Techniques
Sample rules
Okta Phishing Detection with FastPass Origin Check
- source: splunk
- technicques:
- T1078
- T1078.001
- T1556
Description
The following analytic identifies when Okta’’s FastPass prevents known phishing sites. When your users are enrolled in FastPass, Okta can provide defenders a high-fidelity signal for when user applications are being targeted by attackers wielding real-time (AiTM) proxies. Okta’’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers when suspicious infrastructure we detect appears to be targeting their users. Since March 2020, we have delivered over 1000 notifications to customers.
Detection logic
`okta` eventType="user.authentication.auth_via_mfa" AND result="FAILURE" AND outcome.reason="FastPass declined phishing attempt"
| stats count min(_time) as firstTime max(_time) as lastTime values(displayMessage) by user eventType client.userAgent.rawUserAgent client.userAgent.browser outcome.reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `okta_phishing_detection_with_fastpass_origin_check_filter`