145 lines
6.3 KiB
Markdown
145 lines
6.3 KiB
Markdown
# Kittle Design & Construction — Full M365 Sweep
|
|
**Date:** 2026-06-08
|
|
**Tenant:** kittlearizona.com (3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
|
|
**Performed by:** ComputerGuru Security Investigator (read-only)
|
|
**Scope:** All 13 licensed mailboxes — inbox rules, SMTP forwarding, OAuth consents, MFA methods
|
|
|
|
---
|
|
|
|
## Summary
|
|
|
|
All critical findings from the 2026-04-23 breach check are confirmed resolved. No new active compromises found. Three legacy MFA cleanup items remain open (carried over from April).
|
|
|
|
---
|
|
|
|
## SMTP Forwarding — All Clean [OK]
|
|
|
|
This check was skipped in April (Exchange Admin role was missing on Security Investigator SP at that time). Now confirmed:
|
|
|
|
| Mailbox | ForwardingAddress | ForwardingSmtpAddress | Status |
|
|
|---|---|---|---|
|
|
| Accounting | none | none | [OK] |
|
|
| Admin | none | none | [OK] |
|
|
| Alexis | none | none | [OK] |
|
|
| Brandon | none | none | [OK] |
|
|
| Hayden | none | none | [OK] |
|
|
| Jason | none | none | [OK] |
|
|
| Joshua | none | none | [OK] |
|
|
| Ken | none | none | [OK] |
|
|
| Lori | none | none | [OK] |
|
|
| Marco | none | none | [OK] |
|
|
| Neal | none | none | [OK] |
|
|
| Scott | none | none | [OK] |
|
|
| Wrex | none | none | [OK] |
|
|
|
|
---
|
|
|
|
## Inbox Rules
|
|
|
|
| Mailbox | Rules Found | Status |
|
|
|---|---|---|
|
|
| Accounting | None | [OK] |
|
|
| Admin | None | [OK] |
|
|
| Alexis | None | [OK] — hidden rule "." confirmed deleted |
|
|
| Brandon | None | [OK] |
|
|
| Hayden | None | [OK] |
|
|
| Jason | None | [OK] |
|
|
| Joshua | None | [OK] |
|
|
| Ken | "Christina Micek" (copy-to-folder on emails sent TO Christina) | [OK] — benign org rule |
|
|
| Lori | None | [OK] |
|
|
| Marco | None | [OK] |
|
|
| Neal | None | [OK] |
|
|
| Scott | None | [OK] |
|
|
| Wrex | None | [OK] |
|
|
|
|
**Ken's prior "Admin" rule (Capital One/Bill.com/@flystucson.com filter) — CONFIRMED GONE [RESOLVED]**
|
|
|
|
---
|
|
|
|
## OAuth App Consents — No Suspicious Grants
|
|
|
|
| App | Publisher | Grant Type | Scope | Verdict |
|
|
|---|---|---|---|---|
|
|
| iOS Accounts | Apple Inc. (verified) | AllPrincipals | EAS.AccessAsUser.All, EWS.AccessAsUser.All | [OK] — standard iOS native mail |
|
|
| SharePoint Online Web Client Extensibility | Microsoft | AllPrincipals | Files.ReadWrite.All, Sites.FullControl.All, etc. | [OK] — Microsoft SP |
|
|
| Microsoft Teams | Microsoft | AllPrincipals | standard Teams scopes | [OK] |
|
|
| ComputerGuru AI Remediation | Arizona Computer Guru LLC (verified) | AllPrincipals | User.Read | [OK] — our app |
|
|
| QuickBooks Desktop | Intuit (verified) | Accounting only | Mail.Send | [OK] — QB uses it to send email |
|
|
| Gmail | Google LLC (verified) | Scott only | EAS.AccessAsUser.All, offline_access | [OK] — Scott using Gmail as email client |
|
|
| MyFiles (Samsung) | Samsung (unverified) | Jason only | Files.ReadWrite, User.Read | [OK] — Samsung My Files app (SM-X218U tablet) |
|
|
| One Calendar | Code Spark (verified) | Wrex only | Calendars.ReadWrite, Contacts.Read | [OK] — calendar sync app |
|
|
| Read AI | Unverified | Marco only | User.Read, email, offline_access | [OK] — meeting notes AI, low scope |
|
|
| Virtru | Unverified | AllPrincipals | User.Read only | [INFO] — email encryption, no mail access |
|
|
| BMO Secure Email (Echoworx) | Echoworx (verified) | AllPrincipals | User.Read only | [OK] — secure email portal |
|
|
|
|
**Old malicious app c5df10ae (Directory.ReadWrite.All, Mail.Send, 50+ scopes) — CONFIRMED GONE [RESOLVED]**
|
|
|
|
---
|
|
|
|
## MFA Authentication Methods
|
|
|
|
| User | Authenticator | Phone | Software OATH | Status |
|
|
|---|---|---|---|---|
|
|
| Accounting | SM-F731U1 | — | — | [OK] |
|
|
| Admin (Kimberly) | moto g power 5G | — | — | [OK] |
|
|
| Alexis | iPhone 12 Pro Max (x2) | +1 5206280921 | Yes (7d1425ca) | [WARNING] see below |
|
|
| Brandon | SM-F741U | — | — | [OK] |
|
|
| Hayden | iPhone 12 Pro Max | — | — | [OK] |
|
|
| Jason | SM-X218U | — | — | [OK] |
|
|
| Joshua | iPad Pro 11" (2nd gen) | — | — | [OK] |
|
|
| Ken | iPhone 12 Pro Max | — | — | [OK] |
|
|
| Lori | SM-G975U + SM-F766U | — | — | [WARNING] see below |
|
|
| Marco | iPhone 14 | — | — | [OK] |
|
|
| Neal | iPhone 16 Pro | — | — | [OK] |
|
|
| Scott | — | +1 5202884444 | — | [WARNING] no Authenticator app |
|
|
| Wrex | iPhone 14 | +1 5209122806 | — | [OK] |
|
|
|
|
### MFA Open Items
|
|
|
|
**[WARNING] Alexis — suspicious Authenticator still present:**
|
|
- Entry `c927402a-75c6-4a55-840a-86d1eea43a9b` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
|
|
- Entry `7365a870-4809-4fdc-9e9b-dcd76eddb8ef` — "iPhone 12 Pro Max", deviceTag: SoftwareTokenActivated
|
|
- Both entries identical display names, both SoftwareTokenActivated. One is legitimate; one should be removed.
|
|
- Action: Ask Alexis how many Authenticator entries she sees in her Microsoft Authenticator app. If she sees only one kittlearizona.com account, remove `c927402a`.
|
|
- Alexis also has a software OATH token (7d1425ca) — if she doesn't use a hardware TOTP key, remove this too.
|
|
|
|
**[WARNING] Lori — old Samsung device still registered:**
|
|
- SM-G975U (Samsung S10+) — old phone
|
|
- SM-F766U (Samsung Z Flip) — current phone (presumably)
|
|
- Action: Confirm with Lori which is her current phone, then remove the old entry.
|
|
|
|
**[WARNING] Scott — phone-only MFA:**
|
|
- Only MFA method is SMS/call to +1 5202884444
|
|
- No Microsoft Authenticator enrolled
|
|
- SMS MFA is significantly weaker than app-based MFA
|
|
- Action: Enroll Scott in Microsoft Authenticator
|
|
|
|
---
|
|
|
|
## Resolved Findings (from 2026-04-23)
|
|
|
|
| Finding | Status |
|
|
|---|---|
|
|
| Alexis hidden inbox rule "." (routing Howmet emails) | [RESOLVED] — confirmed gone |
|
|
| Ken "Admin" inbox rule (Capital One/Bill.com/@flystucson.com) | [RESOLVED] — confirmed gone |
|
|
| Malicious OAuth app c5df10ae (Directory.ReadWrite.All + 50 scopes) | [RESOLVED] — confirmed gone |
|
|
| IMAP legacy auth grant 9b504397 | [RESOLVED] — confirmed gone |
|
|
| SMTP forwarding check (was incomplete in April) | [RESOLVED] — all clean, confirmed 2026-06-08 |
|
|
|
|
---
|
|
|
|
## Outstanding Items
|
|
|
|
| Priority | Item | Owner |
|
|
|---|---|---|
|
|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove `c927402a`. Also remove software OATH token if unused. | Mike |
|
|
| P2 | Ask Lori: confirm current phone is the Z Flip (SM-F766U), then remove SM-G975U entry | Mike |
|
|
| P3 | Enroll Scott in Microsoft Authenticator (replace phone-only MFA) | Mike |
|
|
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business) | Mike |
|
|
|
|
---
|
|
|
|
## Vault Paths Accessed
|
|
|
|
- `msp-tools/computerguru-security-investigator.sops.yaml` (investigator + investigator-exo tiers)
|