Session Log — Kittle Design & Construction
Date: 2026-04-23 / 2026-04-24 (overnight)
Analyst: Mike Swanson
Machine: DESKTOP-0O8A1RL
Tenant: kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
User
- User: Mike Swanson (mike)
- Machine: DESKTOP-0O8A1RL
- Role: admin
Session Summary
Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing.
Breach Check Findings
Full report: clients/kittle-design/reports/2026-04-23-breach-check.md
| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com |
| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices (different Samsung models — likely phone upgrade) | Lori@kittlearizona.com |
| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent — single user | unknown |
| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide |
Remediation Actions Taken
Onboarding
Exchange Operator and Tenant Admin apps consented by Kittle admin. Role assignments:
- Security Investigator SP (26e16c7a): Exchange Administrator — assigned
- Exchange Operator SP (775ec856): Exchange Administrator — assigned manually (onboard script missed it)
- User Manager SP (ea0277ab): User Administrator + Authentication Administrator — assigned
alexis@kittlearizona.com
| Action | Result | Detail |
|---|---|---|
| Hidden "." inbox rule deleted | [OK] | Exchange identity: alexis\\2866869517449953281 |
| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 |
| All sign-in sessions revoked | [OK] | revokeSignInSessions returned true |
| Password reset (temp, force-change) | [OK] | See credentials section below |
Emails recovered:
- "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
- "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
- "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)
Still pending:
- Ask Alexis to count Authenticator entries on her phone. If only one, remove the suspicious entry:
  - Entry to remove: ID c927402a-75c6-4a55-840a-86d1eea43a9b (app version 6.8.40, "iPhone 12 Pro Max")
OAuth Consents Revoked
c5df10ae-2aa7-4283-86ef-1884c267a9ac (AllPrincipals — 7 grants deleted, all HTTP 204):
- rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc — LicenseManager.AccessAsUser
- rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8 — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation
- rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI — user_impersonation
- rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs — AllProfiles.Manage, AllSites.FullControl
- rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite
- rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k — Vulnerability.Read
9b504397-914d-4af2-b6d9-9081e80da54e (IMAP legacy auth, 1 grant deleted, HTTP 204):
- l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa — IMAP.AccessAsUser.All, openid, offline_access, email, profile
- Consented by user 5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a (user object ID — UPN not resolved)
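As an added defender-side example, not part of this session log or its tooling, a small Python triage of oauth2PermissionGrant records in the shape the Graph API returns (id, clientId, consentType, principalId, scope). It groups grants per client app and surfaces the two consent patterns revoked above: tenant-wide (AllPrincipals) consents carrying high-privilege scopes, and single-user consents to legacy mail-protocol scopes such as IMAP. The app, grant and user IDs in the sample are constructed placeholders, and the high-risk scope list is the example's own judgement call, not a Microsoft-published one.

```python
import re
from collections import defaultdict

# Delegated scopes that reach the whole directory, any mailbox or any site (example's own list).
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.Send", "Mail.ReadWrite", "AllSites.FullControl",
                    "AllProfiles.Manage", "Exchange.Manage", "MailboxSettings.ReadWrite"}
# Scope families flagged by shape: RoleManagement.* and anything ending in .ReadWrite.All.
HIGH_RISK_PATTERNS = [re.compile(r"^RoleManagement"), re.compile(r"\.ReadWrite\.All$")]
LEGACY_PREFIXES = ("IMAP.", "POP.", "SMTP.")  # basic-auth era mail protocol scopes


def risky_scopes(scope_field: str) -> list[str]:
    """High-risk or legacy-protocol scopes in a Graph space-separated scope string."""
    return [s for s in scope_field.split()
            if s in HIGH_RISK_SCOPES or s.startswith(LEGACY_PREFIXES)
            or any(p.search(s) for p in HIGH_RISK_PATTERNS)]


def triage_grants(grants: list[dict]) -> dict[str, dict]:
    """Group oauth2PermissionGrant records by clientId and keep clients needing review:
    any AllPrincipals (tenant-wide) consent, or a per-user consent to legacy protocols."""
    per_client = defaultdict(list)
    for g in grants:
        per_client[g["clientId"]].append(g)
    out = {}
    for client, gs in per_client.items():
        flagged = sorted({s for g in gs for s in risky_scopes(g["scope"])})
        if any(g["consentType"] == "AllPrincipals" for g in gs):
            reason = "tenant-wide consent" + (" with high-privilege scopes" if flagged else "")
        elif any(s.startswith(LEGACY_PREFIXES) for s in flagged):
            reason = "per-user consent to legacy protocol scopes"
        else:
            continue  # ordinary per-user consent; not worth a line in the report
        out[client] = {"reason": reason, "scopes": flagged,
                       "grant_ids": [g["id"] for g in gs],
                       "principals": sorted({g["principalId"] for g in gs if g.get("principalId")})}
    return out


# Constructed sample (placeholder IDs): one app with two tenant-wide grants, one IMAP app
# consented by a single user, and one benign per-user Calendars.Read consent.
SAMPLE_GRANTS = [
    {"id": "grant-A1", "clientId": "app-aaaa", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Directory.ReadWrite.All RoleManagement.ReadWrite.Directory Mail.Send User.Read"},
    {"id": "grant-A2", "clientId": "app-aaaa", "consentType": "AllPrincipals", "principalId": None,
     "scope": "AllSites.FullControl"},
    {"id": "grant-B1", "clientId": "app-bbbb", "consentType": "Principal", "principalId": "user-0001",
     "scope": "IMAP.AccessAsUser.All openid offline_access email profile"},
    {"id": "grant-C1", "clientId": "app-cccc", "consentType": "Principal", "principalId": "user-0002",
     "scope": "Calendars.Read User.Read"},
]
```

Feed it the `value` array from a GET on /oauth2PermissionGrants and each flagged client's grant_ids are the objects to delete if the app is not recognised.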
Ken@kittlearizona.com
No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions).
Credentials
Tenant: kittlearizona.com
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
alexis@kittlearizona.com
Temp password: KittleGwiNUK#2026
(force change on next login — issued 2026-04-23)
User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a
Exchange Operator SP: 775ec856-f032-4dcf-a499-ccf7f9bce07b
Tenant Admin SP: 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5
Security Investigator SP: 26e16c7a-0ac8-4f85-bdd7-992611bbd271
User Manager SP: ea0277ab-497c-45f7-b88a-e2d53f54a4c7
Syncro
- Ticket #32207 — "M365 Security Sweep — Breach Check & Remediation"
- Status: Resolved
- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473)
- Ready to invoice — run /syncro bill 32207 or manually in GUI
Infrastructure Notes
- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection unavailable
- SMTP forwarding check not completed — Exchange Admin role was not assigned to Security Investigator at time of breach check (fixed during remediation session)
- Token cache location: /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/
Files Changed This Session
- clients/kittle-design/reports/2026-04-23-breach-check.md — breach check report (written 2026-04-23)
- .claude/skills/remediation-tool/scripts/tenant-sweep.sh — fixed tier name graph → investigator on line 12
- .claude/skills/remediation-tool/references/tenants.md — Kittle row updated from NO to PARTIAL
Pending Items
| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? Remove c927402a if only one. | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike |
| P2 | Verify Alexis received temp password and changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Invoice ticket #32207 | Mike |