Investigated barbara@bardach.net login issues (account-locked message, INKY SSL errors). Finding: active distributed password-spray against the tenant (also hitting admin@), NOT a breach — no successful attacker sign-in, no mailbox/rule/ forwarding changes. Root exposure: MFA not enforced (no Entra P1 -> no CA). Remediation (Mike confirmed): enabled Security Defaults tenant-wide. Both active accounts MFA-ready (Authenticator) -> no lockout; legacy auth now blocked. - 2026-06-05-account-investigation-mfa-enforcement.md (full report) - 2026-06-05-barbara-note-draft.md (client note, for Mike to send) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
4.6 KiB
Bardach — M365 account investigation + MFA enforcement
Date: 2026-06-05
Tenant: bardach.net (dd4a82e8-85a3-44ac-8800-07945ab4d95f)
Trigger: Barbara reported odd Outlook/MS login behavior — an "account locked" message when
signing in on her phone, and brief SSL errors on her computer when authenticating with INKY to
mark an item safe.
Posture: read-only investigation (ComputerGuru Security Investigator), then one remediation
write (enable Security Defaults) on Mike's explicit confirmation.
Verdict
Active password-spray / brute-force attack against the tenant — NOT a breach. No attacker sign-in succeeded; no malicious changes to mailbox, rules, forwarding, or delegates. The "account locked" messages were Entra Smart Lockout tripping from the spray (her own attempts get the same lockout message while lockout is active). The INKY SSL errors were collateral of the lockout state.
The real exposure was that MFA was not being enforced — both active accounts had MFA methods registered, but nothing required a second factor. Fixed by enabling Security Defaults.
Evidence (barbara@bardach.net, 30-day sign-in window)
- 111 interactive sign-ins, 14 non-US. Result-code breakdown:
- 61x
50053— "account is locked, too many incorrect attempts" (Smart Lockout) - 37x
50053— "blocked, came from an IP with malicious activity" - 1x
50126— invalid username or password - 12x
0— successful, all legitimately hers
- 61x
- Foreign source IPs: BE, LU, DE, SE, GB, NO, NL — distributed spray. Every foreign attempt failed.
- All 12 successful sign-ins are hers: US only (Phoenix/Tucson), normal apps (Windows Sign In, One Outlook Web, Inky Dashboard SSO), consistent ISP ranges (192.145.119.x, 45.86.210.x, 76.159.202.44).
- No persistence/compromise indicators: no mail forwarding (Graph + Get-Mailbox both clean), no SendAs/RecipientPermission, no hidden inbox rules; the single inbox rule is INKY's disabled "Move Graymail to folder" (benign). Password last changed 2026-01-18 (not altered by attacker). Directory audits in window are only Microsoft-backend "Update user" (Substrate Management) events. Identity Protection risky-user read returned Forbidden (no Entra P2 in tenant).
conditionalAccessStatus = notApplied,authenticationRequirement = nullon every sign-in — confirming no MFA enforcement was in place.
admin@bardach.net is also under attack
admin@bardach.net showed the same spray pattern (Germany, 50053/50126); recent interactive
sign-ins in the sample were all failures/lockouts. Account has Authenticator + phone registered
(MFA-ready). This is a whole-tenant target, not just Barbara.
Tenant facts
- Users:
admin@bardach.net(enabled),barbara@bardach.net(enabled),stuart@bardach.net(disabled). - Licensing: O365_BUSINESS (Office 365 Business), EXCHANGEENTERPRISE (Exchange Online Plan 2), EXCHANGEARCHIVE. No Entra ID P1 -> Conditional Access not available; Identity Protection not available.
- MFA methods registered: barbara@ = password, phone, Authenticator, Windows Hello (x3 devices). admin@ = password, email, phone, Authenticator. Both MFA-ready.
- Security Defaults: was
isEnabled=false. No Conditional Access policies (no P1).
Action taken
- Enabled Security Defaults (
PATCH /policies/identitySecurityDefaultsEnforcementPolicy{isEnabled:true}via ComputerGuru Tenant Admin SP). First read-back lagged (false); confirmedisEnabled=trueon re-read and via re-PATCH returning the full policy object. Effective immediately. - Effect: MFA enforced for all users tenant-wide; legacy/basic auth blocked (also closes a common spray entry point). Both active accounts have Authenticator -> no lockout. Security Defaults is all-or-nothing (no per-user/break-glass exclusions — that is a CA-only capability).
- Password: NOT rotated (Mike's call — MFA now gates the account).
Follow-ups (optional)
- Consider rotating
admin@bardach.net's password — high-value target, recently all-failed sign-ins. MFA now mitigates, so no urgency. - For finer control (named-location blocking, break-glass exclusions, risk-based MFA), Bardach would need Microsoft 365 Business Premium / Entra ID P1 — an upsell conversation, not a current need.
- Smart Lockout messages for Barbara should taper as the spray ages out. If lockouts persist, it is the ongoing spray, not her credentials.
Raw artifacts
/tmp/remediation-tool/dd4a82e8-85a3-44ac-8800-07945ab4d95f/user-breach/barbara_bardach_net/
(00_user .. 10_deleted JSON — sign-ins, rules, mailbox, auth methods).