Suspicious login from an IP flagged by FastPass

This detection is recorded when a successful sign-in event has originated from an IP address that Okta FastPass previously flagged in a phishing attempt.

Detection risk level: High

This Account Takeover (ATO) detection uses the phishing attempts identified by Okta FastPass across the Okta customer base.

MITRE tactic

Initial Access

MITRE technique

Phishing

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: Suspicious Login From An IP Flagged By FastPass
  • Take this action: Universal Logout, or run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

  1. Immediate action: Based on your policy configuration, Universal Logout should terminate the session.

  2. Block the threat: Add the malicious IP address to a blocked network zone to prevent any further login attempts from that IP address.

  3. Investigate: Review the System Log events associated with the flagged session (the user, the IP address, and the session itself) for signs of malicious activity.

  4. Secure the account:

    • Contact the user through an out-of-band method (phone call, Slack/Teams) to confirm they weren't the source of the activity.

    • Initiate a mandatory password reset for the user.

    • Review all enrolled MFA factors with the user to ensure that the attacker didn't register their own device.

  5. Broader action: This signal points to an active phishing campaign. The investigating team should also check other users who may have been targeted from that IP address.
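The following is an added example, not Okta's own code, showing how an investigator can work through steps 3 to 5 over exported System Log events: pull every event tied to the flagged session, check whether that session enrolled a new MFA factor or changed the password, and list every user the flagged IP address attempted to sign in as. It assumes the events are in the Okta System Log JSON schema (eventType, outcome.result, client.ipAddress, actor.alternateId, authenticationContext.externalSessionId, published); the events embedded below are constructed sample data, not real log output, and the IP addresses and session IDs are placeholders.

```python
"""Triage helper for the "Suspicious login from an IP flagged by FastPass" detection.

Added example (not Okta's code). It operates on Okta System Log events in the
standard System Log JSON schema. The events below are constructed sample data.
"""
from collections import defaultdict

LOGIN_EVENT = "user.session.start"

# Event types that indicate an attacker trying to keep access (remediation step 4).
PERSISTENCE_EVENTS = {
    "user.mfa.factor.activate",      # a new factor enrolled from the flagged session
    "user.mfa.factor.deactivate",    # a legitimate factor removed
    "user.account.update_password",  # password changed to lock the user out
}

# Constructed sample events; placeholder IPs (RFC 5737) and session IDs.
SAMPLE_EVENTS = [
    {"published": "2024-05-01T09:00:00Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.23"},
     "actor": {"alternateId": "alice@example.com"},
     "authenticationContext": {"externalSessionId": "sess-A1"}},
    {"published": "2024-05-01T09:02:00Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.23"},
     "actor": {"alternateId": "alice@example.com"},
     "authenticationContext": {"externalSessionId": "sess-A1"}},
    {"published": "2024-05-01T09:10:00Z", "eventType": "user.session.start",
     "outcome": {"result": "FAILURE"}, "client": {"ipAddress": "198.51.100.23"},
     "actor": {"alternateId": "bob@example.com"},
     "authenticationContext": {"externalSessionId": None}},
    {"published": "2024-05-01T09:15:00Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.23"},
     "actor": {"alternateId": "carol@example.com"},
     "authenticationContext": {"externalSessionId": "sess-C7"}},
    {"published": "2024-05-01T09:20:00Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.5"},
     "actor": {"alternateId": "alice@example.com"},
     "authenticationContext": {"externalSessionId": "sess-A2"}},
]


def _get(event, *path):
    """Safely read a nested field; System Log events may omit sub-objects."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def events_for_session(events, session_id):
    """Step 3: every event tied to the flagged session, in time order."""
    return sorted(
        (e for e in events
         if _get(e, "authenticationContext", "externalSessionId") == session_id),
        key=lambda e: e["published"],
    )


def persistence_actions(events, session_id):
    """Step 4: factor or password changes made within the flagged session."""
    return [e["eventType"] for e in events_for_session(events, session_id)
            if e["eventType"] in PERSISTENCE_EVENTS]


def users_seen_from_ip(events, ip):
    """Step 5: every user the flagged IP tried to sign in as, with outcome counts."""
    summary = defaultdict(lambda: {"attempts": 0, "successful_logins": 0})
    for e in events:
        if _get(e, "client", "ipAddress") != ip or e["eventType"] != LOGIN_EVENT:
            continue
        user = _get(e, "actor", "alternateId")
        summary[user]["attempts"] += 1
        if _get(e, "outcome", "result") == "SUCCESS":
            summary[user]["successful_logins"] += 1
    return dict(summary)


def triage(events, flagged_ip, flagged_session):
    """Combine the three checks into one report for the investigating team."""
    return {
        "session_events": [e["eventType"]
                           for e in events_for_session(events, flagged_session)],
        "persistence_actions": persistence_actions(events, flagged_session),
        "users_from_ip": users_seen_from_ip(events, flagged_ip),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS, "198.51.100.23", "sess-A1"), indent=2))
```

In the sample data the flagged session enrolled a new MFA factor two minutes after sign-in, which is exactly the case step 4 tells you to look for, and the same IP succeeded against a second user (carol) and failed against a third (bob), so all three accounts belong in the step 5 follow-up. Against a live tenant the same functions can be fed the output of a System Log export filtered on the flagged IP address.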