#32567 [Huntress Detection] HIGH - Incident on [email protected] (Five Valleys Land Trust)

Resolved Created Feb 14, 2025, 4:08 PM Resolved Feb 14, 2025, 8:29 PM
Huntress (internal) Feb 14, 2025, 4:08 PM
Organization: Five Valleys Land Trust

Incident Report: https://artichoke.huntress.io/org/83316/infection_reports/1415721
Severity: High

Investigative Summary
---------------------
Huntress has identified the application "rclone" with delegated permissions for "[email protected]." This application was installed in the tenant on June 01, 2022 at 05:29 PM UTC and assigned to the identity on June 01, 2022 at 05:29 PM UTC. Huntress first detected this activity on February 14, 2025 at 04:04 PM UTC. Huntress is currently rolling out the Rogue Applications Capability to all tenants and is now alerting on historic application installs as well as new application installs.

rclone is often used maliciously to maintain access to tenant environments and conduct phishing campaigns. Please remove "rclone" from your tenant environment and revoke all active sessions for the identity "[email protected]" to stop any active malicious sessions.

Instructions for how to do this can be found at this link: https://support.huntress.io/hc/en-us/articles/36625997667731-Removing-a-Rogue-Application-from-a-Tenant

Rogue Cloud Application: A suspicious application has been granted access to your cloud environment. This could be a malicious application installed without your knowledge or a legitimate application that has been granted overly broad permissions. Attackers use rogue cloud applications to gain unauthorized access, steal data, and further compromise an organization.

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
Artichoke Support - Peet (internal) Feb 14, 2025, 5:09 PM
The following remediation plan was rejected by [email protected].
Reason: Approved Application M365.
Comment: Approved for this user in this tenant.
[email protected] (internal) Feb 14, 2025, 8:29 PM
Edits made via Bulk Update Tool - see change log for this timestamp