Okta phone number assigned to multiple users

okta

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detects the reuse of the same phone number across different Okta user accounts during multi-factor enrollment.

Strategy

This rule monitors phone number enrollment verification by SMS within a short period. The reuse of one phone number across users may indicate an attacker’s attempt to maintain persistence.

This detection has been adopted from rules published by the Okta team.

Triage & Response

  1. Identify the user account who triggered the signal, {{@actor.alternateId}}, and all other user accounts associated with {{@debugContext.debugData.phoneNumber}}.
  2. Confirm whether sharing a number is expected for those accounts within the organization, such as for a service account.
  3. Review recent factor enrollment and recovery changes for each user, focusing on additions or resets of factors.
  4. Check authentication activity around the verification for each user from source IP {{@network.client.ip}} and geo‑location for anomalies.
  5. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.