From c101ece78a3ab5b1ab4785751b771f7d339ace37 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 29 Nov 2023 13:56:12 -0500
Subject: [PATCH 1/4] New Rule: Okta Impersonation
---
 detection-rules/impersonation_okta.yml | 59 ++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 detection-rules/impersonation_okta.yml
diff --git a/detection-rules/impersonation_okta.yml b/detection-rules/impersonation_okta.yml
new file mode 100644
index 00000000000..e6e2ee9cb5c
--- /dev/null
+++ b/detection-rules/impersonation_okta.yml
@@ -0,0 +1,59 @@
+name: "Brand impersonation: Okta"
+description: "Impersonation of Okta an Identity and access management company."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ regex.icontains(sender.display_name, '\bOkta\b')
+ or strings.ilike(sender.email.domain.domain, '*Okta*')
+ or strings.ilike(subject.subject, '*Okta*')
+ )
+ and (
+ sender.email.domain.root_domain in~ (
+ 'oktacdn.com',
+ 'okta.com',
+ 'okta-emea.com',
+ 'okta-gov.com',
+ 'oktapreview.com',
+ 'polaris.me'
+ )
+ or any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ and any(ml.logo_detect(beta.message_screenshot()).brands,
+ .name == "Okta" and .confidence in ("medium", "high")
+ )
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Sender analysis"
From 2dbe5eb11596cdda0eaec3e63694d7040dc765e1 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Wed, 29 Nov 2023 18:57:31 +0000
Subject: [PATCH 2/4] Auto add rule ID
---
 detection-rules/impersonation_okta.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/impersonation_okta.yml b/detection-rules/impersonation_okta.yml
index e6e2ee9cb5c..c976269ad42 100644
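Review bot: The `description` string `Impersonation of Okta an Identity and access management company.` is missing a comma after "Okta" and capitalizes "Identity" mid-sentence; suggest `description: "Impersonation of Okta, an identity and access management company."`. The list of Okta sending root domains in the second `and (...)` group has no comment saying where it comes from, and `polaris.me` is not self-evidently an Okta brand domain, so a reviewer cannot tell whether it belongs there. A one-line comment above the list such as `// known legitimate Okta sending root domains` (with a pointer to the source of the list, if one exists) would make the exclusion auditable. The rest of this hunk's domain/DMARC logic is reworked by the later patches in this series, so it is not raised here.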
--- a/detection-rules/impersonation_okta.yml
+++ b/detection-rules/impersonation_okta.yml
@@ -57,3 +57,4 @@ detection_methods:
 - "Content analysis"
 - "Header analysis"
 - "Sender analysis"
+id: "b7a2989a-a5ef-5340-b1d0-6b7c51462855"
From 9a4d8b1c4a2d79f15bd0e2225830ca38f16d9799 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 29 Nov 2023 14:08:28 -0500
Subject: [PATCH 3/4] Update impersonation_okta.yml
---
 detection-rules/impersonation_okta.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/impersonation_okta.yml b/detection-rules/impersonation_okta.yml
index c976269ad42..fff682c5a66 100644
--- a/detection-rules/impersonation_okta.yml
+++ b/detection-rules/impersonation_okta.yml
@@ -10,7 +10,7 @@ source: |
 or strings.ilike(subject.subject, '*Okta*')
 )
 and (
- sender.email.domain.root_domain in~ (
+ sender.email.domain.root_domain not in~ (
 'oktacdn.com',
 'okta.com',
 'okta-emea.com',
@@ -45,7 +45,7 @@ source: |
 )
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
-
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
From 45f3c24811d476a7b8aa86e9371e35fe80f4615c Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 29 Nov 2023 14:23:36 -0500
Subject: [PATCH 4/4] Update impersonation_okta.yml
---
 detection-rules/impersonation_okta.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/detection-rules/impersonation_okta.yml b/detection-rules/impersonation_okta.yml
index fff682c5a66..91ff041b99b 100644
--- a/detection-rules/impersonation_okta.yml
+++ b/detection-rules/impersonation_okta.yml
@@ -9,8 +9,8 @@ source: |
 or strings.ilike(sender.email.domain.domain, '*Okta*')
 or strings.ilike(subject.subject, '*Okta*')
 )
- and (
- sender.email.domain.root_domain not in~ (
+ and not(
+ sender.email.domain.root_domain in~ (
 'oktacdn.com',
 'okta.com',
 'okta-emea.com',
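Review bot: In the PATCH 4/4 hunk at `@@ -9,8 +9,8 @@`, the new `and not(` omits the space before the opening parenthesis that every other group in this `source` uses (`and (`, `or (`), so the exclusion reads differently from its neighbours; suggest `and not (`. The group opened here closes in the next hunk, so the complete expression is not visible in this one. The earlier PATCH 3/4 change to `not in~` at `@@ -10,7 +10,7 @@` is superseded by this hunk and is not raised separately.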
@@ -18,8 +18,8 @@ source: |
 'oktapreview.com',
 'polaris.me'
 )
- or any(distinct(headers.hops, .authentication_results.dmarc is not null),
- strings.ilike(.authentication_results.dmarc, "*fail")
+ and any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*pass")
 )
 )
 and any(ml.logo_detect(beta.message_screenshot()).brands,
@@ -46,6 +46,7 @@ source: |
 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
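Review bot: The rewritten exclusion suppresses a listed Okta root domain only when some hop's `authentication_results.dmarc` matches `*pass`, so a message from one of those domains whose DMARC result is absent or `none` keeps evaluating, whereas the `$high_trust_sender_root_domains` exclusion further down in the same `source` (unchanged, outside this hunk) suppresses such a sender unless DMARC matches `*fail`. The two exclusions therefore treat an absent or neutral DMARC result in opposite ways; that may well be intended for a heavily spoofed brand, but nothing in the rule says so. A comment above the `and not(` group, mirroring the existing one on the high-trust block, e.g. `// negate legitimate Okta sending domains only when DMARC passes; an absent or "none" result is not trusted`, would record the intent for the next maintainer. The `and not(` group this hunk completes is opened in the previous hunk, so its head is not visible here.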