Suspicious login from an IP flagged by FastPass

This detection is recorded when a successful sign-in event has originated from an IP address that Okta FastPass previously flagged in a phishing attempt.

Detection risk level: High

This Account Takeover (ATO) detection uses the phishing attempts identified by Okta FastPass across the Okta customer base.

Policy configuration

In your entity risk policy, set these conditions:

  • Detection: Suspicious Login From An IP Flagged By FastPass
  • Take this action: Universal Logout, or run a Workflow to notify the SOC team to begin an investigation

Remediation strategy

  1. Immediate action: Based on your policy configuration, Universal Logout should terminate the session.

  2. Block the threat: Add the malicious IP address to a blocked network zone to prevent any further login attempts from that IP address.

  3. Investigate: Check for malicious activity in System Log events relevant to the flagged session.

  4. Secure the account:

    • Contact the user through an out-of-band method (phone call, Slack/Teams) to confirm they weren't the source of the activity.

    • Initiate a mandatory password reset for the user.

    • Review all enrolled MFA factors with the user to ensure that the attacker didn't register their own device.

  5. Broader action: This signal points to an active phishing campaign. The investigating team should also check for other users with sign-in activity from that IP address, since they may have been targeted by the same campaign.
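The remediation steps above can be driven from Okta's management API. The following is an added example, not Okta's own code or part of this page: it builds the request body for a BLOCKLIST IP network zone (step 2, Zones API at /api/v1/zones), the System Log filter for one client IP (step 3, /api/v1/logs), and a triage summary that lists which accounts signed in successfully from that IP, which were only attempted, and whether an MFA factor was activated from it (steps 4 and 5). The org domain and API token come from the hypothetical OKTA_DOMAIN and OKTA_API_TOKEN environment variables, and the System Log events embedded below are constructed sample data, not real events.

```python
import ipaddress
import json
import os
import urllib.request
from urllib.parse import urlencode

# Hypothetical configuration: org domain and SSWS API token, read from the environment.
OKTA_DOMAIN = os.environ.get("OKTA_DOMAIN", "example.okta.com")
OKTA_API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")


def cidr_for_ip(ip):
    """Single-host CIDR (/32 or /128) for one address; raises ValueError on bad input."""
    return str(ipaddress.ip_network(ip, strict=True))


def blocklist_zone_payload(name, ips):
    """Request body for POST /api/v1/zones creating an IP zone with usage BLOCKLIST.
    The zone name is a constructed value; gateways are the blocked addresses."""
    return {
        "type": "IP",
        "name": name,
        "usage": "BLOCKLIST",
        "gateways": [{"type": "CIDR", "value": cidr_for_ip(ip)} for ip in ips],
    }


def system_log_filter(ip):
    """Filter expression for GET /api/v1/logs?filter=... restricted to one client IP."""
    ipaddress.ip_address(ip)  # validate before interpolating into the filter string
    return f'client.ipAddress eq "{ip}"'


def events_from_ip(events, ip):
    """Keep only System Log events whose client.ipAddress matches the flagged IP."""
    return [e for e in events if e.get("client", {}).get("ipAddress") == ip]


def triage_summary(events, ip):
    """Summarize what the flagged IP did: successful sign-ins, other actors it touched,
    and every event type seen (an MFA activation here means step 4 must be checked)."""
    hits = events_from_ip(events, ip)
    successful, attempted = set(), set()
    for e in hits:
        who = e.get("actor", {}).get("alternateId")
        if not who:
            continue
        if e.get("eventType") == "user.session.start" and e.get("outcome", {}).get("result") == "SUCCESS":
            successful.add(who)
        else:
            attempted.add(who)
    return {
        "ip": ip,
        "event_count": len(hits),
        "successful_logins": sorted(successful),
        "other_actors": sorted(attempted - successful),
        "event_types": sorted({e.get("eventType") for e in hits}),
        "mfa_activated": any(e.get("eventType") == "user.mfa.factor.activate" for e in hits),
    }


def okta_request(method, path, body=None, params=None):
    """Minimal authenticated call to the Okta management API (only used with a real token)."""
    url = f"https://{OKTA_DOMAIN}{path}" + (("?" + urlencode(params)) if params else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"SSWS {OKTA_API_TOKEN}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample System Log events (same field layout as real ones, values invented).
SAMPLE_EVENTS = [
    {"uuid": "evt-1", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com", "type": "User"}, "client": {"ipAddress": "203.0.113.7"}},
    {"uuid": "evt-2", "eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "actor": {"alternateId": "bob@example.com", "type": "User"}, "client": {"ipAddress": "203.0.113.7"}},
    {"uuid": "evt-3", "eventType": "user.mfa.factor.activate", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com", "type": "User"}, "client": {"ipAddress": "203.0.113.7"}},
    {"uuid": "evt-4", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com", "type": "User"}, "client": {"ipAddress": "198.51.100.20"}},
]


if __name__ == "__main__":
    flagged = "203.0.113.7"  # constructed; take the real value from the detection's event
    print(json.dumps(triage_summary(SAMPLE_EVENTS, flagged), indent=2))
    print(json.dumps(blocklist_zone_payload("FastPass flagged IPs", [flagged]), indent=2))
    if OKTA_API_TOKEN:  # live path: pull the last events from that IP, then block it
        live = okta_request("GET", "/api/v1/logs", params={"filter": system_log_filter(flagged), "limit": 200})
        print(json.dumps(triage_summary(live, flagged), indent=2))
        okta_request("POST", "/api/v1/zones", body=blocklist_zone_payload("FastPass flagged IPs", [flagged]))
```

Run offline it prints the triage of the sample data: alice signed in successfully and then activated an MFA factor from the flagged IP (so her enrolled factors need review), bob's sign-in from the same IP failed (a second targeted user for step 5), and carol's event is ignored because it came from a different address. The blocklist zone is built from /32 or /128 gateways so that only the flagged hosts are blocked.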