Okta FastPass Phishing Detection

 1title: Okta FastPass Phishing Detection
 2id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
 3status: test
 4description: Detects when Okta FastPass prevents a known phishing site.
 5references:
 6    - https://sec.okta.com/fastpassphishingdetection
 7    - https://developer.okta.com/docs/reference/api/system-log/
 8    - https://developer.okta.com/docs/reference/api/event-types/
 9author: Austin Songer @austinsonger
10date: 2023-05-07
11modified: 2026-04-27
12tags:
13    - attack.initial-access
14    - attack.t1566
15logsource:
16    product: okta
17    service: okta
18detection:
19    selection:
20        outcome.reason: 'FastPass declined phishing attempt'
21        outcome.result: FAILURE
22        eventType: user.authentication.auth_via_mfa
23    condition: selection
24falsepositives:
25    - Unlikely
26level: high

References

• Detecting Real-Time Phishing Attacks

  

  In the last two installments in our series on phishing resistance, we discussed <a href="https://sec.okta.com/articles/2022/09/phishing-resistance-and

  
  Read More

• System Log

  
  Read More

• Event Types | Okta Developer

  Secure, scalable, and highly available authentication and user management for any app.

  
  Read More

Related rules

• Potential Malicious Usage of CloudTrail System Manager
• Download From Suspicious TLD - Blacklist
• Download From Suspicious TLD - Whitelist
• CVE-2021-31979 CVE-2021-33771 Exploits
• CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum