Files
claudetools/clients/kittle/reports/2026-06-08-breach-check.md
Mike Swanson 7f7f844eba sync: auto-sync from GURU-BEAST-ROG at 2026-06-08 15:55:24
Author: Mike Swanson
Machine: GURU-BEAST-ROG
Timestamp: 2026-06-08 15:55:24
2026-06-08 15:55:30 -07:00

157 lines
8.4 KiB
Markdown

# Breach Incident Report — Kittle Design & Construction (kittlearizona.com)
**Date:** 2026-06-08 UTC
**Requested by:** Mike Swanson
**Tenant ID:** 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
**Syncro Ticket:** #32393
**Status:** ACTIVE INCIDENT — CONTAINED
---
## Incident Summary
Active BEC (Business Email Compromise). Ken Schagel's Global Admin account was compromised. Attacker accessed the account for ~8 hours before launching a 1,000-recipient phishing campaign posing as an OneDrive file share. Attacker planted malicious inbox rules on 3 mailboxes and created a Global Admin backdoor on Lori Schagel's account. All remediated.
---
## Attack Timeline
| UTC | Event |
|-----|-------|
| 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise |
| 13:24 | **[BREACH START]** First OWA login — 64.44.131.168 (Chicago, Nexeon Technologies VPN/hosting) |
| 13:37 | Ken's T-Mobile phone access (legitimate, unaware) |
| 15:00 | Attacker returns — 64.44.131.168 |
| 15:17 | Ken sends legitimate email via Cox Communications (Phoenix AZ) |
| 15:32 | Attacker sends test email from OWA — **concurrent with Ken's legitimate use** |
| 16:14 | Attacker sends second test email from OWA |
| 18:36 | Contact harvest starts — python-httpx/0.28.1 from Azure 40.126.41.96 (250+ MailItemsAccessed events) |
| 18:52 | Attacker reviews Sent/Deleted/RSS Feeds folders from OWA |
| 18:53 | Contact harvest ends |
| 21:14 | Phishing batch 1: 17 recipients |
| 21:16 | Phishing batch 2: 300 recipients |
| 21:20 | Phishing batch 3: 300 recipients |
| 21:23 | Phishing batch 4: 300 recipients |
| 21:26 | Phishing batch 5: 83 recipients — 45.134.224.220 (Kansas City MO, PacketHub S.A.) |
| 21:27 | Ken's password reset (SSPR) |
| ~21:30 | Howard (ACG) receives phishing email, incident detected |
| 21:41 | Mike manually blocks Ken's sign-in in portal, sets temp password |
| ~22:00 | ACG investigation and remediation begins |
---
## Attacker Infrastructure
| IP | Use | Geolocation | ASN |
|----|-----|-------------|-----|
| 64.44.131.168 | OWA browser access (initial + ongoing) | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) |
| 40.126.41.96 | Contact scraping via python-httpx | Microsoft Azure | Microsoft Corp |
| 45.134.224.220 | Bulk phishing send | Kansas City, MO | AS147049 PacketHub S.A. (hosting) |
**Attacker tool:** python-httpx/0.28.1 with OAuth token for Microsoft Desktop app (`d3590ed6-52b3-4102-aeff-aad2292ab01c`)
**AAD Session:** `0031c64a-94a8-7629-20ad-c42db69d76c7`
---
## Phishing Campaign Stats
| Metric | Value |
|--------|-------|
| Total sent | 1,000 |
| Delivered | 747 |
| Failed/bounced | 227 |
| Pending | 25 |
| Subject | "Ken Schagel shared a file with you" |
| Lure | Fake OneDrive/SharePoint file-share notification |
| Victim notification sent | 740 (automated addresses filtered) |
---
## Malicious Artifacts Found and Removed
### Inbox Rules (planted by attacker across 3 mailboxes)
| Mailbox | Rule Name | Action | Status |
|---------|-----------|--------|--------|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds, Priority 1 | DELETED |
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, Priority 2 | DELETED |
**Note:** Accounting ".." + "..." rules were actively suppressing ALL incoming mail at time of discovery. Mail flow restored on deletion.
**Note:** Ken's mailbox has a "Christina Micek" rule (StopProcessingRules:true, no action) that predates the incident. Needs investigation — possibly legitimate, possibly attacker remnant.
### Backdoor Admin Account
Lori@kittlearizona.com had 10 admin roles assigned — **including Global Administrator**. All 10 roles stripped, sessions revoked.
Roles removed: Global Administrator, Exchange Administrator, User Administrator, Teams Administrator, SharePoint Administrator, Helpdesk Administrator, AI Administrator, Global Reader, Service Support Administrator, User Experience Success Manager
**Role assignment timing — RESOLVED:** directoryAudits confirmed no "Add member to role" events for any user in the last 30 days except ACG's own remediation actions. Lori's roles were **pre-existing** (assigned >30 days before the incident). The attacker did NOT plant a backdoor — Lori was already a Global Admin before the compromise. This means the tenant had two GA accounts (Ken + Lori) going into the incident. Recommend reviewing whether Lori legitimately requires GA access, or if it was an oversight during initial tenant setup.
---
## Remediation Actions Completed
| Action | Status |
|--------|--------|
| Ken sessions revoked | [OK] |
| Ken admin roles stripped (10 roles) | [OK] |
| Ken sign-in blocked (by Mike in portal) | [OK] |
| Ken temp password set: B/947405806521av | [OK] — vaulted |
| Ken malicious inbox rules deleted: "." + "Admin" | [OK] |
| Wrex sessions revoked | [OK] |
| Wrex password reset: Kittle@1426Wrx!47E742 | [OK] |
| Alexis PERFECTDATA OAuth grant revoked | [OK] |
| Alexis Alignable OAuth grant revoked (offline_access + Contacts.Read) | [OK] |
| Alexis malicious inbox rule "..." deleted | [OK] |
| Accounting malicious rules ".." + "..." deleted | [OK] |
| Lori backdoor admin roles stripped (10 roles, all pre-existing not attacker-planted) | [OK] |
| Lori sessions revoked | [OK] |
| Lori re-assigned User Administrator (legitimate scope) | [OK] |
| Victim notification sent (740 recipients) | [OK] — via admin@kittlearizona.com |
| Syncro ticket #32393 updated with temp passwords | [OK] |
---
## Open Items / Recommendations
1. **Re-enable Ken's account** — DONE (Mike re-enabled). Ken's MFA verified clean (single iPhone 12 Pro Max, no attacker devices). Ken's admin roles still need to be re-added after incident is declared closed.
2. **Christina Micek inbox rule on Ken** — rule has StopProcessingRules:true, no action, no filter. Unknown if legitimate or attacker-planted. Needs Ken to confirm before declaring his mailbox fully clean.
3. **Lori's role assignment timing** — RESOLVED: pre-existing. Roles were assigned >30 days before the incident (no Add member to role events found in directoryAudits for the last 30 days). Attacker did NOT plant a backdoor. Recommend reviewing whether Lori legitimately needs GA access or if it should be downscoped.
4. **Phishing URL unknown** — email body not recoverable (message purged when account disabled). Submit `45.134.224.220` (PacketHub send IP) to threat intel if needed.
5. **Entra ID P1 licensing** — sign-in logs blocked. Without P1, foreign sign-in detection is blind. Tenant appears to be on O365 E3 (not M365 E3). Recommend Entra P1 add-on or upgrade to M365 E3.
6. **MFA review for all users** — Alexis duplicate Authenticator ("iPhone 12 Pro Max" x2 — one may be a legacy registration), Lori two Authenticator devices (SM-G975U + SM-F766U, likely old device not removed). Both can self-serve at mysignins.microsoft.com or ACG can reset for them.
7. **Alignable OAuth on Alexis** — Contacts.Read scope, unverified publisher. Decision deferred to Alexis — revoke if she doesn't recognize it.
8. **Ken admin roles** — all 10 stripped during remediation. Re-add appropriate roles (Global Admin + Exchange Admin at minimum) once incident is closed and Ken's account is verified clean.
9. **DKIM/DMARC** — not configured on kittlearizona.com. A DMARC policy would have allowed Microsoft to classify the phishing emails as DMARC fail, reducing delivery. Recommend implementing.
10. **Lori GA access review** — with GA confirmed pre-existing (not attacker-planted), assess if Lori legitimately needs Global Administrator. If not, downscope to Exchange Administrator or appropriate role. Two GA accounts on a small tenant is unnecessary exposure.
---
## Vault Entries Created
- `vault/clients/kittle/m365-ken-schagel-incident.sops.yaml` — Ken's temp password and incident notes
---
## Limitations
| Check | Status | Reason |
|-------|--------|--------|
| Sign-in logs (Graph API) | BLOCKED | Tenant lacks Entra P1 (O365 E3 vs M365 E3) |
| Risky users (Graph API) | BLOCKED | Same |
| Directory audit (role assignment timing) | BLOCKED | Requires AuditLog.Read.All + P1 |
| Phishing email body/URL | UNAVAILABLE | Message purged when Ken's account was disabled |