
#35269 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Peet, Inc.)

Status: Resolved. Created Aug 6, 2025, 5:53 PM. Resolved Aug 6, 2025, 10:32 PM.
Huntress (internal) Aug 6, 2025, 5:53 PM
*** The Huntress Platform will revoke all sessions, logging out the compromised identity, and disable the compromised user from the tenant environment in order to prevent attack spread. ***

If you have an urgent request for support, please go to the link below to request a callback from SOC Support.
https://artichoke.huntress.io/org/107388/infection_reports/1631827/soc_callback_requests/new

Organization: Peet, Inc.

Incident Report: https://artichoke.huntress.io/org/107388/infection_reports/1631827
Severity: Critical

Investigative Summary
---------------------
At 2025-08-06 17:50:40 UTC, Huntress identified authentication from the IP address 20.171.75.41 by the user "[email protected]" with the following anomalous behavior indicative of credential theft and malicious account takeover: 
- The anomalous authentication attempt(s) occurred from two unmanaged devices, i.e. devices that are not controlled or monitored by an organization's IT policies and security tools. 
- The authentication attempts were made without using multi-factor authentication, which is considered anomalous. 
- An anomalous authentication from an inconsistent operating system: Windows

Threat Descriptions:
-------------------
Session / Token Theft for Cloud Account: A threat actor has stolen this identity's login session or access token for a cloud service (like Gmail, Office 365, etc.), facilitating malicious account takeover and persistence without needing the password. 

Remediations:
-------------
Manual Remediations provided by the Huntress SOC are highly recommended remediation actions to be conducted by your team before resolving the incident in the Huntress Platform:
- Kill all current sessions for this identity.
- Rotate the credentials for this identity.
- Audit for malicious inbox rules and forwards.
- Consider enrolling the user in security awareness training to prevent recurrence.
- Rotate the credentials for [email protected].
- Audit activity for user [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Enable complex conditional access policies for [email protected].

All remediations provided can be found in the Huntress Platform: Incident Report: https://artichoke.huntress.io/org/107388/infection_reports/1631827#remediations-tab

Lead Signal Information
-----------------------
Signal Name: Token Theft - Datacenter, New OS
Detected At: 2025-08-06 12:50:16 -0500
Occurred At: 2025-08-06 12:50:16 -0500
Username: [email protected]
Rule Name: Token Theft - Datacenter, New OS
Rule Description: An M365 session was observed from new datacenter infrastructure and operating system. This behavior is indicative of token theft.
All investigated signals can be found in the Huntress Platform: https://artichoke.huntress.io/org/107388/infection_reports/1631827#signals-investigated-tab

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
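As an added illustration of the rule described in the Lead Signal Information above (this is not Huntress code; the event field names, the datacenter prefix list, the baseline schema and the severity weighting are all constructed assumptions for the example), the following toy heuristic flags an M365 sign-in that comes from datacenter address space the identity has not used before on an operating system it has not used before, treats "no MFA" and "unmanaged device" as confidence boosters, and includes a step that learns a session confirmed as legitimate into the identity's baseline so an identical sign-in does not re-alert:

```python
"""Toy 'Token Theft - Datacenter, New OS' style heuristic.

Added example, not vendor code. Field names, prefix list, baseline format
and severity weighting are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for an IP-intelligence / ASN feed of hosting and cloud
# ("datacenter") address space. Not an authoritative list of any provider.
DATACENTER_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("20.171.75.0/24", "52.96.0.0/12", "34.64.0.0/10")
]


@dataclass
class Baseline:
    """What this identity has historically looked like (assumed schema)."""
    seen_os: set = field(default_factory=set)
    seen_datacenter: bool = False


@dataclass
class SignIn:
    """One M365 sign-in event; fields are assumed for this example."""
    user: str
    ip: str
    os: str
    mfa: bool
    device_managed: bool


def is_datacenter(ip: str) -> bool:
    """True when the source address falls inside known datacenter space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_PREFIXES)


def evaluate(event: SignIn, baseline: Baseline) -> dict:
    """Return the rule verdict together with the individual signals that fired."""
    signals = []
    if is_datacenter(event.ip) and not baseline.seen_datacenter:
        signals.append("new_datacenter_infrastructure")
    if event.os not in baseline.seen_os:
        signals.append("new_os")
    if not event.mfa:
        signals.append("no_mfa")
    if not event.device_managed:
        signals.append("unmanaged_device")

    # The lead rule fires on the datacenter + new-OS pair; the other two
    # signals do not fire it on their own but raise the severity when present.
    fired = {"new_datacenter_infrastructure", "new_os"} <= set(signals)
    severity = None
    if fired:
        boosters = {"no_mfa", "unmanaged_device"} & set(signals)
        severity = "critical" if boosters else "high"
    return {
        "rule": "Token Theft - Datacenter, New OS",
        "fired": fired,
        "severity": severity,
        "signals": signals,
    }


def approve(event: SignIn, baseline: Baseline) -> Baseline:
    """A reviewer confirms the session is legitimate: learn it into the baseline."""
    baseline.seen_os.add(event.os)
    if is_datacenter(event.ip):
        baseline.seen_datacenter = True
    return baseline


# Constructed sample input: an identity previously seen only on macOS and iOS,
# now signing in from a datacenter address on Windows without MFA.
SAMPLE_BASELINE = Baseline(seen_os={"macOS", "iOS"})
SAMPLE_EVENT = SignIn(
    user="user@example.com",  # constructed placeholder identity
    ip="20.171.75.41",
    os="Windows",
    mfa=False,
    device_managed=False,
)

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_EVENT, SAMPLE_BASELINE)
    print(verdict)
    learned = approve(SAMPLE_EVENT, Baseline(seen_os={"macOS", "iOS"}))
    print(evaluate(SAMPLE_EVENT, learned))
```

The two booster signals are kept separate from the firing condition on purpose: whether a device is "managed" depends on what inventory the detector can see, so keeping that judgement out of the core rule makes a disputed verdict easier to review, and `approve` records the reviewer's decision as baseline state rather than as a blanket exception for the source address.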
Artichoke Support - Peet (internal) Aug 6, 2025, 7:51 PM
The following remediation plan was rejected by [email protected].
Reason: Approved User Login Location M365.
Comment: Not 100% sure why this triggered, but the device is part of my Entra tenant and is legitimate. I was working at the time on the device so ¯\_(ツ)_/¯ ... It's a Windows 365 VM.