Okta suspicious session cookie usage
Description
AlphaSOC has detected suspicious use of an Okta session cookie. The detection points to likely session cookie theft and replay: it fires when a single Okta device token is observed in System Log events from multiple IP addresses whose browser and operating system signatures differ, which indicates that a client other than the one that originally authenticated is using a legitimate user's session. A change of IP address on its own (VPN, mobile roaming) does not meet the condition; it is the combination of new addresses and a different client signature for the same device token that distinguishes cookie reuse from ordinary roaming.
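The correlation described above, written out as an added example that is not AlphaSOC's own detection code. It groups Okta System Log events by the device token hash (`debugContext.debugData.dtHash`) and flags a token seen from at least two IP addresses and at least two distinct browser/OS pairs. The events are constructed sample data, not a real tenant's log, and only the fields the check reads are populated.

```python
"""Flag Okta sessions whose device token is reused from several client signatures."""
from collections import defaultdict

# Constructed Okta System Log events (sample data, not from a real tenant).
# Field names follow the System Log schema: client.ipAddress, client.userAgent,
# debugContext.debugData.dtHash (hash of the device token tied to the session).
SAMPLE_EVENTS = [
    {"published": "2024-05-01T08:02:11Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"browser": "CHROME", "os": "Mac OS X"}},
     "debugContext": {"debugData": {"dtHash": "a1b2c3"}}},
    # Same laptop later on a different network: the IP changes, the signature does not.
    {"published": "2024-05-01T12:40:03Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"browser": "CHROME", "os": "Mac OS X"}},
     "debugContext": {"debugData": {"dtHash": "a1b2c3"}}},
    # Same device token, a third IP, and a different browser and OS: cookie replayed elsewhere.
    {"published": "2024-05-01T13:05:48Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "192.0.2.55",
                "userAgent": {"browser": "FIREFOX", "os": "Windows 10"}},
     "debugContext": {"debugData": {"dtHash": "a1b2c3"}}},
    # Unrelated user on a single client: must not be flagged.
    {"published": "2024-05-01T09:15:00Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.44",
                "userAgent": {"browser": "CHROME", "os": "Windows 10"}},
     "debugContext": {"debugData": {"dtHash": "d4e5f6"}}},
]


def _get(d, *path):
    """Walk nested dicts safely; return None if any key along the path is missing."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


def summarize_sessions(events):
    """Group events by device token and collect the users, IPs and client
    signatures each token has been seen with."""
    sessions = defaultdict(lambda: {"users": set(), "ips": set(),
                                    "signatures": set(), "events": 0})
    for ev in events:
        dt = _get(ev, "debugContext", "debugData", "dtHash")
        if not dt:
            continue  # no device token, nothing to correlate on
        s = sessions[dt]
        s["users"].add(_get(ev, "actor", "alternateId"))
        s["ips"].add(_get(ev, "client", "ipAddress"))
        s["signatures"].add((_get(ev, "client", "userAgent", "browser"),
                             _get(ev, "client", "userAgent", "os")))
        s["events"] += 1
    return sessions


def find_suspicious_sessions(events, min_ips=2, min_signatures=2):
    """Return device tokens seen from >= min_ips addresses AND >= min_signatures
    distinct browser/OS pairs. Requiring both keeps plain IP roaming (VPN,
    mobile handoff) from firing on its own; a cookie replayed from another
    machine almost always changes the client signature as well."""
    findings = {}
    for dt, s in summarize_sessions(events).items():
        if len(s["ips"]) >= min_ips and len(s["signatures"]) >= min_signatures:
            findings[dt] = {
                "users": sorted(s["users"]),
                "ips": sorted(s["ips"]),
                "signatures": sorted(s["signatures"]),
            }
    return findings


if __name__ == "__main__":
    for dt, f in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(f"dtHash {dt}: users={f['users']} ips={f['ips']} "
              f"signatures={f['signatures']}")
```

Run against a System Log export and the first thing to check for each finding is which of the listed IP/signature pairs the user actually recognises; the remaining pairs are where the replayed cookie came from and are the addresses to pivot on in the rest of the log.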
Impact
A threat actor who obtains a valid session cookie can bypass authentication, including any MFA the user completed, because the cookie represents a session that has already been authenticated. This gives the actor access to every application, data set and resource the user reaches through Okta single sign-on (SSO). The actor inherits the compromised account's privileges and can act on behalf of the legitimate user, which is particularly damaging when the account holds Okta or downstream application administrator rights.
Severity
| Severity | Condition |
|---|---|
| Low | Okta suspicious session cookie usage |
Investigation and Remediation
Identify the affected user accounts from the device token in the alert and review the Okta System Log for that token: establish which IP address and browser/OS signature belong to the user's real device and which do not, then review every action taken from the unrecognised client (application access, admin changes, factor enrolments). Terminate all of the user's Okta sessions and revoke issued OAuth/OIDC tokens; note that a password reset on its own does not invalidate a session cookie that has already been issued, so the session must be cleared explicitly. Then require a password reset and MFA re-enrolment, confirming the user's identity out of band before new factors are enrolled. Because session cookies are usually harvested from the browser by infostealer malware or an adversary-in-the-middle phishing page, examine the user's endpoint as well. Review authentication logs for further indicators of compromise and block the attacker's IP addresses, for example with a blocklist network zone. To reduce the impact of future cookie theft, tighten session controls: shorter session lifetime and idle timeout, network zone restrictions on sign-in, and device-bound or device-assurance checks so that a cookie replayed from an unmanaged machine is rejected.
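The containment steps above, as an added example that is not AlphaSOC's or Okta's own tooling. It issues the Okta management API calls for clearing sessions (with OAuth token revocation), expiring the password, resetting MFA factors and creating a blocklist network zone, in the order that matters: sessions first, since a password change leaves an existing cookie usable. The tenant URL, API token, user ID and attacker CIDR are assumed placeholders; the `recording_transport` returns each request instead of sending it so the plan can be inspected offline.

```python
"""Contain a hijacked Okta session through the Okta management API."""
import json
import urllib.request

# Assumed placeholders for the example: replace with the real org URL and an
# SSWS API token that has user and network-zone administration rights.
OKTA_ORG = "https://example.okta.com"
API_TOKEN = "REPLACE_ME"


def _urllib_send(req, token):
    """Real transport: perform the call against the tenant with urllib."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    r = urllib.request.Request(
        req["url"], data=data, method=req["method"],
        headers={"Authorization": f"SSWS {token}",
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(r) as resp:
        return resp.status, resp.read()


def recording_transport(req, token):
    """Offline transport: return the request so callers can check the plan."""
    return req


def _okta_request(method, path, body=None, org=OKTA_ORG, token=API_TOKEN, send=None):
    """Build one Okta API call and hand it to the transport (real by default)."""
    req = {"method": method, "url": org.rstrip("/") + path, "body": body}
    return (send or _urllib_send)(req, token)


def contain_user(user_id, attacker_cidrs, send=None):
    """Run the containment sequence for one user; returns the transport results."""
    results = []
    # 1. Clear every Okta session for the user and revoke OAuth/OIDC tokens
    #    issued to them. This is what actually kills the stolen cookie.
    results.append(_okta_request(
        "DELETE", f"/api/v1/users/{user_id}/sessions?oauthTokens=true", send=send))
    # 2. Force a password change at the next sign-in (PASSWORD_EXPIRED state).
    results.append(_okta_request(
        "POST", f"/api/v1/users/{user_id}/lifecycle/expire_password", send=send))
    # 3. Remove all enrolled factors so the user re-enrols MFA. Verify the user
    #    out of band first; otherwise the attacker may be the one enrolling.
    results.append(_okta_request(
        "POST", f"/api/v1/users/{user_id}/lifecycle/reset_factors", send=send))
    # 4. Block the attacker's addresses tenant-wide with a BLOCKLIST network zone.
    #    (Assumed for the example: a new zone is created rather than an existing
    #    incident blocklist being updated.)
    if attacker_cidrs:
        zone = {"type": "IP", "name": f"IR blocklist {user_id}", "usage": "BLOCKLIST",
                "gateways": [{"type": "CIDR", "value": c} for c in attacker_cidrs]}
        results.append(_okta_request("POST", "/api/v1/zones", body=zone, send=send))
    return results


if __name__ == "__main__":
    # Dry run with the recording transport; pass send=None to hit the tenant.
    for call in contain_user("00u1abcdEFGH", ["192.0.2.55/32"], send=recording_transport):
        print(call["method"], call["url"], json.dumps(call["body"]))
```

The zone step only takes effect once the blocklist zone exists; Okta denies requests from addresses in a BLOCKLIST zone without needing the zone to be referenced from a policy. Clearing sessions is deliberately first so that the attacker cannot use the still-valid cookie to interfere with the later steps.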