Okta Alert Details
Alert ID: OKTA-MFA-BOMB-1621-7842
Alert Time: 2024-02-23 09:30:22 EST
Severity: HIGH (88/100)
Source: Okta Identity Cloud
Rule: “Multiple MFA Push Requests – Potential MFA Fatigue Attack”
MITRE ATT&CK: T1621 – Multi-Factor Authentication Request Generation
Alert Details:
Detection: User received multiple MFA push notifications in short time window
User: cjohnson@company.com (CEO)
Application: Okta Verify (MFA)
Time Window: 09:15 – 09:30 EST
Event Details:
09:15:32 – Login attempt from IP 45.134.225[.]78 (Russia)
09:15:33 – MFA push sent to user’s device (DENIED – user declined)
09:16:45 – Login attempt from IP 185.143.221[.]89 (Bulgaria)
09:16:46 – MFA push sent (DENIED – user declined)
09:18:12 – Login attempt from IP 194.165.16[.]89 (Romania)
09:18:13 – MFA push sent (DENIED)
09:20:05 – Login attempt from IP 45.134.225[.]78 (Russia)
09:20:06 – MFA push sent (DENIED)
… (pattern continues through 09:30; the four events above are a sample of the 24 attempts)
Total MFA Requests: 24 in 15 minutes
23 DENIED by user
1 APPROVED at 09:28:45 (user accepted after multiple requests)
Successful Login:
Time: 09:28:45
Source IP: 45.134.225[.]78 (Russia)
User Agent: Chrome 121 on Windows
Session Duration: approximately 5 minutes (from the 09:28:45 approval until the SOC terminated the session at 09:34)
Detection Logic:
24 MFA requests in 15 minutes (highly anomalous)
User normally receives 1-2 MFA requests per day
Multiple source IPs across different countries
Pattern matches “MFA fatigue” or “MFA bombing” attack
Additional Context:
CEO cjohnson is high-value target
User reported “annoying MFA notifications” at 09:20
User accidentally approved one request at 09:28
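The detection logic above (volume of pushes in a 15-minute window against a 1-2 per day baseline, several source countries, and an approval that follows a run of denials) can be run over Okta System Log events directly. The following is an added example, not code from the original alert or from Okta: the eventType names and field paths follow Okta's System Log schema, but the events themselves are constructed to mirror the timeline in this alert, and the thresholds are assumptions a SOC would tune.

```python
"""Sliding-window detector for MFA push fatigue (ATT&CK T1621).

Added example, not code from the original alert write-up. Events are shaped
like Okta System Log records (eventType names and field paths follow Okta's
schema); the sample events below are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Okta System Log event types for Okta Verify push challenges.
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
PUSH_APPROVED = "user.authentication.auth_via_mfa"

WINDOW = timedelta(minutes=15)
PUSH_THRESHOLD = 5          # assumption; the alert's baseline is 1-2 pushes per day
DENIALS_BEFORE_APPROVE = 3  # assumption; an approval after this many denials is the fatigue signature


@dataclass
class Alert:
    user: str
    pushes: int
    denials: int
    countries: frozenset
    approved_after_denials: bool
    severity: str


def _published(ev):
    return datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))


def detect(events):
    """Return {user: Alert} for every user whose 15-minute window exceeded the push threshold.

    Severity is HIGH on volume alone and CRITICAL once a push is approved after a run of
    denials, which is the moment the account is actually compromised."""
    windows = {}   # user -> deque of (timestamp, eventType, source country)
    alerts = {}
    for ev in sorted(events, key=_published):
        ts = _published(ev)
        user = ev["actor"]["alternateId"]
        country = ev.get("client", {}).get("geographicalContext", {}).get("country")
        q = windows.setdefault(user, deque())
        q.append((ts, ev["eventType"], country))
        while ts - q[0][0] > WINDOW:          # drop events older than the window
            q.popleft()
        pushes = sum(1 for _, kind, _ in q if kind == PUSH_SENT)
        if pushes < PUSH_THRESHOLD:
            continue
        denials = sum(1 for _, kind, _ in q if kind == PUSH_DENIED)
        countries = frozenset(c for _, kind, c in q if kind == PUSH_SENT and c)
        prev = alerts.get(user)
        approved_after = (
            (ev["eventType"] == PUSH_APPROVED and denials >= DENIALS_BEFORE_APPROVE)
            or (prev is not None and prev.approved_after_denials)   # sticky once seen
        )
        severity = "CRITICAL" if approved_after else "HIGH"
        alerts[user] = Alert(user, pushes, denials, countries, approved_after, severity)
    return alerts


# Constructed sample data: the three source IPs from the alert, cycled as in the event log.
ATTACKER_SOURCES = [
    ("45.134.225.78", "Russia"),
    ("185.143.221.89", "Bulgaria"),
    ("194.165.16.89", "Romania"),
]


def _event(kind, when, user, ip, country):
    return {
        "eventType": kind,
        "published": when.isoformat().replace("+00:00", "Z"),
        "actor": {"type": "User", "alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
    }


def sample_events():
    """Constructed: 24 pushes to the CEO from 09:15 EST (14:15 UTC), 23 denied and the last
    approved, plus a benign user with two ordinary pushes hours apart."""
    t0 = datetime(2024, 2, 23, 14, 15, 32, tzinfo=timezone.utc)
    events = []
    for i in range(24):
        ip, country = ATTACKER_SOURCES[i % len(ATTACKER_SOURCES)]
        sent = t0 + timedelta(seconds=34 * i)
        events.append(_event(PUSH_SENT, sent, "cjohnson@company.com", ip, country))
        outcome = PUSH_APPROVED if i == 23 else PUSH_DENIED
        events.append(_event(outcome, sent + timedelta(seconds=1), "cjohnson@company.com", ip, country))
    for hour in (8, 13):
        when = datetime(2024, 2, 23, hour, 0, 0, tzinfo=timezone.utc)
        events.append(_event(PUSH_SENT, when, "bsmith@company.com", "203.0.113.10", "United States"))
        events.append(_event(PUSH_APPROVED, when + timedelta(seconds=4), "bsmith@company.com", "203.0.113.10", "United States"))
    return events


def run_example():
    return detect(sample_events())


if __name__ == "__main__":
    for alert in run_example().values():
        print(alert)
```

The HIGH alert fires on the fifth push, well before the approval; the CRITICAL escalation is what should page the on-call, because a denial-heavy window that ends in an approval is exactly the "annoyed user finally taps Approve" pattern described above. The benign user never crosses the threshold, so normal 1-2 pushes a day stay silent.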
SOC Investigation Process

Step                 | Action                       | Tools Used          | Findings
---------------------|------------------------------|---------------------|-----------------------------------
1. Alert Validation  | Verify Okta alert            | Okta Admin Console  | Confirmed MFA fatigue attack
2. Immediate Action  | Terminate active session     | Okta Admin          | Session terminated
3. User Account      | Temporarily disable account  | Okta, Azure AD      | Account disabled
4. User Contact      | Call CEO immediately         | Phone               | User confirmed accidental approval
5. Password Reset    | Force password reset         | Okta, Azure AD      | Password reset; MFA re-enrolled
6. IP Blocking       | Block attacker IPs           | Okta, Firewall      | All 3 IPs blocked
Jira Incident Report
Ticket: SOC-2024-116
Summary: T1621 – MFA Fatigue Attack Compromises CEO Account
Status: RESOLVED
Resolution: MALICIOUS – Session Terminated
Priority: P1 – CRITICAL
Labels: T1621, mfa-fatigue, mfa-bombing, okta, executive-targeting
Components: Identity-Management, Executive-Protection
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Okta Identity Cloud.
Alert: “Multiple MFA Push Requests – Potential MFA Fatigue Attack”.
User: cjohnson@company.com (CEO).
Time: 2024-02-23 09:30 EST.
Technique: MITRE ATT&CK T1621 – Multi-Factor Authentication Request Generation.
2. Technical Analysis:
Attack Chain:
Before 09:15 – Attacker already holds the CEO’s password (obtained via earlier phishing; see Root Cause Analysis)
09:15-09:28 – Attacker repeatedly attempts login with password
Each attempt triggers MFA push to CEO’s phone
09:15-09:27 – User declines 23 requests (annoyed)
09:28 – User accidentally approves request (MFA fatigue)
09:28-09:34 – Attacker has active session
09:30 – Okta detects anomalous pattern
Attacker IPs:
45.134.225[.]78 (Russia) – primary
185.143.221[.]89 (Bulgaria) – secondary
194.165.16[.]89 (Romania) – tertiary
Attacker Activity During Session (approximately 5 minutes):
Accessed email (Outlook Web Access)
Viewed 3 emails (board meeting minutes)
Attempted to reset passwords for 2 other executives (blocked – required additional auth)
Downloaded 1 attachment (financial summary)
No data exfiltration beyond attachment
User Behavior:
User reported “annoying notifications” to assistant
Accidentally approved while trying to dismiss
Did not realize approval was for attacker
3. Investigation Findings:
Timeline:
09:15-09:28 – MFA bombing
09:28 – Accidental approval
09:28-09:34 – Attacker access
09:30 – Alert triggers
09:32 – SOC investigates
09:34 – Session terminated
09:35 – Account disabled
09:36 – CEO contacted
Indicators of Compromise (IoCs):
Network:
– Attacker IPs: 45.134.225[.]78, 185.143.221[.]89, 194.165.16[.]89
Session:
– Okta session ID: 78a9b2c3-d4e5-f6a7-b8c9-d0e1f2a3b4c5 (terminated)
Data:
– Financial summary (attachment) potentially accessed
4. Containment Actions:
Immediate Actions:
Terminated active Okta session.
Disabled CEO account temporarily.
Reset CEO password.
Re-enrolled MFA (new device registration).
Blocked all 3 attacker IPs at Okta and firewall.
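The containment sequence in the SOC Investigation Process table (steps 2, 3, 5 and 6) and in the Immediate Actions list above maps onto a handful of Okta Management API calls, and scripting them keeps the order right under pressure. The following is an added example, not the SOC's own tooling or an Okta-published script: the endpoint paths are Okta's documented Users, Sessions and Network Zones APIs, while the org URL, the user ID, the API token handling, the step ordering and the dry-run transport are assumptions made for this example. The session ID and attacker IPs are the ones listed in the IoCs.

```python
"""Containment playbook for the confirmed MFA fatigue compromise, driven through the
Okta Management API. Added example, not the SOC's own tooling: the endpoint paths
are Okta's documented Users, Sessions and Network Zones APIs; the org URL, API token
handling, the user ID, the step ordering and the dry-run transport are assumptions."""
import json
from urllib.request import Request, urlopen

OKTA_ORG = "https://example.okta.com"   # assumption: replace with the real org URL
# Values taken from the incident report's IoCs.
OKTA_SESSION_ID = "78a9b2c3-d4e5-f6a7-b8c9-d0e1f2a3b4c5"
ATTACKER_IPS = ["45.134.225.78", "185.143.221.89", "194.165.16.89"]


def live_transport(api_token):
    """send(method, path, body) against the org, authenticated with an SSWS API token."""
    def send(method, path, body=None):
        req = Request(OKTA_ORG + path, method=method,
                      data=json.dumps(body).encode() if body is not None else None,
                      headers={"Authorization": f"SSWS {api_token}",
                               "Accept": "application/json",
                               "Content-Type": "application/json"})
        with urlopen(req) as resp:
            return resp.status
    return send


def dry_run_transport(log):
    """Record each call instead of sending it, so the playbook can be reviewed first."""
    def send(method, path, body=None):
        log.append((method, path, body))
        return 204 if method == "DELETE" else 200
    return send


def blocklist_zone(name, ips):
    """IP network zone with BLOCKLIST usage: sign-ins from these CIDRs are refused org-wide."""
    return {"type": "IP", "name": name, "usage": "BLOCKLIST",
            "gateways": [{"type": "CIDR", "value": f"{ip}/32"} for ip in ips]}


def contain(user_id, session_id, attacker_ips, send, ticket="SOC-2024-116"):
    """Immediate containment (table steps 2, 3 and 6): kill the attacker's session and every
    other session for the user, suspend the account, block the source IPs. Returns (step, status)."""
    steps = [
        ("revoke_attacker_session", "DELETE", f"/api/v1/sessions/{session_id}", None),
        ("clear_user_sessions", "DELETE", f"/api/v1/users/{user_id}/sessions?oauthTokens=true", None),
        ("suspend_user", "POST", f"/api/v1/users/{user_id}/lifecycle/suspend", None),
        ("block_attacker_ips", "POST", "/api/v1/zones",
         blocklist_zone(f"{ticket} attacker IPs", attacker_ips)),
    ]
    return [(name, send(method, path, body)) for name, method, path, body in steps]


def reenroll(user_id, send):
    """Credential reset (table step 5), run after the phone call confirms the approval was accidental.
    The account is unsuspended first because the password and factor resets are lifecycle
    operations on an active user; the reset email goes to the user's registered address."""
    steps = [
        ("unsuspend_user", "POST", f"/api/v1/users/{user_id}/lifecycle/unsuspend"),
        ("reset_mfa_factors", "POST", f"/api/v1/users/{user_id}/lifecycle/reset_factors"),
        ("reset_password", "POST", f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=true"),
    ]
    return [(name, send(method, path)) for name, method, path in steps]


if __name__ == "__main__":
    calls = []
    send = dry_run_transport(calls)
    user = "00uEXAMPLE"   # assumption: the CEO's Okta user ID
    for step, status in contain(user, OKTA_SESSION_ID, ATTACKER_IPS, send) + reenroll(user, send):
        print(f"{step:24s} -> {status}")
    for method, path, _ in calls:
        print(method, path)
```

Two practical points. Clearing sessions with `oauthTokens=true` also revokes OAuth refresh tokens the attacker may have minted while inside Outlook Web Access; revoking only the one session ID in the alert would leave those alive. And because the attacker had read access to the CEO's mailbox, a reset link delivered by email is a weak choice; `sendEmail=false` makes Okta return the reset URL in the response instead, so it can be handed over on the phone call rather than landing in a mailbox that was just compromised.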
Data Protection:
Reviewed accessed emails and attachment.
Attachment contained non-public financial data (Q1 projections).
No evidence of further distribution.
User Education:
CEO briefed on MFA fatigue attacks.
Instructed to never approve unexpected MFA requests.
5. Root Cause Analysis:
Primary Cause: User fatigue led to accidental approval of malicious MFA request.
Contributing Factors:
Password compromised via prior phishing.
No number matching in MFA (just approve/deny).
No rate limiting on MFA requests.
6. Business Impact:
Operational Impact: CEO offline for 2 hours.
Data Exposure: Q1 financial projections viewed; not public.
Reputational Impact: Internal only.
7. Remediation & Prevention:
Completed Actions:
Session terminated.
Password reset.
MFA re-enrolled.
IPs blocked.
Technical Controls Enhanced:
Enabled number matching in Okta Verify (user must enter number from screen).
Implemented rate limiting for MFA requests (max 5 per 15 minutes).
Added alerting for excessive MFA denials.
Enforced location-aware sign-on policies (Okta network zones and Azure AD Conditional Access) that require trusted locations for executive accounts.
8. Conclusion:
An attacker holding the CEO’s previously phished password ran an MFA fatigue attack, sending 24 push notifications in 15 minutes until the user accidentally approved one. The attacker accessed email and viewed a financial document before containment. Okta’s anomaly detection triggered within two minutes of the approval, and the SOC terminated the session.
Closure Rationale: Session terminated; account secured; MFA number matching enabled.
Analyst: [Walter White], SOC Analyst Date: 2024-02-23 10:30 EST