claudetools/temp/vwp_bec_incident_notes.md
Mike Swanson fa15b03180 sync: Auto-sync from ACG-M-L5090 at 2026-03-10 19:11:00
Synced files:
- Quote wizard frontend (all components, hooks, types, config)
- API updates (config, models, routers, schemas, services)
- Client work (bg-builders, gurushow)
- Scripts (BGB Lesley termination, CIPP, Datto, migration)
- Temp files (Bardach contacts, VWP investigation, misc)
- Credentials and session logs
- Email service, PHP API, session logs

Machine: ACG-M-L5090
Timestamp: 2026-03-10 19:11:00

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 19:59:08 -07:00


Valley Wide Plastering - BEC Incident Notes

Date: 2026-03-05
Tenant: valleywideplastering.com (5c53ae9f-7071-4248-b834-8685b646450f)
Reported by: JR Guerrero - reports contacts receiving malicious emails from his account

Timeline

  • ~2026-03-04 or earlier: Attacker gains access to j-r@valleywideplastering.com
  • 2026-03-04 18:56 UTC: Attacker MFA device (iPhone 12 Pro Max) token refreshed
  • 2026-03-04 20:21 UTC: 27 rapid failed sign-ins from 23.234.100.200 (Chicago) using app "ppuxdevcenter" - blocked by Conditional Access after policy was applied
  • 2026-03-05 ~15:00 UTC: Sysadmin notified, investigation begins
  • 2026-03-05 15:08 UTC: Password reset by sysadmin, sessions revoked
  • 2026-03-05 15:39 UTC: Attacker iPhone 12 Pro Max authenticator removed, JR re-enrolled iPhone 16 Pro Max
  • 2026-03-05: Investigation, remediation, CA policy creation, victim notification

Compromise Details

Compromised account: j-r@valleywideplastering.com (JR Guerrero)
User ID: 0af923d0-48c5-4cc1-8553-c60625802815

Attack method: Box.com phishing campaign

  • Attacker shared malicious file "Valley Wide Plastering, INC......pdf" via Box.com using JR's identity
  • File ID on Box: 2155046839008
  • Invitations sent to JR's business contacts through Box sharing feature

Attacker persistence mechanisms found:

  1. Inbox rule ".." (two dots)
     • Condition: body or subject contains "box.com"
     • Action: move to Archive, mark read, stop processing
  2. Inbox rule "." (single dot)
     • No visible conditions (catch-all)
     • Action: move to Archive, mark read, stop processing
  3. MFA device registered: iPhone 12 Pro Max (not JR's - he has iPhone 16 Pro Max)

Attacker IPs:

  • 23.234.100.200 - Chicago, IL (30 sign-ins, 27 failed after CA policy)
  • 23.234.100.73 - Chicago, IL (9 sign-ins)
  • 23.234.101.73 - Brooklyn, NY (5 sign-ins, some successful)

Remediation Actions Taken

  • Password reset + force change on next sign-in
  • All sign-in sessions revoked
  • Malicious inbox rule ".." deleted (HTTP 204)
  • Malicious inbox rule "." deleted (HTTP 204)
  • Attacker MFA device (iPhone 12 Pro Max) removed
  • 447 messages moved from Archive back to Inbox (hidden by attacker rules)
  • Conditional Access policy created: "Block Sign-ins Outside US" (enforced)
    • Policy ID: db34605c-c778-4b37-bf25-9a3a7cdbee0c
    • Named location: "Allowed Countries - US Only" (14ea32d1-dd6f-4fb1-83f7-d6f840df82fa)
    • Excludes: sysadmin@ (break-glass)
  • Notification email sent to 133 victims (BCC) from JR's account
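
The two dot-named rules listed under persistence and the restoration of the 447 archived messages are checks worth automating for the next mailbox review. The following is an added example written for these notes, not code from this page or from the vwp_bec_*.py scripts listed under Files / Artifacts. It scores inbox rules shaped like the Microsoft Graph messageRule resource (displayName, conditions, actions) and then lists which archived messages the flagged rules would have moved, which is the scoping step behind "move N messages from Archive back to Inbox". The rules and messages are constructed sample data; the scoring weights, the LURE_DOMAINS list and the `since` cut-off are assumptions.

```python
"""Triage Exchange Online inbox rules and scope the mail they hid.

Added example for these incident notes; not code from the page or from the
vwp_bec_*.py scripts.  Rules use the field names of the Microsoft Graph
messageRule resource (displayName, conditions, actions); all data below is
constructed, and the scoring weights and LURE_DOMAINS list are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# File-sharing services commonly used as phishing lures (assumption; extend).
LURE_DOMAINS = ("box.com", "dropbox.com", "sharepoint.com", "docusign.net")
# Well-known folders an attacker picks to hide mail from the mailbox owner.
HIDE_FOLDERS = {"archive", "deleteditems", "junkemail", "rssfeeds"}


@dataclass
class Finding:
    rule_name: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def triage_rule(rule):
    """Score one inbox rule; higher means more BEC-like."""
    name = rule.get("displayName", "")
    cond = rule.get("conditions") or {}
    act = rule.get("actions") or {}
    f = Finding(name)
    # "." / ".." / "," names sort to the top of the list and are easy to overlook.
    if not re.search(r"[A-Za-z0-9]", name):
        f.add(3, "non-alphanumeric rule name")
    if not cond:
        f.add(3, "no conditions (catch-all)")
    dest = (act.get("moveToFolder") or "").lower()
    if dest in HIDE_FOLDERS:
        f.add(2, f"moves mail to {dest}")
    if act.get("markAsRead"):
        f.add(1, "marks mail as read")
    if act.get("stopProcessingRules"):
        f.add(1, "stops further rule processing")
    if act.get("forwardTo") or act.get("redirectTo"):
        f.add(3, "forwards or redirects mail")
    terms = [t.lower() for key in ("bodyOrSubjectContains", "subjectContains", "bodyContains")
             for t in cond.get(key, [])]
    if any(dom in t for t in terms for dom in LURE_DOMAINS):
        f.add(2, "condition keys on a file-sharing lure domain")
    return f


def suspicious_rules(rules, threshold=4):
    return [f for f in map(triage_rule, rules) if f.score >= threshold]


def rule_matches(rule, msg):
    """Would this rule have acted on msg?  Only the text-contains conditions
    are evaluated; a rule with no conditions matches everything."""
    cond = rule.get("conditions") or {}
    if not cond:
        return True
    subj, body = msg["subject"].lower(), msg["bodyPreview"].lower()
    for key, texts in (("subjectContains", (subj,)), ("bodyContains", (body,)),
                       ("bodyOrSubjectContains", (subj, body))):
        for term in cond.get(key, []):
            if any(term.lower() in text for text in texts):
                return True
    return False


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hidden_messages(rules, archived, since=None):
    """Archived messages a suspicious rule would have moved, optionally only
    those received on/after `since` (e.g. the first attacker sign-in), because
    the messageRule resource carries no creation time to scope by."""
    bad_names = {f.rule_name for f in suspicious_rules(rules)}
    bad_rules = [r for r in rules if r.get("displayName") in bad_names]
    cutoff = _ts(since) if since else None
    return [m for m in archived
            if (cutoff is None or _ts(m["receivedDateTime"]) >= cutoff)
            and any(rule_matches(r, m) for r in bad_rules)]


HIDE = {"moveToFolder": "archive", "markAsRead": True, "stopProcessingRules": True}
SAMPLE_RULES = [  # constructed: the two rule shapes from the notes plus one legitimate rule
    {"displayName": "..", "conditions": {"bodyOrSubjectContains": ["box.com"]}, "actions": dict(HIDE)},
    {"displayName": ".", "conditions": None, "actions": dict(HIDE)},
    {"displayName": "Pulte invoices",
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "ap@example.com"}}]},
     "actions": {"moveToFolder": "AAMk-pulte-folder-id", "markAsRead": False}},
]
SAMPLE_ARCHIVE = [  # constructed messages found in the Archive folder
    {"subject": "Valley Wide Plastering, INC......pdf was shared with you",
     "bodyPreview": "Open it on box.com", "receivedDateTime": "2026-03-04T19:02:00Z"},
    {"subject": "Re: Lot 42 stucco schedule", "bodyPreview": "Can you confirm the crew for Monday?",
     "receivedDateTime": "2026-03-05T02:10:00Z"},
    {"subject": "Q4 invoice", "bodyPreview": "Attached.", "receivedDateTime": "2026-02-01T10:00:00Z"},
]

if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES):
        print(f"{f.rule_name!r}: score {f.score}: {', '.join(f.reasons)}")
    n = len(hidden_messages(SAMPLE_RULES, SAMPLE_ARCHIVE, since="2026-03-04T00:00:00Z"))
    print(n, "archived messages to restore")
```

The catch-all rule matches every archived message, so without a `since` cut-off the restore list is the whole Archive folder; passing the first known attacker activity as the cut-off keeps mail the user archived before the compromise where it was.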

billing@ Investigation

Account: billing@valleywideplastering.com (4f708b80-e537-4f63-92d3-5feedfa28244)

  • Attacker IPs (23.234.100.200, 23.234.101.73) appeared in billing sign-in logs
  • Inbox rules reviewed: all legitimate (Tim Wolf, Pulte, hibu)
  • Sent mail reviewed: no malicious activity detected
  • Auth methods: Samsung S24, phone - appear legitimate
  • Assessment: Targeted but NOT compromised at mailbox level
  • Password reset attempted via API (403 - insufficient privileges), user reset manually
  • Sessions revoked

Phishing Impact

Total identified victims: 133 notified (125 external + 8 internal VWP)
Estimated ~175 total who clicked (from Box acceptance notifications; not all names resolved to email addresses)

VWP internal users targeted:

  • billing@, customerservice@, estimating@, ferminm@, franciscoa@, jesse@, ron@, teresa@

Top affected external organizations (recipient count):

  • Brewer Companies: 12
  • Austin Companies: 11
  • Pulte/PulteGroup/Del Webb: 12
  • Diversified Roofing: 6
  • 3-G Construction: 6
  • MCR Trust: 6
  • Paul Johnson Drywall: 5
  • VW Connect LLC: 3
  • Fairbanks AZ: 3
  • SRP: 3

Outstanding / Follow-up

  • Box.com file takedown - "Valley Wide Plastering, INC......pdf" (file ID 2155046839008) still live on Box. Contact Box support or access Box admin to revoke sharing.
  • Confirm JR's MFA phone (+1 480-797-6102) is his
  • Confirm billing's MFA phone (+1 619-244-8933) and Samsung S24 are hers
  • ~42 victim names could not be resolved to email addresses (no email found in Exchange)
  • Monitor sign-in logs for attacker IP recurrence over next 30 days
  • Consider enabling MFA for all VWP accounts if not already universal
  • Review other VWP accounts for foreign sign-ins (investigation flagged 11 of 33 accounts with foreign country sign-ins - may warrant broader remediation)
  • Check if attacker exfiltrated any data via Box or email forwarding
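
The sign-in findings (the failure burst from 23.234.100.200, the attacker IPs recurring in billing@'s logs, the 11 of 33 accounts with foreign sign-ins) and the 30-day monitoring item above all reduce to a few queries over sign-in records. The following is an added example written for these notes, not code from this page or from vwp_bec_investigation.py. Records follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, appDisplayName, status.errorCode, location.countryOrRegion); the attacker IPs and remediation time are taken from the notes, while every sign-in record, the burst thresholds and the allowed-country set are constructed assumptions.

```python
"""Sign-in log triage: failure bursts, shared attacker IPs, foreign sign-ins,
and attacker-IP recurrence after remediation.

Added example for these incident notes; not code from the page or from the
vwp_bec_*.py scripts.  Records follow the Microsoft Graph signIn resource.
KNOWN_BAD_IPS and REMEDIATED_AT come from the notes; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

KNOWN_BAD_IPS = {"23.234.100.200", "23.234.100.73", "23.234.101.73"}
REMEDIATED_AT = "2026-03-05T15:08:00Z"  # password reset + session revocation per the notes
DOMAIN = "valleywideplastering.com"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_failure(s):
    # Entra reports errorCode 0 on success; e.g. 50126 = bad password, 53003 = blocked by CA.
    return (s.get("status") or {}).get("errorCode", 0) != 0


def ip_summary(signins):
    """Per-IP counts plus the accounts each IP touched.  One attacker IP
    showing up under several accounts is the signal from the billing@ review."""
    out = {}
    for s in signins:
        d = out.setdefault(s["ipAddress"], {"total": 0, "failed": 0, "users": set(),
                                            "apps": set(), "countries": set()})
        d["total"] += 1
        d["failed"] += int(is_failure(s))
        d["users"].add(s["userPrincipalName"])
        d["apps"].add(s["appDisplayName"])
        d["countries"].add(s["location"]["countryOrRegion"])
    return out


def failure_bursts(signins, window_minutes=5, min_failed=10):
    """IPs with at least min_failed failures inside any window_minutes span
    (the '27 rapid failed sign-ins' pattern).  Returns ip -> largest burst."""
    by_ip = defaultdict(list)
    for s in signins:
        if is_failure(s):
            by_ip[s["ipAddress"]].append(_ts(s["createdDateTime"]))
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best = j = 0
        for i in range(len(times)):  # sliding window over sorted failure times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= min_failed:
            bursts[ip] = best
    return bursts


def foreign_signin_accounts(signins, allowed=frozenset({"US"})):
    """Accounts with any sign-in from outside the allowed countries
    (the '11 of 33 accounts' review; the allowed set is an assumption)."""
    return {s["userPrincipalName"] for s in signins
            if s["location"]["countryOrRegion"] not in allowed}


def recurrence_after(signins, bad_ips, since):
    """Sign-ins from known attacker IPs at or after remediation (the 30-day watch)."""
    cutoff = _ts(since)
    return [s for s in signins
            if s["ipAddress"] in bad_ips and _ts(s["createdDateTime"]) >= cutoff]


def _mk(user, ip, when, code, country, app="Office 365 Exchange Online"):
    return {"userPrincipalName": f"{user}@{DOMAIN}", "ipAddress": ip, "createdDateTime": when,
            "appDisplayName": app, "status": {"errorCode": code},
            "location": {"countryOrRegion": country}}


# Constructed sample log: a failure burst, an attacker IP shared across two accounts,
# one account with a foreign sign-in, and one attacker-IP sign-in after remediation.
SAMPLE_SIGNINS = (
    [_mk("j-r", "23.234.100.200", f"2026-03-04T20:21:{i * 5:02d}Z", 53003, "US", "ppuxdevcenter")
     for i in range(12)]
    + [_mk("j-r", "23.234.101.73", "2026-03-04T19:30:00Z", 0, "US"),
       _mk("billing", "23.234.100.200", "2026-03-04T21:00:00Z", 50126, "US"),
       _mk("ron", "198.51.100.7", "2026-03-02T08:15:00Z", 0, "DE"),
       _mk("teresa", "203.0.113.5", "2026-03-05T09:00:00Z", 0, "US"),
       _mk("j-r", "23.234.100.73", "2026-03-06T08:00:00Z", 0, "US")]
)

if __name__ == "__main__":
    print("bursts:", failure_bursts(SAMPLE_SIGNINS))
    print("foreign:", sorted(foreign_signin_accounts(SAMPLE_SIGNINS)))
    hits = recurrence_after(SAMPLE_SIGNINS, KNOWN_BAD_IPS, REMEDIATED_AT)
    print(len(hits), "attacker-IP sign-ins after remediation")
```

Feeding the tenant's exported sign-in JSON (the shape vwp_signins_raw.json would hold) into these functions instead of SAMPLE_SIGNINS turns the follow-up items into a repeatable daily check; any non-empty `recurrence_after` result after the password reset means the revocation did not hold or another credential is in play.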

Files / Artifacts

| File | Description |
| --- | --- |
| vwp_bec_jr.py | JR investigation script |
| vwp_bec_billing.py | Billing investigation + remediation script |
| vwp_bec_investigation.py | Full tenant investigation (sign-ins, lateral movement) |
| vwp_bec_results.json | Raw investigation results |
| vwp_extract_victim_emails.py | Box notification email parsing |
| vwp_exchange_trace.py | Exchange sent items search for recipient emails |
| vwp_exchange_recipients.json | All identified victim email addresses |
| vwp_resolve_victims.py | Name-to-email resolution via contacts/mail search |
| vwp_resolved_victims.json | Resolution results |
| vwp_send_notification.py | Notification email send script |
| vwp_signins_raw.json | Raw sign-in log data |
| vwp_investigation_output.txt | Full investigation console output |