
#30959 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Five Valleys Land Trust)

Status: Resolved | Created: Dec 23, 2024, 8:24 PM | Resolved: Oct 15, 2025, 12:07 AM
Huntress (internal) Dec 23, 2024, 8:24 PM
*** The Huntress Platform will revoke all sessions, logging out the compromised identity, and disable the compromised user from the Microsoft 365 environment in order to prevent attack spread. ***

User: [email protected] - https://artichoke.huntress.io/org/83316/managed_identity/user_entities/37363316
Organization: Five Valleys Land Trust

Incident Report: https://artichoke.huntress.io/org/83316/infection_reports/1360401
Severity: Critical

Investigative Summary
---------------------
Huntress detected the following items that require remediation:

Evidence suggests that on December 23, 2024 at 08:23 PM UTC, the user [email protected] authenticated from the datacenter IP address 212.18.104.15 from Phoenix, US with the suspicious user agent 'axios/1.7.*'. This user agent has been associated with the use of phishing kits and is indicative of the user's credentials being compromised.

Remediation Instructions
------------------------
Perform the following remediations:
- Please audit any suspicious application registrations and Enterprise applications added or consented to for [email protected]
- Audit activity for user [email protected].
- Enable complex conditional access policies for [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Kill the current session for [email protected]
- Rotate the credentials for [email protected].

MDR for Microsoft 365
-----------------------
Occurred At: 2024-12-23T20:06:01
User Principal Name: [email protected]
Rule Name: Login Observed with Axios User Agent
Rule Description: Detects successful logins from Axios user agent, which is a strong indicator of Phishing as a Service infrastructure.
ActorIpAddress: 212.18.104.15
name: GLOBAL CONNECTIVITY SOLUTIONS LLP

Occurred At: 2024-12-23T20:06:02
User Principal Name: [email protected]
Rule Name: Login Observed with Axios User Agent
Rule Description: Detects successful logins from Axios user agent, which is a strong indicator of Phishing as a Service infrastructure.
ActorIpAddress: 212.18.104.15
name: GLOBAL CONNECTIVITY SOLUTIONS LLP

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
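Added example, not Huntress code and not part of the ticket: the detection logic of the "Login Observed with Axios User Agent" rule quoted above, run over a few constructed Unified Audit Log style UserLoggedIn records. The record shape (Operation, ResultStatus, ActorIpAddress, ExtendedProperties with a UserAgent entry) follows the Office 365 Management Activity API; the IP and the two timestamps are the ones in the report, while the exact axios version string, the browser record and its IP are made up. The allow-list argument covers the caveat a practitioner wants: axios is an ordinary Node.js HTTP client, so a tenant's own known automation that signs in with it is excluded by source IP instead of paging on every run. The clustering step collapses the two events one second apart into a single incident, which is how the report above presents them.

```python
"""Detection logic for a 'Login Observed with Axios User Agent' style rule.

Added example, not Huntress code. Runs offline over the constructed
UAL-style records below, which imitate Office 365 Management Activity API
AzureActiveDirectoryStsLogon events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# axios identifies itself as "axios/<version>"; an interactive user in a
# browser never presents this string.
AXIOS_UA = re.compile(r"^axios/\d+(\.\d+)*")

# Constructed sample records (not real logs). The UPN is the redacted one
# shown in the ticket; 198.51.100.23 is a documentation-range address.
SAMPLE_UAL = [
    # Two successful axios sign-ins one second apart from the report's IP.
    {"CreationTime": "2024-12-23T20:06:01", "Operation": "UserLoggedIn",
     "UserId": "[email protected]", "ResultStatus": "Succeeded",
     "ActorIpAddress": "212.18.104.15",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "axios/1.7.9"}]},
    {"CreationTime": "2024-12-23T20:06:02", "Operation": "UserLoggedIn",
     "UserId": "[email protected]", "ResultStatus": "Succeeded",
     "ActorIpAddress": "212.18.104.15",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "axios/1.7.9"}]},
    # A failed attempt (UserLoginFailed): the rule keys on successful logins.
    {"CreationTime": "2024-12-23T20:05:30", "Operation": "UserLoginFailed",
     "UserId": "[email protected]", "ResultStatus": "Failed",
     "ActorIpAddress": "212.18.104.15",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "axios/1.7.9"}]},
    # The user's ordinary browser sign-in earlier that day (made-up UA/IP).
    {"CreationTime": "2024-12-23T14:02:11", "Operation": "UserLoggedIn",
     "UserId": "[email protected]", "ResultStatus": "Succeeded",
     "ActorIpAddress": "198.51.100.23",
     "ExtendedProperties": [{"Name": "UserAgent",
                             "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"}]},
]


def user_agent(record):
    """Pull the UserAgent value out of a record's ExtendedProperties."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def axios_logins(records, allow_ips=frozenset()):
    """Return successful UserLoggedIn events presenting an axios user agent.

    allow_ips: source IPs of the tenant's own automation that legitimately
    signs in with axios (an assumed, tenant-specific allow-list; empty here).
    """
    hits = []
    for rec in records:
        if rec.get("Operation") != "UserLoggedIn":
            continue
        if rec.get("ResultStatus") not in ("Succeeded", "Success"):
            continue
        if rec.get("ActorIpAddress") in allow_ips:
            continue
        if AXIOS_UA.match(user_agent(rec)):
            hits.append(rec)
    return hits


def cluster_incidents(hits, window=timedelta(minutes=10)):
    """Collapse a burst of hits for one user from one IP into one incident,
    so two events a second apart raise one alert rather than two."""
    grouped = defaultdict(list)
    for rec in hits:
        grouped[(rec["UserId"], rec["ActorIpAddress"])].append(rec)

    incidents = []
    for (upn, ip), recs in grouped.items():
        current = None
        for rec in sorted(recs, key=lambda r: r["CreationTime"]):
            seen = datetime.fromisoformat(rec["CreationTime"])
            if current is not None and seen - current["last_seen"] <= window:
                current["last_seen"] = seen
                current["count"] += 1
                continue
            current = {"user": upn, "ip": ip, "user_agent": user_agent(rec),
                       "first_seen": seen, "last_seen": seen, "count": 1}
            incidents.append(current)
    return incidents


if __name__ == "__main__":
    for inc in cluster_incidents(axios_logins(SAMPLE_UAL)):
        print(f"CRITICAL {inc['user']} from {inc['ip']} via {inc['user_agent']}: "
              f"{inc['count']} successful logins between "
              f"{inc['first_seen'].isoformat()} and {inc['last_seen'].isoformat()}")
```

On real data the records are the parsed AuditData JSON of each row returned by Search-UnifiedAuditLog (Exchange Online PowerShell) for the UserLoggedIn operation; the ASN or hosting-provider enrichment that the report shows under "name" is a separate lookup and is not modelled here.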
Artichoke Support - Peet (internal) Dec 23, 2024, 9:10 PM
Looks like Ramey approved an MFA prompt while being phished. Checking logging to see if any data was accessed.

Peet
customer-reply (internal) Dec 23, 2024, 9:19 PM
Thanks Peet, keep me posted. I've been thinking lately, before this, how we may be overdue for security training.

From: Artichoke Support - Peet <[email protected]>
Sent: Monday, December 23, 2024 2:10:00 PM
To: Boston Wakeham <[email protected]>
Subject: [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Five Valleys Land Trust) (message id: 89899901)
Artichoke Support - Peet (internal) Dec 23, 2024, 10:11 PM
I can talk to you more about that, but for the moment: there were no changes post-phish, and she should be back in.

I'll keep an eye out.

Peet
Artichoke Support - Peet (internal) Dec 23, 2024, 10:12 PM
The following remediation plan was approved by [email protected]:

Manual Remediations:
Cloud: Kill the current session for [email protected]
Cloud: Please audit any suspicious application registrations and Enterprise applications added or consented to for [email protected]
Cloud: Rotate the credentials for [email protected].
Cloud: Audit activity for user [email protected].
Cloud: Enable and enforce MFA for [email protected], if otherwise not enabled.
Cloud: Enable complex conditional access policies for [email protected].
Ticket Automation (internal) Oct 15, 2025, 12:07 AM
Automation AutoResolve-Waiting for Customer ran on this ticket. Actions: Change Status to Resolved