Splunk

Okta Phishing Detection with FastPass Origin Check

Last updated 2 days ago on 2026-07-17

About

The following analytic identifies failed user authentication attempts in Okta due to FastPass declining a phishing attempt. It leverages Okta logs, specifically looking for events where multi-factor authentication (MFA) fails with the reason "FastPass declined phishing attempt." This activity is significant as it indicates that attackers are targeting users with real-time phishing proxies, attempting to capture credentials. If confirmed malicious, this could lead to unauthorized access to user accounts, potentially compromising sensitive information and furthering lateral movement within the organization.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://sec.okta.com/fastpassphishingdetection(external, opens in a new tab or window)
False Positives
Fidelity of this is high as Okta is specifying malicious infrastructure. Filter and modify as needed.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" | stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) BY user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_phishing_detection_with_fastpass_origin_check_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).