Okta Phishing Detection with FastPass Origin Check

Status: experimental
Severity: medium
Group by: "client.userAgent.browser", "client.userAgent.rawUserAgent", "outcome.reason", eventType, user
Author: Okta, Inc, Michael Haag, Splunk
Source: github.com/splunk/security_content

The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078.001` Valid Accounts: Default Accounts
Persistence	`T1078.001` Valid Accounts: Default Accounts, `T1556` Modify Authentication Process
Privilege Escalation	`T1078.001` Valid Accounts: Default Accounts
Stealth	`T1078.001` Valid Accounts: Default Accounts
Defense Impairment	`T1556` Modify Authentication Process
Credential Access	`T1556` Modify Authentication Process

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

First Occurrence of Okta User Session Started via Proxy (Elastic)
MFA Fatigue (OKTA) (Kusto)
Okta AiTM Phishing Attempt Blocked by FastPass (Panther)
Okta Fast Pass phishing Detection (Kusto)
Okta FastPass Phishing Detection (Sigma)
Okta FastPass Phishing Detection (Elastic)
Okta MFA Bruteforce Attack (YARA-L)
Okta Mismatch Between Source And Response For Verify Push Request (YARA-L)

Rule body splunk

name: Okta Phishing Detection with FastPass Origin Check
id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
version: 9
creation_date: '2024-04-17'
modification_date: '2026-05-13'
author: Okta, Inc, Michael Haag, Splunk
status: experimental
type: TTP
description: The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.
data_source:
    - Okta
search: |-
    `okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"
      | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
        BY user eventType client.userAgent.rawUserAgent
           client.userAgent.browser outcome.reason
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `okta_phishing_detection_with_fastpass_origin_check_filter`
how_to_implement: This search is specific to Okta and requires Okta logs to be ingested in your Splunk deployment.
known_false_positives: Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.
references:
    - https://sec.okta.com/fastpassphishingdetection
finding:
    title: Okta FastPass has prevented $user$ from authenticating to a malicious site.
    entity:
        field: user
        type: user
        score: 50
analytic_story:
    - Okta Account Takeover
asset_type: Infrastructure
mitre_attack_id:
    - T1078.001
    - T1556
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: application
security_domain: access

Stages and Predicates

Stage 1: `search`

`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"

Stage 2: `stats`

| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage)
    BY user eventType client.userAgent.rawUserAgent
       client.userAgent.browser outcome.reason

Stage 3: `search`

| `security_content_ctime(firstTime)`

Stage 4: `search`

| `security_content_ctime(lastTime)`

Stage 5: `search`

| `okta_phishing_detection_with_fastpass_origin_check_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`eventType`	eq	`"user.authentication.auth_via_mfa"`
`outcome.reason`	eq	`"FastPass declined phishing attempt"`
`result`	eq	`"FAILURE"`
`sourcetype`	eq	`OktaIM2:log`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Okta Phishing Detection with FastPass Origin Check

MITRE ATT&CK coverage

Rules detecting the same action

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `stats`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`

Indicators

Keyboard shortcuts

Search operators

Okta Phishing Detection with FastPass Origin Check

MITRE ATT&CK coverage

Rules detecting the same action

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search

Stage 4: search

Stage 5: search

Indicators

Stage 1: `search`

Stage 2: `stats`

Stage 3: `search`

Stage 4: `search`

Stage 5: `search`