claudetools/clients/kittle/reports/2026-06-08-breach-check.md
Mike Swanson 7f7f844eba sync: auto-sync from GURU-BEAST-ROG at 2026-06-08 15:55:24
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-08 15:55:24
2026-06-08 15:55:30 -07:00


Breach Incident Report — Kittle Design & Construction (kittlearizona.com)

Date: 2026-06-08 UTC
Requested by: Mike Swanson
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
Syncro Ticket: #32393
Status: ACTIVE INCIDENT — CONTAINED


Incident Summary

Active BEC (Business Email Compromise). Ken Schagel's Global Admin account was compromised. The attacker had access to the account for ~8 hours before launching a 1,000-recipient phishing campaign posing as a OneDrive file share. The attacker planted malicious inbox rules on 3 mailboxes, and Lori Schagel's account was found holding Global Admin (later confirmed pre-existing rather than attacker-planted; see Backdoor Admin Account below). All remediated.


Attack Timeline

| UTC | Event |
|---|---|
| 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise |
| 13:24 | [BREACH START] First OWA login — 64.44.131.168 (Chicago, Nexeon Technologies VPN/hosting) |
| 13:37 | Ken's T-Mobile phone access (legitimate, unaware) |
| 15:00 | Attacker returns — 64.44.131.168 |
| 15:17 | Ken sends legitimate email via Cox Communications (Phoenix AZ) |
| 15:32 | Attacker sends test email from OWA — concurrent with Ken's legitimate use |
| 16:14 | Attacker sends second test email from OWA |
| 18:36 | Contact harvest starts — python-httpx/0.28.1 from Azure 40.126.41.96 (250+ MailItemsAccessed events) |
| 18:52 | Attacker reviews Sent/Deleted/RSS Feeds folders from OWA |
| 18:53 | Contact harvest ends |
| 21:14 | Phishing batch 1: 17 recipients |
| 21:16 | Phishing batch 2: 300 recipients |
| 21:20 | Phishing batch 3: 300 recipients |
| 21:23 | Phishing batch 4: 300 recipients |
| 21:26 | Phishing batch 5: 83 recipients — 45.134.224.220 (Kansas City MO, PacketHub S.A.) |
| 21:27 | Ken's password reset (SSPR) |
| ~21:30 | Howard (ACG) receives phishing email, incident detected |
| 21:41 | Mike manually blocks Ken's sign-in in portal, sets temp password |
| ~22:00 | ACG investigation and remediation begins |

Attacker Infrastructure

| IP | Use | Geolocation | ASN |
|---|---|---|---|
| 64.44.131.168 | OWA browser access (initial + ongoing) | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) |
| 40.126.41.96 | Contact scraping via python-httpx | Microsoft Azure | Microsoft Corp |
| 45.134.224.220 | Bulk phishing send | Kansas City, MO | AS147049 PacketHub S.A. (hosting) |

Attacker tool: python-httpx/0.28.1 with OAuth token for Microsoft Desktop app (d3590ed6-52b3-4102-aeff-aad2292ab01c)
AAD Session: 0031c64a-94a8-7629-20ad-c42db69d76c7
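The timeline and infrastructure above came out of reading audit records by hand. Below is an added triage script (written for this report, not tooling from ACG or Microsoft) that surfaces the same three signals from an exported Unified Audit Log: a scripted HTTP client reading mail, a burst of MailItemsAccessed from one client, and mailbox logins from IPs outside an allow-list. It assumes the AuditData JSON shape of Search-UnifiedAuditLog exports; the sample records are constructed, with the user and IPs taken from this report's indicator table and a placeholder allow-list IP.

```python
"""Triage Unified Audit Log records for two signals from this incident: bulk
MailItemsAccessed from a scripted client (python-httpx) and interactive logins
from IPs outside an allow-list. Records follow the AuditData JSON shape of
Search-UnifiedAuditLog exports (assumed); the sample records are constructed."""
import json
from collections import Counter
SCRIPT_UA_MARKERS = ("python", "httpx", "curl", "go-http-client", "okhttp")
BURST_THRESHOLD = 100              # MailItemsAccessed events per (user, ip, client)
KNOWN_GOOD_IPS = {"198.51.100.7"}  # placeholder: the user's usual ISP egress IP

def parse_audit_lines(lines):
    return [json.loads(line) for line in lines if line.strip()]

def triage(records, burst_threshold=BURST_THRESHOLD, known_good=KNOWN_GOOD_IPS):
    bursts, findings, seen = Counter(), [], set()
    for r in records:
        user, ip, op = r.get("UserId"), r.get("ClientIPAddress"), r.get("Operation")
        ua = (r.get("ClientInfoString") or "").lower()
        if op == "MailItemsAccessed":
            bursts[(user, ip, ua)] += 1
        # Scripted HTTP clients reading mail are not how Outlook/OWA behave
        if any(m in ua for m in SCRIPT_UA_MARKERS) and ("ua", user, ip, ua) not in seen:
            seen.add(("ua", user, ip, ua))
            findings.append({"signal": "scripted-client", "user": user, "ip": ip, "client": ua})
        if op == "MailboxLogin" and ip not in known_good and ("login", user, ip) not in seen:
            seen.add(("login", user, ip))
            findings.append({"signal": "login-from-unlisted-ip", "user": user, "ip": ip, "client": ua})
        if op in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule"):
            findings.append({"signal": "inbox-rule-change", "user": user, "ip": ip, "client": op})
    for (user, ip, ua), n in bursts.items():   # harvest = many reads, one client, short window
        if n >= burst_threshold:
            findings.append({"signal": "mailitemsaccessed-burst", "user": user, "ip": ip,
                             "client": ua, "count": n})
    return findings

def _rec(op, ip, ua, ts):
    """Constructed record in AuditData shape (user and IPs taken from this report)."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": "Ken@kittlearizona.com",
                       "ClientIPAddress": ip, "ClientInfoString": ua})

SAMPLE_LINES = [
    _rec("MailboxLogin", "198.51.100.7", "Client=OWA;Mozilla/5.0", "2026-06-08T15:17:00"),
    _rec("MailboxLogin", "64.44.131.168", "Client=OWA;Mozilla/5.0", "2026-06-08T13:24:00"),
] + [_rec("MailItemsAccessed", "40.126.41.96", "Client=REST;;;python-httpx/0.28.1",
          f"2026-06-08T18:{36 + i // 20}:{i % 60:02d}") for i in range(250)]

if __name__ == "__main__":
    for finding in triage(parse_audit_lines(SAMPLE_LINES)):
        print(finding)
```

Populate KNOWN_GOOD_IPS from the user's normal ISP/mobile egress before running it over a real export, or every login will be flagged.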


Phishing Campaign Stats

| Metric | Value |
|---|---|
| Total sent | 1,000 |
| Delivered | 747 |
| Failed/bounced | 227 |
| Pending | 25 |
| Subject | "Ken Schagel shared a file with you" |
| Lure | Fake OneDrive/SharePoint file-share notification |
| Victim notification sent | 740 (automated addresses filtered) |

Malicious Artifacts Found and Removed

Inbox Rules (planted by attacker across 3 mailboxes)

| Mailbox | Rule Name | Action | Status |
|---|---|---|---|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds, Priority 1 | DELETED |
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, Priority 2 | DELETED |

Note: Accounting ".." + "..." rules were actively suppressing ALL incoming mail at time of discovery. Mail flow restored on deletion.

Note: Ken's mailbox has a "Christina Micek" rule (StopProcessingRules:true, no action) that predates the incident. Needs investigation — possibly legitimate, possibly attacker remnant.
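The rules above share a recognisable shape: a name made of punctuation, an unconditional move into a folder nobody reads (RSS Feeds), MarkAsRead, and StopProcessingRules. The following is an added scoring routine (written for this report, not an ACG or Microsoft tool) that ranks exported inbox rules by those traits, and also flags the "stop processing, no action, no filter" oddity of the Christina Micek rule as needing owner confirmation. It assumes dict keys matching Get-InboxRule property names (e.g. from Get-InboxRule | ConvertTo-Json); the sample rules are constructed to mirror the table.

```python
"""Triage exported inbox rules for the hide-and-silence pattern seen in this
incident. Input: dicts keyed by Get-InboxRule property names (an assumption;
e.g. Get-InboxRule -Mailbox <user> | ConvertTo-Json). The sample rules are
constructed to mirror the report's table, not pulled from a tenant."""
import re
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                "deleted items", "conversation history", "notes"}
CONDITION_FIELDS = ("From", "SentTo", "SubjectContainsWords",
                    "BodyContainsWords", "FromAddressContainsWords")
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
ACTION_FIELDS = ("MoveToFolder", "DeleteMessage", "MarkAsRead") + FORWARD_FIELDS

def folder_name(path):
    # Get-InboxRule reports "mailbox\Folder"; keep only the leaf folder name
    return (path or "").rsplit("\\", 1)[-1].strip().lower()

def score_rule(rule):
    reasons, name = [], rule.get("Name") or ""
    if re.fullmatch(r"[\W_]*", name) or len(name) < 3:
        reasons.append(("opaque-name", 2))            # ".", "..", "..." style names
    if folder_name(rule.get("MoveToFolder")) in HIDE_FOLDERS:
        reasons.append(("moves-to-hidden-folder", 2))
    if rule.get("DeleteMessage"):
        reasons.append(("deletes-mail", 2))
    if any(rule.get(f) for f in FORWARD_FIELDS):
        reasons.append(("forwards-mail", 2))
    if rule.get("MarkAsRead") and rule.get("StopProcessingRules"):
        reasons.append(("silences-and-stops", 1))
    has_action = any(rule.get(f) for f in ACTION_FIELDS)
    has_condition = any(rule.get(f) for f in CONDITION_FIELDS)
    if has_action and not has_condition:
        reasons.append(("applies-to-all-mail", 1))
    if rule.get("StopProcessingRules") and not has_action:
        reasons.append(("no-op-stop-rule", 1))        # odd; needs the owner to confirm
    score = sum(w for _, w in reasons)
    verdict = "malicious-likely" if score >= 3 else "review" if score else "ok"
    return {"mailbox": rule.get("Mailbox"), "name": name, "score": score,
            "verdict": verdict, "reasons": [r for r, _ in reasons]}

def triage(rules):
    return sorted((score_rule(r) for r in rules), key=lambda f: -f["score"])

SAMPLE_RULES = [   # constructed: Ken's "." rule, the pre-existing stop rule, a benign rule
    {"Mailbox": "Ken", "Name": ".", "MoveToFolder": "Ken\\RSS Feeds",
     "MarkAsRead": True, "StopProcessingRules": True},
    {"Mailbox": "Ken", "Name": "Christina Micek", "StopProcessingRules": True},
    {"Mailbox": "Ken", "Name": "Vendor invoices", "From": ["ap@vendor.example"],
     "MoveToFolder": "Ken\\Invoices"},
]
```

Call triage(SAMPLE_RULES) to see the "." rule ranked malicious-likely, the Christina Micek rule as review, and the vendor rule as ok.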

Backdoor Admin Account (resolved: pre-existing, not attacker-planted)

Lori@kittlearizona.com had 10 admin roles assigned — including Global Administrator. All 10 roles stripped, sessions revoked.

Roles removed: Global Administrator, Exchange Administrator, User Administrator, Teams Administrator, SharePoint Administrator, Helpdesk Administrator, AI Administrator, Global Reader, Service Support Administrator, User Experience Success Manager

Role assignment timing — RESOLVED: directoryAudits confirmed no "Add member to role" events for any user in the last 30 days except ACG's own remediation actions. Lori's roles were pre-existing (assigned >30 days before the incident). The attacker did NOT plant a backdoor — Lori was already a Global Admin before the compromise. This means the tenant had two GA accounts (Ken + Lori) going into the incident. Recommend reviewing whether Lori legitimately requires GA access, or if it was an oversight during initial tenant setup.


Remediation Actions Completed

| Action | Status |
|---|---|
| Ken sessions revoked | [OK] |
| Ken admin roles stripped (10 roles) | [OK] |
| Ken sign-in blocked (by Mike in portal) | [OK] |
| Ken temp password set ([redacted from this copy]; vaulted) | [OK] |
| Ken malicious inbox rules deleted: "." + "Admin" | [OK] |
| Wrex sessions revoked | [OK] |
| Wrex password reset ([redacted from this copy]; in Syncro ticket #32393) | [OK] |
| Alexis PERFECTDATA OAuth grant revoked | [OK] |
| Alexis Alignable OAuth grant revoked (offline_access + Contacts.Read) | [OK] |
| Alexis malicious inbox rule "..." deleted | [OK] |
| Accounting malicious rules ".." + "..." deleted | [OK] |
| Lori admin roles stripped (10 roles; all pre-existing, not attacker-planted) | [OK] |
| Lori sessions revoked | [OK] |
| Lori re-assigned User Administrator (legitimate scope) | [OK] |
| Victim notification sent (740 recipients) — via admin@kittlearizona.com | [OK] |
| Syncro ticket #32393 updated with temp passwords | [OK] |

Open Items / Recommendations

  1. Re-enable Ken's account — DONE (Mike re-enabled). Ken's MFA verified clean (single iPhone 12 Pro Max, no attacker devices). Ken's admin roles still need to be re-added after incident is declared closed.

  2. Christina Micek inbox rule on Ken — rule has StopProcessingRules:true, no action, no filter. Unknown if legitimate or attacker-planted. Needs Ken to confirm before declaring his mailbox fully clean.

  3. Lori's role assignment timing — RESOLVED: pre-existing. Roles were assigned >30 days before the incident (no Add member to role events found in directoryAudits for the last 30 days). Attacker did NOT plant a backdoor. Recommend reviewing whether Lori legitimately needs GA access or if it should be downscoped.

  4. Phishing URL unknown — email body not recoverable (message purged when account disabled). Submit 45.134.224.220 (PacketHub send IP) to threat intel if needed.

  5. Entra ID P1 licensing — sign-in logs blocked. Without P1, foreign sign-in detection is blind. Tenant appears to be on O365 E3 (not M365 E3). Recommend Entra P1 add-on or upgrade to M365 E3.

  6. MFA review for all users — Alexis duplicate Authenticator ("iPhone 12 Pro Max" x2 — one may be a legacy registration), Lori two Authenticator devices (SM-G975U + SM-F766U, likely old device not removed). Both can self-serve at mysignins.microsoft.com or ACG can reset for them.

  7. Alignable OAuth on Alexis — Contacts.Read scope, unverified publisher. Decision deferred to Alexis — revoke if she doesn't recognize it.

  8. Ken admin roles — all 10 stripped during remediation. Re-add appropriate roles (Global Admin + Exchange Admin at minimum) once incident is closed and Ken's account is verified clean.

  9. DKIM/DMARC — not configured on kittlearizona.com. A DMARC policy would have allowed Microsoft to classify the phishing emails as DMARC fail, reducing delivery. Recommend implementing. Caveat: DMARC fails only mail that does not align with the domain's SPF/DKIM; messages sent through the compromised mailbox itself via OWA are authenticated by Microsoft and will pass, so DMARC protects against spoofing of the domain rather than against sends from a hijacked account. It is still worth configuring for the spoofing case.

  10. Lori GA access review — with GA confirmed pre-existing (not attacker-planted), assess if Lori legitimately needs Global Administrator. If not, downscope to Exchange Administrator or appropriate role. Two GA accounts on a small tenant is unnecessary exposure.


Vault Entries Created

  • vault/clients/kittle/m365-ken-schagel-incident.sops.yaml — Ken's temp password and incident notes

Limitations

| Check | Status | Reason |
|---|---|---|
| Sign-in logs (Graph API) | BLOCKED | Tenant lacks Entra P1 (O365 E3 vs M365 E3) |
| Risky users (Graph API) | BLOCKED | Same |
| Directory audit (role assignment timing) | BLOCKED | Requires AuditLog.Read.All + P1 |
| Phishing email body/URL | UNAVAILABLE | Message purged when Ken's account was disabled |