Okta’s Identity Defense Operations frequently observes the use of Adversary-in-the-Middle (AiTM) phishing proxies in high-volume, non-targeted attacks against users of corporate email services. Real-time phishing proxies have been used in red team activity and targeted attacks since at least 2017. Microsoft Threat Intelligence Center (MSTIC) observed campaigns in July 2022 of far higher volume, with 10,000 Microsoft 365 customers targeted in one campaign alone. MSTIC also observed that...

“Push fatigue” is a noisy form of attack that generates numerous detection opportunities. In a “push fatigue” attack (sometimes called “MFA bombing”), an attacker already in possession of a user password triggers push notifications, often in rapid succession, to trick or frustrate the legitimate user into allowing access. The attacker gains unauthorized access to the account if the user approves the request out of habit or under the assumption of system error.  The most strategic, long-term...

In an ideal world, every security function would have a Detection Engineering team. Regrettably, even organizations that are stewards of highly sensitive data often can’t afford (or don’t prioritize) the capabilities required for effective security monitoring. There can be a misconception that cloud service providers are doing the monitoring for them. It's a challenge that Okta Security wants to help address. Whenever we write a detection for our own purposes (we use Okta, too!), there’s an...

Okta Identity Engine (OIE) is an incredibly powerful platform. What other platform allows you to have this level of security, granularity and control? “Only allow access to a highly sensitive application if the user authenticates with multiple authenticators that are at least one phishing-resistant, and only from a corporate-managed device with a strong EDR posture score.” The more sensitive an application is, the more security context we might seek to verify to ensure the access is...

Okta Identity Engine offers admins the ability to vary authentication flows to applications based on everything from group membership, device management, device posture, network zones, risk evaluation, user behaviour and more. Generally speaking, the more context evaluated at the point of access, the better the security outcome. That’s what this whole zero trust journey is about: all the stars should align before a legitimate user can access a sensitive resource. The flip-side of this is that...

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP.  We are often asked to provide some sort of "cheat sheet" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library. The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and bespoke detections...

SUMMARY: In alignment with our core value of transparency, we are sharing context and details around a recent security event affecting Okta code repositories. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers. SCOPE: The security event detailed below pertains to Okta Workforce Identity Cloud (WIC) code repositories. It does not pertain to any Auth0 (Customer Identity Cloud) products. EVENT: In early December 2022, GitHub...

In the last two installments in our series on phishing resistance, we discussed phishing resistant authenticators and how to gather signals about phishing lures directly from your users. Now let’s drill down into detection and response: what signals does Okta’s System Log provide that are indicative of in-flight phishing campaigns? Okta’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notify Okta customers...

The OpenSSL Project has announced the availability of a security update (version 3.07) that addresses a vulnerability affecting OpenSSL versions 3.0 and above (3.0.0 - 3.0.6). The two CVE’s are listed below: CVE-2022-3602 CVE-2022-3786 Response Okta’s engineering teams have applied patches and other mitigations, where required. Customer Guidance For both CVEs, the severity level has been listed as “high” and the following information has been made available: OpenSSL versions 3.0.0 to...

All applications require a highly-privileged administrator role to deploy and maintain that application. The monitoring and oversight (audit) of actions performed by users with these roles is a cornerstone of any well-designed security program. A number of research projects have highlighted ways in which the most privileged administrators in Okta could, if unchecked, abuse their privilege in some way. These research efforts serve to reinforce some long-held security principles: most notably...