Mike Swanson fa15b03180 sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00
Synced files:
- Quote wizard frontend (all components, hooks, types, config)
- API updates (config, models, routers, schemas, services)
- Client work (bg-builders, gurushow)
- Scripts (BGB Lesley termination, CIPP, Datto, migration)
- Temp files (Bardach contacts, VWP investigation, misc)
- Credentials and session logs
- Email service, PHP API, session logs

Machine: ACG-M-L5090
Timestamp: 2026-03-10 19:11:00

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 19:59:08 -07:00

# Valley Wide Plastering - BEC Incident Notes
**Date:** 2026-03-05

**Tenant:** valleywideplastering.com (5c53ae9f-7071-4248-b834-8685b646450f)

**Reported by:** JR Guerrero - reports contacts receiving malicious emails from his account

---
## Timeline
- **~2026-03-04 or earlier:** Attacker gains access to j-r@valleywideplastering.com
- **2026-03-04 18:56 UTC:** Attacker MFA device (iPhone 12 Pro Max) token refreshed
- **2026-03-04 20:21 UTC:** 27 rapid failed sign-ins from 23.234.100.200 (Chicago) using app "ppuxdevcenter" - blocked by Conditional Access after policy was applied
- **2026-03-05 ~15:00 UTC:** Sysadmin notified, investigation begins
- **2026-03-05 15:08 UTC:** Password reset by sysadmin, sessions revoked
- **2026-03-05 15:39 UTC:** Attacker iPhone 12 Pro Max authenticator removed, JR re-enrolled iPhone 16 Pro Max
- **2026-03-05:** Investigation, remediation, CA policy creation, victim notification

---
## Compromise Details
**Compromised account:** j-r@valleywideplastering.com (JR Guerrero)

**User ID:** 0af923d0-48c5-4cc1-8553-c60625802815

**Attack method:** Box.com phishing campaign
- Attacker shared malicious file "Valley Wide Plastering, INC......pdf" via Box.com using JR's identity
- File ID on Box: 2155046839008
- Invitations sent to JR's business contacts through Box sharing feature
**Attacker persistence mechanisms found:**
1. Inbox rule ".." (two dots) - Condition: body/subject contains "box.com" - Action: move to Archive, mark read, stop processing
2. Inbox rule "." (single dot) - No visible conditions (catch-all) - Action: move to Archive, mark read, stop processing
3. MFA device registered: iPhone 12 Pro Max (not JR's - he has iPhone 16 Pro Max)
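The two inbox rules above show the classic BEC hiding pattern: an unreadable name, a catch-all or platform-specific condition, and an action set that moves mail to Archive, marks it read and stops further processing. The following is an added triage script, not one of the investigation scripts listed in this file; it scores Microsoft Graph `messageRule` objects against that pattern. The rule records and the folder-id lookup table are constructed to mirror the findings above (the `.` and `..` rules plus a benign rule); the `FOLDER_NAMES` mapping is an assumption standing in for a prior `mailFolders` lookup, since Graph returns opaque folder ids in `moveToFolder`.

```python
"""Triage Microsoft Graph messageRule objects for BEC-style persistence.

Added example, not one of the incident's own scripts. Records are constructed
in the shape of Graph messageRule resources (displayName, conditions, actions).
"""
import re

# Assumption: folder ids resolved beforehand from GET /users/{id}/mailFolders
# (constructed ids; real ones are long opaque strings).
FOLDER_NAMES = {
    "AAMkAGFyY2hpdmU=": "archive",
    "AAMkAGluYm94": "inbox",
}

# Folders attackers commonly use to hide mail from the mailbox owner.
HIDING_FOLDERS = {"archive", "deleteditems", "junkemail", "rssfeeds", "conversationhistory"}

# Constructed watchlist of condition terms seen in BEC rules (box.com comes from this incident).
SUSPICIOUS_TERMS = {"box.com", "hacked", "phish", "password", "suspicious", "compromised"}

# Constructed sample: the two attacker rules found on the mailbox plus one benign rule.
SAMPLE_RULES = [
    {"displayName": "..", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["box.com"]},
     "actions": {"moveToFolder": "AAMkAGFyY2hpdmU=", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {},
     "actions": {"moveToFolder": "AAMkAGFyY2hpdmU=", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": "Pulte invoices", "isEnabled": True,
     "conditions": {"senderContains": ["pulte.com"]},
     "actions": {"moveToFolder": "AAMkAGluYm94"}},
]


def triage_rule(rule, folder_names=FOLDER_NAMES):
    """Return the list of reasons a rule looks like attacker persistence (empty if benign)."""
    reasons = []
    name = rule.get("displayName") or ""
    conditions = rule.get("conditions") or {}
    actions = rule.get("actions") or {}

    # 1. Name: empty or made only of punctuation/whitespace ('.', '..', ',' ...).
    if not name.strip() or re.fullmatch(r"[\W_]+", name):
        reasons.append("non-descriptive name (empty/punctuation-only)")

    # 2. Conditions: none at all means the rule matches every inbound message.
    if not conditions:
        reasons.append("no conditions (catch-all)")
    terms = [t.lower() for key in ("bodyOrSubjectContains", "subjectContains", "bodyContains")
             for t in conditions.get(key, [])]
    hits = sorted(t for t in terms if any(s in t for s in SUSPICIOUS_TERMS))
    if hits:
        reasons.append(f"condition matches watchlist terms: {hits}")

    # 3. Actions: hide the message, mark it read, stop the user's own rules, or leak it outside.
    target = folder_names.get(actions.get("moveToFolder", ""), "").lower()
    if target in HIDING_FOLDERS:
        reasons.append(f"moves mail to hiding folder '{target}'")
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    if actions.get("markAsRead"):
        reasons.append("marks mail as read (suppresses unread badge)")
    if actions.get("stopProcessingRules"):
        reasons.append("stops processing later rules")
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        recipients = [r.get("emailAddress", {}).get("address", "?") for r in actions.get(key) or []]
        if recipients:
            reasons.append(f"{key} -> {recipients}")
    return reasons


def suspicious_rules(rules, min_reasons=2):
    """Rules with at least min_reasons findings, worst first; disabled rules are still reported."""
    scored = [(len(triage_rule(r)), r) for r in rules]
    return [r for n, r in sorted(scored, key=lambda x: -x[0]) if n >= min_reasons]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(repr(rule["displayName"]), "->", triage_rule(rule) or "benign")
```

In a live tenant the input would be the `value` array from `GET /users/{id}/mailFolders/inbox/messageRules`, and the `.` rule would be caught even without the folder lookup because the empty-conditions and stop-processing findings alone exceed the threshold.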
**Attacker IPs:**
- 23.234.100.200 - Chicago, IL (30 sign-ins, 27 failed after CA policy)
- 23.234.100.73 - Chicago, IL (9 sign-ins)
- 23.234.101.73 - Brooklyn, NY (5 sign-ins, some successful)

---
## Remediation Actions Taken
- [x] Password reset + force change on next sign-in
- [x] All sign-in sessions revoked
- [x] Malicious inbox rule ".." deleted (HTTP 204)
- [x] Malicious inbox rule "." deleted (HTTP 204)
- [x] Attacker MFA device (iPhone 12 Pro Max) removed
- [x] 447 messages moved from Archive back to Inbox (hidden by attacker rules)
- [x] Conditional Access policy created: "Block Sign-ins Outside US" (enforced)
  - Policy ID: db34605c-c778-4b37-bf25-9a3a7cdbee0c
  - Named location: "Allowed Countries - US Only" (14ea32d1-dd6f-4fb1-83f7-d6f840df82fa)
  - Excludes: sysadmin@ (break-glass)
- [x] Notification email sent to 133 victims (BCC) from JR's account

---
## billing@ Investigation
**Account:** billing@valleywideplastering.com (4f708b80-e537-4f63-92d3-5feedfa28244)
- Attacker IPs (23.234.100.200, 23.234.101.73) appeared in billing sign-in logs
- Inbox rules reviewed: all legitimate (Tim Wolf, Pulte, hibu)
- Sent mail reviewed: no malicious activity detected
- Auth methods: Samsung S24, phone - appear legitimate
- **Assessment:** Targeted but NOT compromised at mailbox level
- Password reset attempted via API (403 - insufficient privileges), user reset manually
- Sessions revoked

---
## Phishing Impact
**Total identified victims:** 133 notified (125 external + 8 internal VWP)

**~175 total who clicked** (from Box acceptance notifications, not all emails resolved)

**VWP internal users targeted:**
- billing@, customerservice@, estimating@, ferminm@, franciscoa@, jesse@, ron@, teresa@
**Top affected external organizations:**
- Brewer Companies: 12 recipients
- Austin Companies: 11
- Pulte/PulteGroup/Del Webb: 12
- Diversified Roofing: 6
- 3-G Construction: 6
- MCR Trust: 6
- Paul Johnson Drywall: 5
- VW Connect LLC: 3
- Fairbanks AZ: 3
- SRP: 3

---
## Outstanding / Follow-up
- [ ] Box.com file takedown - "Valley Wide Plastering, INC......pdf" (file ID 2155046839008) still live on Box. Contact Box support or access Box admin to revoke sharing.
- [ ] Confirm JR's MFA phone (+1 480-797-6102) is his
- [ ] Confirm billing's MFA phone (+1 619-244-8933) and Samsung S24 are hers
- [ ] ~42 victim names could not be resolved to email addresses (no email found in Exchange)
- [ ] Monitor sign-in logs for attacker IP recurrence over next 30 days
- [ ] Consider enabling MFA for all VWP accounts if not already universal
- [ ] Review other VWP accounts for foreign sign-ins (investigation flagged 11 of 33 accounts with foreign country sign-ins - may warrant broader remediation)
- [ ] Check if attacker exfiltrated any data via Box or email forwarding
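The attacker IP list in Compromise Details and the follow-up items to watch for IP recurrence and to review the 11 of 33 accounts with foreign sign-ins all come down to the same pass over Entra ID sign-in records. The script below is an added example, not one of this file's investigation scripts; it summarises per account the watchlist-IP hits (including successful sign-ins from those IPs), failure bursts like the 27 rapid failures seen from 23.234.100.200, and sign-ins from outside the allowed country set. The records are constructed in the shape of Graph `signIn` resources (`createdDateTime`, `userPrincipalName`, `ipAddress`, `appDisplayName`, `status.errorCode`, `location.countryOrRegion`, `conditionalAccessStatus`); the watchlist IPs are the three from this document, the country `DE` and the non-watchlist addresses are constructed sample values.

```python
"""Per-account summary of Entra ID sign-in records: watchlist IP recurrence,
failure bursts and sign-ins from outside the allowed countries.

Added example, not one of the incident's own scripts. SAMPLE_SIGNINS is
constructed in the shape of Microsoft Graph signIn resources.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHLIST_IPS = {"23.234.100.200", "23.234.100.73", "23.234.101.73"}  # from the incident notes
ALLOWED_COUNTRIES = {"US"}  # matches the "Allowed Countries - US Only" named location


def _ts(value):
    """Parse a Graph ISO-8601 timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample: a 5-failure burst from a watchlist IP (53003 = blocked by
# Conditional Access), one success from another watchlist IP, one foreign sign-in,
# and one ordinary US sign-in. Non-watchlist IPs are documentation-range addresses.
SAMPLE_SIGNINS = [
    {"createdDateTime": f"2026-03-04T20:21:{sec:02d}Z",
     "userPrincipalName": "j-r@valleywideplastering.com",
     "ipAddress": "23.234.100.200", "appDisplayName": "ppuxdevcenter",
     "status": {"errorCode": 53003}, "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "failure"}
    for sec in range(0, 50, 10)
] + [
    {"createdDateTime": "2026-03-04T18:40:00Z",
     "userPrincipalName": "j-r@valleywideplastering.com",
     "ipAddress": "23.234.101.73", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2026-03-03T09:12:00Z",
     "userPrincipalName": "ron@valleywideplastering.com",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "DE"},
     "conditionalAccessStatus": "notApplied"},
    {"createdDateTime": "2026-03-03T14:00:00Z",
     "userPrincipalName": "billing@valleywideplastering.com",
     "ipAddress": "198.51.100.20", "appDisplayName": "Outlook",
     "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"},
     "conditionalAccessStatus": "success"},
]


def analyse_signins(records, burst_threshold=5, window=timedelta(minutes=5),
                    watchlist=WATCHLIST_IPS, allowed=ALLOWED_COUNTRIES):
    """Return {upn: summary} with watchlist hits, foreign countries and failure bursts."""
    per_user = defaultdict(lambda: {"watchlist_ips": set(), "successes_from_watchlist": 0,
                                    "foreign_countries": set(), "bursts": []})
    failures = defaultdict(list)  # (upn, ip) -> timestamps of failed sign-ins

    for rec in records:
        upn = rec["userPrincipalName"]
        ip = rec.get("ipAddress")
        summary = per_user[upn]
        country = (rec.get("location") or {}).get("countryOrRegion")
        failed = (rec.get("status") or {}).get("errorCode", 0) != 0

        if ip in watchlist:
            summary["watchlist_ips"].add(ip)
            if not failed:  # a success from a known-bad IP means the session must be revoked
                summary["successes_from_watchlist"] += 1
        if country and country not in allowed:
            summary["foreign_countries"].add(country)
        if failed:
            failures[(upn, ip)].append(_ts(rec["createdDateTime"]))

    # Sliding window over each (user, ip) failure series: the densest window size.
    for (upn, ip), times in failures.items():
        times.sort()
        best, start = 0, 0
        for i, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            best = max(best, i - start + 1)
        if best >= burst_threshold:
            per_user[upn]["bursts"].append(
                {"ip": ip, "count": best, "window_minutes": window.total_seconds() / 60})
    return dict(per_user)


def accounts_needing_review(summary):
    """Sorted UPNs with any finding: watchlist IP, foreign country or failure burst."""
    return sorted(upn for upn, s in summary.items()
                  if s["watchlist_ips"] or s["foreign_countries"] or s["bursts"])


if __name__ == "__main__":
    result = analyse_signins(SAMPLE_SIGNINS)
    for upn in accounts_needing_review(result):
        print(upn, result[upn])
```

For the 30-day monitoring item the same function can be run daily over `GET /auditLogs/signIns` filtered by `createdDateTime`, and any non-empty `watchlist_ips` or `successes_from_watchlist` for an account is the signal to revoke sessions again and re-check its inbox rules.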
---
## Files / Artifacts
| File | Description |
|------|-------------|
| vwp_bec_jr.py | JR investigation script |
| vwp_bec_billing.py | Billing investigation + remediation script |
| vwp_bec_investigation.py | Full tenant investigation (sign-ins, lateral movement) |
| vwp_bec_results.json | Raw investigation results |
| vwp_extract_victim_emails.py | Box notification email parsing |
| vwp_exchange_trace.py | Exchange sent items search for recipient emails |
| vwp_exchange_recipients.json | All identified victim email addresses |
| vwp_resolve_victims.py | Name-to-email resolution via contacts/mail search |
| vwp_resolved_victims.json | Resolution results |
| vwp_send_notification.py | Notification email send script |
| vwp_signins_raw.json | Raw sign-in log data |
| vwp_investigation_output.txt | Full investigation console output |