
#25783 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Peet, Inc.)

Status: Resolved. Created Jan 28, 2024, 1:47 AM; resolved Nov 15, 2024, 9:28 PM.
Huntress (internal) Jan 28, 2024, 1:47 AM
*** The Huntress Platform will logout and disable the compromised user from the Microsoft 365 environment in order to prevent attack spread. ***

User: [email protected] - https://artichoke.huntress.io/org/107388/managed_identity/user_entities/31598434
Organization: Peet, Inc.

Incident Report: https://artichoke.huntress.io/org/107388/infection_reports/1088619
Severity: Critical

Huntress detected the following items that require remediation:

Huntress Analysis Details:
[email protected] successfully logged in via the IP address '138.199.12.75' on 2024-01-28 at 01:33:16 UTC. This IP address has been associated with the use of the ADGUARD_VPN service. VPN providers are frequently abused by threat actors at a high rate to compromise and facilitate attacks in M365 environments.

75% of confirmed malicious actions reported by Huntress come from a VPN.

If this activity is authorized and performed by the user, please reject this report and comment any relevant details so we may improve our detection logic.

Remediation Instructions
------------------------

Perform the following remediations:

- Audit activity for user [email protected].
- Enable complex conditional access policies for [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Rotate the credentials for [email protected].

MDR for Microsoft 365
--------------------
Occurred At: 2024-01-28T01:33:16
User Principal Name: [email protected]
Rule Name: New Login Via Suspicious VPN (Baselined Identity)
Rule Description: Detects a login from VPN that has not been seen before for this identity. Excludes VPNs that have a noted low abuse potential. Adversaries may use anonymized networks to access an account from a location that deviates from the user's normal login locations. This rule applies to baselined identities.
operators: ["ADGUARD_VPN"]
percentile: 100
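As an added example (not Huntress's detection code), the logic the Rule Description above spells out, written in Python over constructed login events: a per-identity baseline of VPN operators already seen, an exclusion list for low-abuse operators, and the rule only firing for identities that have a baseline. LOW_ABUSE_VPNS, CORP_VPN and the example.com users are assumptions; the IP, operator and timestamp of the flagged event are the ones in this report.

```python
from typing import Dict, List, Optional, Set

# Constructed allowlist standing in for VPN operators "with a noted low abuse potential".
LOW_ABUSE_VPNS: Set[str] = {"CORP_VPN"}
RULE_NAME = "New Login Via Suspicious VPN (Baselined Identity)"


def build_baseline(history: List[dict]) -> Dict[str, Set[str]]:
    """Baseline every identity with a login history: the set of VPN operators already seen for it."""
    baseline: Dict[str, Set[str]] = {}
    for ev in history:
        if not ev["success"]:
            continue
        seen = baseline.setdefault(ev["user"], set())
        if ev.get("vpn_operator"):
            seen.add(ev["vpn_operator"])
    return baseline


def classify_login(ev: dict, baseline: Dict[str, Set[str]]) -> Optional[dict]:
    """Alert on a successful login through a VPN operator never seen before for this identity."""
    operator = ev.get("vpn_operator")
    if not ev["success"] or operator is None:
        return None          # failed login, or direct (non-VPN) egress: out of scope for this rule
    if operator in LOW_ABUSE_VPNS:
        return None          # excluded: operator noted as low abuse potential
    if ev["user"] not in baseline:
        return None          # identity not baselined yet; the rule only applies to baselined ones
    if operator in baseline[ev["user"]]:
        return None          # this VPN has been seen before for this identity
    return {"rule": RULE_NAME, "user": ev["user"], "ip": ev["ip"],
            "occurred_at": ev["ts"], "operators": [operator]}


def run_detection(history: List[dict], new_events: List[dict]) -> List[dict]:
    baseline = build_baseline(history)
    return [a for a in (classify_login(ev, baseline) for ev in new_events) if a]


# Constructed sample events; the IP, operator and timestamp of the first new event are from the report.
HISTORY = [
    {"ts": "2024-01-10T14:02:00", "user": "user@example.com", "ip": "203.0.113.5", "success": True},
    {"ts": "2024-01-12T09:15:00", "user": "user@example.com", "ip": "203.0.113.9", "success": True, "vpn_operator": "CORP_VPN"},
]
NEW_EVENTS = [
    {"ts": "2024-01-28T01:33:16", "user": "user@example.com", "ip": "138.199.12.75", "success": True, "vpn_operator": "ADGUARD_VPN"},
    {"ts": "2024-01-28T02:00:00", "user": "user@example.com", "ip": "203.0.113.9", "success": True, "vpn_operator": "CORP_VPN"},
    {"ts": "2024-01-28T02:05:00", "user": "newhire@example.com", "ip": "138.199.12.75", "success": True, "vpn_operator": "ADGUARD_VPN"},
]
```

Running `run_detection(HISTORY, NEW_EVENTS)` yields exactly one alert, for the ADGUARD_VPN login; the CORP_VPN login is excluded and the never-seen newhire identity is not baselined, so neither fires.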

Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
[email protected] (internal) Nov 15, 2024, 9:28 PM
Edits made via Bulk Update Tool - see change log for this timestamp