This template uses an event hook that triggers the workflow when a phishing attempt is unsuccessful.
The flow sends the IP address of the phishing site and the affected user to a Slack channel for further investigation.
- Access to an Okta tenant with Okta Workflows enabled.
- Okta Verify enabled as an authentication factor.
- Event hook filtering enabled (this is an open beta feature).
- A Slack connection configured within Workflows
- Open the Phishing Attempt Failed flow.
- In the Slack card at the end of the flow, select the channel where Workflows should send the notifications.
- Activate the flow and click the
</>
icon at the bottom of the API Endpoint event card. - Copy the Invoke URL. You need this to configure the event hook.
-
In the Okta Admin Console, go to Workflow > Event Hooks and click Create Event Hook.
-
Paste the Invoke URL into the Endpoint URL field. Provide a helpful event hook name (example:
Phishing blocked
). -
For Select all events that apply scroll down the list of events and select Authentication of user via MFA.
-
Click Create Hook & Continue.
-
Check Apply Filter.
-
In the Expression Language text box, copy and paste the following expression:
event.outcome.reason eq "FastPass declined phishing attempt"
.This invokes the Workflow only during an unsuccessful phishing attempt.
-
Click Save & Continue. The event hook created should have an Active status because verification for Workflows endpoints is handled automatically.
- When a user logs in using Okta FastPass on a phishing site, the user is shown a
Suspicious page blocked
message. - The Phishing Attempt Failed workflow executes, sending a message to the configured Slack channel containing the IP address of the phishing site and the username.
- Keep in mind Workflows system limits.
- This template doesn't address error handling.