claudetools/wiki/clients/kittle-design.md
Mike Swanson f4fb131529 wiki: seed remaining clients and projects (batch 3)
Adds 11 client articles and 5 project articles:

Clients: kittle, khalsa, anaise, azcomputerguru.com, bg-builders,
evs, furrier, horseshoe-management, kittle-design, scileppi-law,
western-tire

Projects: discord-bot, radio-show, msp-pricing, wrightstown-smarthome,
wrightstown-solar

Updates wiki/index.md with all new entries, cross-references, and
removes seeded client:birthbiologic from compilation queue.

Critical findings surfaced:
- Kittle: WS2025 EVAL license, no backups, 3 plaintext creds in Syncro
- Western Tire: SSL cert *.westerntire.com expires 2026-05-30
- Kittle Design: active compromise (Ken inbox rule unresolved)
- Horseshoe Mgmt: plaintext creds for 5+ users in Syncro notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-24 19:59:40 -07:00


| type | name | display_name | last_compiled | compiled_by | sources |
|---|---|---|---|---|---|
| client | kittle-design | Kittle Design & Construction | 2026-05-24 | DESKTOP-0O8A1RL/claude-main | clients/kittle-design/session-logs/2026-04-24-session.md |

Kittle Design & Construction

Overview

  • Business type: Design & construction firm
  • M365 tenant: kittlearizona.com
  • Billing model: Time and materials [unverified — one ticket observed]
  • Billing rate: Unknown (Labor - Remote Business, product_id 1190473)
  • Contract status: Unknown
  • Syncro ticket: #32207

Contacts

| Name | UPN | Notes |
|---|---|---|
| Alexis | alexis@kittlearizona.com | Confirmed compromise — hidden inbox rule, duplicate Authenticator, password reset issued |
| Ken | Ken@kittlearizona.com | Suspicious inbox rule "Admin" (Capital One/Bill.com) — status unconfirmed as of session end |
| Lori | Lori@kittlearizona.com | Two Authenticator entries (different Samsung models — likely phone upgrade) |
| Scott | scott@kittlearizona.com | Phone-only MFA, no Authenticator enrolled |

Infrastructure

  • On-premises servers/workstations: Not documented.
  • Entra P1/P2: NOT licensed — sign-in logs and Identity Protection unavailable.
  • Token cache location (local): /tmp/remediation-tool/3d073ebe-806a-4a5e-9035-3c7c4a264fc0/

Network

(not documented)

Cloud / M365

| Property | Value |
|---|---|
| Tenant domain | kittlearizona.com |
| Tenant ID | 3d073ebe-806a-4a5e-9035-3c7c4a264fc0 |
| Entra P1/P2 | No — sign-in logs unavailable |
| Exchange Admin role | Assigned to Security Investigator SP (manually) |

Service Principals (Remediation Tool)

| App | SP Object ID | Role |
|---|---|---|
| Security Investigator | 26e16c7a-0ac8-4f85-bdd7-992611bbd271 | Exchange Administrator |
| Exchange Operator | 775ec856-f032-4dcf-a499-ccf7f9bce07b | Exchange Administrator |
| User Manager | ea0277ab-497c-45f7-b88a-e2d53f54a4c7 | User Administrator + Authentication Administrator |
| Tenant Admin | 0caa0dde-3f8d-4d46-ab26-aa0d38add0b5 | (role not documented) |

[WARNING] Alexis's temp password KittleGwiNUK#2026 was in the session log. This is a force-change-on-login temp password issued 2026-04-23 — it should already be changed. Do not use. Store any active credentials in vault only.

Alexis — Compromise Details

  • Hidden inbox rule "." — was routing Howmet-related emails to Conversation History folder. Deleted.
  • Emails recovered (moved back to inbox, HTTP 201):
  • Duplicate Authenticator entries — two entries, same device name "iPhone 12 Pro Max" but different app versions. Suspicious entry ID: c927402a-75c6-4a55-840a-86d1eea43a9b (app version 6.8.40). Pending removal after confirmation from Alexis.
  • Sessions revoked — revokeSignInSessions returned true.
  • Password reset — temp password issued, force-change enforced.
  • User object ID: 74a1eae1-c0dd-4544-a98f-3a18f809785a
  • Exchange identity: alexis\2866869517449953281

OAuth Consents Revoked

c5df10ae-2aa7-4283-86ef-1884c267a9ac (AllPrincipals — 7 grants deleted):

  • Had Directory.ReadWrite.All, RoleManagement, Mail.Send, 50+ scopes — extremely broad.

9b504397-914d-4af2-b6d9-9081e80da54e (IMAP legacy auth — 1 grant deleted):

  • IMAP.AccessAsUser.All, openid, offline_access — consented by unknown user.

GuruRMM

(not documented)

Active Projects / Open Items

| Priority | Action | Owner |
|---|---|---|
| P1 | Ask Alexis: count Authenticator entries on phone. If only one, remove suspicious entry c927402a | Mike |
| P1 | Ask Ken: does he recognize the "Admin" inbox rule (Capital One, Bill.com, @flystucson.com)? If no → escalate (password reset, session revocation, rule deletion, check Bill.com/Capital One transactions) | Mike |
| P2 | Verify Alexis received temp password KittleGwiNUK#2026 and has changed it | Mike |
| P3 | Remove Lori's old Authenticator (SM-G975U Samsung S10+) after confirming current phone | Mike |
| P3 | Enroll Scott in Microsoft Authenticator (currently phone-only MFA) | Mike |
| P3 | Invoice ticket #32207 (1.0 hr Labor - Remote Business, product_id 1190473) | Mike |

Key Events / History

2026-04-23/24 — Full M365 breach check and remediation

Full report: clients/kittle-design/reports/2026-04-23-breach-check.md

  • Onboarded Exchange Operator and Tenant Admin apps (consent + role assignment).
  • Exchange Administrator role was NOT assigned to Security Investigator at time of initial breach check — assigned manually during remediation. SMTP forwarding check was therefore incomplete during the breach check phase.
  • Two high-severity findings: Alexis's hidden inbox rule and duplicate Authenticator.
  • One unresolved finding: Ken's "Admin" rule — awaiting his response.
  • Seven OAuth grants deleted from the AllPrincipals consent (c5df10ae) — very broad scopes including Directory.ReadWrite.All.

Anti-Patterns / Warnings

  • [WARNING] Ken's inbox rule "Admin" (filtering Capital One, Bill.com, @flystucson.com) is unresolved. If Ken cannot explain it, treat as active compromise: password reset, session revocation, rule deletion, check financial accounts immediately.
  • [WARNING] SMTP forwarding check was NOT completed — Exchange Admin role was missing on Security Investigator during initial sweep. Re-run SMTP forwarding check on all mailboxes.
  • [WARNING] Kittle has NO Entra P1/P2 — sign-in log queries and Identity Protection risky user signals are unavailable. Rely on Exchange audit logs and consent audits only.
  • Do not use the AllPrincipals consent app ID c5df10ae for anything — it was a malicious/overbroad app and all its grants have been revoked.
  • (no related wiki articles yet)
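As an added triage example (not part of this article or of the remediation tool), the following Python heuristic scores an inbox-rule export in the Microsoft Graph messageRule JSON shape for the patterns seen on this tenant: the "." rule parking Howmet mail in Conversation History and the "Admin" rule filtering Capital One / Bill.com senders, plus deletion and external forwarding, which is what a re-run forwarding sweep should also surface. It assumes the export already resolved moveToFolder ids to folder display names; the two sample rules are constructed from the descriptions above.

```python
"""Triage an inbox-rule export (Microsoft Graph messageRule JSON shape) for the
patterns in this incident: hidden names, mail parked in rarely-read folders,
deletion, external forwarding, and filters on financial senders."""

HIDE_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                "archive", "junk email", "deleted items"}
FINANCE_TERMS = ("capital one", "capitalone", "bill.com", "invoice", "payment",
                 "wire", "ach", "bank")

def _terms(conditions):
    """Flatten the string-list Graph conditions into lowercase search terms."""
    out = []
    for key in ("subjectContains", "bodyOrSubjectContains", "senderContains"):
        out.extend(conditions.get(key, []))
    return [t.lower() for t in out]

def triage_rule(rule, tenant_domain):
    """Findings for one rule (empty list = nothing suspicious). Assumes the
    export already resolved moveToFolder from a folder id to a display name."""
    findings, actions = [], rule.get("actions", {})
    if not rule.get("isEnabled", True):
        return findings
    name = rule.get("displayName", "").strip()
    if len(name) <= 1 or not any(c.isalnum() for c in name):
        findings.append("hidden rule name %r" % name)
    folder = (actions.get("moveToFolder") or "").lower()
    if folder in HIDE_FOLDERS:
        findings.append("moves mail to %r" % folder)
    if actions.get("delete") or actions.get("permanentDelete"):
        findings.append("deletes matching mail")
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for r in actions.get(key, []):
            addr = r.get("emailAddress", {}).get("address", "").lower()
            if not addr.endswith("@" + tenant_domain.lower()):
                findings.append("%s external address %s" % (key, addr))
    if any(f in t for t in _terms(rule.get("conditions", {})) for f in FINANCE_TERMS):
        findings.append("filters on financial/vendor senders")
    if actions.get("markAsRead") and findings:
        findings.append("also marks matches as read")
    return findings

# Constructed sample export modelled on the two rules described in this article.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["Howmet"]},
     "actions": {"moveToFolder": "Conversation History", "markAsRead": True}},
    {"displayName": "Admin", "isEnabled": True,
     "conditions": {"senderContains": ["Capital One", "bill.com", "@flystucson.com"]},
     "actions": {"moveToFolder": "RSS Feeds"}},
]
```

Run `triage_rule(rule, "kittlearizona.com")` over every mailbox's exported rules; an empty list means the rule matched none of the heuristics, not that it is safe.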