Troubleshooting Distributed Brute Force and/or Password Spray Attacks in Okta
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article aims to assist with troubleshooting distributed brute force and/or password spray attacks.

Applies To
  • Brute Force
  • Password Spray
  • Microsoft Office 365
Cause
Legacy authentication protocols (IMAP, POP, SMTP) are not disabled in the Microsoft 365 tenant.
Solution

Expand the authentication entries in the System Log to review the IP addresses, country/region, and application endpoints from which the suspected unauthorized attempts originate. In the vast majority of cases these attempts come from native mail clients. This can be confirmed by checking the specific Okta URL endpoint (RequestUri) to which Microsoft sends the authentication request.
The '/wsfed/active' endpoint handles all of the legacy protocol traffic that Microsoft sends over for authentication. Legacy email protocols such as IMAP and POP, used by native mail clients, cannot process client access policies or MFA, so they are a frequent target for unauthorized users. This presents a significant security risk: an attacker who acquires valid user credentials will not be challenged for MFA if they authenticate over a legacy protocol. To disable these legacy protocols in O365 tenants, refer to the Microsoft (MS) Support documentation: How to enable or disable POP3, IMAP, MAPI, Outlook Web app, or Exchange ActiveSync for a mailbox in Office 365.
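As an added example (not part of the Okta article), the following script performs the System Log review described above over constructed sample events: it groups failed authentications by source IP, counts how many of them hit the /wsfed/active legacy endpoint, and flags IPs that fail against many distinct accounts, the classic password-spray pattern. Field paths follow the Okta System Log event schema (client.ipAddress, actor.alternateId, outcome.result, debugContext.debugData.requestUri); the application ID in the RequestUri is a placeholder.

```python
# Added example, not from the Okta article. Field paths follow the Okta
# System Log event schema; all events below are constructed sample data.
WSFED_ACTIVE = "/app/office365/<APP_ID>/sso/wsfed/active"  # <APP_ID> is a placeholder
LEGACY_SUFFIX = "/wsfed/active"  # endpoint that carries legacy-protocol (IMAP/POP/SMTP) auth

def _event(user, ip, country, result, uri):
    """Build one constructed event in the System Log shape."""
    return {
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
        "debugContext": {"debugData": {"requestUri": uri}},
    }

SAMPLE_EVENTS = [  # constructed: one IP sprays four accounts, one user has a normal retry
    _event("a.lee@example.com", "198.51.100.7", "Netherlands", "FAILURE", WSFED_ACTIVE),
    _event("b.kim@example.com", "198.51.100.7", "Netherlands", "FAILURE", WSFED_ACTIVE),
    _event("c.ray@example.com", "198.51.100.7", "Netherlands", "FAILURE", WSFED_ACTIVE),
    _event("d.ali@example.com", "198.51.100.7", "Netherlands", "FAILURE", WSFED_ACTIVE),
    _event("a.lee@example.com", "203.0.113.5", "United States", "FAILURE", "/api/v1/authn"),
    _event("a.lee@example.com", "203.0.113.5", "United States", "SUCCESS", "/api/v1/authn"),
]

def _get(event, path):
    """Walk a dotted path such as 'client.ipAddress'; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(event, dict):
            return None
        event = event.get(key)
    return event

def summarize_failures(events):
    """Group FAILURE events by source IP: country, distinct users, legacy-endpoint hits."""
    by_ip = {}
    for ev in events:
        if _get(ev, "outcome.result") != "FAILURE":
            continue
        entry = by_ip.setdefault(_get(ev, "client.ipAddress"), {
            "country": _get(ev, "client.geographicalContext.country"),
            "users": set(), "total": 0, "legacy": 0})
        entry["total"] += 1
        entry["users"].add(_get(ev, "actor.alternateId"))
        if (_get(ev, "debugContext.debugData.requestUri") or "").endswith(LEGACY_SUFFIX):
            entry["legacy"] += 1  # request bypassed client access policies and MFA
    return by_ip

def flag_spray(by_ip, min_users=3):
    """Password-spray signature: a single IP failing against many distinct accounts."""
    return sorted(ip for ip, e in by_ip.items() if len(e["users"]) >= min_users)
```

Run against real exported System Log JSON by loading the events into a list and passing it to summarize_failures; a high legacy count for a flagged IP confirms the traffic is arriving through the legacy path the article describes.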


Okta has also published a whitepaper with more information on locking down legacy protocols and configuring secure client access policies: Securing Office 365 with Okta. One thing not covered in that article is disabling SMTP basic authentication, which is also targeted by brute force and password spray attacks.

According to Microsoft, SMTP basic authentication is disabled with the following Exchange Online PowerShell commands:

  • Set-CASMailbox -Identity user@domain.com -SmtpClientAuthenticationDisabled $true (per mailbox)
  • Set-TransportConfig -SmtpClientAuthenticationDisabled $true (org-wide)

Per the MS doc Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online:

  • Setting the per-mailbox parameter to $null makes the mailbox inherit the tenant-wide setting.
  • Running the Set-CASMailbox command above with the value $true disables SMTP basic authentication for that mailbox.

Out-of-the-box methods for mitigating attacks in Okta:

  • Soft Lock (prevents the attack from locking out the corresponding AD accounts). Use it together with auto-unlock of Okta accounts, configured on the Authentication page of the Admin Console.
  • IP Blocklisting

Methods for mitigating attacks in Okta with Adaptive MFA (reach out to account manager for pricing):
