{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/fastpass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["high"],"_cs_tags":["phishing","okta","fastpass"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert identifies instances where Okta FastPass successfully blocked a user authentication attempt due to a detected phishing attack. This is based on Okta system logs that record when FastPass declines an authentication because the user was attempting to log in to a known phishing site. The event indicates that a user was likely targeted via phishing, potentially through email or other means, and entered their Okta credentials into a fraudulent site. While the authentication was blocked, the event warrants investigation to determine the scope of the phishing campaign and whether the user may have entered credentials elsewhere.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a phishing email or message mimicking a legitimate Okta login page.\u003c/li\u003e\n\u003cli\u003eThe user receives the phishing message and clicks the embedded link.\u003c/li\u003e\n\u003cli\u003eThe user is directed to a fake Okta login page that is designed to steal credentials.\u003c/li\u003e\n\u003cli\u003eThe user enters their Okta username and password on the phishing site.\u003c/li\u003e\n\u003cli\u003eThe phishing site attempts to authenticate the user to Okta using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eOkta FastPass detects that the authentication attempt is originating from a known phishing site.\u003c/li\u003e\n\u003cli\u003eOkta FastPass declines the authentication request, preventing access.\u003c/li\u003e\n\u003cli\u003eThe Okta system logs record the event \u0026ldquo;user.authentication.auth_via_mfa\u0026rdquo; with outcome \u0026ldquo;FAILURE\u0026rdquo; and reason \u0026ldquo;FastPass declined phishing attempt\u0026rdquo;.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhile Okta FastPass successfully prevented the immediate breach, the incident confirms that a user was targeted by a phishing campaign. This could lead to the compromise of other accounts if the user reuses the same password. Furthermore, successful phishing attacks can lead to data breaches, financial loss, and reputational damage. The number of affected users depends on the scale of the phishing campaign.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Okta FastPass phishing prevention events.\u003c/li\u003e\n\u003cli\u003eInvestigate users who triggered the detection to identify the phishing campaign and assess potential credential compromise.\u003c/li\u003e\n\u003cli\u003eReview Okta system logs for other suspicious activity associated with the targeted user accounts.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing tactics and how to identify malicious websites to reduce susceptibility to future attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-fastpass-phishing/","summary":"Okta FastPass detected and prevented a phishing attempt, indicating a user was likely targeted with a credential harvesting attack.","title":"Okta FastPass Phishing Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-fastpass-phishing/"}],"language":"en","title":"CraftedSignal Threat Feed — Fastpass","version":"https://jsonfeed.org/version/1.1"}