Okta phone number assigned to multiple users

okta

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects the reuse of the same phone number across different Okta user accounts during multi-factor enrollment.

Strategy

This rule monitors phone number enrollment verification by SMS within a short period. The reuse of one phone number across users may indicate an attacker’s attempt to maintain persistence.

This detection has been adopted from rules published by the Okta team.

Triage & Response

  1. Identify the user account who triggered the signal, {{@actor.alternateId}}, and all other user accounts associated with {{@debugContext.debugData.phoneNumber}}.
  2. Confirm whether sharing a number is expected for those accounts within the organization, such as for a service account.
  3. Review recent factor enrollment and recovery changes for each user, focusing on additions or resets of factors.
  4. Check authentication activity around the verification for each user from source IP {{@network.client.ip}} and geo‑location for anomalies.
  5. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.