CTN Solutions · Tabletop Exercise
Scenario Two · Cloud Identity Hygiene
The Account
Nobody Owns
A silent breach through a shared administrator credential and OAuth admin consent.
Prepared for The Pontifical Mission Societies USA
May 2026
Agenda

  1. Rules of Engagement (~3 min)
  2. Glossary (~2 min)
  3. Scenario Setup — the world before the alert (~5 min)
  4. Injects — five beats across five days (~60 min)
  5. Hot-Wash — decisions made, deferred, owners (~15 min)
  6. Review & three things to take away (~10 min)
Rules of Engagement

  • Injects bring new information. Each inject reveals something the room could not have known a moment earlier. Discuss what the new information changes — not what the next slide will say.
  • “We don’t know” is a complete answer. If something is genuinely unknown today, that is the finding. We will capture it as an open question with an owner.
  • Talk through the reasoning, not just the answer. The back-and-forth is the artifact. The decisions are easy to write down; the way they were made is what we want to surface.
  • This is not meant to be a breeze. The injects are designed to surface friction. Friction in this room is cheap; friction during a real incident is not.
Glossary

Term | What it means in this scenario
OAuth admin consent | A one-click action that grants a third-party application permission to access data across the entire M365 tenant on behalf of an administrator. The permission survives password resets and MFA enforcement.
Enterprise application | A third-party app registered in the tenant with delegated or application-level permissions. Lives independently of any user account.
Microsoft Graph API | The single programmatic interface to all M365 data — mail, files, calendars, users, groups. What a consented app uses to read or write.
Audit log retention | How long Microsoft retains tenant activity records. Default in many tenants: 90 days. Events older than this are rolled off and unrecoverable.
Refresh token | A long-lived credential issued after sign-in that allows continued access without re-authenticating. Independent of the user’s current password.
Infostealer | Commodity malware that harvests browser-stored credentials, session cookies, and access tokens from infected machines. Output is sold on initial access broker markets.
Initial access broker | A criminal intermediary that sells working credentials and tokens to other attackers, often years after the initial harvest.
Forwarding rule | An inbox rule that automatically copies incoming messages to another address. Commonly used by attackers for silent persistence.
Scenario Setup — the world before the alert

It is a Thursday morning in May. TPMS’s Microsoft tenant has been operating normally. The IT environment includes a shared administrator credential, administrator@missio.org, which over the past two years has been used by at least four people — two of whom have since left the organization. The credential carries Global Administrator and four other privileged roles. Nothing has happened today. Everything is normal. Until 09:14, when an email arrives.
Day 0 · H09: Microsoft notification arrives
Day 2 · H16: Third-party SaaS vendor contacts TPMS
Day 5 · H09: Forensic findings emerge
Day 5 · H17: Remediation
Day 5+: Hot-wash & decisions
Inject 1 · The Notification
Timeline Day 0 · Hour 09:00:00
Microsoft
Mission Insights Sync
Unverified publisher · insights-platform.io
This app would like to:
  • Read mail in all mailboxes (Mail.Read, application)
  • Read all users’ full profiles (User.Read.All, application)
  • Sign in and read user profile (User.Read, delegated)
  • Access directory as the signed-in user (Directory.AccessAsUser.All)
Consenting on behalf of your organization. This will grant the application access for all users in your organization.
The screen Keith would have received — representative, not a real notification.
Timeline Day 0 · Hour 09:00:00
Inject 1 — The Notification

New Information
  • Microsoft sends an automated notification to the tenant’s admin notification address: an enterprise application named Mission Insights Sync has been granted tenant-wide permission to read mail and user profiles across the entire organization.
  • The audit log records that the consent was granted by administrator@missio.org.
  • No one in IT admits to having done it. No one can definitively say they didn’t — that credential has been used by at least four people over the past two years.
  • The application is unfamiliar. Bryan has never registered it. Nobody has heard of the vendor.
What is Next?
  1. What severity is this — an incident, a misconfiguration, or a notification that doesn’t need action?
  2. Who is the first person you call, and what do you ask them?
  3. The permission the app holds is tenant-wide. What do you do before you do anything else?
  4. How do you find out, in the next thirty minutes, whether the app has actually read anything yet?
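Question 4 asks for a thirty-minute answer to "has the app read anything yet?". The following is an added example of how an administrator could get that answer with Microsoft Graph PowerShell and Exchange Online PowerShell; it is not part of the exercise materials. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds read-only roles, and that the application's display name matches the notification. No object IDs are assumed; the service principal is looked up by name.

```powershell
# Added example, not part of the exercise: triage a newly consented enterprise application.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules and a read-only operator.
param(
    [string]$AppDisplayName = 'Mission Insights Sync',   # name from the Microsoft notification
    [int]$LookbackDays      = 7                          # window to check for mail access
)

Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Locate the service principal that the consent created in this tenant.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant." }
$publisher = if ($sp.VerifiedPublisher.DisplayName) { $sp.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
"{0}  appId={1}  objectId={2}  publisher={3}" -f $sp.DisplayName, $sp.AppId, $sp.Id, $publisher

# 2. Application permissions (app roles) it holds, resolved from role GUIDs to names
#    such as Mail.Read. These work without any signed-in user.
$appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
    $roleId   = $_.AppRoleId
    $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
    $role     = $resource.AppRoles | Where-Object Id -eq $roleId
    [pscustomobject]@{ Type = 'Application'; Resource = $resource.DisplayName; Permission = $role.Value; Granted = $_.CreatedDateTime }
}

# 3. Delegated permissions. ConsentType 'AllPrincipals' is the tenant-wide admin consent
#    the notification describes; 'Principal' would be a single user's own consent.
$delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All | ForEach-Object {
    [pscustomobject]@{ Type = 'Delegated'; Resource = $_.ConsentType; Permission = $_.Scope.Trim(); Granted = $null }
}
@($appPerms) + @($delegated) | Format-Table -AutoSize

# 4. Has it read mail yet? MailItemsAccessed records carry the calling application's AppId.
#    ResultSize caps at 5000; busy tenants need -SessionCommand ReturnLargeSet paging.
$start = (Get-Date).AddDays(-$LookbackDays)
$hits  = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) -Operations MailItemsAccessed -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.AppId -eq $sp.AppId }

if (-not $hits) {
    "No MailItemsAccessed events attributed to appId $($sp.AppId) in the last $LookbackDays days."
} else {
    # Which mailboxes, how many access events, and how many items those events covered.
    $hits | Group-Object MailboxOwnerUPN | Sort-Object Count -Descending |
        Select-Object @{n='Mailbox'; e={$_.Name}},
                      @{n='Events';  e={$_.Count}},
                      @{n='Items';   e={($_.Group | Measure-Object OperationCount -Sum).Sum}} |
        Format-Table -AutoSize
}
```

An empty result in step 4 is not proof that nothing was read: MailItemsAccessed is only recorded when mailbox auditing is enabled for the mailbox and the tenant's licensing includes that event, so the first check is whether the log could have captured the access at all.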
Inject 2 · The Vendor Call
Timeline Day 2 · Hour 16:00:00
Microsoft Entra ID  ›  Enterprise applications  ›  All applications
Name | Object ID | Created on | Consented by | Scope
Microsoft 365 Apps for Enterprise | 4a8ec320-1b9d-... | 17-Jan-2020 | System | Standard
Microsoft Teams | 1fec8e78-bce4-... | 17-Jan-2020 | System | Standard
Mission Insights Sync | a8f3d712-c2d1-... | 14-May-2026 · 09:14 UTC | administrator@missio.org | Tenant-wide
Power BI Service | 00000009-0000-... | 17-Jan-2020 | System | Standard
The Enterprise Applications view Bryan would open — representative, not a live screenshot.
Timeline Day 2 · Hour 16:00:00
Inject 2 — The Vendor Call

New Information
  • Forty-eight hours after the Microsoft notification, the abuse desk of Raiser’s Edge — the donor management platform TPMS uses every day — phones Bryan’s number directly.
  • Their platform has flagged an unusually high volume of Microsoft Graph API requests originating from the TPMS tenant over the prior week, tied to integration accounts that share authentication context with the compromised admin credential.
  • The requests are reading mail — thousands of messages, indexed and pulled.
  • Raiser’s Edge is calling because their internal abuse heuristic matches a pattern they have seen in two prior breaches at other not-for-profit customers in the past ninety days.
  • They are asking: “Do you know this is happening, and would you like our incident response contact to walk Bryan through what to look for?”
What is Next?
  1. You now have a second, independent source saying something is happening. What does that change about Inject 1?
  2. Do you accept Raiser’s Edge’s offer to help, or do you treat it as a vendor sales pitch dressed as concern?
  3. Who needs to know about this in the next hour — inside TPMS, and outside?
  4. The consented Microsoft application is still active. What stops you from revoking it right now, and is that the right call?
Inject 3 · What the Logs Did and Didn’t Say
Timeline Day 5 · Hour 09:00:00

Tenant audit log — sign-in events for administrator@missio.org: daily event count over the past 180 days, with the retention floor at Day −90 (bar chart; axis runs from Day −180 to Today).
The bar that lights up: on Day −3, a sign-in from 71.184.218.42 (residential, FiOS, Northeast US) issued the consent grant to Mission Insights Sync. The IP’s historical pattern matches a former employee’s home network from the period when they still worked at TPMS. The earlier history — how long the attacker had been replaying that account, what they did before Day −90 — cannot be reconstructed. The hatched bars to the left have rolled off retention.
What forensic reconstruction surfaces — representative visualization.
Timeline Day 5 · Hour 09:00:00
Inject 3 — What the Logs Did and Didn’t Say

New Information
  • Bryan’s team has now had three days to work with the Raiser’s Edge IR contact. By Tuesday morning, the picture is darker than expected.
  • The audit log has a floor. The credential’s first anomalous activity predates the tenant’s 90-day retention. Anything older has rolled off; the question of how long the attacker has held the account cannot be answered from the logs.
  • The trail does lead somewhere — just not where you’d expect. The consent grant came from a session whose origin IP belongs to a residential network in the home town of a former TPMS employee — one of the two people who used administrator@missio.org before they left. The former employee is not the attacker. The pattern is consistent with infostealer malware on a home device harvesting their M365 access token years ago, and that token being silently re-used (or sold and re-used) ever since. The shared credential was a key with no name on it — it didn’t matter who left, the key stayed warm.
  • And then there is what they read. Of the messages the consented application pulled in the past five days, one folder stands out: the draft minutes from the November 2025 board executive session — material that was not formally circulated outside the inner circle. Other folders pulled: donor stewardship correspondence, two HR files, the IT vendor renewal thread.
  • Nothing was encrypted. Nothing was deleted. Everything was seen.
What is Next?
  1. The trail isn’t cold — it’s organizational. The credential never had a name on it. What is the immediate corrective action, and who owns it by end of day?
  2. The board chair will be informed; the question is when, by whom, and with what level of specificity about the November minutes.
  3. Do you contact the former employee whose home network is implicated, and if so, who makes that call?
  4. What is the scope of the disclosure — board only, donors mentioned in stewardship correspondence, HR subjects, the IT vendor?
Inject 4 · Remediation Begins
Timeline · Optional Day 5 · Hour 17:00:00
Microsoft Entra ID  ›  Enterprise applications  ›  Filter: Consented by administrator@missio.org
Name | Status | Object ID | Created on | Publisher | Scope
Mission Insights Sync | Revoked 17:12 UTC | a8f3d712-c2d1-... | 14-May-2026 09:14 UTC | insights-platform.io | Tenant-wide
Donor Relationship Insights | Active · not yet revoked | e2c91f44-7a08-... | 15-Sep-2025 09:31 UTC | relationship-analytics.co | Tenant-wide
The attacker hedged — representative view, not a live screenshot.
Timeline · Optional Day 5 · Hour 17:00:00
Inject 4 — Remediation Begins

New Information
  • Bryan walks through the procedure to remove a consented enterprise application. He locates Mission Insights Sync in Entra and revokes its admin consent. The app disappears from the active list.
  • As part of the cleanup, he sorts the Enterprise Applications list by “Consented by” to confirm nothing else was authorized under the shared credential.
  • There is a second one. An application named Donor Relationship Insights was granted similar tenant-wide permissions four months later. Same source credential. Same permission scope. Different publisher name. Different object ID.
  • The attacker hedged.
  • Bryan has not yet revoked the second app. The question is whether to revoke it now — or whether to leave it in place for thirty more minutes to observe what it does.
What is Next?
  1. Revoke immediately or observe? Who has the authority to make that call, and on what basis?
  2. If there are two, what is the probability there are zero versus three or more — and how would you find out?
  3. This changes the scope of the disclosure conversation again. Does the board chair’s message you drafted an hour ago still hold?
  4. What is the 30-day commitment you make to TPMS leadership coming out of this exercise?
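Inject 3 established that the audit log has a floor, and Inject 4 shows that the grants themselves do not: a consent issued before Day −90 is gone from the log but still present in the directory. The following added example (not the exercise's own procedure) enumerates consents two ways, from the directory audit log by initiator and from the current state of the tenant, so that question 2 ("zero versus three or more") is answered from the directory rather than from the log alone, and then revokes a named application's grants. It assumes Microsoft Graph PowerShell; the UPN and display names come from the scenario, object IDs are looked up, not assumed.

```powershell
# Added example, not part of the exercise: inventory every tenant-wide consent and revoke by name.
# Assumes Microsoft.Graph PowerShell and an operator allowed to manage applications and grants.
param(
    [string]$ConsentingUpn = 'administrator@missio.org',
    [string[]]$RevokeNames = @()    # e.g. 'Mission Insights Sync','Donor Relationship Insights'
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All','AuditLog.Read.All','Directory.Read.All' -NoWelcome

# A. What the log still says. The oldest retained record marks the floor for this activity;
#    anything the attacker did before it cannot be answered from here.
$consents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application'" |
    Sort-Object ActivityDateTime
"Oldest retained consent event: $(($consents | Select-Object -First 1).ActivityDateTime)"
$consents | Where-Object { $_.InitiatedBy.User.UserPrincipalName -eq $ConsentingUpn } | ForEach-Object {
    [pscustomobject]@{ When = $_.ActivityDateTime; App = $_.TargetResources[0].DisplayName
                       Result = $_.Result;          FromIP = $_.InitiatedBy.User.IPAddress }
} | Format-Table -AutoSize

# B. What the directory says now, regardless of log retention: every service principal that
#    holds a Microsoft Graph application permission or a tenant-wide (AllPrincipals) delegated grant.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"  # Microsoft Graph
$roleHolders = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object PrincipalType -eq 'ServicePrincipal'
$tenantWide  = Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'AllPrincipals'
$clientIds   = @($roleHolders.PrincipalId) + @($tenantWide.ClientId) | Sort-Object -Unique

$inventory = foreach ($id in $clientIds) {
    $client = Get-MgServicePrincipal -ServicePrincipalId $id
    $roles  = $roleHolders | Where-Object PrincipalId -eq $id | ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object Id -eq $roleId).Value
    }
    [pscustomobject]@{
        App       = $client.DisplayName
        ObjectId  = $client.Id
        Publisher = if ($client.VerifiedPublisher.DisplayName) { $client.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
        AppPerms  = ($roles -join ' ')
        Delegated = (($tenantWide | Where-Object ClientId -eq $id).Scope -join ' ').Trim()
    }
}
# Unverified publishers with mail or directory-wide permissions are the rows to read first.
$inventory | Sort-Object Publisher, App | Format-Table -AutoSize

# C. Revoke by name: preserve the record, remove every grant, and block sign-in without deleting
#    the service principal so its object survives for the investigation.
$stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMdd'T'HHmmss'Z'")
foreach ($name in $RevokeNames) {
    $target = $inventory | Where-Object App -eq $name
    if (-not $target) { Write-Warning "No tenant-wide grants found for '$name'"; continue }
    $target | ConvertTo-Json -Depth 5 | Out-File ".\consent-$($target.ObjectId)-$stamp.json"

    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $target.ObjectId -All | ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $target.ObjectId -AppRoleAssignmentId $_.Id
    }
    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $target.ObjectId -All | ForEach-Object {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    }
    Update-MgServicePrincipal -ServicePrincipalId $target.ObjectId -AccountEnabled:$false
    "Revoked and disabled: $name ($($target.ObjectId))"
}
```

Two points on the design. Section B is deliberately independent of the log: the Donor Relationship Insights entry in Inject 4 was found by sorting the directory, and that is the only source that cannot roll off. And revocation removes the grant, not tokens already issued; an access token the application obtained before step C keeps working until it expires, which is why disabling the service principal is done in the same pass.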
Inject 5 · The Note in the Description Field
Timeline Day 5 · Hour 18:00:00
Microsoft Entra ID  ›  Users  ›  administrator
administrator (administrator@missio.org)
⚠ Description field modified · Day −3 · 09:47 UTC
Description: Don't bother. We have been here longer than your logs go back. We have keys you have not found. Pay the fee — $750,000 BTC — and we walk away clean. Resist and we publish what we have, starting with the November board minutes. — FB
Authentication methods
Type | Device / Identifier | Added on
Password | | 17-Jan-2020
Microsoft Authenticator | Pixel 6 Pro — "Personal" (⚠ Unrecognized device · not in TPMS asset inventory) | 26-Apr-2026
What Bryan saw when he opened the user properties — representative view, not a live screenshot.
Timeline Day 5 · Hour 18:00:00
Inject 5 — They Knew You Were Coming

New Information
  • With both consented apps revoked, Bryan opens administrator@missio.org in Entra to disable the account entirely.
  • The Description field has been edited. Where it normally holds an HR note from 2020, it now reads a message addressed to TPMS: “Don’t bother. We have been here longer than your logs go back. We have keys you have not found. Pay the fee — $750,000 BTC — and we walk away clean. Resist and we publish what we have, starting with the November board minutes. — FB”
  • There is a rogue authentication method. A Microsoft Authenticator method tied to a device named “Pixel 6 Pro — Personal” was added to the account on April 26 — eighteen days ago. The device is not in any TPMS asset inventory and does not match any current or former employee’s known hardware. The attacker has had a working second factor for the entire ramp-up to today.
  • The Raiser’s Edge IR contact tentatively associates the “FB” signature with an initial access broker collective seen in two prior nonprofit incidents this year. Whether the threat to publish is real or psychological — or both — cannot be determined from the artifact alone.
  • The note specifically names the November board minutes that Inject 3 surfaced. They are not bluffing about what they have.
What is Next?
  1. Is this a credible threat, a bluff, or both? Who decides — TPMS leadership, the cyber insurance carrier, outside counsel, or law enforcement?
  2. The note names the board minutes. Does that change the disclosure conversation you started after Inject 3 — in timing, audience, or specificity?
  3. Before clearing the Description field and removing the rogue MFA method, who captures the evidence (screenshot, JSON export, sworn affidavit), and on whose authority?
  4. The MFA method means the attacker has persistence beyond the consented apps. What does that change about the remediation plan agreed in Inject 4?
  5. Cyber insurance carrier: call now or after the board chair? Same for the FBI Internet Crime Complaint Center, outside counsel, and a ransomware negotiation firm.
  6. Does anyone in this room have the authority to say the word “no” to a ransom request, on TPMS’s behalf, without further consultation? If not, who does, and how fast can they be reached?
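Question 3 asks who captures the evidence before the Description field is cleared and the rogue MFA method removed, and question 4 asks what the rogue method changes about remediation. The following added example (not the exercise's own procedure) shows the order a responder would want: capture and hash the account's state, then remove the unrecognized Authenticator registration, revoke refresh tokens so the glossary's "long-lived credential" stops working, and disable the account. It assumes Microsoft Graph PowerShell, a writable .\evidence folder, and that the rogue registration's display name contains the device name the scenario gives; the method id is looked up, not assumed.

```powershell
# Added example, not part of the exercise: preserve evidence, then remove attacker persistence
# from a compromised administrator account. Assumes Microsoft.Graph PowerShell.
param(
    [string]$Upn         = 'administrator@missio.org',
    [string]$RogueDevice = 'Pixel 6 Pro',          # device name from the scenario
    [string]$EvidenceDir = '.\evidence'
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','AuditLog.Read.All' -NoWelcome
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMdd'T'HHmmss'Z'")

function Save-Evidence {
    # Writes an object to JSON and appends its SHA-256 to a manifest so the capture can be verified later.
    param([object]$Object, [string]$Name)
    $path = Join-Path $EvidenceDir "$Name-$stamp.json"
    $Object | ConvertTo-Json -Depth 10 | Out-File -FilePath $path -Encoding utf8
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    "$hash  $(Split-Path $path -Leaf)" | Add-Content -Path (Join-Path $EvidenceDir "SHA256SUMS-$stamp.txt")
    $path
}

# 1. Capture before changing anything. Which Graph property carries the portal's Description
#    text is not shown in the scenario; add it to -Property once identified in the tenant.
$user = Get-MgUser -UserId $Upn -Property 'id,userPrincipalName,displayName,accountEnabled,createdDateTime,lastPasswordChangeDateTime,jobTitle,department'
Save-Evidence -Object $user -Name 'user'

$methods = Get-MgUserAuthenticationMethod -UserId $Upn -All
Save-Evidence -Object $methods -Name 'auth-methods'

# Directory audit entries showing when security info was registered on this account.
$registrations = Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'User registered security info'" |
    Where-Object { $_.TargetResources.UserPrincipalName -contains $Upn }
Save-Evidence -Object $registrations -Name 'security-info-registrations'

# 2. Identify the unrecognized Authenticator registration by its creation date and device name.
$authenticators = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -All
$authenticators | Select-Object DisplayName, DeviceTag, CreatedDateTime, Id | Format-Table -AutoSize
$rogue = $authenticators | Where-Object DisplayName -like "*$RogueDevice*"
if (-not $rogue) { throw "No Authenticator registration matching '$RogueDevice'; stop and re-check before removing anything." }

# 3. Remove the registration, revoke refresh tokens (existing sessions), and disable the account.
foreach ($m in $rogue) {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
    "Removed Authenticator method $($m.Id) ('$($m.DisplayName)', registered $($m.CreatedDateTime))"
}
Revoke-MgUserSignInSession -UserId $Upn | Out-Null   # invalidates refresh tokens issued to this account
Update-MgUser -UserId $Upn -AccountEnabled:$false
"Account $Upn disabled; evidence and SHA-256 manifest written to $EvidenceDir"
```

Revoking sessions invalidates refresh tokens, which is what stops the harvested-token replay the scenario describes; access tokens already in the attacker's hands remain valid until their normal expiry, so the account disable and the consent revocation from Inject 4 are what close the remaining window.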
Hot-Wash — Decisions, Owners, Open Questions

Captured live during this exercise.

Decisions Made

Deferred

Open Questions

Review

Captured at the close.

What went well?

Opportunities

Lessons learned

Three Things to Take Away

1. Shared credentials carry further than the people who shared them. A login that has had several users over time can persist as a quiet access path long after those users are gone — through tokens harvested on devices nobody owns anymore. It is a feature of how the cloud authenticates, not a question of anyone’s choices.
2. OAuth admin consent has earned a place on the first-check list. A consented enterprise application keeps its access independent of password changes or MFA enforcement. Revoking it has moved up alongside the older basics in the cloud incident-response order.
3. When the audit window closes, the scope question stays open. Ninety days of retention is plenty for operational work; rarely is it enough for the full arc of a forensic story. The gap is a constraint to plan around — and the one the room wrestled with most today.