Skip to content
Threat Feed
high advisory

Okta Suspicious Session Cookie Use

This detection identifies the suspicious use of a session cookie by detecting multiple client values (IP, User Agent, etc.) changing for the same Device Token associated with a specific user, potentially indicating credential access and unauthorized account access.

This analytic detects the suspicious use of session cookies within Okta environments. The activity is identified by tracking multiple client attribute changes (IP address, User Agent, OS) associated with the same device token and user. This behavior is indicative of an attacker attempting to reuse stolen session cookies. The detection leverages Okta policy evaluation events (policy.evaluate_sign_on) and filters for successful authentication attempts to identify deviations in user behavior. The scope includes any organization using Okta for identity management. Defenders should be aware of this technique as it can bypass multi-factor authentication, granting unauthorized access to user accounts and sensitive resources.

Attack Chain

  1. Attacker gains access to a valid Okta session cookie (e.g., via malware or phishing).
  2. Attacker attempts to authenticate to Okta using the stolen session cookie.
  3. Okta generates a policy evaluation event (policy.evaluate_sign_on) upon successful authentication.
  4. The attacker initiates subsequent login attempts from a different IP address than the original session.
  5. The attacker may also change the User-Agent string (browser/OS) to further mask their activity.
  6. Okta logs these changes in client attributes (client.ipAddress, client.userAgent) associated with the same device token (debugContext.debugData.dtHash).
  7. The detection identifies the multiple client attribute changes, specifically IP address, browser, and OS.
  8. If the activity is not authorized, the attacker gains unauthorized access to the user's Okta account, potentially leading to further lateral movement and data exfiltration.

Impact

Compromised Okta accounts can lead to significant data breaches and unauthorized access to sensitive applications and resources. Attackers can leverage these accounts for lateral movement within the network and access confidential data stored within cloud applications. The number of affected users depends on the scope of the compromised Okta tenant. Organizations in all sectors are potentially vulnerable.

Recommendation

  • Deploy the Sigma rule Okta Suspicious Session Cookie Use to your SIEM and tune for your environment to detect the described activity.
  • Investigate any alerts generated by the Okta Suspicious Session Cookie Use rule, focusing on identifying the source of the session cookie theft and any subsequent unauthorized access.
  • Ensure that Okta logs, specifically OktaIm2 logs, are being ingested through the Splunk Add-on for Okta Identity Cloud to enable the detection (reference: https://splunkbase.splunk.com/app/6553).
  • Monitor Okta policy evaluation events (policy.evaluate_sign_on) for unexpected changes in client attributes (IP address, user agent) associated with the same device token.
  • Review Okta's risk scoring and authentication policies to strengthen defenses against session cookie theft and reuse.

Detection coverage 2

Okta Suspicious Session Cookie Use

high

Detects suspicious use of a session cookie by identifying multiple client IP addresses and/or User Agents associated with the same device token.

sigma tactics: credential_access techniques: T1539 sources: webserver, okta

Okta Multiple Geolocation Anomalies

medium

Detects anomalies in geolocation data associated with Okta authentication events, potentially indicating account compromise or unauthorized access.

sigma tactics: credential_access techniques: T1539 sources: webserver, okta

Detection queries are available on the platform. Get full rules →