claudetools/clients/kittle/reports/2026-06-08-full-sweep.md
Mike Swanson 65ad20ae0f sync: auto-sync from GURU-5070 at 2026-06-11 08:22:42


Kittle Design & Construction — Full M365 Sweep

Date: 2026-06-08
Tenant: kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
Performed by: ComputerGuru Security Investigator (read-only)
Scope: All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods


Summary

All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April).


SMTP Forwarding — All Clean [OK]

This check was skipped in April because the Security Investigator service principal did not yet hold the Exchange Admin role. It has now been run against every mailbox: both `ForwardingAddress` (forwarding to an internal recipient) and `ForwardingSmtpAddress` (forwarding to an arbitrary, typically external, address) are empty on all 13. Rule-based forwarding is covered separately under Inbox Rules below; tenant-level mail flow (transport) rules were not part of this sweep's scope.

| Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status |
|---|---|---|---|
| Accounting | none | none | [OK] |
| Admin | none | none | [OK] |
| Alexis | none | none | [OK] |
| Brandon | none | none | [OK] |
| Hayden | none | none | [OK] |
| Jason | none | none | [OK] |
| Joshua | none | none | [OK] |
| Ken | none | none | [OK] |
| Lori | none | none | [OK] |
| Marco | none | none | [OK] |
| Neal | none | none | [OK] |
| Scott | none | none | [OK] |
| Wrex | none | none | [OK] |

Inbox Rules

| Mailbox | Rules Found | Status |
|---|---|---|
| Accounting | None | [OK] |
| Admin | None | [OK] |
| Alexis | None | [OK] — hidden rule "." confirmed deleted |
| Brandon | None | [OK] |
| Hayden | None | [OK] |
| Jason | None | [OK] |
| Joshua | None | [OK] |
| Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule |
| Lori | None | [OK] |
| Marco | None | [OK] |
| Neal | None | [OK] |
| Scott | None | [OK] |
| Wrex | None | [OK] |

Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]
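The forwarding and inbox-rule checks above, written out as an added Exchange Online PowerShell example (this is not the report's own tooling or the ComputerGuru investigator code). It assumes an existing `Connect-ExchangeOnline` session with read access to recipients and mailbox rules; the "reasons" heuristics and the output file name are this example's own choices. `-IncludeHidden` is what surfaces rules like the "." rule that was removed from Alexis's mailbox, since such rules are created through MAPI/EWS and never show in Outlook.

```powershell
# Added example: per-mailbox mail-exfiltration paths in Exchange Online.
# Assumes Connect-ExchangeOnline has already been run with a read-only role.

# 1. Mailbox-level forwarding. Both attributes matter: ForwardingAddress points at an
#    internal recipient, ForwardingSmtpAddress at any SMTP address (usually external).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

$forwarding = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward

if ($forwarding) { $forwarding | Format-Table -AutoSize }
else             { "No mailbox-level forwarding set on $($mailboxes.Count) mailboxes" }

# 2. Inbox rules, including hidden ones. Attacker-created rules typically have a
#    one- or two-character name and forward, redirect, delete or bury mail.
$shortName = '^\W{1,2}$'   # example heuristic: ".", "..", "-" and similar

$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -IncludeHidden -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()
            if ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) { $reasons += 'forwards/redirects' }
            if ($_.DeleteMessage)                                            { $reasons += 'deletes' }
            if ($_.MarkAsRead)                                               { $reasons += 'marks read' }
            if ($_.MoveToFolder -match 'RSS|Archive|Conversation History|Junk') { $reasons += "moves to $($_.MoveToFolder)" }
            if ($_.Name -match $shortName)                                   { $reasons += 'hidden/short name' }

            [pscustomobject]@{
                Mailbox = $mbx.DisplayName
                Rule    = $_.Name
                Enabled = $_.Enabled
                Reasons = ($reasons -join '; ')
                Summary = ($_.Description -replace "`r?`n", ' ')
            }
        }
}

# Every rule is listed so benign org rules (like Ken's copy-to-folder rule) are visible
# in context; only rules with at least one reason go to the review file.
$findings | Format-Table -AutoSize -Wrap
$findings | Where-Object Reasons | Export-Csv .\inbox-rule-review.csv -NoTypeInformation
```

The `Reasons` column is a triage aid, not a verdict: a copy-to-folder rule with a descriptive name (Ken's) produces no reason, while a rule named "." that moves mail to RSS Feeds produces two. Rules a user cannot see in Outlook should be compared against the user's own account of what they set up before anything is deleted.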


OAuth App Consents — No Suspicious Grants

| App | Publisher | Grant Type | Scope | Verdict |
|---|---|---|---|---|
| iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail |
| SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP |
| Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] |
| ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app |
| QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email |
| Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client |
| MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) |
| One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app |
| Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope |
| Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access |
| BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal |

Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]
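An added Microsoft Graph PowerShell example (not the report's own tooling) that rebuilds the consent table above and adds one check the table does not show: application (app-only) permissions. A delegated grant such as the ones listed is an `oauth2PermissionGrant` and is what `Get-MgOauth2PermissionGrant` returns; an app-only role like `Directory.ReadWrite.All` on an app's service principal is an `appRoleAssignment` and only appears through `Get-MgServicePrincipalAppRoleAssignment`. It assumes a `Connect-MgGraph` session with `Application.Read.All` and `User.Read.All`; the high-risk scope pattern and the two well-known Microsoft tenant IDs used to skip first-party apps are this example's choices.

```powershell
# Added example: delegated consents plus app-only roles in Entra ID.
# Assumes Connect-MgGraph -Scopes 'Application.Read.All','User.Read.All' has been run.

$spCache = @{}
function Resolve-Sp([string]$id) {
    # Service principals get looked up repeatedly; cache them.
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id -ErrorAction SilentlyContinue
    }
    $spCache[$id]
}

# Well-known tenant IDs that own Microsoft first-party apps (Microsoft Services / Microsoft corp).
$microsoftTenants = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47'
# Scopes that deserve a second look on any non-Microsoft app (example pattern).
$highRisk = 'Mail\.|MailboxSettings|Directory\.ReadWrite|Files\.ReadWrite\.All|Sites\.FullControl|full_access_as_user|EWS\.|EAS\.'

# 1. Delegated grants. ConsentType AllPrincipals = admin consented for everyone;
#    Principal = a single user consented, and PrincipalId says who.
$delegated = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $sp   = Resolve-Sp $_.ClientId
    $who  = if ($_.ConsentType -eq 'Principal') { (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName } else { 'AllPrincipals' }
    $pub  = if ($sp.VerifiedPublisher.DisplayName) { "$($sp.VerifiedPublisher.DisplayName) (verified)" } else { 'Unverified' }
    $flag = if ($_.Scope -match $highRisk -and $sp.AppOwnerOrganizationId -notin $microsoftTenants) { 'REVIEW' } else { '' }
    [pscustomobject]@{
        App       = $sp.DisplayName
        AppId     = $sp.AppId
        Publisher = $pub
        GrantedTo = $who
        Scope     = $_.Scope.Trim()
        Flag      = $flag
    }
}
$delegated | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap

# 2. Application permissions. These never show up as oauth2PermissionGrants; an app
#    holding Directory.ReadWrite.All app-only would be invisible to step 1.
$appOnly = foreach ($sp in (Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'")) {
    if ($sp.AppOwnerOrganizationId -in $microsoftTenants) { continue }   # skip first-party noise
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $resource = Resolve-Sp $a.ResourceId
        $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App        = $sp.DisplayName
            AppId      = $sp.AppId
            Resource   = $a.ResourceDisplayName
            Permission = $role.Value
        }
    }
}
$appOnly | Format-Table -AutoSize
```

`REVIEW` is a prompt, not a finding: the iOS Accounts and Gmail entries above match the pattern because of `EAS.AccessAsUser.All`, and the report's review correctly accepts both. The second list is where an app like the removed c5df10ae would still be caught if it had been granted application rather than delegated permissions.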


MFA Authentication Methods

| User | Authenticator | Phone | Software OATH | Status |
|---|---|---|---|---|
| Accounting | SM-F731U1 | none | none | [OK] |
| Admin (Kimberly) | moto g power 5G | none | none | [OK] |
| Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below |
| Brandon | SM-F741U | none | none | [OK] |
| Hayden | iPhone 12 Pro Max | none | none | [OK] |
| Jason | SM-X218U | none | none | [OK] |
| Joshua | iPad Pro 11" (2nd gen) | none | none | [OK] |
| Ken | iPhone 12 Pro Max | none | none | [OK] |
| Lori | SM-G975U + SM-F766U | none | none | [WARNING] see below |
| Marco | iPhone 14 | none | none | [OK] |
| Neal | iPhone 16 Pro | none | none | [OK] |
| Scott | none | +1 5202884444 | none | [WARNING] no Authenticator app |
| Wrex | iPhone 14 | +1 5209122806 | none | [OK] |

MFA Open Items

[WARNING] Alexis — suspicious Authenticator still present:

  • Entry c927402a-75c6-4a55-840a-86d1eea43a9b — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
  • Entry 7365a870-4809-4fdc-9e9b-dcd76eddb8ef — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
  • Both entries carry the same display name and the same deviceTag, so nothing in the method metadata distinguishes them. One is legitimate; one should be removed. An Authenticator registration the user did not make is a standard post-compromise persistence mechanism and is treated as such until she confirms it.
  • Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove c927402a.
  • Alexis also has a software OATH token (7d1425ca). A software OATH token is a third-party TOTP app (Google Authenticator, 1Password and the like), not a hardware key; if she is not using one, remove this too.

[WARNING] Lori — old Samsung device still registered:

  • SM-G975U (Samsung S10+) — old phone
  • SM-F766U (Samsung Z Flip) — current phone (presumably)
  • Action: Confirm with Lori which is her current phone, then remove the old entry.

[WARNING] Scott — phone-only MFA:

  • Only MFA method is SMS/call to +1 5202884444
  • No Microsoft Authenticator enrolled
  • SMS/voice MFA is significantly weaker than app-based MFA: it is exposed to SIM-swap and number-porting attacks and gives no protection against a real-time phishing relay
  • Action: Enroll Scott in Microsoft Authenticator, then remove the phone method so it cannot remain as a weaker fallback
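An added Microsoft Graph PowerShell example (not the report's own tooling) that produces the per-user method inventory behind the MFA table and the three open items: it lists every Authenticator entry with its ID, deviceTag and `createdDateTime`, flags duplicate display names, software OATH tokens and phone-only users, and leaves the removal commands commented out because this sweep ran read-only. It assumes a `Connect-MgGraph` session with `UserAuthenticationMethod.Read.All` (`UserAuthenticationMethod.ReadWrite.All` for the removals); the `<...>` placeholders stand for values that must be confirmed with the user first, and `createdDateTime` is only populated by Graph for devices registered for passwordless phone sign-in, so it may be empty for one or both of Alexis's entries.

```powershell
# Added example: authentication-method inventory for licensed users.
# Assumes Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All','User.Read.All' has been run.

$users = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,AssignedLicenses |
    Where-Object { $_.AccountEnabled -and $_.AssignedLicenses.Count -gt 0 }

$inventory = foreach ($u in $users) {
    $auth  = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $u.Id
    $phone = Get-MgUserAuthenticationPhoneMethod -UserId $u.Id
    $oath  = Get-MgUserAuthenticationSoftwareOathMethod -UserId $u.Id
    $fido  = Get-MgUserAuthenticationFido2Method -UserId $u.Id

    # Every registered method type, for the ones the table has no column for (email, TAP, WHfB...).
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id | ForEach-Object {
        ($_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '') -replace 'AuthenticationMethod$', ''
    } | Sort-Object -Unique

    $flags = @()
    if (-not $auth -and -not $fido) {
        $flags += if ($phone) { 'phone-only (no Authenticator/FIDO2)' } else { 'no strong method' }
    }
    $dupes = $auth | Group-Object DisplayName | Where-Object Count -gt 1
    if ($dupes) { $flags += "duplicate Authenticator name: $($dupes.Name -join ', ')" }
    if ($oath)  { $flags += "software OATH token: $(($oath | ForEach-Object { $_.Id.Substring(0,8) }) -join ', ')" }

    [pscustomobject]@{
        User          = $u.UserPrincipalName
        Authenticator = ($auth | ForEach-Object {
                            '{0} [{1}] {2} created {3:yyyy-MM-dd}' -f $_.DisplayName, $_.Id.Substring(0,8), $_.DeviceTag, $_.CreatedDateTime
                        }) -join '; '
        Phone         = ($phone | ForEach-Object { "$($_.PhoneType): $($_.PhoneNumber)" }) -join '; '
        Methods       = $types -join ','
        Flags         = $flags -join '; '
    }
}

$inventory | Format-Table -AutoSize -Wrap

# Removals, only after the user has confirmed which entry is theirs.
# Requires UserAuthenticationMethod.ReadWrite.All; deliberately commented out.
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId '<Alexis UPN>' `
#     -MicrosoftAuthenticatorAuthenticationMethodId 'c927402a-75c6-4a55-840a-86d1eea43a9b'
# Remove-MgUserAuthenticationSoftwareOathMethod -UserId '<Alexis UPN>' `
#     -SoftwareOathAuthenticationMethodId '<full id beginning 7d1425ca>'
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId '<Lori UPN>' `
#     -MicrosoftAuthenticatorAuthenticationMethodId '<ID of the SM-G975U entry>'
```

Where `createdDateTime` is populated, it is the quickest way to tell the two identically named Alexis entries apart: an entry created inside the April incident window that she does not recognise is the one to remove. When it is empty, the user's own count of accounts in the Authenticator app, as the open item describes, is the deciding check.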

Resolved Findings (from 2026-04-23)

| Finding | Status |
|---|---|
| Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone |
| Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone |
| Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone |
| IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone |
| SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 |

Outstanding Items

| Priority | Item | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove c927402a. Also remove software OATH token if unused. | Mike |
| P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike |

Vault Paths Accessed

  • msp-tools/computerguru-security-investigator.sops.yaml (investigator + investigator-exo tiers)