Detection rules › Sublime MQL
Brand impersonation: Okta
Impersonation of Okta, an identity and access management company.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
Rule body MQL
type.inbound
and (
regex.icontains(sender.display_name, '\bOkta\b')
or strings.ilike(sender.email.domain.domain, '*Okta*')
or strings.ilike(subject.subject, '*Okta*')
)
and not (length(headers.references) > 0 or headers.in_reply_to is not null)
and not (
sender.email.domain.root_domain in~ (
'oktacdn.com',
'okta.com',
'okta-emea.com',
'okta-gov.com',
'oktapreview.com',
'polaris.me',
'examity.com' // exam service used by okta
)
and headers.auth_summary.dmarc.pass
)
and any(ml.logo_detect(file.message_screenshot()).brands,
.name == "Okta" and .confidence in ("medium", "high")
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate okta relay
and not any(distinct(headers.domains, .domain is not null),
.domain == "mailrelay.okta.com"
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Impersonation of Okta, an identity and access management company.
- inbound message
any of:
- sender.display_name matches '\\bOkta\\b'
- sender.email.domain.domain matches '*Okta*'
- subject.subject matches '*Okta*'
none of:
- length(headers.references) > 0
- headers.in_reply_to is set
not:
all of:
- sender.email.domain.root_domain in ('oktacdn.com', 'okta.com', 'okta-emea.com', 'okta-gov.com', 'oktapreview.com', 'polaris.me', 'examity.com')
- headers.auth_summary.dmarc.pass
any of
ml.logo_detect(file.message_screenshot()).brandswhere all hold:- .name is 'Okta'
- .confidence in ('medium', 'high')
any of:
- profile.by_sender().prevalence in ('new', 'outlier')
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
not:
any of
distinct(headers.domains)where:- .domain is 'mailrelay.okta.com'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: headers.auth_summary.dmarc.pass, headers.domains, headers.domains[].domain, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, profile.by_sender, regex.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains.
Indicators matched (13)
| Field | Match | Value |
|---|---|---|
regex.icontains | regex | \bOkta\b |
strings.ilike | substring | *Okta* |
sender.email.domain.root_domain | member | oktacdn.com |
sender.email.domain.root_domain | member | okta.com |
sender.email.domain.root_domain | member | okta-emea.com |
sender.email.domain.root_domain | member | okta-gov.com |
sender.email.domain.root_domain | member | oktapreview.com |
sender.email.domain.root_domain | member | polaris.me |
sender.email.domain.root_domain | member | examity.com |
ml.logo_detect(file.message_screenshot()).brands[].name | equals | Okta |
ml.logo_detect(file.message_screenshot()).brands[].confidence | member | medium |
ml.logo_detect(file.message_screenshot()).brands[].confidence | member | high |
1 more
distinct(headers.domains)[].domain | equals | mailrelay.okta.com |