Question about URLscan.io results and geolocale

I’m chasing something down at my org. We had a user who is a sales person (so not inside our org) and their account was compromised.

These sales employees logon to a vpn into a sales platform that sits in the dmz.

Reviewing the logs, I see a favicon.ico. I download it. It’s got a script in it, that appears to take the session/cookie from the referrer and pass it to the sales site. This “cookie” is set to expire …

account compromised cookie cybersecurity dmz down download employees favicon ico logon logs org platform question referrer results sales script session urlscan urlscan.io vpn