Suspicious login using a sprayed password

This detection indicates that a user successfully signed in to Okta using a password that's been identified in a password spray campaign.

Detection risk level: Medium

This detection means that either an attacker was able to enter a sprayed password to sign in, or that a valid user signed in with a password that's been identified in a password spray campaign.

MITRE tactic

Credential Access

MITRE technique

Brute Force: Password Spraying

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: Suspicious Login Using a Sprayed Password
  • Take this action: Universal Logout, and run a Workflow to expire the user's password

System Log query

eventType eq "user.risk.detect" and debugContext.debugData.risk co "detectionName=Suspicious Login Using A Sprayed Password"

Remediation strategy
  • Automated action from your entity risk policy: The user's password is expired immediately, and they're required to set a new one the next time that they sign in. If the user doesn't sign in (and therefore doesn't reset their password), their password remains exposed.
  • Additional action: Configure the Password expiry rule for the Okta account management policy to enforce MFA during password resets.
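As an added example that is not part of Okta's documentation, the following Python applies the equivalent of the System Log query above to a handful of constructed System Log events and pulls the affected user and risk level out of each match, which is the enrichment a SIEM rule or a Workflow would want before expiring a password. The key=value layout of debugContext.debugData.risk in the sample data is an assumption made for this example.

```python
DETECTION_NAME = "Suspicious Login Using A Sprayed Password"

# Constructed sample of Okta System Log events (not real log data).
# The "k=v, k=v" layout of debugData.risk is an assumption for this sample.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "debugContext": {"debugData": {"risk": "level=LOW"}}},
    {"eventType": "user.risk.detect", "actor": {"alternateId": "bob@example.com"},
     "debugContext": {"debugData": {
         "risk": f"level=MEDIUM, detectionName={DETECTION_NAME}"}}},
    {"eventType": "user.risk.detect", "actor": {"alternateId": "carol@example.com"},
     "debugContext": {"debugData": {"risk": "level=HIGH, detectionName=Other Detection"}}},
    {"eventType": "user.risk.detect", "actor": {"alternateId": "dave@example.com"},
     "debugContext": {"debugData": {}}},  # risk field absent entirely
]


def risk_string(event):
    """Return debugContext.debugData.risk, or "" when any level is missing."""
    debug_data = event.get("debugContext", {}).get("debugData", {}) or {}
    return debug_data.get("risk", "") or ""


def parse_risk(risk):
    """Split 'k1=v1, k2=v2' into a dict (values may contain spaces, not commas)."""
    fields = {}
    for part in risk.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def matches_query(event):
    """Equivalent of: eventType eq "user.risk.detect" and
    debugContext.debugData.risk co "detectionName=<name>" (substring match)."""
    return (event.get("eventType") == "user.risk.detect"
            and f"detectionName={DETECTION_NAME}" in risk_string(event))


def sprayed_password_logins(events):
    """Return (user, risk level) for every event that matches the detection."""
    hits = []
    for event in events:
        if matches_query(event):
            fields = parse_risk(risk_string(event))
            hits.append((event.get("actor", {}).get("alternateId"), fields.get("level")))
    return hits


if __name__ == "__main__":
    for user, level in sprayed_password_logins(SAMPLE_EVENTS):
        print(f"{user}: {DETECTION_NAME} (level={level})")
```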