# Session Log — Kittle Design & Construction

**Date:** 2026-04-23 / 2026-04-24 (overnight)

**Analyst:** Mike Swanson

**Machine:** DESKTOP-0O8A1RL

**Tenant:** kittlearizona.com (`3d073ebe-806a-4a5e-9035-3c7c4a264fc0`)

## User

- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin

---

## Session Summary

Performed a full tenant-wide M365 breach check on kittlearizona.com, identified two high-priority compromise indicators, and executed remediation. Also onboarded the Exchange Operator and Tenant Admin apps into the tenant (consent + role assignment). Created Syncro ticket #32207 for billing.

---

## Breach Check Findings

Full report: `clients/kittle-design/reports/2026-04-23-breach-check.md`

| Severity | Finding | User |
|---|---|---|
| [WARNING] | Hidden inbox rule "." routing Howmet emails to Conversation History | alexis@kittlearizona.com |
| [WARNING] | Duplicate Authenticator — same device name, two different app versions | alexis@kittlearizona.com |
| [INFO] | Inbox rule "Admin" filtering Capital One / Bill.com to folder | Ken@kittlearizona.com |
| [INFO] | Two Authenticator devices (different Samsung models — likely phone upgrade) | Lori@kittlearizona.com |
| [INFO] | Phone-only MFA, no Authenticator | scott@kittlearizona.com |
| [INFO] | IMAP legacy auth consent — single user | unknown |
| [INFO] | Large-scope AllPrincipals OAuth consent (c5df10ae) | tenant-wide |
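
The inbox-rule and Authenticator rows above come from two Graph collections per user: `mailFolders/inbox/messageRules` and `authentication/microsoftAuthenticatorMethods`. The block below is an added example, not the breach-check tool's own code or the report's: it runs the same two checks over constructed sample records shaped like those Graph objects and assigns the severities the table uses. The sender watchlist, the folder list, and the assumption that `moveToFolder` has already been resolved from a folder id to a display name are mine, not the page's.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed watchlists (assumptions, not from the session log): sender domains an
# attacker typically diverts (finance, vendors) and folders people rarely route mail into.
FINANCE_SENDERS = ("capitalone.com", "bill.com", "howmet.com")
SUSPICIOUS_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                      "junk email", "deleted items", "archive"}
# A name made only of dots, dashes or whitespace is effectively invisible in Outlook's rule list.
INVISIBLE_NAME = re.compile(r"^[\s.\-_,;:']*$")


def _senders(conditions: dict) -> list[str]:
    """Lowercased sender criteria from a Graph messageRule.conditions object."""
    found = [s.lower() for s in conditions.get("senderContains") or []]
    for rcpt in conditions.get("fromAddresses") or []:
        found.append((rcpt.get("emailAddress") or {}).get("address", "").lower())
    return [s for s in found if s]


def triage_inbox_rule(rule: dict) -> tuple[str, str] | None:
    """Classify one Graph messageRule; returns (severity, finding) or None if benign.

    Assumption: the caller has resolved actions.moveToFolder (Graph returns a
    folder id) to the folder's display name before calling this.
    """
    name = rule.get("displayName", "")
    actions = rule.get("actions") or {}
    target = (actions.get("moveToFolder") or "").strip()
    senders = _senders(rule.get("conditions") or {})
    who = ", ".join(senders) if senders else "all mail"

    if any(actions.get(k) for k in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")):
        return "WARNING", f"Inbox rule {name!r} forwards {who} outside the mailbox"
    if actions.get("delete"):
        return "WARNING", f"Inbox rule {name!r} deletes {who}"
    if INVISIBLE_NAME.match(name):
        return "WARNING", f"Hidden inbox rule {name!r} routing {who} to {target or 'unknown folder'}"
    if target.lower() in SUSPICIOUS_FOLDERS:
        return "WARNING", f"Inbox rule {name!r} routing {who} to {target}"
    if any(dom in s for s in senders for dom in FINANCE_SENDERS):
        return "INFO", f"Inbox rule {name!r} filtering {who} to folder {target or 'unknown'}"
    return None


def triage_authenticators(methods: list[dict]) -> tuple[str, str] | None:
    """Flag more than one Microsoft Authenticator registration on one account.

    Same displayName with different phoneAppVersion values points at a second
    enrolment from another handset; different models usually mean a phone upgrade.
    """
    if len(methods) < 2:
        return None
    names = [m.get("displayName", "") for m in methods]
    versions = sorted({m.get("phoneAppVersion", "") for m in methods})
    dup = [n for n, c in Counter(names).items() if c > 1]
    if dup and len(versions) > 1:
        return "WARNING", f"Duplicate Authenticator: same device name {dup[0]!r}, app versions {versions}"
    return "INFO", f"{len(methods)} Authenticator devices ({', '.join(names)})"


def sweep(tenant: dict) -> list[dict]:
    """Run both checks for every mailbox and return findings, WARNINGs first."""
    findings = []
    for upn, data in tenant.items():
        hits = [triage_inbox_rule(r) for r in data.get("rules", [])]
        hits.append(triage_authenticators(data.get("authenticators", [])))
        findings += [{"severity": h[0], "finding": h[1], "user": upn} for h in hits if h]
    return sorted(findings, key=lambda f: (f["severity"] != "WARNING", f["user"]))


# Constructed sample shaped like GET /users/{id}/mailFolders/inbox/messageRules and
# GET /users/{id}/authentication/microsoftAuthenticatorMethods. Ids and versions are placeholders.
SAMPLE_TENANT = {
    "alexis@kittlearizona.com": {
        "rules": [{"displayName": ".", "isEnabled": True,
                   "conditions": {"senderContains": ["howmet.com"]},
                   "actions": {"moveToFolder": "Conversation History", "markAsRead": True}}],
        "authenticators": [{"id": "m-1", "displayName": "iPhone 12 Pro Max", "phoneAppVersion": "6.7.0"},
                           {"id": "m-2", "displayName": "iPhone 12 Pro Max", "phoneAppVersion": "6.8.40"}],
    },
    "ken@kittlearizona.com": {
        "rules": [{"displayName": "Admin", "isEnabled": True,
                   "conditions": {"fromAddresses": [{"emailAddress": {"address": "alerts@capitalone.com"}},
                                                    {"emailAddress": {"address": "noreply@bill.com"}}]},
                   "actions": {"moveToFolder": "Admin"}}],
        "authenticators": [{"id": "m-3", "displayName": "Galaxy S23", "phoneAppVersion": "6.8.40"}],
    },
    "lori@kittlearizona.com": {
        "rules": [],
        "authenticators": [{"id": "m-4", "displayName": "SM-G975U", "phoneAppVersion": "6.7.0"},
                           {"id": "m-5", "displayName": "SM-S918U", "phoneAppVersion": "6.8.40"}],
    },
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_TENANT):
        print(f"[{f['severity']}] {f['finding']} ({f['user']})")
```

Forwarding and delete actions are checked before the name test so a hidden rule that also forwards is reported for the more damaging behaviour; a rule that only files vendor mail into a normal folder, like Ken's, stays at INFO until the user confirms or denies creating it.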

---

## Remediation Actions Taken

### Onboarding

Exchange Operator and Tenant Admin apps consented by Kittle admin. Role assignments:

- Security Investigator SP (`26e16c7a`): Exchange Administrator — assigned
- Exchange Operator SP (`775ec856`): Exchange Administrator — assigned manually (onboard script missed it)
- User Manager SP (`ea0277ab`): User Administrator + Authentication Administrator — assigned

### alexis@kittlearizona.com

| Action | Result | Detail |
|---|---|---|
| Hidden "." inbox rule deleted | [OK] | Exchange identity: `alexis\2866869517449953281` |
| 3 hidden Howmet emails restored to inbox | [OK] | All HTTP 201; emails dated Feb 28 and Mar 4, 2025 |
| All sign-in sessions revoked | [OK] | `revokeSignInSessions` returned true |
| Password reset (temp, force-change) | [OK] | See credentials section below |

**Emails recovered:**

1. "RE: Kittle Visit to review open projects and Billing discrepancies" — Erick.Martinez1@howmet.com (2025-03-04)
2. "RE: HOWMET FASTENING SYSTEMS, PURCHASE ORDER: 221422333" — Miguel.Angulo@howmet.com (2025-03-04)
3. "FW: Please ignore. | Petra" — Buy.PayHowmet@howmet.com (2025-02-28)

**Still pending:**

- Ask Alexis to count Authenticator entries on her phone. If only one, remove suspicious entry:
  - Entry to remove: ID `c927402a-75c6-4a55-840a-86d1eea43a9b` (app version 6.8.40, "iPhone 12 Pro Max")

### OAuth Consents Revoked

**c5df10ae-2aa7-4283-86ef-1884c267a9ac** (AllPrincipals — 7 grants deleted, all HTTP 204):

- `rhDfxacqg0KG7xiEwmeprLz8wKqAnj1KmLeBzb1HLJo` — Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes
- `rhDfxacqg0KG7xiEwmeprFhKBKSuvdJJu5jQBa-uOnc` — LicenseManager.AccessAsUser
- `rhDfxacqg0KG7xiEwmeprLhRraINEIxGmlMZtBZahO8` — M365AdminPortal.IntegratedApps.ReadWrite, user_impersonation
- `rhDfxacqg0KG7xiEwmeprFm5M4Bw4bFKniz6sx5jbAI` — user_impersonation
- `rhDfxacqg0KG7xiEwmeprKm4oqODLdhAnY4nYViP4rs` — AllProfiles.Manage, AllSites.FullControl
- `rhDfxacqg0KG7xiEwmeprICwF0FoazRErqVlL2xiBFk` — Calendars.ReadWrite.All, Exchange.Manage, MailboxSettings.ReadWrite
- `rhDfxacqg0KG7xiEwmeprPl4LqXf8mRPjoQUGmKJt3k` — Vulnerability.Read

**9b504397-914d-4af2-b6d9-9081e80da54e** (IMAP legacy auth, 1 grant deleted, HTTP 204):

- `l0NQm02R8kq22ZCB6A2lTrz8wKqAnj1KmLeBzb1HLJoafsNfsqzMSLDHPoGZ_dNa` — IMAP.AccessAsUser.All, openid, offline_access, email, profile
- Consented by user `5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a` (user object ID — UPN not resolved)
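
The two revocations above are `DELETE /oauth2PermissionGrants/{id}` calls (Graph answers 204 on success, as the log records), one per grant object returned for the app's service principal. The block below is an added example, not the remediation tool's own code: it scores grants shaped like the Graph `oauth2PermissionGrant` resource and turns them into the ordered list of DELETE requests, revoking every grant of a client once any one of its grants is flagged, which is the per-app decision the log made for c5df10ae. The scope watchlist, the 50-scope breadth threshold, the grant ids and the filler scopes in the sample are constructed; only the two client ids and the consenting user id come from the page.

```python
from __future__ import annotations

from collections import defaultdict

# Delegated scopes that let a holder read or send mail, alter directory objects or
# roles, or act as the signed-in user. Constructed watchlist, not from the log.
HIGH_RISK_SCOPES = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Mail.Send",
    "Mail.ReadWrite", "MailboxSettings.ReadWrite", "Calendars.ReadWrite.All",
    "Exchange.Manage", "AllSites.FullControl", "AllProfiles.Manage",
    "IMAP.AccessAsUser.All", "user_impersonation",
    "M365AdminPortal.IntegratedApps.ReadWrite",
}
BROAD_SCOPE_COUNT = 50  # assumption: a single grant this wide is suspicious on its own


def classify_grant(grant: dict) -> dict:
    """Score one oauth2PermissionGrant and decide revoke / review / keep."""
    scopes = (grant.get("scope") or "").split()
    risky = sorted(set(scopes) & HIGH_RISK_SCOPES)
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    broad = len(scopes) >= BROAD_SCOPE_COUNT
    score = 2 * len(risky) + (3 if tenant_wide else 0) + (1 if broad else 0)
    if risky or (tenant_wide and broad):
        action = "revoke"
    elif tenant_wide:
        action = "review"  # tenant-wide but low-privilege: confirm the app is wanted
    else:
        action = "keep"
    return {"id": grant["id"], "clientId": grant["clientId"],
            "consentType": grant.get("consentType"), "principalId": grant.get("principalId"),
            "scopeCount": len(scopes), "risky": risky, "score": score, "action": action}


def revocation_plan(grants: list[dict]) -> list[tuple[str, str, int]]:
    """Return (method, path, expected status) for every grant to delete, riskiest client first.

    Consent is removed per app, not per scope: once any grant of a client is
    flagged, all of that client's grants are queued.
    """
    rows = [classify_grant(g) for g in grants]
    worst: dict[str, int] = defaultdict(int)
    flagged: set[str] = set()
    for r in rows:
        worst[r["clientId"]] = max(worst[r["clientId"]], r["score"])
        if r["action"] == "revoke":
            flagged.add(r["clientId"])
    todo = sorted((r for r in rows if r["clientId"] in flagged),
                  key=lambda r: (-worst[r["clientId"]], -r["score"], r["id"]))
    return [("DELETE", f"/v1.0/oauth2PermissionGrants/{r['id']}", 204) for r in todo]


# Constructed sample shaped like GET /oauth2PermissionGrants?$filter=clientId eq '{spId}'.
# Client ids are the two apps in the log; grant ids, resource ids and filler scopes are placeholders.
C5DF = "c5df10ae-2aa7-4283-86ef-1884c267a9ac"
IMAP_APP = "9b504397-914d-4af2-b6d9-9081e80da54e"
SAMPLE_GRANTS = [
    {"id": "g-01", "clientId": C5DF, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "Directory.ReadWrite.All RoleManagement.ReadWrite.Directory "
     "Mail.Send User.Read " + " ".join(f"Placeholder{i}.Read" for i in range(48))},
    {"id": "g-02", "clientId": C5DF, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "license-sp", "scope": "LicenseManager.AccessAsUser"},
    {"id": "g-03", "clientId": C5DF, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "spo-sp", "scope": "AllProfiles.Manage AllSites.FullControl"},
    {"id": "g-04", "clientId": IMAP_APP, "consentType": "Principal",
     "principalId": "5fc37e1a-acb2-48cc-b0c7-3e8199fdd35a",
     "resourceId": "exo-sp", "scope": "IMAP.AccessAsUser.All openid offline_access email profile"},
    {"id": "g-05", "clientId": "00000000-0000-0000-0000-000000000005", "consentType": "Principal",
     "principalId": "some-user", "resourceId": "graph-sp", "scope": "User.Read openid profile"},
]

if __name__ == "__main__":
    for method, path, expect in revocation_plan(SAMPLE_GRANTS):
        print(f"{method} {path}  (expect HTTP {expect})")
```

Deleting a grant stops the app from obtaining new tokens for those scopes, but access tokens already issued stay valid until they expire and the service principal itself remains in the tenant; pair the revocation with `revokeSignInSessions` for affected users, as was done for Alexis, and remove or disable the service principal if the app is not wanted at all.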
### Ken@kittlearizona.com

No action taken. Inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) still present. Awaiting confirmation from Ken whether he created it. If he can't explain it — treat as active compromise and escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions).

---

## Credentials

```
Tenant: kittlearizona.com
Tenant ID: 3d073ebe-806a-4a5e-9035-3c7c4a264fc0

alexis@kittlearizona.com
Temp password: KittleGwiNUK#2026
(force change on next login — issued 2026-04-23)
User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a

Exchange Operator SP: 775ec856-f032-4dcf-a499-ccf7f9bce07b
Tenant Admin SP: 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5
Security Investigator SP: 26e16c7a-0ac8-4f85-bdd7-992611bbd271
User Manager SP: ea0277ab-497c-45f7-b88a-e2d53f54a4c7
```

---

## Syncro

- **Ticket #32207** — "M365 Security Sweep — Breach Check & Remediation"
- Status: Resolved
- Line item: 1.0 hr Labor - Remote Business (product_id: 1190473)
- Ready to invoice — run `/syncro bill 32207` or manually in GUI

---

## Infrastructure Notes

- Kittle has no Entra P1/P2 — sign-in logs and Identity Protection unavailable
- SMTP forwarding check not completed — Exchange Admin role was not assigned to Security Investigator at time of breach check (fixed during remediation session)
- Token cache location: `/tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/`

---

## Files Changed This Session

- `clients/kittle-design/reports/2026-04-23-breach-check.md` — breach check report (written 2026-04-23)
- `.claude/skills/remediation-tool/scripts/tenant-sweep.sh` — fixed tier name `graph` → `investigator` on line 12
- `.claude/skills/remediation-tool/references/tenants.md` — Kittle row updated from NO to PARTIAL

---

## Pending Items

| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: how many Kittle Authenticator entries on her phone? Remove `c927402a` if only one. | Mike |
| P1 | Ask Ken: does he recognize the "Admin" Capital One/Bill.com rule? If no → escalate | Mike |
| P2 | Verify Alexis received temp password and changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator | Mike |
| P3 | Invoice ticket #32207 | Mike |