Investigated barbara@bardach.net login issues (account-locked message, INKY SSL
errors). Finding: active distributed password-spray against the tenant (also
hitting admin@), NOT a breach — no successful attacker sign-in, no mailbox/rule/
forwarding changes. Root exposure: MFA not enforced (no Entra P1 -> no CA).
Remediation (Mike confirmed): enabled Security Defaults tenant-wide. Both active
accounts MFA-ready (Authenticator) -> no lockout; legacy auth now blocked.

- 2026-06-05-account-investigation-mfa-enforcement.md (full report)
- 2026-06-05-barbara-note-draft.md (client note, for Mike to send)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>