
#31121 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Big Sky Brewing)

Status: Resolved. Created Dec 31, 2024, 6:09 PM; resolved Feb 19, 2025, 1:24 AM
Huntress (internal) Dec 31, 2024, 6:09 PM
*** The Huntress Platform will revoke all sessions and logout the compromised identity from the Microsoft 365 environment in order to prevent attack spread.
This identity is synced from on-premise Active Directory (AD) and the user account cannot be disabled by Huntress; we recommend manually disabling them in AD
as soon as possible. ***

Organization: Big Sky Brewing

Incident Report: https://artichoke.huntress.io/org/55997/infection_reports/1364375
Severity: Critical

Investigative Summary
---------------------
Huntress detected the following items that require remediation:

Evidence suggests [email protected] at 2024-12-31 18:05:07+00:00 authenticated from the public IP 103.125.235.24, with the following anomalous behaviour indicative of credential theft and malicious account takeover:
- An anomalous authentication from the VPN: PROTON_VPN
- An anomalous authentication from an inconsistent operating system: iOS
- An anomalous authentication from an unmanaged device
- An anomalous authentication that did not use multi-factor authentication

Remediation Instructions
------------------------
Perform the following remediations:
- Please audit any suspicious application registrations and Enterprise applications added or consented to for user [email protected]
- Audit activity for user [email protected].
- Enable complex conditional access policies for [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Rotate the credentials for [email protected].

MDR for Microsoft 365
-----------------------
Occurred At: 2024-12-31 18:05:07 UTC
Username: [email protected]
Rule Name: Credential Theft - New VPN and OS
Rule Description: An M365 session was observed with a new VPN and OS for this identity. This signal triggers after the identity has been in the platform for at least 14 days to allow for sufficient time to baseline.

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
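The rule description above ("Credential Theft - New VPN and OS", 14-day baseline) is short; the following is an added re-implementation of that detection logic, not Huntress's code. It replays a constructed sign-in log, learns each identity's VPN providers and operating systems during the baseline window, and alerts only when a post-baseline session shows both a new VPN and a new OS, also tagging the unmanaged-device and no-MFA conditions the report lists. The record format, the IP-to-VPN lookup table and the sample sign-ins are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 14  # per the rule description: no alert until 14 days of history exist

# Assumption: an IP-to-VPN-provider lookup; in production this comes from an enrichment feed.
VPN_PROVIDERS = {"103.125.235.24": "PROTON_VPN", "185.159.157.10": "PROTON_VPN"}


def parse_event(line):
    """Parse one constructed sign-in record: time|user|ip|os|mfa|managed."""
    ts, user, ip, os_name, mfa, managed = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "user": user.lower(),
        "ip": ip,
        "os": os_name,
        "mfa": mfa == "mfa",
        "managed": managed == "managed",
        "vpn": VPN_PROVIDERS.get(ip),
    }


def evaluate(lines):
    """Replay sign-ins in time order and return the alerts the rule would raise."""
    first_seen = {}
    seen_vpns = defaultdict(set)
    seen_os = defaultdict(set)
    alerts = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["time"]):
        user = ev["user"]
        first_seen.setdefault(user, ev["time"])
        baselined = ev["time"] - first_seen[user] >= timedelta(days=BASELINE_DAYS)
        new_vpn = ev["vpn"] is not None and ev["vpn"] not in seen_vpns[user]
        new_os = ev["os"] not in seen_os[user]
        if baselined and new_vpn and new_os:
            # Both core conditions met: record every anomalous attribute of the session
            # and keep it out of the profile so it does not poison the baseline.
            anomalies = [f"new VPN: {ev['vpn']}", f"new OS: {ev['os']}"]
            if not ev["managed"]:
                anomalies.append("unmanaged device")
            if not ev["mfa"]:
                anomalies.append("no MFA")
            alerts.append({"user": user, "time": ev["time"].isoformat(),
                           "ip": ev["ip"], "anomalies": anomalies})
            continue
        # Baseline window or benign session: learn it.
        if ev["vpn"]:
            seen_vpns[user].add(ev["vpn"])
        seen_os[user].add(ev["os"])
    return alerts


# Constructed sample: alice has four weeks of normal history and then the session from
# the report; bob is only two days old, so the same pattern must stay silent for him.
SAMPLE_LOG = [
    "2024-12-02T08:01:00+00:00|alice@example.com|198.51.100.10|Windows10|mfa|managed",
    "2024-12-09T08:03:00+00:00|alice@example.com|198.51.100.10|Windows10|mfa|managed",
    "2024-12-20T08:00:00+00:00|alice@example.com|198.51.100.10|Windows10|mfa|managed",
    "2024-12-31T18:05:07+00:00|alice@example.com|103.125.235.24|iOS|nomfa|unmanaged",
    "2024-12-29T12:00:00+00:00|bob@example.com|198.51.100.10|Windows10|mfa|managed",
    "2024-12-31T19:00:00+00:00|bob@example.com|185.159.157.10|iOS|nomfa|unmanaged",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Running it yields exactly one alert, for alice, carrying all four findings from the report; bob's identical-looking session is suppressed by the 14-day gate, which is the trade-off the rule description calls out: newly onboarded identities get no coverage from this signal until a baseline exists.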
[email protected] (internal) Feb 19, 2025, 1:24 AM
Edits made via Bulk Update Tool - see change log for this timestamp
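The remediation list in the report (revoke sessions, audit consented applications, audit sign-in activity) maps onto a handful of Microsoft Graph calls. The script below is an added example of that triage and is not Huntress's tooling: the Graph endpoints and response fields it uses are the documented v1.0 ones, while `FakeGraphSession`, its canned responses and the `RISKY_SCOPES` list are constructed for this page so it runs offline. Against a real tenant you would pass a `requests.Session` whose `Authorization` header carries a bearer token with AuditLog.Read.All, DelegatedPermissionGrant.ReadWrite.All and User.ReadWrite.All.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Assumption: delegated scopes that give an attacker durable mailbox or file access.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.ReadWrite.All", "offline_access"}


def _get_all(session, url, params=None):
    """Follow @odata.nextLink so paged collections are read completely."""
    items = []
    while url:
        body = session.get(url, params=params).json()
        items.extend(body.get("value", []))
        url, params = body.get("@odata.nextLink"), None
    return items


def revoke_sessions(session, upn):
    """Invalidate refresh tokens and session cookies; this works for AD-synced users too."""
    return session.post(f"{GRAPH}/users/{upn}/revokeSignInSessions").json().get("value") is True


def risky_consents(session, upn):
    """Delegated OAuth grants the user consented to that carry a risky scope."""
    found = []
    for g in _get_all(session, f"{GRAPH}/users/{upn}/oauth2PermissionGrants"):
        hit = set(g.get("scope", "").split()) & RISKY_SCOPES
        if hit:
            found.append({"grant_id": g["id"], "client": g["clientId"], "scopes": sorted(hit)})
    return found


def suspicious_signins(session, upn, since_iso):
    """Successful sign-ins since `since_iso` that lacked MFA or came from an unmanaged device."""
    filt = f"userPrincipalName eq '{upn.replace(chr(39), chr(39) * 2)}' and createdDateTime ge {since_iso}"
    out = []
    for s in _get_all(session, f"{GRAPH}/auditLogs/signIns", {"$filter": filt}):
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noise for this question
        dev = s.get("deviceDetail", {})
        has_mfa = s.get("authenticationRequirement") == "multiFactorAuthentication"
        if not has_mfa or not dev.get("isManaged"):
            out.append({"time": s["createdDateTime"], "ip": s.get("ipAddress"),
                        "os": dev.get("operatingSystem"), "mfa": has_mfa,
                        "managed": bool(dev.get("isManaged"))})
    return out


def triage(session, upn, since_iso, revoke_consents=False):
    result = {"revoked": revoke_sessions(session, upn),
              "risky_consents": risky_consents(session, upn),
              "suspicious_signins": suspicious_signins(session, upn, since_iso),
              "removed_grants": []}
    if revoke_consents:
        for g in result["risky_consents"]:
            if session.delete(f"{GRAPH}/oauth2PermissionGrants/{g['grant_id']}").status_code == 204:
                result["removed_grants"].append(g["grant_id"])
    # Not done here: for a synced identity, disabling the account and rotating the password
    # happen in on-prem AD; MFA enforcement and Conditional Access are tenant policy.
    return result


class _Resp:
    def __init__(self, status, body=None):
        self.status_code, self._body = status, body or {}

    def json(self):
        return self._body


class FakeGraphSession:
    """Constructed stand-in for requests.Session returning canned Graph responses."""
    def __init__(self):
        self.deleted = []

    def post(self, url, **kw):
        return _Resp(200, {"value": url.endswith("/revokeSignInSessions")})

    def delete(self, url, **kw):
        self.deleted.append(url.rsplit("/", 1)[1])
        return _Resp(204)

    def get(self, url, params=None, **kw):
        if url.endswith("/oauth2PermissionGrants"):
            return _Resp(200, {"value": [
                {"id": "grant-1", "clientId": "sp-outlook", "scope": "User.Read"},
                {"id": "grant-2", "clientId": "sp-unknown", "scope": "Mail.ReadWrite offline_access"}]})
        if url.endswith("/auditLogs/signIns"):
            return _Resp(200, {"value": [
                {"createdDateTime": "2024-12-31T18:05:07Z", "ipAddress": "103.125.235.24",
                 "authenticationRequirement": "singleFactorAuthentication",
                 "deviceDetail": {"operatingSystem": "iOS", "isManaged": False}, "status": {"errorCode": 0}},
                {"createdDateTime": "2024-12-30T09:00:00Z", "ipAddress": "198.51.100.10",
                 "authenticationRequirement": "multiFactorAuthentication",
                 "deviceDetail": {"operatingSystem": "Windows10", "isManaged": True}, "status": {"errorCode": 0}}]})
        raise ValueError(url)


if __name__ == "__main__":
    print(triage(FakeGraphSession(), "user@example.com", "2024-12-17T00:00:00Z", revoke_consents=True))
```

The consent check is the step most often skipped: a grant with `Mail.ReadWrite` plus `offline_access` to an unrecognised client survives both a session revocation and a password change, so removing it is part of the rotation, not an optional follow-up.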