@f7d0478e I don’t have all the context, but session token theft doesn’t necessarily mean they interacted with a phishing website. Could have been endpoint malware that stole it from browser.