Skip to content
Threat Feed
high advisory

Okta Multiple Account Lockouts Indicative of Password Spraying

Multiple Okta accounts locked out within a 5-minute period, detected via aggregated user.account.lock events, may indicate a password spraying attack leading to potential account takeovers.

This threat brief focuses on detecting potential password spraying attacks targeting Okta environments. The detection identifies an anomalous number of account lockouts occurring within a short timeframe. Specifically, it leverages Okta's user.account.lock event, aggregating these events over a 5-minute window. The underlying assumption is that a rapid series of lockouts is indicative of an automated password guessing attack, such as password spraying, where an attacker tries common passwords against many accounts. While the specific attacker is unknown, the technique is commonly employed by various threat actors to gain initial access to corporate networks. The scope of targeting depends on the Okta tenant's configuration and user base.

Attack Chain

  1. Initial Access: The attacker attempts to gain unauthorized access to Okta accounts. (T1110)
  2. Password Spraying: The attacker employs a password spraying technique, using a list of common passwords.
  3. Authentication Attempts: The attacker makes multiple authentication attempts against various Okta accounts.
  4. Account Lockout Events: The repeated failed login attempts trigger Okta's account lockout policy, generating user.account.lock events in the Okta logs.
  5. Log Aggregation: These lockout events are aggregated and analyzed over a 5-minute window.
  6. Detection Threshold: If the number of locked-out accounts within the window exceeds a predefined threshold (e.g., 5), the alert triggers.
  7. Potential Account Takeover: If the attacker successfully guesses a password before the account locks, they achieve account takeover.
  8. Lateral Movement/Privilege Escalation: Once inside the Okta environment, the attacker may attempt lateral movement or privilege escalation to access sensitive resources.

Impact

Successful password spraying attacks can lead to unauthorized access to sensitive Okta accounts. This can result in data breaches, financial loss, and reputational damage. The number of impacted accounts and the severity of the consequences will depend on the attacker's objectives and the level of access gained. Organizations using Okta for critical authentication services are particularly vulnerable.

Recommendation

  • Deploy the Sigma rule Okta Multiple Account Lockouts to your SIEM and tune the threshold (count > 5) based on your organization's baseline.
  • Investigate any alerts generated by the Okta Multiple Account Lockouts rule, focusing on the source IP address (src) associated with the lockouts.
  • Review and enforce strong password policies to mitigate the effectiveness of password spraying attacks.
  • Implement multi-factor authentication (MFA) to add an additional layer of security and prevent unauthorized access even if passwords are compromised.
  • Monitor Okta logs for unusual login patterns or failed authentication attempts that may indicate ongoing password spraying activity.

Detection coverage 2

Okta Multiple Account Lockouts

high

Detects multiple Okta accounts being locked out within a short period, indicative of password spraying.

sigma tactics: credential_access techniques: T1110 sources: webserver, linux

Okta Account Lockout Source IP Analysis

low

Identifies the source IP addresses triggering Okta account lockouts, helping to pinpoint potential attackers.

sigma tactics: credential_access techniques: T1110 sources: webserver, linux

Detection queries are available on the platform. Get full rules →