Brand impersonation: Okta
Impersonation of Okta, an identity and access management company.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# Matches inbound mail that invokes the Okta brand (display name, sender domain or
# subject), shows a recognized Okta logo, and comes from a sender without benign
# history — while excluding mail that authenticates as Okta's own infrastructure.
name: "Brand impersonation: Okta"
description: "Impersonation of Okta, an identity and access management company."
type: "rule"
severity: "medium"
# MQL expression; every `and` clause below must hold for the rule to fire.
source: |
  type.inbound
  // Brand reference in the display name (word-bounded, case-insensitive),
  // the sender's domain, or the subject line.
  and (
    regex.icontains(sender.display_name, '\bOkta\b')
    or strings.ilike(sender.email.domain.domain, '*Okta*')
    or strings.ilike(subject.subject, '*Okta*')
  )
  // Skip replies: a References header, or an In-Reply-To field on any hop.
  // NOTE(review): both headers are written by the sending side, so this clause is a
  // false-positive reducer, not evidence of a genuine existing conversation.
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Skip Okta's own sending domains only when the message also passes DMARC;
  // a lookalike or spoof of one of these domains that fails DMARC is still evaluated.
  and not (
    sender.email.domain.root_domain in~ (
      'oktacdn.com',
      'okta.com',
      'okta-emea.com',
      'okta-gov.com',
      'oktapreview.com',
      'polaris.me'
    )
    and headers.auth_summary.dmarc.pass
  )
  // Require an Okta logo in the rendered message screenshot at medium or high confidence.
  and any(ml.logo_detect(beta.message_screenshot()).brands,
    .name == "Okta" and .confidence in ("medium", "high")
  )
  // Sender must be new or an outlier for this environment, or previously seen as
  // malicious/spam with no false positives recorded against it.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate okta relay
  // NOTE(review): headers.domains is derived from message headers; whether a relay
  // domain listed here is authenticated or merely asserted is not visible from this
  // rule — confirm before relying on this exclusion as a strong trust signal.
  and not any(distinct(headers.domains, .domain is not null),
    .domain == "mailrelay.okta.com"
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used for triage and reporting; not part of the match logic.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "b7a2989a-a5ef-5340-b1d0-6b7c51462855"