claudetools/clients/cascades-tucson/reports/2026-04-20-user-breach-john-trozzi.md
Mike Swanson 9694b4d521 sync: auto-sync from DESKTOP-0O8A1RL at 2026-04-20 08:05:31
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-04-20 08:05:31
2026-04-20 08:05:34 -07:00

User Breach Check: John Trozzi

Date: 2026-04-20
Tenant: Cascades of Tucson (cascadestucson.com, 207fa277-e9d8-4eb7-ada1-1064d2221498)
Subject: john.trozzi@cascadestucson.com
Tool: Claude-MSP-Access / ComputerGuru - AI Remediation (App ID fabb3421-8b34-484b-bc17-e46de9703418)
Scope: read-only
Trigger: John reported spoofed email arriving in his inbox

Summary

  • Account shows NO indicators of compromise
  • Spoofed/phishing email is INBOUND — not originating from John's account
  • John forwarded one sample to howard@azcomputerguru.com this morning: classic credential phishing template ("ATTN!! Pending Documents expires in 2 days")
  • April 16 password reset (self-service by John, confirmed by audit log) was legitimate
  • OAuth grant with EAS + Exchange.Manage scope is consistent with Outlook mobile / native mail client
  • Next action: get original headers from John to identify spoofing vector; review Defender anti-phishing policy for tenant

Target Details

| Field | Value |
|---|---|
| UPN | john.trozzi@cascadestucson.com |
| Object ID | a638f4b9-6936-4401-a9b7-015b9900e49e |
| Account Enabled | true |
| Created | 2022-02-18 |
| Last Password Change | 2026-04-16T16:05:11Z (self-service reset by John) |

Per-Check Findings

1. Inbox rules (Graph)

0 rules. Clean.

2. Mailbox forwarding / settings

No forwarding configured. ForwardingAddress and ForwardingSmtpAddress both null.

3. Exchange REST (hidden rules, delegates, SendAs, Get-Mailbox)

  • Hidden rules: 1 — the default "Junk E-mail Rule" (system rule, benign, present on all mailboxes)
  • Mailbox permissions: 0 non-SELF
  • SendAs: 0 non-SELF
  • Forwarding (Get-Mailbox): fwdAddr=null, fwdSmtp=null — clean

4. OAuth consents + app role assignments

  • App 3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e (not found as SP in tenant — likely MS first-party):
    • User.Read (Principal consent)
    • EAS.AccessAsUser.All Exchange.Manage (Principal consent) — consistent with Outlook mobile or native iOS/Android mail client
  • 1 app role assignment (no detail flagged as unusual)

No unknown third-party apps with mail access.

5. Authentication methods

5 methods registered. Created dates:

  • 2026-04-16T16:05:11Z (same day as SSPR — MFA re-registration during reset, expected)
  • 2026-02-12T01:25:40Z
  • 2026-02-12T01:23:45Z
  • 2 additional (dates not returned by API)

Nothing registered outside of the April 16 reset window that would indicate an attacker adding a backdoor auth method.

6. Sign-ins (30d)

12 interactive sign-ins. 0 non-US. No failures noted. Clean.

7. Directory audits (30d)

41 events — all clustered on 2026-04-16 and all attributed to:

  • john.trozzi@cascadestucson.com
  • Microsoft password reset service
  • Azure MFA StrongAuthenticationService

This is the normal audit burst from a self-service password reset. No suspicious changes to auth methods, roles, or policies outside this window.

8. Risky users / risk detections

No risky user flag. 0 risk detections. Identity Protection shows clean.

9. Sent items (recent 25)

Notable items:

  • 2026-04-20T12:26:51Z "Spoof emails" to mike@azcomputerguru.com (John's report to us)
  • 2026-04-20T12:23:50Z "Fw: ATTN!! — Pending 5 (Pages) Documents expires in 2 days REF, ID:f1bb60a2a1d6ae023a3c3e0c0f959a8d" to howard@azcomputerguru.com (forwarded phishing sample)
  • Remaining items are normal business correspondence (Home Depot orders, vendor emails, Model 1 Commercial Vehicles follow-up, internal UE estimate reply)

No blast patterns or unusual external recipients.

10. Deleted items (recent 25)

25 items in Deleted Items — not reviewed individually. No elevated concern, given that the account is clean on every other check.
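
Triage logic for checks 1 through 5 above, as an added example that is not the report tool's own code. The shape of the artifact dict (keys loosely named after the JSON files listed under Data Artifacts) is an assumption, and the sample is constructed to mirror John's clean findings, so the function returns no findings for it.

```python
# Added example, not the report's tooling; the artifact dict shape is an assumption.
from datetime import datetime, timedelta

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "full_access_as_user"}
KNOWN_APPS = {"3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e"}  # first-party app from check 4
SELF = "NT AUTHORITY\\SELF"

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def triage(a):
    """Return (severity, message) findings for one mailbox; [] means clean."""
    f = []
    # checks 1 and 3a: rules that forward, redirect or delete mail are BEC persistence
    for r in a["inbox_rules"] + a["hidden_rules"]:
        if r["name"] == "Junk E-mail Rule":
            continue  # system rule present on every mailbox, benign
        if any(r.get("actions", {}).get(k) for k in ("forwardTo", "redirectTo", "delete")):
            f.append(("HIGH", f"rule '{r['name']}' forwards or deletes mail"))
    # checks 2 and 3d: mailbox-level forwarding
    for k in ("ForwardingAddress", "ForwardingSmtpAddress"):
        if a["mailbox"].get(k):
            f.append(("HIGH", f"{k} = {a['mailbox'][k]}"))
    # checks 3b/3c: FullAccess delegates and SendAs other than SELF
    for p in a["permissions"]:
        if p["user"].upper() != SELF:
            f.append(("MEDIUM", f"non-SELF mailbox right for {p['user']}"))
    # check 4: apps we have not vetted holding mail scopes
    for g in a["oauth_grants"]:
        held = set(g["scope"].split()) & MAIL_SCOPES
        if g["clientId"] not in KNOWN_APPS and held:
            f.append(("HIGH", f"unvetted app {g['clientId']} holds {sorted(held)}"))
    # check 5: auth methods registered after the password-reset window (+1h)
    cutoff = parse_ts(a["last_password_change"]) + timedelta(hours=1)
    for m in a["auth_methods"]:
        if m.get("createdDateTime") and parse_ts(m["createdDateTime"]) > cutoff:
            f.append(("MEDIUM", f"auth method {m['id']} added after reset window"))
    return f

# Constructed sample mirroring the report's clean findings for John
CLEAN = {
    "inbox_rules": [], "hidden_rules": [{"name": "Junk E-mail Rule"}],
    "mailbox": {"ForwardingAddress": None, "ForwardingSmtpAddress": None},
    "permissions": [{"user": SELF}],
    "oauth_grants": [{"clientId": "3508ac12-63ff-4cc5-8edb-f3bb9ca63e4e",
                      "scope": "User.Read EAS.AccessAsUser.All Exchange.Manage"}],
    "last_password_change": "2026-04-16T16:05:11Z",
    "auth_methods": [{"id": "m1", "createdDateTime": "2026-04-16T16:05:11Z"},
                     {"id": "m2", "createdDateTime": "2026-02-12T01:25:40Z"}, {"id": "m3"}],
}
```

Running `triage(CLEAN)` returns an empty list; a forwarding rule or an auth method added days after the reset would each produce a finding.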

Suspicious Items

None found. Account is clean.

  • [INFO] Inbound phishing confirmed — John forwarded a sample to Howard. Subject line is a credential-harvest template.
  • [INFO] April 16 password reset was user-initiated self-service, confirmed by Microsoft password reset service attribution in audit log.

Gaps — Checks Not Completed

None — all 10 checks completed. Exchange REST ran successfully via EWS.AccessAsUser.All scope.

Next Actions

  1. Get headers from John — ask him to forward the original spoofed email as an attachment (not just forwarded inline) so we can examine From:, Return-Path:, Received:, and X-Originating-IP headers to identify the spoofing vector (display name spoof vs. lookalike domain vs. internal relay abuse).
  2. Check tenant anti-phishing policy — review Defender for Office 365 anti-phishing settings in the Security portal (security.microsoft.com) for cascadestucson.com. Verify impersonation protection is on and spoof intelligence is enabled.
  3. Check DMARC/SPF/DKIM — verify cascadestucson.com has a DMARC policy (ideally p=quarantine or p=reject). If a lookalike domain is spoofing them, DMARC won't stop it from being delivered TO them, but it signals whether their own domain is protected.
  4. No account remediation needed — account is clean, no action required on John's mailbox.
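
Header classification for step 1, as an added example that is not part of the report or its tooling. It assumes the original message is available as raw text (forwarded as an attachment, as step 1 asks), takes the tenant domain from the report, and uses a constructed sample whose addresses sit on reserved example domains.

```python
# Added example, not the report's tooling; message and domains are constructed.
from email import message_from_string
from email.utils import parseaddr

TENANT = "cascadestucson.com"  # tenant domain from the report

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw, tenant=TENANT):
    """Return (vector, evidence) using From, Return-Path, Received and
    Authentication-Results; vector is one of the three categories in step 1."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    hops = msg.get_all("Received", [])
    if from_dom == tenant:
        # exact-domain spoof only lands if a relay accepted it without auth
        failed = [k for k in ("spf", "dkim", "dmarc") if f"{k}=fail" in auth or f"{k}=none" in auth]
        first_hop = hops[-1] if hops else "n/a"  # Received headers are prepended
        return ("internal relay abuse", f"From is {tenant}; failed {failed}; origin hop: {first_hop}")
    if edit_distance(from_dom, tenant) <= 2 or tenant.split(".")[0] in from_dom:
        return ("lookalike domain", f"{from_dom} resembles {tenant}")
    return ("display name spoof", f"'{name}' <{addr}>, Return-Path domain {rp_dom or 'missing'}")

# Constructed sample in the shape of the forwarded phishing mail (reserved example domains)
SAMPLE = """Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.org
Authentication-Results: spf=pass smtp.mailfrom=mail.example.net; dkim=pass; dmarc=none
From: "Cascades of Tucson" <docs@mail.example.net>
To: john.trozzi@cascadestucson.com
Subject: ATTN!! Pending Documents expires in 2 days

Your documents expire in 2 days.
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The sample passes SPF and DKIM for its own domain, so only the display name is borrowed; that is exactly the case a DMARC policy on cascadestucson.com does not cover, as step 3 notes.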

Remediation Actions

None — this was a read-only check. No account compromise found.

Data Artifacts

Raw JSON: /tmp/remediation-tool/207fa277-e9d8-4eb7-ada1-1064d2221498/user-breach/john_trozzi_cascadestucson_com/

  • 00_user.json, 01_inbox_rules_graph.json, 02_mailbox_settings.json
  • 03a_InboxRule_hidden.json, 03b_MailboxPermission.json, 03c_RecipientPermission.json, 03d_Mailbox.json
  • 04a_oauth_grants.json, 04b_app_role_assignments.json, 05_auth_methods.json
  • 06_signins.json, 07_dir_audits.json, 08a_risky_user.json, 08b_risk_detections.json
  • 09_sent.json, 10_deleted.json