157 lines
8.4 KiB
Markdown
157 lines
8.4 KiB
Markdown
# Breach Incident Report — Kittle Design & Construction (kittlearizona.com)
|
|
|
|
**Date:** 2026-06-08 UTC
|
|
**Requested by:** Mike Swanson
|
|
**Tenant ID:** 3d073ebe-806a-4a5e-9035-3c7c4a264fc0
|
|
**Syncro Ticket:** #32393
|
|
**Status:** ACTIVE INCIDENT — CONTAINED
|
|
|
|
---
|
|
|
|
## Incident Summary
|
|
|
|
Active BEC (Business Email Compromise). Ken Schagel's Global Admin account was compromised. Attacker accessed the account for ~8 hours before launching a 1,000-recipient phishing campaign posing as an OneDrive file share. Attacker planted malicious inbox rules on 3 mailboxes and created a Global Admin backdoor on Lori Schagel's account. All remediated.
|
|
|
|
---
|
|
|
|
## Attack Timeline
|
|
|
|
| UTC | Event |
|
|
|-----|-------|
|
|
| 09:03 | Normal Outlook sync (Microsoft IPs) — pre-compromise |
|
|
| 13:24 | **[BREACH START]** First OWA login — 64.44.131.168 (Chicago, Nexeon Technologies VPN/hosting) |
|
|
| 13:37 | Ken's T-Mobile phone access (legitimate, unaware) |
|
|
| 15:00 | Attacker returns — 64.44.131.168 |
|
|
| 15:17 | Ken sends legitimate email via Cox Communications (Phoenix AZ) |
|
|
| 15:32 | Attacker sends test email from OWA — **concurrent with Ken's legitimate use** |
|
|
| 16:14 | Attacker sends second test email from OWA |
|
|
| 18:36 | Contact harvest starts — python-httpx/0.28.1 from Azure 40.126.41.96 (250+ MailItemsAccessed events) |
|
|
| 18:52 | Attacker reviews Sent/Deleted/RSS Feeds folders from OWA |
|
|
| 18:53 | Contact harvest ends |
|
|
| 21:14 | Phishing batch 1: 17 recipients |
|
|
| 21:16 | Phishing batch 2: 300 recipients |
|
|
| 21:20 | Phishing batch 3: 300 recipients |
|
|
| 21:23 | Phishing batch 4: 300 recipients |
|
|
| 21:26 | Phishing batch 5: 83 recipients — 45.134.224.220 (Kansas City MO, PacketHub S.A.) |
|
|
| 21:27 | Ken's password reset (SSPR) |
|
|
| ~21:30 | Howard (ACG) receives phishing email, incident detected |
|
|
| 21:41 | Mike manually blocks Ken's sign-in in portal, sets temp password |
|
|
| ~22:00 | ACG investigation and remediation begins |
|
|
|
|
---
|
|
|
|
## Attacker Infrastructure
|
|
|
|
| IP | Use | Geolocation | ASN |
|
|
|----|-----|-------------|-----|
|
|
| 64.44.131.168 | OWA browser access (initial + ongoing) | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) |
|
|
| 40.126.41.96 | Contact scraping via python-httpx | Microsoft Azure | Microsoft Corp |
|
|
| 45.134.224.220 | Bulk phishing send | Kansas City, MO | AS147049 PacketHub S.A. (hosting) |
|
|
|
|
**Attacker tool:** python-httpx/0.28.1 with OAuth token for Microsoft Desktop app (`d3590ed6-52b3-4102-aeff-aad2292ab01c`)
|
|
**AAD Session:** `0031c64a-94a8-7629-20ad-c42db69d76c7`
|
|
|
|
---
|
|
|
|
## Phishing Campaign Stats
|
|
|
|
| Metric | Value |
|
|
|--------|-------|
|
|
| Total sent | 1,000 |
|
|
| Delivered | 747 |
|
|
| Failed/bounced | 227 |
|
|
| Pending | 25 |
|
|
| Subject | "Ken Schagel shared a file with you" |
|
|
| Lure | Fake OneDrive/SharePoint file-share notification |
|
|
| Victim notification sent | 740 (automated addresses filtered) |
|
|
|
|
---
|
|
|
|
## Malicious Artifacts Found and Removed
|
|
|
|
### Inbox Rules (planted by attacker across 3 mailboxes)
|
|
|
|
| Mailbox | Rule Name | Action | Status |
|
|
|---------|-----------|--------|--------|
|
|
| Ken@kittlearizona.com | "." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
|
|
| Ken@kittlearizona.com | "Admin" | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
|
|
| alexis@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, MarkAsRead, StopProcessing | DELETED |
|
|
| Accounting@kittlearizona.com | ".." | Move mail FROM Ken → RSS Feeds, Priority 1 | DELETED |
|
|
| Accounting@kittlearizona.com | "..." | Move ALL mail → RSS Feeds, Priority 2 | DELETED |
|
|
|
|
**Note:** Accounting ".." + "..." rules were actively suppressing ALL incoming mail at time of discovery. Mail flow restored on deletion.
|
|
|
|
**Note:** Ken's mailbox has a "Christina Micek" rule (StopProcessingRules:true, no action) that predates the incident. Needs investigation — possibly legitimate, possibly attacker remnant.
|
|
|
|
### Backdoor Admin Account
|
|
|
|
Lori@kittlearizona.com had 10 admin roles assigned — **including Global Administrator**. All 10 roles stripped, sessions revoked.
|
|
|
|
Roles removed: Global Administrator, Exchange Administrator, User Administrator, Teams Administrator, SharePoint Administrator, Helpdesk Administrator, AI Administrator, Global Reader, Service Support Administrator, User Experience Success Manager
|
|
|
|
**Role assignment timing — RESOLVED:** directoryAudits confirmed no "Add member to role" events for any user in the last 30 days except ACG's own remediation actions. Lori's roles were **pre-existing** (assigned >30 days before the incident). The attacker did NOT plant a backdoor — Lori was already a Global Admin before the compromise. This means the tenant had two GA accounts (Ken + Lori) going into the incident. Recommend reviewing whether Lori legitimately requires GA access, or if it was an oversight during initial tenant setup.
|
|
|
|
---
|
|
|
|
## Remediation Actions Completed
|
|
|
|
| Action | Status |
|
|
|--------|--------|
|
|
| Ken sessions revoked | [OK] |
|
|
| Ken admin roles stripped (10 roles) | [OK] |
|
|
| Ken sign-in blocked (by Mike in portal) | [OK] |
|
|
| Ken temp password set: B/947405806521av | [OK] — vaulted |
|
|
| Ken malicious inbox rules deleted: "." + "Admin" | [OK] |
|
|
| Wrex sessions revoked | [OK] |
|
|
| Wrex password reset: Kittle@1426Wrx!47E742 | [OK] |
|
|
| Alexis PERFECTDATA OAuth grant revoked | [OK] |
|
|
| Alexis Alignable OAuth grant revoked (offline_access + Contacts.Read) | [OK] |
|
|
| Alexis malicious inbox rule "..." deleted | [OK] |
|
|
| Accounting malicious rules ".." + "..." deleted | [OK] |
|
|
| Lori backdoor admin roles stripped (10 roles, all pre-existing not attacker-planted) | [OK] |
|
|
| Lori sessions revoked | [OK] |
|
|
| Lori re-assigned User Administrator (legitimate scope) | [OK] |
|
|
| Victim notification sent (740 recipients) | [OK] — via admin@kittlearizona.com |
|
|
| Syncro ticket #32393 updated with temp passwords | [OK] |
|
|
|
|
---
|
|
|
|
## Open Items / Recommendations
|
|
|
|
1. **Re-enable Ken's account** — DONE (Mike re-enabled). Ken's MFA verified clean (single iPhone 12 Pro Max, no attacker devices). Ken's admin roles still need to be re-added after incident is declared closed.
|
|
|
|
2. **Christina Micek inbox rule on Ken** — rule has StopProcessingRules:true, no action, no filter. Unknown if legitimate or attacker-planted. Needs Ken to confirm before declaring his mailbox fully clean.
|
|
|
|
3. **Lori's role assignment timing** — RESOLVED: pre-existing. Roles were assigned >30 days before the incident (no Add member to role events found in directoryAudits for the last 30 days). Attacker did NOT plant a backdoor. Recommend reviewing whether Lori legitimately needs GA access or if it should be downscoped.
|
|
|
|
4. **Phishing URL unknown** — email body not recoverable (message purged when account disabled). Submit `45.134.224.220` (PacketHub send IP) to threat intel if needed.
|
|
|
|
5. **Entra ID P1 licensing** — sign-in logs blocked. Without P1, foreign sign-in detection is blind. Tenant appears to be on O365 E3 (not M365 E3). Recommend Entra P1 add-on or upgrade to M365 E3.
|
|
|
|
6. **MFA review for all users** — Alexis duplicate Authenticator ("iPhone 12 Pro Max" x2 — one may be a legacy registration), Lori two Authenticator devices (SM-G975U + SM-F766U, likely old device not removed). Both can self-serve at mysignins.microsoft.com or ACG can reset for them.
|
|
|
|
7. **Alignable OAuth on Alexis** — Contacts.Read scope, unverified publisher. Decision deferred to Alexis — revoke if she doesn't recognize it.
|
|
|
|
8. **Ken admin roles** — all 10 stripped during remediation. Re-add appropriate roles (Global Admin + Exchange Admin at minimum) once incident is closed and Ken's account is verified clean.
|
|
|
|
9. **DKIM/DMARC** — not configured on kittlearizona.com. A DMARC policy would have allowed Microsoft to classify the phishing emails as DMARC fail, reducing delivery. Recommend implementing.
|
|
|
|
10. **Lori GA access review** — with GA confirmed pre-existing (not attacker-planted), assess if Lori legitimately needs Global Administrator. If not, downscope to Exchange Administrator or appropriate role. Two GA accounts on a small tenant is unnecessary exposure.
|
|
|
|
---
|
|
|
|
## Vault Entries Created
|
|
|
|
- `vault/clients/kittle/m365-ken-schagel-incident.sops.yaml` — Ken's temp password and incident notes
|
|
|
|
---
|
|
|
|
## Limitations
|
|
|
|
| Check | Status | Reason |
|
|
|-------|--------|--------|
|
|
| Sign-in logs (Graph API) | BLOCKED | Tenant lacks Entra P1 (O365 E3 vs M365 E3) |
|
|
| Risky users (Graph API) | BLOCKED | Same |
|
|
| Directory audit (role assignment timing) | BLOCKED | Requires AuditLog.Read.All + P1 |
|
|
| Phishing email body/URL | UNAVAILABLE | Message purged when Ken's account was disabled |
|