Brand impersonation: Okta
Detects inbound email that impersonates Okta, an identity and access management (IAM) vendor, using sender, subject and rendered-logo cues; messages from Okta's own domains are only excluded when they pass DMARC.
Sublime rule
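name: "Brand impersonation: Okta"
description: "Impersonation of Okta, an identity and access management company."
type: "rule"
severity: "medium"
source: |
  // Okta is named in the sender display name, the sender domain, or the subject.
  type.inbound
  and (
    regex.icontains(sender.display_name, '\bOkta\b')
    or strings.ilike(sender.email.domain.domain, '*Okta*')
    or strings.ilike(subject.subject, '*Okta*')
  )
  // Skip replies and threaded mail; the lure is expected to be a fresh message.
  and not (length(headers.references) > 0 or headers.in_reply_to is not null)
  // Legitimate Okta domains are excluded only when DMARC passes, so a spoofed
  // From: on one of these domains still fires the rule.
  and not (
    sender.email.domain.root_domain in~ (
      'oktacdn.com',
      'okta.com',
      'okta-emea.com',
      'okta-gov.com',
      'oktapreview.com',
      'polaris.me',
      'examity.com' // exam service used by okta
    )
    and headers.auth_summary.dmarc.pass
  )
  // The rendered message must visibly carry the Okta logo.
  and any(ml.logo_detect(file.message_screenshot()).brands,
    .name == "Okta" and .confidence in ("medium", "high")
  )
  // The sender has no benign history with the organization.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Negate the Okta customer mail relay. headers.domains is populated from the
  // message's own headers, which a spoofer controls, so merely mentioning the
  // relay domain must not bypass the rule: the relay exclusion is gated on a
  // DMARC pass, the same gate the other allowlists in this rule use.
  and not (
    any(distinct(headers.domains, .domain is not null),
      .domain == "mailrelay.okta.com"
    )
    and headers.auth_summary.dmarc.pass
  )
  // Negate highly trusted sender domains unless they fail DMARC authentication
  // (equivalent to: trusted-and-passing senders are excluded, everyone else is not).
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "b7a2989a-a5ef-5340-b1d0-6b7c51462855"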