Brand impersonation: Okta

Impersonation of Okta, an identity and access management company.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Fires on inbound mail that references Okta, shows an Okta logo in the rendered
# message, and does not arrive from an Okta sending domain with a passing DMARC
# result. Each `and` clause below narrows the match; the `// negate ...` clauses
# are allow-list exclusions.
name: "Brand impersonation: Okta"
description: "Impersonation of Okta, an identity and access management company."
type: "rule"
severity: "medium"
source: |
  // Inbound messages only.
  type.inbound
  // Okta is referenced as a whole word in the display name (case-insensitive),
  // or as a substring anywhere in the sender domain or the subject.
  and (
    regex.icontains(sender.display_name, '\bOkta\b')
    or strings.ilike(sender.email.domain.domain, '*Okta*')
    or strings.ilike(subject.subject, '*Okta*')
  )
  // Skip messages that belong to an existing thread: a non-empty References
  // header, or an In-Reply-To field recorded on any hop.
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Negate Okta's own sending domains, but only when some hop carries a
  // passing DMARC verdict. A listed domain WITHOUT a DMARC pass still matches,
  // so a spoofed okta.com sender is not excused. Hops with no DMARC result are
  // filtered out before the check.
  // NOTE(review): this trusts the DMARC verdict stored on the hops; confirm the
  // platform populates it from its own verification and not from upstream
  // Authentication-Results headers.
  and not (
    sender.email.domain.root_domain in~ (
      'oktacdn.com',
      'okta.com',
      'okta-emea.com',
      'okta-gov.com',
      'oktapreview.com',
      'polaris.me'
    )
    and any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*pass")
    )
  )
  // Require the logo detector to report an Okta brand at medium or high
  // confidence on the message screenshot.
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          .name == "Okta" and .confidence in ("medium", "high")
  )
  // Sender reputation gate: the sender is new or an outlier, or has prior
  // malicious/spam messages with no recorded false positives.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate okta relay
  // Any non-null domain in the message headers equal to mailrelay.okta.com
  // excludes the message.
  and not any(distinct(headers.domains, .domain is not null),
              .domain == "mailrelay.okta.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  // $high_trust_sender_root_domains is a list maintained outside this rule.
  // A sender on that list matches only when a hop records a DMARC fail;
  // senders not on the list are unaffected by this clause.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "b7a2989a-a5ef-5340-b1d0-6b7c51462855"