// reference investigation

meridian-ato — credential spray + SIM swap takeover

The Meridian Financial Group VP of Finance (jrodriguez@meridianfg.com) was compromised through a chain of password spray, SIM swap, Okta MFA push fatigue, password reset, and a hidden external mailbox forward to dropbox@proton.me. Fully synthetic.

what this proves

  • every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (280/280 fleet · 8 for this scenario).
  • every output is generated 100% locally in your browser — export IdP and audit logs, never upload tenant data.
  • the password spray, the SIM swap ICCID change, the MFA push fatigue, the password reset, and the hidden external mailbox forward all surface from the exported logs without uploading any evidence.

primary engines locked to this fixture

build the case binder

runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for ato — no upload.


download the synthetic evidence

MIT-licensed, fully synthetic. includes the Okta system log, the unified audit log, a mailbox rules export, a security event spray csv, a browser session dump, and a carrier SIM swap log.

built deterministically from scripts/fixtures/build-meridian-ato.mjs. seed: meridian-ato:v1.

methodology

the ato chain runs spray → IdP → SIM swap → UAL → rules → endpoint creds. walk the engines in that order: password spray detector → okta log analyzer → sim swap artifact detector → audit log parsers → mail rule parser → credential artifact scanner. read the full account takeover (ATO) guide →

after the playbook

run each primary locally, or export findings from the binder, then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. you get one timestamp-sorted timeline across password spray, SIM swap, MFA fatigue, password reset, and hidden mailbox forward, still with zero upload. normalize every timestamp to UTC first: carrier and mailbox exports rarely share the IdP's clock, and a timeline built from mixed local times will put the SIM swap on the wrong side of the MFA success.
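A minimal local correlator for the chain in the methodology section and the super-timeline step above, written here as an added example; it is not the project's engines or the fatcousin correlator. Every record below is constructed. The CSV/JSON field names (src_ip, iccid_before, forward_to, hidden), the detector thresholds and the stage labels are assumptions; only the Okta eventType strings follow Okta System Log naming. Each detector returns (utc_timestamp, stage, detail) tuples, and build_timeline merges them into the single sorted timeline the page describes.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

INTERNAL_DOMAINS = {"meridianfg.com"}

# Constructed sample evidence. Field names are assumptions, not the fixture's schema.
SPRAY_CSV = """timestamp,src_ip,user,result
2025-03-03T08:00:01Z,203.0.113.7,a.chen@meridianfg.com,FAIL
2025-03-03T08:00:02Z,203.0.113.7,b.ortiz@meridianfg.com,FAIL
2025-03-03T08:00:03Z,203.0.113.7,m.patel@meridianfg.com,FAIL
2025-03-03T08:00:04Z,203.0.113.7,jrodriguez@meridianfg.com,SUCCESS
"""

# eventType strings follow Okta System Log naming; the records themselves are constructed.
OKTA_EVENTS = [
    {"ts": "2025-03-03T09:10:00Z", "actor": "jrodriguez@meridianfg.com", "eventType": "user.mfa.okta_verify.deny_push"},
    {"ts": "2025-03-03T09:10:40Z", "actor": "jrodriguez@meridianfg.com", "eventType": "user.mfa.okta_verify.deny_push"},
    {"ts": "2025-03-03T09:11:20Z", "actor": "jrodriguez@meridianfg.com", "eventType": "user.mfa.okta_verify.deny_push"},
    {"ts": "2025-03-03T09:12:05Z", "actor": "jrodriguez@meridianfg.com", "eventType": "user.authentication.auth_via_mfa"},
    {"ts": "2025-03-03T09:15:00Z", "actor": "jrodriguez@meridianfg.com", "eventType": "user.account.reset_password"},
]

CARRIER_LOG = [  # assumed carrier export: one row per SIM change on the subscriber
    {"ts": "2025-03-03T08:45:00Z", "msisdn": "+15550100", "iccid_before": "89014103211118510001", "iccid_after": "89014103211118510720"},
]

MAILBOX_RULES = [  # assumed rules export; 'hidden' marks a rule not visible in the mail client
    {"ts": "2025-03-03T09:20:00Z", "mailbox": "jrodriguez@meridianfg.com", "rule_name": "", "forward_to": "dropbox@proton.me", "hidden": True},
    {"ts": "2025-02-01T12:00:00Z", "mailbox": "jrodriguez@meridianfg.com", "rule_name": "Finance", "forward_to": "finance@meridianfg.com", "hidden": False},
]


def parse_ts(s):
    """All sources must already be UTC ('Z' suffix); mixed local times would mis-order the timeline."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_spray(csv_text, min_users=3, window_s=300):
    """Flag a source IP that fails auth for >= min_users distinct users inside window_s."""
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["result"] == "FAIL":
            by_ip[row["src_ip"]].append((parse_ts(row["timestamp"]), row["user"]))
    findings = []
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):  # slide a window forward from each failure
            users = {u for t, u in rows[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                findings.append((t0, "spray", f"{ip} failed auth for {len(users)} users within {window_s}s"))
                break
    return findings


def detect_push_fatigue(events, min_denies=2, window_s=600):
    """Flag >= min_denies denied pushes followed by an MFA success; also surface password resets."""
    findings, denies = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC strings sort chronologically
        t, who = parse_ts(e["ts"]), e["actor"]
        if e["eventType"] == "user.mfa.okta_verify.deny_push":
            denies[who].append(t)
        elif e["eventType"] == "user.authentication.auth_via_mfa":
            recent = [d for d in denies[who] if (t - d).total_seconds() <= window_s]
            if len(recent) >= min_denies:
                findings.append((t, "mfa_fatigue", f"{who}: {len(recent)} denied pushes then MFA success"))
            denies[who].clear()
        elif e["eventType"] == "user.account.reset_password":
            findings.append((t, "password_reset", f"{who}: password reset"))
    return findings


def detect_sim_swap(carrier_events):
    """Any row where the ICCID changed is a SIM swap candidate."""
    return [(parse_ts(e["ts"]), "sim_swap", f"{e['msisdn']}: ICCID {e['iccid_before']} -> {e['iccid_after']}")
            for e in carrier_events if e["iccid_before"] != e["iccid_after"]]


def detect_external_forward(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag forwarding rules whose target domain is not one of ours; note hidden rules explicitly."""
    findings = []
    for r in rules:
        domain = r["forward_to"].rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            tag = "hidden " if r.get("hidden") else ""
            findings.append((parse_ts(r["ts"]), "external_forward", f"{r['mailbox']}: {tag}rule -> {r['forward_to']}"))
    return findings


def build_timeline(*finding_lists):
    """Merge detector output into one UTC-sorted list of (ts, stage, detail)."""
    return sorted((f for fl in finding_lists for f in fl), key=lambda f: f[0])


def run_all():
    return build_timeline(detect_spray(SPRAY_CSV), detect_push_fatigue(OKTA_EVENTS),
                          detect_sim_swap(CARRIER_LOG), detect_external_forward(MAILBOX_RULES))


if __name__ == "__main__":
    for ts, stage, detail in run_all():
        print(ts.isoformat(), stage, detail)
```

On the constructed data the timeline comes out spray → sim_swap → mfa_fatigue → password_reset → external_forward, which is the order the methodology section walks. The internal Finance rule is not flagged; only the proton.me forward is, and it is labelled hidden.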

synthetic scenario only · no real victim · no real credentials · grading rubric
