#36477 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Farran Realty Partners)

New Created Nov 21, 2025, 9:41 PM
Huntress (internal) Nov 21, 2025, 9:41 PM
*** The Huntress Platform will revoke all sessions, logging out the compromised identity, and disable the compromised user from the tenant environment in order to prevent attack spread. ***

If you have an urgent request for support, please go to the link below to request a callback from SOC Support.
https://artichoke.huntress.io/org/143732/infection_reports/1810016/soc_callback_requests/new

Organization: Farran Realty Partners

Incident Report: https://artichoke.huntress.io/org/143732/infection_reports/1810016
Severity: Critical

Investigative Summary:
----------------------
On 2025-11-21 at 21:39:09 UTC, Huntress detected that the user "[email protected]" successfully authenticated from datacenter infrastructure hosted by "Interserver, Inc". This autonomous system (AS) organization has high abuse potential and is known to host adversary infrastructure. This authentication has been flagged as a potential indicator of compromise.

Threat Descriptions:
--------------------
Anomalous Cloud/M365 Login: Huntress has identified an anomalous authentication for this identity. 

Remediations:
-------------
Manual Remediations provided by the Huntress SOC are highly recommended remediation actions to be conducted by your team before resolving the incident in the Huntress Platform:
- Kill all current sessions for this identity.
- Audit for malicious inbox rules and forwards.
- Enroll the user in a security awareness training session to reinforce safe practices in the corporate environment.
- Rotate the credentials for [email protected].
- Audit activity for user [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Enable complex conditional access policies for [email protected].

All remediations provided can be found in the Huntress Platform: Incident Report: https://artichoke.huntress.io/org/143732/infection_reports/1810016#remediations-tab

Lead Signal Information:
------------------------
Signal Name: Datacenter Login   High Abuse Potential Asn
Occurred At: 2025-11-21 21:39:09 UTC
Received At: 2025-11-21 21:39:08 UTC
Detected At: 2025-11-21 21:39:44 UTC
Username: [email protected]
Rule Name: Datacenter Login - High Abuse Potential ASN
Rule Description: Identifies an authentication event for an identity that originates from datacenter infrastructure hosted on a high risk autonomous system (AS).
All investigated signals can be found in the Huntress Platform: https://artichoke.huntress.io/org/143732/infection_reports/1810016#signals-investigated-tab

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.