#35961 [Huntress Detection] CRITICAL - ISOLATED - Incident on [email protected] (Human Resource Council)

Status: Resolved | Created: Oct 1, 2025, 3:48 PM | Resolved: Nov 6, 2025, 4:29 PM

Huntress (internal) Oct 1, 2025, 3:48 PM
*** The Huntress Platform will revoke all sessions, logging out the compromised identity, and disable the compromised user from the tenant environment in order to prevent attack spread. ***

Organization: Human Resource Council

Incident Report: https://artichoke.huntress.io/org/51616/infection_reports/1726633
Severity: Critical

Investigative Summary
---------------------
At , Huntress identified authentication from the IP address  by the user "[email protected]" with the following anomalous behavior indicative of credential theft and malicious account takeover:
- An anomalous authentication from a new VPN: EXPRESS_VPN

Remediations:
-------------
Manual Remediations provided by the Huntress SOC are highly recommended remediation actions to be conducted by your team before resolving the incident in the Huntress Platform:
- Rotate the credentials for [email protected].
- Audit activity for user [email protected].
- Enable and enforce MFA for [email protected], if otherwise not enabled.
- Enable complex conditional access policies for [email protected].

All remediations provided can be found in the Huntress Platform: Incident Report: https://artichoke.huntress.io/org/51616/infection_reports/1726633#remediations-tab

Lead Signal Information
-----------------------
Signal Name: Unwanted Access Tunnel Operator Rule Violation
Occurred At: No data
Received At: No data
Detected At: 2025-10-01 15:42:15 UTC
Username: [email protected]
Rule Name: Unwanted Access Tunnel Operator Rule Violation
Rule Description: An event was escalated with attributes that lacked attribute rule configurations. The escalation was resolved by creating an attribute rule the event is now in violation of.

All investigated signals can be found in the Huntress Platform: https://artichoke.huntress.io/org/51616/infection_reports/1726633#signals-investigated-tab

-------------------------
Thanks again for trusting Huntress and please don't hesitate to reach out to [email protected] if you have any questions.

[email protected] (internal) Nov 6, 2025, 4:29 PM
Edits made via Bulk Update Tool - see change log for this timestamp