Hey everyone, I've had a user report a suspicious DUO push notification they received while shopping. They weren't trying to log in, so they were puzzled. Upon investigating, I found that the push appeared to come from their home IP and showed as a Windows 10 device, while their work computer is usually listed as Windows 11. The logs indicated it was associated with Outlook.
This got me thinking because I had a similar experience of a phantom DUO push right when I got home from work. That too was logged from the same area, showing as a Windows 10 device even though I use Windows 11.
We did recently update our CA policy: users can skip DUO when on the network, but must use it when off the network. Could it be that the system is mistakenly detecting the user as off the network and sending a DUO push using cached credentials through email? And if that's the case, how do I prevent this from happening? Any insights would be appreciated!
1 Answer
It sounds wise to open a support ticket with DUO to get a professional opinion on this. It's better to have accurate information rather than guessing about what might be happening. Plus, they can investigate the logs for you to see if there's a deeper issue. Just to be safe!
Yeah, I think that's a good step. I guess it's better to confirm everything. Thanks for the suggestion!