Okta phishing detection with FastPass origin check

Set up the Okta integration.


Goal

Detect when Okta raises a phishing detection with FastPass origin check.

Strategy

This rule monitors Okta for phishing detections raised by the FastPass origin check. Okta provides a platform detection that fires when a user enrolled in FastPass fails to authenticate through a real-time adversary-in-the-middle (AiTM) phishing proxy.

Triage and response

  1. Extract the attacker's IP address {{@network.client.ip}}.
  2. Determine if any other users have authenticated from this address.
  3. If yes, clear any user sessions and reset passwords if the users entered a password as part of the authentication flow.
  4. Begin your organization’s incident response process and investigate for any account takeovers.
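
The pivot in steps 1 to 3, as an added example that is not part of the original rule or of Okta's or Datadog's tooling. It runs over constructed Okta System Log events; the field names follow the System Log event schema, and the detection filter (event type plus outcome reason) and the use of credentialType to spot password entry are assumptions.

```python
# Added example. Field names follow the Okta System Log event schema; the
# detection filter below (event type + outcome reason) is an assumption.
PHISH_TYPE = "user.authentication.auth_via_mfa"
PHISH_REASON = "FastPass declined phishing attempt"

def ev(user, ip, etype, result, reason=None, cred=None):
    """Build a minimal constructed System Log event."""
    return {
        "eventType": etype,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result, "reason": reason},
        "authenticationContext": {"credentialType": cred},
    }

# Constructed sample events; IPs are from documentation ranges.
SAMPLE_EVENTS = [
    ev("alice@example.com", "203.0.113.7", PHISH_TYPE, "FAILURE", PHISH_REASON),
    ev("bob@example.com", "203.0.113.7", "user.session.start", "SUCCESS", cred="PASSWORD"),
    ev("carol@example.com", "203.0.113.7", PHISH_TYPE, "SUCCESS", cred="OTP"),
    ev("dave@example.com", "198.51.100.20", "user.session.start", "SUCCESS", cred="PASSWORD"),
]

def phishing_ips(events):
    """Step 1: source IPs seen on FastPass phishing detections."""
    return {
        e["client"]["ipAddress"] for e in events
        if e["eventType"] == PHISH_TYPE
        and e["outcome"]["result"] == "FAILURE"
        and e["outcome"].get("reason") == PHISH_REASON
    }

def triage(events):
    """Steps 2-3: per flagged IP, users who authenticated and the actions each needs."""
    flagged = phishing_ips(events)
    report = {}
    for e in events:
        ip = e["client"]["ipAddress"]
        if ip not in flagged or e["outcome"]["result"] != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        actions = report.setdefault(ip, {}).setdefault(user, ["clear_sessions"])
        # Reset the password only when a password was part of the flow.
        used_pw = e["authenticationContext"].get("credentialType") == "PASSWORD"
        if used_pw and "reset_password" not in actions:
            actions.append("reset_password")
    return report

if __name__ == "__main__":
    for ip, users in triage(SAMPLE_EVENTS).items():
        print(ip, users)
```

The user named in the detection itself does not appear in the report unless a successful event from the same address exists for them, so review that account separately under step 4.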