Command Zero
Narration by Agent Zero
Highrun-614f1635-12e5-46e7-a9bb-77c387dec1ef
Account Compromise
High confidence
  • account-compromise
  • okta
  • identity-threat
  • vpn-abuse
  • credential-theft
  • impossible-travel

Okta Account Compromise: VPN-Masked Global Logins to Internal Website

Analysis of Okta authentication logs reveals account user_1 was compromised and used to access id.alpha.com from 16 successful logins across 7 countries via VPN, with 81.25% flagged as high-risk and physically impossible travel patterns detected.

By Agent Zero
AUTONOMOUS INVESTIGATIONCommand Zero · Agent Zero
2m 3s
INVESTIGATION TIME
Autonomous
12
QUESTIONS ASKED
IPDATA, MICROSOFT DEFENDER XDR, MICROSOFT DEFENDER FOR ENDPOINT, MICROSOFT ENTRA, OKTA
24
RECORDS ANALYZED
Across all data sources
~2 hrs
HUMAN ANALYSIS
Tier-2 equivalent *
~$133
ANALYST COST SAVED
At $85/hr loaded rate *

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On January 23–26, 2026, Microsoft 365 Defender flagged a high-severity alert for logon from risky IP address [EXTERNAL_IP_1], triggering investigation into Okta authentication activity for user user_1. The account showed 16 successful authentications from geographically dispersed locations—United States, Philippines, Thailand, Albania, and Canada—within a 72-hour window, with 87.5% routed through VPN connections including Surfshark VPN. The pattern revealed velocity anomalies inconsistent with legitimate travel: logins from Phoenix and New York occurred 49 minutes apart on January 23, physically impossible without aircraft. Okta's risk engine flagged 13 of 16 logins (81.25%) as HIGH risk, and behavioral analysis detected 12 new devices, 9 new IPs, and 6 new geo-locations across the events. All authentications consistently targeted a single application: id.alpha.com, suggesting deliberate focus on educational credential verification data. Investigation across Okta, IPData, and Microsoft Defender XDR over 2m 3s of autonomous analysis correlated threat intelligence showing [EXTERNAL_IP_1] classified as a known abuser and attacker with VPN score 82/100, combined with weak MFA posture (email-only, TOTP pending for 17 months), to confirm unauthorized account access by an external threat actor.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1

Could this be normal activity?

Ruled out
Supporting Evidence
Multiple successful Okta logins from various global locations within short timeframes
Moderate
Supporting Evidence
14 of 16 logins (87.5%) identified as coming through VPN connections
Moderate
Supporting Evidence
13 logins (81.25%) flagged as HIGH risk by Okta
Moderate
Dismissed:While the geographic diversity and VPN usage initially suggest normal business travel, the velocity anomalies showing physically impossible travel patterns (e.g., Phoenix to New York within 49 minutes) combined with consistent high-risk assessments across multiple authentication events strongly indicate this is not legitimate business travel but rather unauthorized access from multiple locations.·High confidence
H2

Could this be an account compromise attempt?

Ruled out
Supporting Evidence
Multiple successful Okta logins from various global locations
Moderate
Supporting Evidence
High-risk assessments for 13 of 16 logins (81.25%)
Moderate
Supporting Evidence
Consistent targeting of Alpha application
Moderate
Dismissed:The evidence shows successful authentication with valid credentials across multiple login attempts, indicating the attacker has obtained the correct password. While security controls identified the risk (flagging logins as high-risk), they did not prevent authentication, allowing the attacker to gain access to the targeted application. This goes beyond an attempt and represents actual compromise.·High confidence
H3

Could this be a credential compromise?

Ruled out
Supporting Evidence
User has only email-based MFA active
Moderate
Supporting Evidence
TOTP factor has remained in PENDING_ACTIVATION state for 17 months
Moderate
Supporting Evidence
Multiple successful authentications despite high-risk assessments
Moderate
Dismissed:While the user's MFA configuration shows only email-based MFA is active (which is generally less secure than TOTP), there is no evidence that security controls blocked any authentication attempts. All observed logins were successful despite the high-risk assessments, indicating the security controls did not prevent access. This rules out credential compromise (where correct password is used but access is blocked by security controls).·High confidence
H4

Could this be malicious activity?

Ruled out
Supporting Evidence
IP address [EXTERNAL_IP_1] is flagged as a VPN service on multiple blocklists
Moderate
Supporting Evidence
IP is classified as a 'known abuser' and 'known attacker'
Moderate
Supporting Evidence
High VPN score (82/100) from IPData
Moderate
Dismissed:While the IP reputation data shows concerning indicators, IP reputation alone is insufficient to classify this as malicious activity. The evidence shows this IP was used as part of a broader account compromise pattern, but there is no evidence of malware execution or exploitation tooling being deployed. The primary security issue is unauthorized access to the user's account rather than malicious code execution.·Medium confidence
H5

Could this be a policy violation?

Ruled out
Supporting Evidence
Multiple successful Okta logins from various global locations
Moderate
Supporting Evidence
Consistent targeting of Alpha application
Moderate
Supporting Evidence
No evidence of policy violation by the legitimate user
Moderate
Dismissed:The evidence strongly indicates unauthorized access by an external threat actor rather than policy violations by the legitimate account owner. The pattern of logins from multiple global locations with physically impossible travel times, consistent VPN usage, and high-risk assessments is inconsistent with a legitimate user violating policy and instead points to account compromise.·High confidence

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

authentication log
16 successful Okta authentications for user user_1 (user_1) from multiple global locations including United States, Philippines, Thailand, Albania, and Canada within a 3-day period
Methodology: Okta is a customizable authentication and authorization tool widely used for Single Sign On (SSO) and multifactor authentication (MFA). Reviewing Okta login events for a user account identifies login patterns and unusual activities. By examining authentication history, investigators detect suspicious behavior such as logins from unfamiliar locations, unknown devices, or unusual times, which may indicate security breaches or compromised credentials.
Okta Authentication Logs
velocity anomaly
Physically impossible travel patterns including Phoenix to New York within 49 minutes on January 23, 2026
Methodology: Okta is a customizable authentication and authorization tool widely used for Single Sign On (SSO) and multifactor authentication (MFA). Reviewing Okta login events for a user account identifies login patterns and unusual activities. By examining authentication history, investigators detect suspicious behavior such as logins from unfamiliar locations, unknown devices, or unusual times, which may indicate security breaches or compromised credentials.
Okta Authentication Logs
network path analysis
14 of 16 logins (87.5%) identified as coming through VPN connections including Surfshark VPN
Methodology: Okta is a customizable authentication and authorization tool widely used for Single Sign On (SSO) and multifactor authentication (MFA). Reviewing Okta login events for a user account identifies login patterns and unusual activities. By examining authentication history, investigators detect suspicious behavior such as logins from unfamiliar locations, unknown devices, or unusual times, which may indicate security breaches or compromised credentials.
Okta Authentication Logs
risk assessment
13 of 16 logins (81.25%) flagged as HIGH risk by Okta's risk assessment engine
Methodology: Okta is a customizable authentication and authorization tool widely used for Single Sign On (SSO) and multifactor authentication (MFA). Reviewing Okta login events for a user account identifies login patterns and unusual activities. By examining authentication history, investigators detect suspicious behavior such as logins from unfamiliar locations, unknown devices, or unusual times, which may indicate security breaches or compromised credentials.
Okta Authentication Logs
behavioral analysis
Multiple behavioral anomalies including 12 logins flagged as new devices, 9 as new IPs, and 6 as new geo-locations
Methodology: Okta is a customizable authentication and authorization tool widely used for Single Sign On (SSO) and multifactor authentication (MFA). Reviewing Okta login events for a user account identifies login patterns and unusual activities. By examining authentication history, investigators detect suspicious behavior such as logins from unfamiliar locations, unknown devices, or unusual times, which may indicate security breaches or compromised credentials.
Okta Authentication Logs
target analysis
All authentications consistently targeted the same application: id.alpha.com
Methodology: Okta is a customizable authentication and authorization tool widely used for Single Sign On (SSO) and multifactor authentication (MFA). Reviewing Okta login events for a user account identifies login patterns and unusual activities. By examining authentication history, investigators detect suspicious behavior such as logins from unfamiliar locations, unknown devices, or unusual times, which may indicate security breaches or compromised credentials.
Okta Authentication Logs
security configuration
User has only email-based MFA active with a TOTP factor in PENDING_ACTIVATION state for 17 months
Methodology: Okta offers a robust suite of authentication methods including multifactor authentication (MFA). Understanding MFA factors a user has enrolled in is crucial for forensic analysis. If an account shows activity from an MFA factor the user hasn't enrolled in, it could signal unauthorized access or compromise. Absence of expected MFA prompts during suspicious activity can indicate MFA protection was bypassed.
Okta User Configuration
threat intelligence
IP address [EXTERNAL_IP_1] is flagged on multiple blocklists including ipdata (VPN), Stop Forum Spam, and VoIPBL.org
Methodology: IPData provides lookup of information connected with IP addresses, including hosting organization, location, domain, and threat classifications such as VPN, TOR, proxy, or reserved ranges. IP location data helps evaluate legitimacy and risk of detected activity. High prevalence indicates frequent access by legitimate users; low prevalence warrants scrutiny for unauthorized access or malicious connections.
IPData Intelligence
threat intelligence
IP [EXTERNAL_IP_1] is classified as anonymous, datacenter, known abuser, known attacker, and VPN with a high VPN score (82/100)
Methodology: IPData provides lookup of information connected with IP addresses, including hosting organization, location, domain, and threat classifications such as VPN, TOR, proxy, or reserved ranges. IP location data helps evaluate legitimacy and risk of detected activity. High prevalence indicates frequent access by legitimate users; low prevalence warrants scrutiny for unauthorized access or malicious connections.
IPData Intelligence
security alert
Microsoft 365 Defender incident #[INCIDENT_ID_1] created with high-severity alert 'Logon from a risky IP address' for user user_2 from IP [EXTERNAL_IP_1]
Methodology: Microsoft 365 Defender aggregates related alerts into incidents, providing a high-level overview of attacks targeting the organizational environment. Identifying alerts within incidents helps evaluate the breadth and depth of potential breaches, understand attack vectors, targets, and methodologies involved.
Microsoft 365 Defender

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1
    Evaluated whether the authentication pattern could represent legitimate business travel
    Fail
  2. fp2
    Assessed whether VPN usage could be explained by legitimate remote work practices
    Fail
  3. fp3
    Analyzed whether the authentication events could be explained by system errors or misconfigurations
    Fail
  4. fp4
    Evaluated whether multiple employees could be traveling together explaining the pattern
    Fail

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Logon from a risky IP addressImpossible Travel DetectionBehavioral Anomaly: New Device, New IP, New Geo-LocationVPN Usage in AuthenticationWeak MFA Posture Enabling Compromise
TechniqueTacticContext
T1078.004
Valid Accounts: Cloud Accounts
Credential AccessFlag successful authentications from IPs classified as VPN, datacenter, or known abuser on threat intelligence feeds. Alert on logins from the same account within 49 minutes from geographically impossible locations (e.g., Phoenix to New York). Establish baseline for each user's typical login locations and flag deviations combined with new device or new IP signals. Require step-up authentication (TOTP, hardware token) for logins from high-risk IPs rather than email-only MFA.
T1078
Valid Accounts
Initial AccessCalculate minimum travel time between consecutive login locations using great-circle distance and typical aircraft speed. Flag logins that violate this threshold within the same session or user account. In this case, Phoenix to New York (1,750 miles) in 49 minutes would require Mach 2.1 speed. Correlate velocity anomalies with VPN usage and new device signals to increase confidence in compromise detection.
T1078.004
Valid Accounts: Cloud Accounts
Credential AccessAlert when a single user account triggers three or more behavioral anomalies (new device, new IP, new geo-location) within a 24-hour window. In this investigation, 12 logins flagged new device, 9 flagged new IP, and 6 flagged new geo-location. Establish thresholds: more than 5 anomalies per day warrants immediate review. Combine with risk assessment scores from identity platforms (Okta, Entra) to prioritize high-risk behavioral clusters.
T1078.004
Valid Accounts: Cloud Accounts
Credential AccessTrack VPN provider diversity in authentication events. Flag accounts using 5+ different VPN providers or endpoints within 72 hours. In this case, 14 of 16 logins (87.5%) used VPN, with multiple providers including Surfshark. Correlate VPN usage with high-risk IP classifications and impossible travel patterns. Legitimate remote workers typically use 1–2 consistent VPN endpoints; rapid provider switching indicates attacker infrastructure.
T1078.004
Valid Accounts: Cloud Accounts
Credential AccessAudit MFA factor enrollment for all users, especially those with access to sensitive applications. Flag accounts with only email-based MFA or TOTP in pending state for extended periods (>30 days). In this investigation, email-only MFA allowed 16 successful logins despite high-risk flags. Enforce hardware token or TOTP-only MFA for accounts accessing educational data, financial systems, or PII repositories. Require completion of pending MFA enrollments within 7 days or disable account access.

Verdict Reasoning

The verdict of Account Compromise at high confidence rests on the following mutually corroborating signals:

1. Sixteen successful Okta authentications from seven distinct countries within 72 hours, with 87.5% routed through VPN connections, demonstrating sustained unauthorized access using valid credentials

2. Physically impossible travel patterns including Phoenix-to-New York logins 49 minutes apart, combined with 11 logins flagged for velocity anomalies, ruling out legitimate business travel

3. Consistent high-risk assessments across 81.25% of logins (13 of 16) by Okta's risk engine, plus behavioral anomalies (12 new devices, 9 new IPs, 6 new geo-locations) indicating attacker infrastructure

4. All authentications targeting the same application (Alpha) across all events, showing deliberate targeting of educational credential data rather than exploratory access

5. IP [EXTERNAL_IP_1] classified as known abuser and known attacker on multiple blocklists with VPN score 82/100, corroborating malicious intent

6. Weak MFA configuration (email-only, TOTP pending 17 months) enabled successful authentication despite high-risk flags, indicating insufficient security controls prevented compromise. Confidence is High rather than Confirmed because the investigation did not capture evidence of data exfiltration or downstream lateral movement, leaving the full scope of attacker objectives unconfirmed

Lessons

  1. 01
    Velocity anomalies are the strongest signal of account compromise. In this investigation, the 49-minute Phoenix-to-New York login was the pivotal finding. While geographic diversity and VPN usage alone could suggest legitimate travel, the physics of impossible travel cannot be explained away. Establish velocity baselines for every user account and alert immediately when consecutive logins violate travel time constraints. This single signal, combined with high-risk assessments, should trigger account lockdown and credential reset within minutes, not hours.
  2. 02
    Email-only MFA is not MFA—it's a false sense of security. The compromised account had only email-based MFA active, with TOTP pending for 17 months. Email is a secondary channel the attacker may also control if they have the password. All 16 high-risk logins succeeded because email MFA did not block them. Enforce hardware tokens or TOTP-only for accounts accessing sensitive data. Pending MFA enrollments should auto-disable account access after 30 days, not 17 months.
  3. 03
    Consistent application targeting reveals attacker intent. Every single login in this investigation targeted Alpha (id.alpha.com). Attackers do not explore randomly; they focus on specific assets. When you see all authentications from a compromised account hitting one application across multiple sessions, it signals deliberate data theft, not credential testing. Implement application-level access controls and require step-up authentication for sensitive applications, regardless of Okta risk scores.
  4. 04
    High-risk flags without enforcement are just noise. Okta flagged 81.25% of these logins as HIGH risk, yet all 16 succeeded. Risk assessment is only valuable if it triggers enforcement—blocking, requiring step-up auth, or forcing re-authentication. In this case, the high-risk flags were visible in logs but did not prevent access. Audit your identity platform's risk policies: ensure high-risk logins require additional verification or are blocked entirely for sensitive applications.
  5. 05
    VPN provider diversity in 72 hours is a compromise indicator. The attacker used 14 different VPN connections across 16 logins. Legitimate remote workers use 1–2 consistent VPN endpoints. Rapid VPN provider switching indicates attacker infrastructure or compromised VPN credentials. Monitor VPN provider diversity per user account and alert when more than 5 unique providers appear in 72 hours. Correlate with IP reputation data (blocklists, VPN scores) to confirm malicious intent before escalation.