mike, howard, crystal)
...	...	...

All other outbound is legitimate vendor/internal business correspondence (Home Depot, Model 1, Unwired Engineering, internal Cascades, DirecTV). No blast patterns, no external bulk sends, no credential-harvest style outbound.

10. Deleted items (recent 25) — CLEAN

Normal marketing (Wayfair, BestBuy, Spotify, Floor & Decor), 8x8 voicemail notifications, vendor promotional email, and a few legitimate business messages. No deleted security alerts, MFA prompts, or password-reset confirmations — the tells of an attacker cleaning their tracks are absent.

Suspicious items

None arising from this check. The only noteworthy item is the phishing email itself, which John handled correctly (reported rather than clicked).

Gaps — checks not completed

None. All 10 checks completed successfully. Exchange REST and Identity Protection permissions are both in place for this tenant after the 2026-04-16 remediation.

Relationship to prior investigation

On 2026-04-16, John was flagged as a risky user and an IR sequence was executed (see clients/cascades-tucson/reports/2026-04-16-john-breach-check.md). That incident was remediated via self-service secured password reset. Today's event is separate — John received a phishing email, recognized it, and reported it. No fresh compromise indicators.

Next actions

1. Talk to John — confirm he did not click the link or enter credentials. Ask if he sees additional copies of the message or variations still arriving. If he did click, run revoke-sessions + force password reset immediately.
2. Block the sender — pull the original message headers from Howard's inbox; add sender domain to Exchange Online Tenant Allow/Block List or the anti-phish policy.
3. Check other recipients — query mail trace for the same Message-ID/subject across the tenant; if other Cascades users received the same lure, flag them for the same conversation.
4. Add to phishing training catalog — this is a textbook DocuSign-style impersonation. Worth using as a training example for staff.
5. No account remediation required at this time.

Remediation actions

None executed. Read-only check.

Data artifacts

Raw JSON at /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/:

• 00_user.json
• 01_inbox_rules_graph.json
• 02_mailbox_settings.json
• 03a_InboxRule_hidden.json
• 03b_MailboxPermission.json
• 03c_RecipientPermission.json
• 03d_Mailbox.json
• 04a_oauth_grants.json
• 04b_app_role_assignments.json
• 05_auth_methods.json
• 06_signins.json
• 07_dir_audits.json
• 08a_risky_user.json
• 08b_risk_detections.json
• 09_sent.json
• 10_deleted.json