Brand impersonation: Okta
Impersonation of Okta, an identity and access management company.
Sublime rule
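# Sublime Security detection rule: YAML metadata plus the detection query in `source`.
# Fires on inbound mail that references "Okta" in the sender name, sender domain or
# subject, shows an Okta logo in the rendered message, and comes from a sender with
# no established benign history -- unless it authenticates as one of Okta's own domains.
name: "Brand impersonation: Okta"
description: "Impersonation of Okta, an identity and access management company."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // "Okta" in the display name (whole word, case-insensitive), the sender's
  // domain, or the subject
  and (
    regex.icontains(sender.display_name, '\bOkta\b')
    or strings.ilike(sender.email.domain.domain, '*Okta*')
    or strings.ilike(subject.subject, '*Okta*')
  )
  // skip messages that carry threading headers (References / In-Reply-To),
  // i.e. replies rather than first-contact mail
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // negate Okta's own sending domains, but only when the message also passes
  // DMARC; a message claiming an Okta root domain that fails DMARC stays in scope
  and not (
    sender.email.domain.root_domain in~ (
      'oktacdn.com',
      'okta.com',
      'okta-emea.com',
      'okta-gov.com',
      'oktapreview.com',
      'polaris.me',
      'examity.com' // exam service used by okta
    )
    and headers.auth_summary.dmarc.pass
  )
  // require an Okta logo in a screenshot of the rendered message, at medium
  // or high detector confidence
  and any(ml.logo_detect(file.message_screenshot()).brands,
          .name == "Okta" and .confidence in ("medium", "high")
  )
  // sender is new/outlier for this environment, or has prior malicious/spam
  // messages and no benign ones
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // negate okta relay
  // NOTE(review): unlike the root-domain exclusion above, this exclusion is keyed
  // only on a domain observed in the headers and is not paired with an
  // authentication result; consider whether it should also require
  // headers.auth_summary.dmarc.pass -- confirm against known-good relay traffic
  and not any(distinct(headers.domains, .domain is not null),
              .domain == "mailrelay.okta.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "b7a2989a-a5ef-5340-b1d0-6b7c51462855"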