#25784 [Huntress Detection] HIGH - Incident on [email protected] (Keema Waterfield)

Resolved Created Jan 28, 2024, 1:49 AM Resolved Nov 15, 2024, 9:28 PM
Huntress (internal) Jan 28, 2024, 1:49 AM
User: [email protected] - https://artichoke.huntress.io/org/282895/managed_identity/user_entities/207196315
Organization: Keema Waterfield

Incident Report: https://artichoke.huntress.io/org/282895/infection_reports/1088622
Severity: High

Huntress detected the following items that require remediation:

Huntress Analysis Details:
[email protected] successfully logged in via the IP address '138.199.12.75' on 2024-01-28 at 01:35:42 UTC. This IP address has been associated with the use of the ADGUARD_VPN service. VPN providers are frequently abused by threat actors at a high rate to compromise and facilitate attacks in M365 environments.

75% of confirmed malicious actions reported by Huntress come from a VPN.

If this activity is authorized and performed by the user, please reject this report and comment any relevant details so we may improve our detection logic.

Remediation Instructions
------------------------

Perform the following remediations:

- Audit activity for user [email protected].
- Enable complex conditional access policies for [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Rotate the credentials for [email protected].

MDR for Microsoft 365
---------------------
Occurred At: 2024-01-28T01:35:42
User Principal Name: [email protected]
Rule Name: New Login Via Suspicious VPN (Baselined Identity)
Rule Description: Detects a login from VPN that has not been seen before for this identity. Excludes VPNs that have a noted low abuse potential. Adversaries may use anonymized networks to access an account from a location that deviates from the user's normal login locations. This rule applies to baselined identities.
operators: ["ADGUARD_VPN"]
percentile: 100
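As an added illustration of the rule logic described above, a toy Python version of the baselined-identity VPN check. This is not Huntress's code: the IP-to-operator mapping, the low-abuse exclusion list, the event field names and the sign-in events are all constructed for the example (only the IP and operator from this report are reused).

```python
from collections import defaultdict

RULE_NAME = "New Login Via Suspicious VPN (Baselined Identity)"

# Constructed enrichment: source IP -> VPN/anonymiser operator (a real feed supplies this).
IP_TO_OPERATOR = {
    "138.199.12.75": "ADGUARD_VPN",       # IP and operator taken from the report above
    "203.0.113.7": "CORP_ALWAYS_ON_VPN",  # constructed operator with noted low abuse potential
}
# Constructed: operators the rule excludes because their abuse potential is noted as low.
LOW_ABUSE_OPERATORS = {"CORP_ALWAYS_ON_VPN"}


def evaluate(events, baselined_identities):
    """Run the rule over sign-in events (dicts, oldest first) and return alerts.

    Only identities in `baselined_identities` can alert; an identity still being
    baselined just has its VPN operators recorded. Each (identity, operator) pair
    alerts at most once: later logins through the same operator are part of the baseline.
    """
    seen = defaultdict(set)  # upn -> VPN operators already observed for that identity
    alerts = []
    for ev in events:
        if ev["status"] != "Success":  # the rule fires only on successful logins
            continue
        operator = IP_TO_OPERATOR.get(ev["ip"])
        if operator is None or operator in LOW_ABUSE_OPERATORS:
            continue
        upn = ev["upn"]
        is_new = operator not in seen[upn]
        seen[upn].add(operator)
        if is_new and upn in baselined_identities:
            alerts.append({"rule": RULE_NAME, "upn": upn, "ip": ev["ip"],
                           "operator": operator, "occurred_at": ev["time"]})
    return alerts


# Constructed sample sign-in events (not the customer's real logs).
SAMPLE_EVENTS = [
    {"time": "2024-01-27T09:00:00Z", "upn": "user@example.com", "ip": "203.0.113.7", "status": "Success"},
    {"time": "2024-01-28T01:30:00Z", "upn": "user@example.com", "ip": "138.199.12.75", "status": "Failure"},
    {"time": "2024-01-28T01:35:42Z", "upn": "user@example.com", "ip": "138.199.12.75", "status": "Success"},
    {"time": "2024-01-28T02:10:00Z", "upn": "user@example.com", "ip": "138.199.12.75", "status": "Success"},
    {"time": "2024-01-28T03:00:00Z", "upn": "newhire@example.com", "ip": "138.199.12.75", "status": "Success"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, baselined_identities={"user@example.com"}):
        print(alert)
```

Run against the sample events, exactly one alert is produced: the first successful ADGUARD_VPN login for the baselined identity; the failed attempt, the repeat login through the same operator, the low-abuse operator and the not-yet-baselined identity all stay silent.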

Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
[email protected] (internal) Nov 15, 2024, 9:28 PM
Edits made via Bulk Update Tool - see change log for this timestamp