claudetools/clients/cascades-tucson/reports/2026-04-20-tenant-phishing-sweep-and-purge.md
Howard Enos a92d2d3f2c report: Cascades Tucson phishing sweep - deleted 14 phish across 7 users
Triggered by John Trozzi reporting a spoof email. Single-user check
confirmed him clean (reported, not compromised). Tenant-wide sweep
found a sustained ~1 month campaign from 4 external IPs (UA/US/DE/AT
- deltahost + ColoCrossing) plus a compromised-M365-tenant relay
vector. Deleted 14 messages (Groups A+B) per Mike's explicit
authorization. Preserved legitimate HR thread (HRPYDBRUN xlsx) and
user outbound forwards as evidence.

Recommendations in report: DMARC p=quarantine/reject for
cascadestucson.com (biggest leverage), TABL IP blocks, zoom.nl
URL block, Defender impersonation protection.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 09:39:22 -07:00


Cascades Tucson — Tenant-Wide Phishing Sweep and Purge

Date: 2026-04-20
Tenant: Cascades Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)
Subject: Tenant-wide (46 internal mailboxes)
Tool: Claude-MSP-Access / ComputerGuru - AI Remediation (App ID fabb3421-8b34-484b-bc17-e46de9703418)
Scope: Read-only sweep + explicit deletion action (authorized by Mike in chat, "a" = delete Groups A+B)
Operator: Mike Swanson (mike@azcomputerguru.com)

Summary

  • Triggered by John Trozzi reporting a spoof email at 12:23 UTC. Initial check on John (see 2026-04-20-john-trozzi-spoof-email-check.md) found him clean and confirmed he was reporting, not compromised. Tenant-wide sweep expanded the investigation.
  • 14 phishing messages found across 7 mailboxes spanning 2026-03-21 through 2026-04-20 — a sustained ~1-month campaign from at least 4 distinct attacker IPs plus a compromised-M365-tenant relay.
  • 14 / 14 messages deleted (13 succeeded on first attempt; 1 retry for Lois Lane after she moved the message to Archive between scan and delete).
  • 3 false positives correctly excluded: the "HRPYDBRUNFOC…xlsx" thread is Ashley Jensen's legitimate internal HR export from 2026-03-09, with replies from JD Martin and Alyssa Brooks. Not phishing.
  • 4 Sent Items items preserved as evidence (user forwards to MSP).
  • Recommended blocks: Ukraine (UA) region, 139.28.37.117 / 104.168.101.10 / 207.189.10.75 / 91.244.70.212 specific IPs, and zoom.nl domain in URL filters. Publish DMARC p=reject for cascadestucson.com to kill the domain-spoofing vector.

Attacker origins (for regional blocking decisions)

Two distinct delivery patterns:

Pattern 1 — External bulletproof/cheap hosting (April 2026)

| IP | Country | PTR / Hoster | Language header | Messages | Target(s) |
|---|---|---|---|---|---|
| 139.28.37.117 | UA | 139.28.37.117.deltahost-ptr (Deltahost, Ukraine — bulletproof hosting) | vi (Vietnamese) / en | 2 | john.trozzi (4/20) |
| 104.168.101.10 | US | 104-168-101-10-host.colocrossing.com (ColoCrossing NY) | th (Thai) | 3 | lois.lane (4/17), megan.hiatt (4/17 + 4/18) |
| 207.189.10.75 | DE | no reverse DNS (InfoDomainNonexistent) | en | 1 | dax.howard (4/17) |
| 91.244.70.212 | AT | (Austria, cheap hosting) | en | 1 | megan.hiatt (4/17) |

All 7 had SPF=fail, DMARC=fail, DKIM=none, envelope sender spoofed to recipient's own address. Microsoft let them through (SFV:NSPM, SCL:1, compauth=pass reason=703) because cascadestucson.com has DMARC p=none (observational, not enforcing). The reason=703 specifically means "composite auth passed in the absence of an explicit DMARC reject policy" — i.e. a DMARC policy change to p=quarantine or p=reject would have blocked every one of these.

Pattern 2 — Compromised M365 tenant relay (March 2026)

| IP (IPv6) | Source | Messages | Target(s) |
|---|---|---|---|
| 2a01:111:f403:c104:: / :c103::3 / :c100::f / :c110::1 / :c10c::1 | Microsoft 365 Exchange Online datacenter (compromised customer tenant being used as a relay) | 6 | meredith.kuhn, anna.pitzlin, ann.dery |

SPF/DMARC pass because the compromised source tenant had valid SPF/DKIM. Only reliable signal was the content:

  • Envelope DocExchange_Noreply-m939k6d7.r.us_west_2.awstrack.me (AWS SES click-tracking host masking the real sender)
  • URL unwraps to us02web.zoom.nl/j/81163775943?pwd=… and zoom.nl is NOT Zoom: .nl is the Netherlands TLD, and the real Zoom is zoom.us. Classic lookalike-domain redirect.
  • Subject carries a REF#<40-char-hex> hash, which is a fingerprint of this operator.

Regional / TABL block recommendations

| Recommendation | Rationale |
|---|---|
| Block UA at Microsoft Defender for Office 365 country filter (if available in E3+) | Deltahost is persistent infrastructure, 2 confirmed phishes in one day |
| Add 139.28.37.117, 104.168.101.10, 207.189.10.75, 91.244.70.212 to Exchange TABL IP Block List | Exact IPs; cheaper than broad regional block; will stop retransmission from the same hosts |
| Add zoom.nl and awstrack.me to Exchange URL/domain block list | The compromised-tenant phishes use these for redirect; blocking kills that vector |
| Publish DMARC p=quarantine or p=reject for cascadestucson.com (highest-leverage change) | Would have blocked ALL 8 external-hosting phishes because they all spoofed the domain and failed SPF/DMARC |
| Enable Microsoft Defender impersonation protection for cascadestucson.com domain | Catches "cascadestucson" lookalike-domain attempts before they land |

The Thai-language header (LANG:th) on ColoCrossing, Vietnamese on Deltahost, and English on the DE/AT hosts suggest a Southeast Asia-based operator using geographically distributed sending infrastructure. Blocking any single region is only a partial defense; DMARC enforcement is the real fix.

Scan methodology

  1. Pulled all 53 Cascades tenant users via Graph /v1.0/users; filtered to 46 internal mailboxes (excluding #EXT# guests).
  2. Three search passes with Graph $search + client-side filter:
    • Subject contains 32+ hex chars (attacker hash signature)
    • Subject contains "ATTN expire / Mailbox Expire / Service Termination / Password expire / Login Expire"
    • Subject contains "Pending Documents expires / Executed NDA Agreement / Approval Pending Review"
  3. Paginated follow-up scans for John and Lois (initial $top=500 truncated their result sets).
  4. For each hit: resolved folder name, fetched full internetMessageHeaders, extracted origin IP / country / language / SPF / DMARC / envelope-from, and pulled bodyPreview for content-based classification.
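As an added example (not the report's own tooling), the subject passes from step 2 and the per-hit header enrichment from step 4 as a classifier over Graph-shaped message records. Header names are standard Exchange Online headers; the sample message is constructed to mimic Pattern 1, and the reason=703 / envelope-host rules are the ones the report describes.

```python
import re

# Added example (not the report's own script): the sweep's subject passes plus per-hit
# header enrichment over Graph-shaped message records; sample values are constructed.
HEX_SIG = re.compile(r"[0-9a-f]{32,}", re.I)            # attacker hash signature
LURES = ("attn expire", "mailbox expire", "service termination", "password expire",
         "login expire", "pending documents expires", "executed nda agreement",
         "approval pending review")
RELAY_HOSTS = ("awstrack.me",)                           # Group B envelope host

def header(headers, name):  # internetMessageHeaders is a list of {"name", "value"} dicts
    return next((h["value"] for h in headers if h["name"].lower() == name.lower()), "")

def subject_hit(subject):
    s = subject.lower()
    if HEX_SIG.search(s):
        return "hex-signature"
    return "lure-phrase" if any(p in s for p in LURES) else None

def classify(msg):
    hit = subject_hit(msg["subject"])
    if hit is None:
        return None                                      # not a signature match
    hdrs = msg["internetMessageHeaders"]
    ar = header(hdrs, "Authentication-Results").lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", ar))
    reason = re.search(r"reason=(\d+)", ar)
    # X-Forefront-Antispam-Report carries CIP (connecting IP), CTRY, LANG, SCL, SFV.
    fas = dict(re.findall(r"\b(CIP|CTRY|LANG|SCL|SFV):([^;]*)",
                          header(hdrs, "X-Forefront-Antispam-Report")))
    env = header(hdrs, "Return-Path").strip("<> ")
    out = {"hit": hit, "ip": fas.get("CIP"), "country": fas.get("CTRY"), "lang": fas.get("LANG"),
           "spf": auth.get("spf"), "dmarc": auth.get("dmarc"), "envelope": env,
           "reason": reason.group(1) if reason else None}
    # reason=703: composite auth passed only because the From domain is DMARC p=none.
    out["dmarc_enforcement_would_block"] = (
        out["spf"] == "fail" and out["dmarc"] == "fail" and out["reason"] == "703")
    # Relay pattern: SPF/DMARC pass, so the envelope host is the remaining signal.
    out["relay_pattern"] = env.rsplit("@", 1)[-1].endswith(RELAY_HOSTS)
    return out

# Constructed sample mimicking Pattern 1 (spoofed-to-self envelope, Deltahost origin).
PATTERN1 = {"subject": "Action Required: Service Termination Alert 32d38cbb" + "0" * 24,
            "internetMessageHeaders": [
                {"name": "Return-Path", "value": "<john.trozzi@cascadestucson.com>"},
                {"name": "Authentication-Results", "value": "spf=fail (sender IP is 139.28.37.117)"
                 " smtp.mailfrom=cascadestucson.com; dkim=none; dmarc=fail action=none"
                 " header.from=cascadestucson.com; compauth=pass reason=703"},
                {"name": "X-Forefront-Antispam-Report", "value": "CIP:139.28.37.117;CTRY:UA;LANG:vi;SCL:1;SFV:NSPM;"}]}
```

Run `classify(PATTERN1)` to see the enrichment dict for the Pattern 1 sample; a message whose envelope resolves to awstrack.me with passing SPF/DMARC comes back with `relay_pattern` set instead.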

Deletion inventory — 14 targets

Group A — external-hosting phishing (8 messages, all DELETED)

| # | Mailbox | Folder (at scan) | Subject | Origin IP | Country | Result |
|---|---|---|---|---|---|---|
| 1 | dax.howard | Inbox | NSA: Cascadestucson Executed NDA Agreement Ref: 3a52d24c… | 207.189.10.75 | DE | DELETED 16:34:00Z |
| 2 | lois.lane | Inbox → Archive | ATTN : Mailbox Login Expire today, 4/17/2026 - 7578c86fe50e… | 104.168.101.10 | US | DELETED 16:34:32Z (retry) |
| 3 | john.trozzi | Inbox | ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2… | 139.28.37.117 | UA | DELETED 16:33:57Z |
| 4 | john.trozzi | Inbox | Action Required: Service Termination Alert 32d38cbb… | 139.28.37.117 | UA | DELETED 16:33:59Z |
| 5 | megan.hiatt | Deleted Items | Re: HR Documents Approval Pending Review Ref/ID#: 0f70944d… | 91.244.70.212 | AT | DELETED 16:33:52Z (purged) |
| 6 | megan.hiatt | Deleted Items | ATTN : Mailbox Login Expire today, 4/17/2026 - 123a5bc9ed53e… | 104.168.101.10 | US | DELETED 16:33:53Z (purged) |
| 7 | megan.hiatt | Deleted Items | ATTN : Mailbox Login Expire today, 4/18/2026 - fecac7931c86… | 104.168.101.10 | US | DELETED 16:33:51Z (purged) |
| 8 | megan.hiatt | Deleted Items | Undeliverable: FW: HR Documents (bounce of her fwd to info@azcomputeguru.com — typo) | | | DELETED 16:33:49Z (purged) |

Group B — compromised-M365-tenant phishing (6 messages, all DELETED)

| # | Mailbox | Folder (at scan) | Subject | Envelope-From | Result |
|---|---|---|---|---|---|
| 9 | meredith.kuhn | Deleted Items | Document Ready for Review REF#99dab116… | DocExchange_Noreply…awstrack.me (→zoom.nl) | DELETED 16:33:45Z |
| 10 | meredith.kuhn | Deleted Items | Request for Quotation: Urban Choice Charter Project REF:3234627582… | lmccarthy@urbanchoicecharter.org | DELETED 16:33:46Z |
| 11 | anna.pitzlin | Inbox | Document Ready for Review REF#e8003bb2… | DocExchange_Noreply…awstrack.me | DELETED 16:33:55Z |
| 12 | anna.pitzlin | Inbox | Request for Quotation: Urban Choice Charter Project REF:3239883791… | lmccarthy@urbanchoicecharter.org | DELETED 16:33:56Z |
| 13 | ann.dery | Inbox | Document Ready for Review REF#ec4be8f2… | DocExchange_Noreply…awstrack.me | DELETED 16:34:02Z |
| 14 | ann.dery | Junk Email | Request for Quotation: Urban Choice Charter Project REF:953054e0… | lmccarthy@urbanchoicecharter.org | DELETED 16:34:03Z |

Group C — false positives (EXCLUDED from deletion — NOT phishing)

The "HRPYDBRUNFOCb5b92c8c81854eb7afd33163c34118b7kktvrgsygrzrxvisedqvpsvfh55878.xlsx" thread is Ashley Jensen's legitimate 2026-03-09 employee roster export from an HR system that generates long hashed filenames. JD Martin replied to Ashley on 2026-03-10 and Alyssa Brooks replied on 2026-03-21 with payroll corrections. Internal HR correspondence.

  • ashley.jensen / Inbox — JD Martin's "RE:" reply to her original
  • jd.martin / Inbox — JD's own copy of Ashley's original (via CC or reply-all)
  • alyssa.brooks / Sent Items — her "RE:" reply to ashley.jensen

Group D — user outbound forwards (EXCLUDED from deletion — kept as evidence)

| Mailbox | Folder | Subject | To | Note |
|---|---|---|---|---|
| john.trozzi | Sent Items | Fw: ATTN!! — Pending 5 (Pages) Documents… | howard@azcomputerguru.com | John's forward to MSP, body: "Getting spoof emails this morning" |
| megan.hiatt | Sent Items | FW: HR Documents Approval Pending Review… (17:37) | info@azcomputeguru.com (TYPO) | Megan's 1st forward attempt, bounced |
| megan.hiatt | Sent Items | FW: HR Documents Approval Pending Review… (17:38) | info@azcomputerguru.com | Megan's 2nd forward, delivered |

These are evidence of user reporting; preserved per MSP workflow. Mike can purge later if desired.

Deletion log

Full structured log at /tmp/cascades_phishsweep/delete_log/2026-04-20T163343_deletions.jsonl.

Summary: 14 success (13 on first try, 1 retry for Lois after user-move to Archive), 0 remaining failures.

Next actions (prioritized)

  1. [HIGH] Publish DMARC p=quarantine for cascadestucson.com. This is the single change that would block every external-spoofing phish. Start at p=quarantine pct=25 to ease in, move to p=reject once you've watched reports for a week. Single-biggest leverage item.
  2. [HIGH] Add to Exchange TABL IP Block List: 139.28.37.117, 104.168.101.10, 207.189.10.75, 91.244.70.212. Blocks re-use of the same infrastructure.
  3. [HIGH] Add URL/domain block: zoom.nl, *.awstrack.me. Kills the compromised-tenant redirect vector.
  4. [MEDIUM] Talk to the 5 targeted users (John, Lois, Dax, Megan, Meredith, Anna, Ann) — confirm none clicked or entered credentials. Pay extra attention to Megan (repeatedly targeted: 4 messages over 2 days) and John (targeted today with two variants one hour apart).
  5. [MEDIUM] Enable Defender anti-phish impersonation protection for cascadestucson.com as a protected domain (if tenant has M365 Business Premium / E5 — verify SKU).
  6. [MEDIUM] Baseline sweep of the remaining 39 mailboxes not hit this time. Only 7 of 46 users were targeted in this 30-day window; the operator may cycle through the rest next month.
  7. [LOW] Consider country-level mail filter for UA/AT inbound. These have near-zero legitimate traffic to a Tucson senior-living facility. Only if DMARC enforcement isn't fast enough.
  8. Run again in 7 days to verify no recurrence and to catch any variants that used subjects we didn't match.

Data artifacts

All raw scan + deletion artifacts under /tmp/cascades_phishsweep/:

  • users.tsv — list of 46 internal mailboxes scanned
  • junk_sweep.jsonl — all signature-matched hits from all mailboxes
  • campaign_enriched2.jsonl — final enriched list with folder + IP + country + auth for 20 matches (16 true phish + 4 false-positive HR thread)
  • campaign_final.json — deduplicated 20 unique messages
  • headers/ — per-message JSON including full internetMessageHeaders for each match
  • targets.jsonl — the 14 deletion targets
  • delete_log/2026-04-20T163343_deletions.jsonl — structured log of all 14 DELETE calls, with HTTP codes and timestamps