How to Handle a Login Attack

If you notice signs of a login attack (e.g., suspicious account activity mail received from auth0), follow these steps:

1. Notify the Security Team

   • Submit an IT support form to alert the security team.
   • Provide as much detail as possible, including:
     • Time and date of the incident
     • Are there any successful logins recorded during the attack?
     • Any suspicious IP addresses or patterns observed

2. Do Not Attempt to Block or Investigate on Your Own

   • Avoid making changes to user accounts or system settings unless instructed by the security team.

3. Monitor for Further Activity

   • Continue to observe the system for additional suspicious behavior and report any new findings.

4. Follow Up

   • Cooperate with the security team for any follow-up actions or investigations.
   • Block any suspicious IP addresses or accounts only if directed by the security team:
     • in auth0: Extend the blocklist with the suspicious IP address in the post-login action
     • in WAF: Add the IP address to the blocklist in the WAF configuration, see PR for adding blocked IP to WAF.

---

Last updated: March 24, 2026 at 10:39

By: Axel Tetzlaff

📄 View source

Repository: CPE-Orga/sso-docs