splunk_escuTTP

Okta Phishing Detection with FastPass Origin Check

The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.

MITRE ATT&CK

T1078.001 T1556

Detection Query

`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"
  | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
    BY user eventType client.userAgent.rawUserAgent
       client.userAgent.browser outcome.reason
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `okta_phishing_detection_with_fastpass_origin_check_filter`

Author

Okta, Inc, Michael Haag, Splunk

Created

2026-03-10

Data Sources

Okta

References

https://sec.okta.com/fastpassphishingdetection

Tags

Okta Account Takeover

Raw Content

name: Okta Phishing Detection with FastPass Origin Check
id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
version: 8
date: '2026-03-10'
author: Okta, Inc, Michael Haag, Splunk
type: TTP
status: experimental
data_source:
    - Okta
description: The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.
search: |-
    `okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"
      | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
        BY user eventType client.userAgent.rawUserAgent
           client.userAgent.browser outcome.reason
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `okta_phishing_detection_with_fastpass_origin_check_filter`
how_to_implement: This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.
references:
    - https://sec.okta.com/fastpassphishingdetection
rba:
    message: Okta FastPass has prevented $user$ from authenticating to a malicious site.
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Okta Account Takeover
    asset_type: Infrastructure
    mitre_attack_id:
        - T1078.001
        - T1556
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: access