Skip to content
Threat Feed
medium advisory

Okta Initial Access via Proxy

Detection of a first-time user session started via a proxy, potentially indicating unauthorized initial access.

This brief addresses the potential threat of unauthorized initial access to Okta environments through proxy servers. While the Elastic detection rule "initial_access_first_occurrence_user_session_started_via_proxy.toml" hosted on GitHub provides a starting point, detailed information regarding specific threat actors, campaigns, or observed exploitation is not available from the provided source material. The focus is on detecting anomalous login behavior where a user establishes a session via a proxy for the first time, which could be indicative of account compromise or an attacker attempting to blend in with legitimate traffic. This alert is particularly relevant as it can highlight unusual access patterns that bypass typical security controls and require further investigation.

Attack Chain

  1. Initial Access via Phishing/Credential Theft: An attacker obtains user credentials through phishing or other credential-stealing methods (hypothetical, as no delivery mechanism is given).
  2. Proxy Server Setup: The attacker configures a proxy server to mask their true IP address and location, potentially to bypass geo-fencing or other access controls.
  3. Okta Authentication: The attacker uses the stolen credentials to authenticate to Okta through the configured proxy server.
  4. Session Establishment: Okta logs the successful authentication and the initiation of a new user session originating from the proxy server's IP address.
  5. Privilege Escalation (Potential): After gaining initial access, the attacker may attempt to escalate privileges within the Okta environment to access sensitive applications or data.
  6. Lateral Movement (Potential): The attacker may use the compromised Okta account to pivot and gain access to other systems or applications integrated with Okta.
  7. Data Exfiltration/Malicious Actions (Potential): The attacker may exfiltrate sensitive data, modify configurations, or perform other malicious actions depending on the compromised account's privileges.

Impact

Successful initial access via a proxy can lead to account compromise, data breaches, and unauthorized access to sensitive applications and resources. The impact will vary depending on the permissions and roles assigned to the compromised user account, but it can potentially affect all users and applications within the Okta environment. The number of affected users is unknown.

Recommendation

  • Deploy the Sigma rule "Okta First Time User Session via Proxy" to your SIEM and tune it to your environment, focusing on identifying legitimate use cases for proxy access (e.g., remote workers) to minimize false positives.
  • Investigate any alerts generated by the Sigma rule "Okta First Time User Session via Proxy" to determine the legitimacy of the proxy access and whether the user account has been compromised.
  • Review Okta access logs to identify other suspicious activities associated with the user account that initiated the session via proxy.
  • Implement multi-factor authentication (MFA) to reduce the risk of unauthorized access even if credentials are compromised (related to initial access).

Detection coverage 2

Okta First Time User Session via Proxy

medium

Detects the first occurrence of a user session started via a proxy server in Okta, potentially indicating unauthorized access.

sigma tactics: initial_access techniques: T1190 sources: web, okta

Okta Session Started from Known Proxy IPs

high

Detects Okta sessions initiated from known malicious or suspicious proxy IP addresses.

sigma tactics: initial_access techniques: T1190 sources: web, okta

Detection queries are available on the platform. Get full rules →