# Compromised Session

Detects stolen web application session cookies by identifying the same active session being used from two or more distinct IP address / user agent pairs, which is a strong indicator that the session credential has been compromised and replayed by an unauthorized party. To improve result fidelity, the detection logic does not consider sessions lasting more than 7 days, sessions coming from managed devices, or sessions originating only from commonly-used IP addresses. If needed, you can exclude known good IP ranges via the Custom Detection Settings to reduce noise from trusted locations and improve the actionability of the results.
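The following is an added illustration, not Oort's own detection code: a minimal implementation of the logic described above, run over a handful of constructed session-activity events. It groups events by session, drops sessions older than 7 days, sessions from managed devices, and sessions seen only from known good IP ranges, and flags any remaining session that was used from two or more distinct IP address / user agent pairs. The event field names (`session_id`, `user`, `ip`, `user_agent`, `ts`, `managed_device`), the function names, the sample events and the corporate egress range are all assumptions made for the example.

```python
"""Added example (not Oort's code): toy version of the Compromised Session
check over constructed session events. Field names and sample data are
assumptions, not the product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Page rule: sessions lasting more than 7 days are not considered.
SESSION_MAX_AGE = timedelta(days=7)

# Constructed sample events (RFC 5737 documentation addresses):
#   s-100: replayed from a second IP / user agent pair within 20 minutes
#   s-200: moved only between two corporate egress IPs with the same browser
#   s-300: managed device, and a session lifetime of ~28 days
EVENTS = [
    {"session_id": "s-100", "user": "alice", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Macintosh) Chrome/124",
     "ts": "2025-03-01T09:00:00Z", "managed_device": False},
    {"session_id": "s-100", "user": "alice", "ip": "198.51.100.77",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/125",
     "ts": "2025-03-01T09:20:00Z", "managed_device": False},
    {"session_id": "s-200", "user": "bob", "ip": "192.0.2.5",
     "user_agent": "Mozilla/5.0 (X11; Linux) Chrome/124",
     "ts": "2025-03-01T10:00:00Z", "managed_device": False},
    {"session_id": "s-200", "user": "bob", "ip": "192.0.2.9",
     "user_agent": "Mozilla/5.0 (X11; Linux) Chrome/124",
     "ts": "2025-03-01T11:00:00Z", "managed_device": False},
    {"session_id": "s-300", "user": "carol", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (iPhone) Safari/17",
     "ts": "2025-02-01T08:00:00Z", "managed_device": True},
    {"session_id": "s-300", "user": "carol", "ip": "198.51.100.9",
     "user_agent": "Mozilla/5.0 (iPhone) Safari/17",
     "ts": "2025-03-01T08:30:00Z", "managed_device": True},
]

# Stand-in for "known good IP ranges" (assumed corporate egress CIDR).
CORPORATE_EGRESS = [ip_network("192.0.2.0/24")]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _is_known_good(ip, known_good):
    addr = ip_address(ip)
    return any(addr in net for net in known_good)


def find_compromised_sessions(events, known_good_ips=(), max_age=SESSION_MAX_AGE):
    """Return {session_id: {"user": ..., "pairs": [...]}} for every session
    that is (a) not from a managed device, (b) no older than max_age,
    (c) not seen exclusively from known good IPs, and (d) used from at
    least two distinct (ip, user_agent) pairs."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        # Managed-device sessions are excluded from the logic entirely.
        if any(ev["managed_device"] for ev in evs):
            continue
        times = [_parse_ts(ev["ts"]) for ev in evs]
        if max(times) - min(times) > max_age:
            continue  # long-lived session: excluded to keep fidelity up
        # A session seen only from known good ranges is not considered; a
        # session with at least one IP outside those ranges still is.
        if all(_is_known_good(ev["ip"], known_good_ips) for ev in evs):
            continue
        pairs = {(ev["ip"], ev["user_agent"]) for ev in evs}
        if len(pairs) >= 2:
            findings[sid] = {"user": evs[0]["user"], "pairs": sorted(pairs)}
    return findings


if __name__ == "__main__":
    for sid, info in find_compromised_sessions(EVENTS, CORPORATE_EGRESS).items():
        print(f"{sid} ({info['user']}): {info['pairs']}")
```

With the corporate range passed as known good, only `s-100` is reported; without it, `s-200` is reported as well, which is the noise the "Exclude Known Good IPs" setting is meant to remove.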

#### **Recommended Actions**

Revoke all active sessions for the affected user so that they can no longer be used, and contact the user to determine whether they recognize the devices or locations shown in the alert. Review recent activity logs, particularly those involving customer data, finance tools, identity settings or privileged apps, for any unauthorized actions taken during the suspicious session window, as these will have the largest business impact if the session was misused. If malicious activity is confirmed, suspend the account, reset its credentials and validate MFA protections.

Enable "Enforce device binding for creating sessions" in your identity provider settings, which ties each session credential to the specific device used at login and prevents it from being replayed from any other location to reduce the likelihood of compromised sessions in the future.

#### **Default Check Settings**

Exclude Known Good IPs: False

#### **Compatibility**

[Okta](/integrations/okta-data-integration.md)

Duo

[Microsoft Entra ID](/integrations/azure-active-directory-integration.md)

#### **Use Cases**

* An adversary-in-the-middle phishing proxy intercepts an employee's Okta session token and replays it from a foreign IP address while the legitimate session remains simultaneously active.
* A shared workstation, remote support flow, or unattended browser leaves a valid session available, and another employee reuses that same signed-in access to export critical data from sensitive business systems from a separate location.
* Malware installed on a corporate endpoint extracts live browser session cookies and reuses them on attacker-controlled infrastructure in another region, bypassing MFA entirely because the session is already authenticated.

#### **Real-World Incidents**

**Okta Support System Breach — February 2024**\
Attackers stole session cookies from customer-uploaded diagnostic files and hijacked active Okta admin sessions at 1Password, BeyondTrust, and Cloudflare - all replayed from IP addresses and devices those accounts had never used before. Within Cloudflare, the attackers accessed internal Atlassian tools from attacker-controlled devices, going undetected for 9 days before lateral movement was identified.\
[BleepingComputer, Feb 2024](https://www.bleepingcomputer.com/news/security/okta-says-its-support-system-was-breached-using-stolen-credentials/)

**Storm-2372 Device Code Phishing Campaign — February 2025**\
Microsoft described token theft and subsequent access to organizational resources after device code phishing. Stolen tokens were reused from attacker-controlled infrastructure while legitimate user sessions remained active, producing the kind of overlapping authenticated activity this check is designed to surface.\
[Microsoft Security Blog, Feb 2025](https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/)
