LoFP / False positives: fidelity of this is high, as Okta itself is identifying the malicious infrastructure. Filter and modify as needed.

Techniques

Sample rules

Okta Phishing Detection with FastPass Origin Check

Description

The following analytic identifies authentication attempts that Okta's FastPass declined because its origin check detected a known phishing site. When your users are enrolled in FastPass, Okta can give defenders a high-fidelity signal that user applications are being targeted by attackers wielding real-time adversary-in-the-middle (AiTM) proxies. Okta's Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notifies Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.

Detection logic

`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt" 
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `okta_phishing_detection_with_fastpass_origin_check_filter`
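To show what the search above actually does to raw events, here is an added example (not code from the Splunk rule, from security_content, or from Okta) that replays the same filter and `stats` clause in Python over constructed Okta System Log events. The sample events, user names and user-agent strings are fabricated; the field names follow Okta's public System Log schema, and the assumption that Splunk's `result` field is the flattened `outcome.result` of the raw event is labelled as such. The `excluded_users` parameter is a stand-in for the `okta_phishing_detection_with_fastpass_origin_check_filter` tuning macro and is likewise an assumption.

```python
"""Replay of the FastPass phishing-block search over constructed Okta System Log events.
Added example; not code from the Splunk rule, Splunk's security_content, or Okta."""
import json
from datetime import datetime

# Constructed sample events shaped like Okta System Log JSON. Field names follow
# Okta's public schema (eventType, outcome.result, outcome.reason, displayMessage,
# actor.alternateId, client.userAgent.*, published); every value is fabricated.
# The two alice events are deliberately out of order to exercise min/max(_time).
SAMPLE_EVENTS_JSON = r'''
[
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-01T10:05:00.000Z",
  "displayMessage": "Authentication of user via MFA",
  "outcome": {"result": "FAILURE", "reason": "FastPass declined phishing attempt"},
  "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "browser": "CHROME"}}},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-01T10:00:00.000Z",
  "displayMessage": "Authentication of user via MFA",
  "outcome": {"result": "FAILURE", "reason": "FastPass declined phishing attempt"},
  "actor": {"alternateId": "alice@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "browser": "CHROME"}}},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-01T10:01:00.000Z",
  "displayMessage": "Authentication of user via MFA",
  "outcome": {"result": "SUCCESS", "reason": null},
  "actor": {"alternateId": "bob@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Safari/605.1", "browser": "SAFARI"}}},
 {"eventType": "user.authentication.auth_via_mfa", "published": "2024-05-01T10:02:00.000Z",
  "displayMessage": "Authentication of user via MFA",
  "outcome": {"result": "FAILURE", "reason": "CONSTRUCTED_OTHER_FAILURE"},
  "actor": {"alternateId": "carol@example.com"},
  "client": {"userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux) Firefox/125.0", "browser": "FIREFOX"}}}
]
'''


def matches_fastpass_phishing_block(event: dict) -> bool:
    """The search's WHERE clause. Splunk's `result` field is taken to be the flattened
    outcome.result of the raw event (assumption about the Okta add-on's field mapping)."""
    outcome = event.get("outcome") or {}
    return (
        event.get("eventType") == "user.authentication.auth_via_mfa"
        and outcome.get("result") == "FAILURE"
        and outcome.get("reason") == "FastPass declined phishing attempt"
    )


def _published_ts(event: dict) -> datetime:
    """Okta's `published` is RFC 3339 with a trailing Z; normalise it for fromisoformat."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def run_search(events, excluded_users=()):
    """Equivalent of `stats count min(_time) max(_time) values(displayMessage)
    by user eventType rawUserAgent browser outcome.reason`, followed by a stand-in
    for the `_filter` tuning macro (excluded_users is an assumption, not the macro)."""
    groups = {}
    for event in events:
        if not matches_fastpass_phishing_block(event):
            continue
        ua = (event.get("client") or {}).get("userAgent") or {}
        key = (
            (event.get("actor") or {}).get("alternateId"),  # `user` in the Splunk search
            event["eventType"],
            ua.get("rawUserAgent"),
            ua.get("browser"),
            event["outcome"]["reason"],
        )
        ts = _published_ts(event)
        row = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts, "messages": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        if event.get("displayMessage"):
            row["messages"].add(event["displayMessage"])

    results = []
    for (user, event_type, raw_ua, browser, reason), row in groups.items():
        if user in excluded_users:  # the tuning-macro stand-in
            continue
        results.append({
            "user": user,
            "eventType": event_type,
            "client.userAgent.rawUserAgent": raw_ua,
            "client.userAgent.browser": browser,
            "outcome.reason": reason,
            "count": row["count"],
            "firstTime": row["firstTime"].isoformat(),  # what security_content_ctime renders
            "lastTime": row["lastTime"].isoformat(),
            "displayMessage": sorted(row["messages"]),
        })
    return results


if __name__ == "__main__":
    for row in run_search(json.loads(SAMPLE_EVENTS_JSON)):
        print(json.dumps(row))
```

Only alice's two declined attempts survive the filter: bob's MFA success and carol's failure for an unrelated reason are dropped, and the two alice events collapse to one row with `count` 2 and the correct first/last times. Anything you would put in the `_filter` macro (a known red-team account, a test tenant) belongs in `excluded_users` here.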