SpyCloud + Okta Identity Threat Protection: Closing the Gap Between Identity Exposure and Attack

The best ice cream shops don’t just serve good ice cream. They know which toppings will complement a flavor; where the right combination doesn’t distract from the base. The topping fills in what the base can’t do on its own.

That’s a pretty good way to think about SpyCloud’s new integration with Okta Identity Threat Protection (ITP). SpyCloud is the sprinkles on top of Okta’s ice cream.

Okta ITP sets a strong foundation for identity security, bringing together a powerful set of signals – user behavior, device context, session activity, and inputs from across the security ecosystem – to continuously evaluate risk and enforce policy during an active user session. For many organizations, it’s already the central control point for identity security. SpyCloud builds on that foundation by adding what Okta ITP can’t see on its own: identity intelligence that pinpoints which identities are already exposed on the darknet, before an attacker attempts access.

It’s two genuinely strong products working together to do what neither could do alone.

Identity protection is only as strong as the signals behind it

In an increasingly common attack scenario, the attacker doesn’t need your user’s password at all, because they already hold the user’s active session and can use it to bypass authentication entirely. When an employee’s Okta session data is captured through infostealer malware or a phishing campaign, attackers can bypass MFA, hijack live sessions, and move silently through critical SaaS environments before your team knows anything is wrong.

SpyCloud’s integration with Okta ITP introduces a new class of identity intelligence to address this issue: recaptured exposure data – including session cookies and tokens – from the criminal underground, delivered as structured risk signals through the Shared Signals Framework (SSF) directly into Okta’s risk engine. The result is that Okta ITP can automatically act on identity exposures it would otherwise never know about before an attacker gets the chance to use them to compromise active sessions.

SpyCloud recaptured 8.6 billion session cookies from the criminal underground last year – harvested by infostealer malware like LummaC2 and RedLine, and Adversary-in-the-Middle (AiTM) phishing kits like Tycoon 2FA. These are authenticated sessions that allow criminals to walk directly into applications with no login required and no anomaly visible to Okta.

SpyCloud signal: How the risk signal delivery works

When SpyCloud identifies an exposure tied to a monitored identity, it generates a Security Event Token (SET) – a signed JSON Web Token, as standardized in RFC 8417, delivered to Okta’s SSF endpoint. Each SET carries the affected user, the exposure type, a risk level, a source type, and a human-readable description of the exposure event.

Okta validates the token signature before ingesting the signal. The time from detecting an exposed user to enforcing the policy is a matter of seconds. Every signal is logged in the Okta System Log with full metadata – a complete audit record of who was exposed, when SpyCloud detected it, and what actions were taken within Okta.

Because SpyCloud continuously processes newly recaptured records – often within minutes of discovery – the signals delivered into Okta ITP reflect active exposures for active users.
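To make the transmitter/receiver exchange above concrete, here is an added example (not SpyCloud’s or Okta’s code) that builds one SET carrying the five fields the post lists and then applies the receiver-side checks a risk engine needs before acting on it: signature, token type, issuer, audience, freshness and replay. The event-type URI, issuer, audience and user are constructed placeholders, and the block signs with HS256 and a shared secret so it runs on the standard library alone; a real SSF transmitter signs with an asymmetric key the receiver fetches via JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. Assumption: HS256 keeps this stdlib-only; a real SSF
# transmitter signs with an asymmetric key that the receiver fetches via JWKS.
SECRET = b"constructed-demo-secret"
EVENT_TYPE = "https://example.invalid/secevent/identity-exposure"  # hypothetical URI
TYP = "secevent+jwt"  # header media type RFC 8417 requires for a SET

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(user_email, exposure_type, risk_level, source_type, description,
              iss, aud, jti, now=None):
    """Transmitter side: wrap one exposure event in a signed SET."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": TYP}
    claims = {"iss": iss, "aud": aud, "iat": now, "jti": jti,
              "sub_id": {"format": "email", "email": user_email},  # the affected user
              "events": {EVENT_TYPE: {"exposure_type": exposure_type, "risk_level": risk_level,
                                      "source_type": source_type, "description": description}}}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_set(token, expected_iss, expected_aud, seen_jtis, now=None, max_age=300):
    """Receiver side: signature first, then typ/alg, issuer, audience, freshness, replay."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    expected_sig = hmac.new(SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None  # nothing below is trusted until the signature holds
    header, claims = json.loads(_b64url_decode(head_b64)), json.loads(_b64url_decode(claims_b64))
    if header.get("alg") != "HS256" or header.get("typ") != TYP:
        return None  # reject alg confusion and ordinary JWTs presented as SETs
    if claims.get("iss") != expected_iss or claims.get("aud") != expected_aud:
        return None
    now = int(time.time()) if now is None else now
    if not (now - max_age <= claims.get("iat", -1) <= now + 60):
        return None  # stale or far-future tokens are dropped
    if not claims.get("jti") or claims["jti"] in seen_jtis:
        return None  # a replayed SET must not trigger a second enforcement action
    seen_jtis.add(claims["jti"])
    return claims
```

The returned claims are what a policy engine would hand to its severity mapping; a `None` result is an audit-log entry, never an enforcement action.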

Okta ITP action: Custom, automated remediation options based on severity

Raw exposure data without context creates noise. SpyCloud translates every recaptured artifact into a risk classification aligned to real-world attack paths, so Okta ITP can enforce the right response automatically.

High Risk
SpyCloud exposure event: Okta tenant URL detected in an infostealer malware log
Recommended Okta ITP action: Trigger Universal Logout, launch downstream SOC workflows, and potentially suspend the account
Why this matters: Your identity infrastructure is being targeted and the response should be immediate and decisive

Medium Risk
SpyCloud exposure event: Infostealer malware infection with exposed application and session data
Recommended Okta ITP action: Force an immediate password reset and execute Universal Logout for all supported applications
Why this matters: Resetting a password alone leaves authenticated sessions alive

Medium Risk
SpyCloud exposure event: Successful phishing attack with exposed credentials
Recommended Okta ITP action: Trigger step-up MFA and review active sessions for signs of post-authentication abuse
Why this matters: This is an opportunity to disrupt account takeover attacks or credential stuffing

Low Risk
SpyCloud exposure event: Third-party breach or modern combolist exposure
Recommended Okta ITP action: Prompt users to update passwords at next login and increase authentication scrutiny
Why this matters: Only resetting credentials without validating active sessions may give attackers authenticated access

Low: Warrants Follow-up Investigation
SpyCloud exposure event: Holistic exposure identified through SpyCloud IDLink
Recommended Okta ITP action: Automatically trigger adaptive authentication and route findings to the SOC for investigation
Why this matters: Identity exposures rarely exist in isolation. SpyCloud IDLink analytics correlate exposed identity data across your workforce’s entire digital identity to identify other hidden threats

Attack chains Okta ITP alone can’t see

Each SpyCloud signal maps to a specific, observable attack chain. Here’s what that looks like in practice.

Scenario 01: Infostealer malware exfiltrates authentication data

Infostealers like LummaC2, Vidar, and MetaStealer harvest complete identity data sets from infected devices – credentials, session cookies, browser fingerprints, and device metadata. The threat escalates when a malware log contains your organization’s Okta tenant URL (yourcompany.okta.com), confirming an infected device was actively authenticated to your identity environment when the data was stolen. This level of visibility only comes from recaptured malware data from the criminal underground, not endpoint or behavioral telemetry.

What SpyCloud sees:

Recaptured malware logs containing stolen credentials, cookies, browser data, and device details tied to your monitored domains and Okta tenant.

What SpyCloud delivers to Okta ITP:

A Medium-to-High risk malware signal, escalating when your Okta tenant URL is confirmed in the log.

What Okta ITP can do:

Triggers Universal Logout for all connected applications, terminating active sessions before attackers can move across your network.

Scenario 02: Successful phishing attack exposes identity data

AiTM phishing kits like Tycoon 2FA capture session cookies, authentication tokens, and MFA artifacts alongside credentials – giving attackers a path to bypass your security measures entirely. SpyCloud recaptures data from successful phishing campaigns directly from phishing-as-a-service (PhaaS) infrastructure. In 2025, SpyCloud recaptured 28.6 million phished identity records, nearly half tied to corporate users.

When newly recaptured phished credentials tied to a monitored domain appear in SpyCloud, a signal is sent to Okta ITP to trigger follow-up investigations to understand the blast radius.

What SpyCloud sees:

Recaptured phishing data tied to monitored domains, often including credentials, session cookies, authentication tokens, and MFA workflow artifacts.

What SpyCloud delivers to Okta ITP:

A Medium-risk phishing signal. This is severe enough to warrant follow-on actions because the exposure likely extends beyond Okta.

What Okta ITP can do:

Triggers step-up authentication and initiates session review to identify potentially compromised active sessions.

What your team should do:

Treat the phishing victim’s identity as broadly exposed until proven otherwise. Reset passwords, review session history for anomalous activity, audit connected SaaS applications, and investigate the employee’s broader exposure footprint within SpyCloud’s database. The Okta response contains the identity layer and the follow-up investigation determines how far the exposure spread.

Scenario 03: Exposed credentials in third-party breaches

Say an employee signs up for a third-party SaaS application using their corporate email, and that service is later breached. SpyCloud recaptures the exposed data, recovers the plaintext password, and matches it to your employee’s identity. If the employee reused that password for Okta, attackers have a clean path to authentication. Among exposed corporate credentials recaptured by SpyCloud last year, 80% contained plaintext passwords.

Without this added exposure intelligence, Okta sees what appears to be a legitimate login attempt using valid credentials. The advantage of SpyCloud’s signal is timing: the exposure is identified before attackers operationalize it.

What SpyCloud sees:

Recaptured breach data tied to an employee’s identity containing a corporate email address and recovered plaintext password.

What SpyCloud delivers to Okta ITP:

A Low-risk breach signal indicating exposed credentials that may still be exploitable through password reuse.

What Okta ITP can do:

Prompts a password reset at next login, closing the window between credential exposure and account takeover.

Scenario 04: SpyCloud IDLink uncovers hidden identity exposure

Not every exposure is tied directly to your corporate domain. Employees reuse passwords across personal and work accounts, use unmanaged devices, and maintain compromised digital identities outside your visibility. SpyCloud IDLink correlates identity data across SpyCloud’s recaptured malware, phishing, breach, and combolist records to surface connections between personal and corporate identities that standard domain monitoring would never find.

This doesn’t automatically mean the employee’s Okta account is compromised, but it does mean their risk profile changed, and the exposure deserves investigation.

What SpyCloud sees:

An exposed password tied to the employee’s extended digital identity, such as a personal account or unmanaged device.

What SpyCloud delivers to Okta ITP:

A Low-severity Holistic Exposure signal indicating elevated identity risk that requires analyst review.

What Okta ITP can do:

Flags the exposure for investigation rather than triggering automatic remediation. The right response depends on what else is connected to the exposure.

What your team should do:

Investigate the employee’s full exposure record in SpyCloud to understand what was exposed, where it appeared, and whether corporate access may be at risk. That investigation determines the next step.


Immediate time to value for real-time enforcement by your team

SpyCloud manages the SSF integration on its end for Okta ITP. We’re making it as easy as possible for teams – there are no custom Okta Workflows to build, and no connectors to maintain. With this integration, most of our customers are operational in less than one business day.

For organizations already running Okta ITP, this integration adds a layer of upstream intelligence that Okta’s own signal sources can’t provide: namely, confirmed exposure data from the criminal underground, classified by attack path, and delivered before an attacker has the chance to act.

For organizations evaluating Okta ITP, SpyCloud’s integration is a meaningful reason to move forward, because it addresses the class of threat that behavioral signals alone can’t catch.


FAQs

Okta Identity Threat Protection (ITP) continuously assesses user context and automatically responds to identity threats across your ecosystem by analyzing user behavior, device context, session activity, and security signals to enforce policy during active user sessions.

SpyCloud delivers recaptured exposure data from the criminal underground – including session cookies, tokens, and credentials harvested by infostealer malware and phishing kits – directly into Okta’s risk engine through the Shared Signals Framework, enabling Okta ITP to act on identity exposures before attackers exploit them.

Identity threat detection and response (ITDR) solutions identify and respond to identity-based threats like compromised user accounts and leaked passwords by monitoring user activity and access management logs, flagging malicious activity, and collecting data from multiple identity and access management systems.

Most organizations become operational in less than one business day because SpyCloud manages the SSF integration without requiring custom Okta Workflows or connectors to maintain.
