
#35960 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Human Resource Council)

Status: Resolved
Created: Oct 1, 2025, 3:09 PM
Resolved: Nov 6, 2025, 4:29 PM
Huntress (internal) Oct 1, 2025, 3:09 PM
*** The Huntress Platform will revoke all sessions, logging out the compromised identity, and disable the compromised user from the tenant environment in order to prevent attack spread. ***

If you have an urgent request for support, please go to the link below to request a callback from SOC Support.
https://artichoke.huntress.io/org/51616/infection_reports/1726563/soc_callback_requests/new

Organization: Human Resource Council

Incident Report: https://artichoke.huntress.io/org/51616/infection_reports/1726563
Severity: Critical

Investigative Summary
---------------------
At 2025-10-01 15:00:27 UTC, Huntress detected that the user "[email protected]" authenticated from the datacenter IP address 2a0d:5600:8:101:0:1:e5c4:96d4 from Los Angeles, California, United States of America with the suspicious user agent "axios/1.12.2". This user agent has been associated with the use of phishing kits and is indicative of the user's credentials being compromised.

Threat Descriptions:
--------------------
Axios_SOAR: The Axios user agent has been commonly associated with Phishing-as-a-Service (PhaaS) kits, often used by threat actors to automate credential validation and session hijacking. Its presence in authentication logs is a strong indicator of unauthorized and malicious access attempts.

Remediations:
-------------
Manual Remediations provided by the Huntress SOC are highly recommended remediation actions to be conducted by your team before resolving the incident in the Huntress Platform:
- Disable and/or rotate credentials for any affected user accounts.
- Enable complex conditional access policies and MFA for the identity if otherwise not enabled.
- Rotate the credentials for this identity.
- Please audit any suspicious application registrations and Enterprise applications added or consented to.
- Rotate the credentials for [email protected].
- Audit activity for user [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Enable complex conditional access policies for [email protected].

All remediations provided can be found in the Huntress Platform: Incident Report: https://artichoke.huntress.io/org/51616/infection_reports/1726563#remediations-tab

Lead Signal Information
-----------------------
Signal Name: Login Observed With Axios User Agent
Occurred At: 2025-10-01 15:00:27 UTC
Received At: 2025-10-01 15:05:53 UTC
Detected At: 2025-10-01 15:07:07 UTC
Username: [email protected]
Rule Name: Login Observed with Axios User Agent
Rule Description: Detects successful logins from Axios user agent, which is a strong indicator of Phishing as a Service infrastructure.
All investigated signals can be found in the Huntress Platform: https://artichoke.huntress.io/org/51616/infection_reports/1726563#signals-investigated-tab

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.
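The lead signal above ("Login Observed With Axios User Agent") is a simple rule to reproduce against your own sign-in telemetry. The following Python is an added example and is not Huntress's detection code; it assumes sign-in records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `userAgent`, `status.errorCode`, `createdDateTime`, `location`), the sample records are constructed rather than real logs, and the `KNOWN_AUTOMATION_NETS` allowlist is a hypothetical placeholder. Beyond the single login in the report, it also clusters successful axios logins by source IP (one kit host validating several victims) and counts the failed axios attempts that preceded each success, which is the credential-validation pattern the threat description refers to.

```python
"""
Replay of the "Login Observed With Axios User Agent" logic over sign-in records.
Added example, not Huntress's rule. Field names follow the Microsoft Graph signIn
resource; SAMPLE_SIGNINS below are constructed sample records, not real logs.
"""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# axios identifies itself as "axios/<version>" with nothing else in the string.
AXIOS_UA = re.compile(r"^axios/\d+(?:\.\d+)*$", re.IGNORECASE)

# Hypothetical allowlist of source ranges for in-house automation that legitimately
# uses axios. Keep it empty unless every range has a verified owner.
KNOWN_AUTOMATION_NETS = [ip_network("203.0.113.0/24")]  # RFC 5737 documentation range

SAMPLE_SIGNINS = [  # constructed sample records
    {"createdDateTime": "2025-10-01T14:58:10Z", "userPrincipalName": "hr.user@example.com",
     "ipAddress": "2a0d:5600:8:101:0:1:e5c4:96d4", "userAgent": "axios/1.12.2",
     "status": {"errorCode": 50126}, "location": {"city": "Los Angeles", "countryOrRegion": "US"}},
    {"createdDateTime": "2025-10-01T15:00:27Z", "userPrincipalName": "hr.user@example.com",
     "ipAddress": "2a0d:5600:8:101:0:1:e5c4:96d4", "userAgent": "axios/1.12.2",
     "status": {"errorCode": 0}, "location": {"city": "Los Angeles", "countryOrRegion": "US"}},
    {"createdDateTime": "2025-10-01T15:02:41Z", "userPrincipalName": "finance.user@example.com",
     "ipAddress": "2a0d:5600:8:101:0:1:e5c4:96d4", "userAgent": "axios/1.12.2",
     "status": {"errorCode": 0}, "location": {"city": "Los Angeles", "countryOrRegion": "US"}},
    {"createdDateTime": "2025-10-01T15:03:05Z", "userPrincipalName": "hr.user@example.com",
     "ipAddress": "198.51.100.7", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0",
     "status": {"errorCode": 0}, "location": {"city": "Toronto", "countryOrRegion": "CA"}},
    {"createdDateTime": "2025-10-01T15:10:00Z", "userPrincipalName": "svc.sync@example.com",
     "ipAddress": "203.0.113.5", "userAgent": "axios/1.7.4",
     "status": {"errorCode": 0}, "location": {"city": "Toronto", "countryOrRegion": "CA"}},
]


def parse_time(value):
    """Graph timestamps are ISO 8601 with a trailing Z; normalise to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_axios(user_agent):
    return bool(AXIOS_UA.match(user_agent or ""))


def is_success(record):
    return (record.get("status") or {}).get("errorCode", -1) == 0


def from_known_automation(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_AUTOMATION_NETS)


def find_axios_logins(records):
    """Successful logins with an axios user agent from non-allowlisted sources."""
    findings = []
    for rec in records:
        if not (is_axios(rec.get("userAgent")) and is_success(rec)):
            continue
        if from_known_automation(rec["ipAddress"]):
            continue
        loc = rec.get("location") or {}
        findings.append({
            "user": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "user_agent": rec["userAgent"],
            "occurred_at": parse_time(rec["createdDateTime"]),
            "geo": f"{loc.get('city', '?')}, {loc.get('countryOrRegion', '?')}",
        })
    return sorted(findings, key=lambda f: f["occurred_at"])


def shared_source_ips(findings, min_users=2):
    """IPs from which axios successfully logged in as several identities: kit infrastructure."""
    users_by_ip = {}
    for f in findings:
        users_by_ip.setdefault(f["ip"], set()).add(f["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def failed_attempts_before(records, finding, window_minutes=30):
    """Failed axios logins from the same IP shortly before the success (credential validation)."""
    start = finding["occurred_at"] - timedelta(minutes=window_minutes)
    return sum(
        1 for rec in records
        if rec["ipAddress"] == finding["ip"] and is_axios(rec.get("userAgent"))
        and not is_success(rec) and start <= parse_time(rec["createdDateTime"]) < finding["occurred_at"]
    )


if __name__ == "__main__":
    hits = find_axios_logins(SAMPLE_SIGNINS)
    for h in hits:
        print(f"{h['occurred_at']:%Y-%m-%d %H:%M:%S} UTC {h['user']} from {h['ip']} ({h['geo']}) "
              f"ua={h['user_agent']} prior_failures={failed_attempts_before(SAMPLE_SIGNINS, h)}")
    print("shared kit hosts:", shared_source_ips(hits))
```

Two caveats when running this against production data: the user agent is attacker-controlled, so a clean UA string proves nothing and this rule only catches kits that do not bother to spoof a browser; and legitimate scripts use axios too, so review each allowlisted range rather than suppressing by UA alone. The Chrome login at a different IP minutes after the axios login is exactly the kind of record to pull into the user-activity audit the remediation list asks for.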
Artichoke Support - Peet (internal) Oct 1, 2025, 3:15 PM
The following updates were made to this Incident Report:

Manual Remediations Added:
	- Kill all current sessions for this identity.
	- Enroll the user in a security awareness training session to reinforce safe practices in the corporate environment.
	- Audit for malicious inbox rules and forwards.
[email protected] (internal) Nov 6, 2025, 4:29 PM
Edits made via Bulk Update Tool - see change log for this timestamp