Tom is a Staff Detection and Response Engineer within Okta’s Defensive Cyber Operations team. Tom has spent two decades in the security industry and is an expert at intrusion research, incident response and engineering secure systems, which he’s demonstrated at Okta, TikTok, CrowdStrike, and in the Australian Defence industry. Tom currently holds the GSEC, GCIH and GREM, previously volunteering as a SANS teaching assistant. He enjoys researching the latest trends in adversary tactics and sharing his findings through security research blogs and conference talks.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=58&h=58&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=29&h=29&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=58&h=58&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/il6yytExKSSeXHdwvwkpR/b957a8aaf8f9fa7ec963bb62b6d9e289/tom.png?w=116&h=116&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#080808","width":58,"height":58}}},{"name":"Jordan Ruocco","slug":"jordan-ruocco","jobTitle":"Senior Manager, Okta Cyber Defense Team","id":"cdd9fb32-226d-558d-a986-4084b4f3dc5a","bio":{"bio":"Jordan is a cybersecurity leader specialising in security operations, threat intelligence, and security engineering. With a career in technology that began as a teen, Jordan brings nearly two decades of experience to his role as a Senior Manager within Okta’s Cyber Defense team. He leads an expert group of engineers dedicated to building the defenses and response capabilities required to promptly identify, contain, and evict advanced persistent threats from Okta’s environment.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=15&h=17&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=29&h=34&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=58&h=67&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=116&h=134&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=58&h=67&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=15&h=17&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=29&h=34&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=58&h=67&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4LyCQIOujOjDJDzFjU7aSW/c09849ac8281c32a39dd5d30d58078b2/jordan.jpg?w=116&h=134&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#d8c8a8","width":58,"height":67}}},{"name":"Julie Agnes Sparks","slug":"julie-agnes-sparks","jobTitle":"Senior Security Engineer, Security Research, Datadog","id":"95387d00-f345-53e4-b163-89443cfea8d0","bio":{"bio":"Julie Agnes Sparks is a Senior Security Engineer in the Security Research organization at Datadog. Julie has previous experience on detection and response teams at Brex and Cloudflare with a focus on how to identify attacks, help the organization stay on top of emerging threats, and mature detection processes. She prioritizes involvement and connection in the security community and mentoring women who are entering the field.
"},"image":null},{"name":"Greg Foss","slug":"greg-foss","jobTitle":"Engineering Manager, Threat Detection Engineering, Datadog","id":"060f5c6d-61f5-53b8-b144-1da729bb97cb","bio":{"bio":"Greg Foss is a cybersecurity leader with over 15 years of experience spanning threat research, security operations, and offensive security. As the Engineering Manager of Threat Detection Engineering at Datadog, he leads a team of elite threat hunters and detection engineers, developing cutting-edge defenses against sophisticated cloud-native intrusions by nation-state and criminally motivated adversaries.
"},"image":null}],"title":"Datadog and Okta Combine for New Customer Detections","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Okta and Datadog have collaborated to enhance the Out-of-the-Box (OotB) detection capabilities of Datadog’s Cloud SIEM by including rules from the Okta Security Detection Catalog. These rules have been engineered to enable the identification of identity-related threats with minimal configuration. "},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Comprehensive monitoring of identity activity is crucial to the security of any organization. A compromised identity can lead to widespread data breaches and significant financial loss. However, the challenge for many security teams is that effective detection engineering has historically required significant manual effort and dedicated resources. Analysts are required to observe techniques used for identity-based attacks and then write, test and optimize detections for their Security Information Event Management (SIEM) or logging platforms.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta’s Cyber Defense team is at the forefront of identity attacks, observing and developing new detections and reducing customers’ operational burden. This work is also powering security product innovations such as Okta \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/en-au/products/identity-threat-protection/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Identity Threat Protection\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" (ITP), which continually assesses user sessions using the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/blog/identity-security/oktas-commitment-to-caep-and-ssf-pioneering-secure-interoperable-identity-standards/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Continuous Access Evaluation Profile (CAEP)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" standard and enabling new security automation capabilities. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To further assist Okta customers, in May 2025 we took a foundational step and released the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Security Detection Catalog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", a repository of detection queries and preventative configurations designed to empower Okta customers to proactively identify and prevent potential security threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Today we are announcing a collaboration with the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://securitylabs.datadoghq.com/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Research team at Datadog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to make it even easier to implement these detections.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Together, we have enhanced the Out-of-the-Box (OotB) detection capabilities of \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.datadoghq.com/product/cloud-siem/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Datadog’s Cloud SIEM\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" by including rules from the Okta Security Detection Catalog. These rules have been engineered to enable the identification of identity-related threats with minimal configuration. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Crucially, this partnership is bi-directional. The enhanced logic developed by Datadog’s own Security Research team during this collaboration has been contributed back to the public \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Security Detection Catalog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", ensuring that the broader security community benefits from this joint research regardless of their tooling. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This integration goes beyond simple logging; it utilizes signal correlation, combining multiple signals from Okta’s system log, Identity Threat Protection, and \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-help.helptechsolucoes.com.br/en-us/content/topics/security/threat-insight/about-threatinsight.htm\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"ThreatInsights\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", to provide higher fidelity detections and reduce false positives.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Getting Started\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"These new detection rules are available now in Datadog Cloud SIEM, with plans to add new rules over time. Developed in collaboration between the Okta Detection and Response team and Datadog Security Engineers, these rules can be configured and run directly within the Datadog platform for any organization that ingests Okta System Log events.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"For those who are not Datadog customers, we have ensured this collaboration benefits the wider community as well. All foundational logic developed during this partnership has been contributed back to the public Okta Security Detection Catalog. This allows security teams using other SIEM platforms to review, adapt, and deploy these high-value detections within their own environments.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Preview The New Detections:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" View Datadog’s Out-of-the-Box Default Rules for Okta here.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Ingest Okta System Logs:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Follow the instructions here to integrate Okta with your Datadog instance.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Enable the New Detections:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Ensure the Okta customer detections are active within your Datadog environment.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Review Alerting Policies:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Customize alerting thresholds and notification channels to fit your organisation's needs.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"New Detection Rule Highlights\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To give you an idea of the capabilities now available, here are a few examples of the new rules and the specific identity threats they help detect:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta OAuth mismatched URI\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Tactic:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Credential Access\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Technique:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Steal Application Access Token (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1528/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1528\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\")\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Description: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors failed OAuth access token grant activity where the provided reason is \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"mismatched_redirect_uri.\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Alert severity is increased if Okta’s provided \\\"threat suspected\\\" field evaluates to true. This is critical for detecting adversaries leveraging phishing infrastructure; they may attempt to compromise users by issuing redirects to a phishing domain during the OAuth flow.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta policy rule modified to downgrade MFA\\nTactic: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Defense Evasion\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"\\nTechnique: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Modify Authentication Process: Multi-Factor Authentication (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1556/006/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1556.006\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\")\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"\\nDescription: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors when an administrator updates an Okta policy rule (indicated by a policy.rule.update event). When the previous policy logic did not contain 1FA but the updated logic does, an alert will trigger. A higher‑severity alert is generated when the source IP address has been classified as suspicious or malicious. Downgrading multi-factor authentication (MFA) requirements reduces security posture and can be used by an attacker to maintain persistence or facilitate account compromise via social engineering.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta phone number assigned to multiple users\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Tactic:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Persistence\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Technique:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Account Manipulation: Device Registration (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1098/005/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1098.005\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\")\\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Description: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors phone number enrollment verification by SMS within a short period. The reuse of a single phone number across multiple user accounts is a strong indicator of an attacker trying to maintain persistence or enroll a controlled device across compromised accounts.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Okta temporary password granted and MFA reset\\nTactic: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Persistence\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"\\nTechnique: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Account Manipulation (\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://attack.mitre.org/techniques/T1098/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"T1098\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\") \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Description: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"This rule monitors Okta account recovery and factor administration events, alerting when both user.account.expire_password and user.mfa.factor.reset_all succeed for the same account. When an administrator expires a user password, they may generate a temporary password which an attacker can use to login and set their own. If factors are also reset, the attacker can register their own MFA devices. This behavior is a strong signal of account takeover, especially when stemming from uncommon locations or hosting provider IP addresses.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Conclusion\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"In a decentralized cloud environment, identity sprawl can quickly lead to chaos. Okta brings structure to this landscape by centralizing access, provisioning, and governance across an organization’s entire application stack.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Because Okta is the chosen platform for protecting access to these critical resources, administrative access to Okta must be treated as highly privileged. Just as you monitor your most sensitive infrastructure, monitoring the platform that governs access to it is a fundamental security practice.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Together, Okta and Datadog enable organizations to safeguard this centralized control point, arming security teams with the high-fidelity signals and pre-built intelligence needed to detect and respond to threats at scale in real-time.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Resources:\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta Security Detection Catalog:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/okta/customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://github.com/okta/customer-detections\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Okta Identity Threat Protection:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/en-au/products/identity-threat-protection/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://okta-www.helptechsolucoes.com.br/en-au/products/identity-threat-protection/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \\n\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"Datadog Default Rules for Okta:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://docs.datadoghq.com/security/default_rules/?search=okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://docs.datadoghq.com/security/default_rules/?search=okta\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\"\\nDatadog Cloud SIEM: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.datadoghq.com/product/cloud-siem/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"https://www.datadoghq.com/product/cloud-siem/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2026-02-11T04:22:55.937Z","slug":"/articles/2026/02/st-detecting-openclaw","node_locale":"en","date":"2026-02-11T00:00","secAuthor":[{"name":"Okta","slug":"okta","jobTitle":"","id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"Detecting OpenClaw at Sign-In","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Okta Verify has a neat trick under the hood that can help you identify the use of personal AI assistants and other \"not just yet\" software."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If like most organizations you are still coming to grips with the implications of what personal AI assistants like OpenClaw mean for your security posture, you might need to at least identify where they are being used.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Turns out Okta Verify can do that for you.\\n\\nAdvanced posture checks is an early access feature in the Okta Verify client that gives administrators the ability to write custom rules that evaluate device hygiene at sign-in. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Administrators can write simple osquery checks that evaluate, for example:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Persistant services and installed apps\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Currently running processes\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The presence of configuration files and binaries in common installation paths.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Installs of Homebrew or npm packages\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Listening ports\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Docker images and artifacts \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"There are multiple ways you can apply this to something like OpenClaw, and lots of good reasons to do it.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"A personal AI assistant doesn’t need to be malicious or vulnerable for you to want to wrap some policy around its use on corporate-issued devices. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"blockquote\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"For a list of sample queries relevant to OpenClaw, head over to the Okta Threat Intelligence blog:\\n\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/blog/threat-intelligence/detecting-openclaw-advanced-posture-checks/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"https://okta-www.helptechsolucoes.com.br/blog/threat-intelligence/detecting-openclaw-advanced-posture-checks/\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2026-02-03T14:00:10.572Z","slug":"/articles/2026/02/okta-STIG-hardening-nhi","node_locale":"en","date":"2026-02-03T08:00","secAuthor":[{"name":"Rob Gil","slug":"/hackers/rob-gil","jobTitle":"Sr. Director, Federal Architecture","id":"96970804-8b58-5b39-9146-0928bc8a399b","bio":{"bio":"Rob Gil is a Sr. Director, Federal Architecture at Okta and is responsible for leading the Public Sector technology initiatives for FedRAMP, DoD Impact Levels, and StateRAMP. Prior to Okta, Rob worked on the JEDI project for the DoD Cloud Computing Program Office as well as leading the Cloud SecOps team at Elastic. Rob’s work at Elastic helped set the foundations for the Elastic SIEM as an initial core contributor to the Elastic Common Schema and first version of the Elastic SIEM. Before Elastic, Rob led operations and engineering teams at Salesforce and a variety of financial institutions. When not working, Rob enjoys the quiet life on his homestead and dabbling with tech.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/11kEKbX276TFKp9aj2o5MB/798256469b0fb164973e5cb213df4fc6/Rob_Gil_Headshot.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8e8","width":58,"height":58}}},{"name":"Naveed Mirza","slug":"/hackers/naveed-mirza","jobTitle":"Senior Solutions Architect","id":"110196ee-f45a-5ada-b02c-40d591fa732c","bio":{"bio":"Naveed is a Senior Solutions Architect at Okta, focusing on the DoD and Federal customer base. He has worked in cybersecurity since leaving the US Navy in the late 1990s. Before coming to Okta, Naveed was a consultant for several DoD customers, and he continues to offer advice via active participation in the DoD community. He grew up in Stafford, Virginia, and upon returning from active duty, took up residence there once more. In his free time, he enjoys beer brewing, gaming, and the occasional date night with his wife.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=15&h=16&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=29&h=32&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=58&h=63&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=116&h=126&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=58&h=63&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=15&h=16&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=29&h=32&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=58&h=63&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6UBnEaJwXGbMNzXI390g4S/4c4c0cad86f4f7da055e92405db05ac2/Naveed_Mirza_Headshot.jpg?w=116&h=126&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#c8d8d8","width":58,"height":63}}},{"name":"Brandon Iske","slug":"/hackers/brandon-iske","jobTitle":"Principal Solutions Architect","id":"76ecc069-7d69-5aa8-a81d-cf72595f683e","bio":{"bio":"Brandon Iske is a Principal Solutions Architect focused on enabling Federal Government and strategic accounts at Okta. He is passionate about strengthening our nation’s cybersecurity and user experience through Identity-focused IT modernization and cyber best practices. Before joining Okta, Brandon worked for over a decade in government public service to deliver and secure joint Department of Defense enterprise capabilities in endpoint security, mobile management, identity and access management, and Zero Trust architecture at the Defense Information Systems Agency. He earned a Bachelor’s Degree in Computer Science from the University of Nebraska at Omaha. He is also a National Science Foundation CyberCorps Scholarship for Service Alumnus and an Okta Certified Professional.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5UjVohmErip1kidEotcSrT/159aad6c3a255e465aed93ecbd75d626/Brandon_Iske_Headshot.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#b8c8c8","width":58,"height":58}}}],"title":"Okta Hardening Guide Updated to Secure Non-Human Identities","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Version 1.1 of the Okta Security Technical Implementation Guide (STIG) provides U.S. government agencies additional hardening recommendations related to network security and non-human identities.\n"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is proud to announce the latest version (1.1) of the Okta Security Technical Implementation Guide (STIG), which provides U.S. government agencies additional security hardening recommendations related to network security and non-human identities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"First published by Okta and the U.S. Defense Information Systems Agency (DISA) in \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-sec.helptechsolucoes.com.br/articles/2025/05/oktas-new-stig/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"March 2025\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", the Okta Identity as a Service (IDaaS) STIG provides instrumental hardening guidance for identity and security practitioners.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The new checks introduced in version 1.1 are critical for securing service accounts, integrations, users, automation, and AI agents. This updated guidance provides security mitigations in addition to protocols like \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://datatracker.ietf.org/doc/html/rfc9449\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"DPoP\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/integrations/cross-app-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cross App Access\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With the updated version of the STIG, we introduce five new checks. These checks are important in the efforts to protect NHI use cases as well as aligning with the latest version of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.cyber.mil/dccs/dccs-documents\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"DoD Cloud Computing Security Requirements Guide (CC SRG)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". One update to the CC SRG is: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Section 5.9.3.1\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"blockquote\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"“…PaaS/SaaS offerings must ensure that exposing any allowlisted services does not enable all Mission Owner or tenants internet facing access by default. This can be accomplished through implementing internal firewall rules, proxies or other solutions that are compatible with the CSOs specific infrastructure and offerings.”\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For commercial entities reading this, it essentially means don’t open your services to the internet by default. Our updated guidance provides the checks to help lock down access by IP, IP Range, or Geographic location. In addition to the network restrictions, we added a check to help block ‘anonymized proxies’, which are often a source of malicious traffic. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The FedRAMP Program Management Office (PMO) requires Cloud Service Providers (CSPs) to provide “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.fedramp.gov/docs/rev5/balance/recommended-secure-configuration/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommended Secure Configuration\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"” related to their service offerings. The Okta IDaaS STIG is Okta’s “Recommended Secure Configuration.” The benefit of doing a STIG is the additional independent validation and assessment provided by DISA. Our collaboration with DISA has been extremely valuable. We share the mission of helping our customers become as secure as possible. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Commercial customers should take a risk-based approach to determine which STIGs to apply. We understand that commercial CSPs and vendors will often pursue maximum compatibility for customers, nevertheless these additional checks can be used for all privileged access (administrative and NHI) use cases. These are the kinds of checks that Okta leveraged to help prevent attacks, such as the recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/newsroom/articles/the-salesloft-incident--a-wake-up-call-for-saas-security-and-ips/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Salesloft Drift\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/newsroom/articles/first-drift--now-gainsight--closing-the-gaps-in-saas-hygiene/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Gainsight\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" attacks. These checks are specific to Okta’s offerings, but the same approach should be used for other service offerings. We hope these checks will serve you as well as they have served Okta. At the end of the day, this is a ‘least privilege’ issue. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Five Additional Checks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta API tokens must be configured with Network Zones to restrict authorization from known networks. API tokens are almost always privileged and sensitive. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This check helps to verify that for all Okta-specific API tokens, an IP restriction is in place to help confirm that if a token is compromised, it cannot be used from an unapproved IP. Typically, a customer would configure this to be either VPN/SASE IP ranges, datacenter (cloud) ranges, or known office ranges. These should be configured to known and “owned” contiguous IP space. In the case of cloud, it should be a known contiguous IP range that is allocated only to your organization. Allowlisting the entire IP range of a public cloud service provider like AWS, Google or Azure would not be appropriate. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta API tokens must be created under dedicated user accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This is an Okta-specific check to help confirm that API tokens (NHI) are under a dedicated account that is not tied to an administrator. This aims to reduce privileges for NHIs and check if they are appropriate for their use cases. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta Global Session policy must be configured to allow or deny IP based access in accordance with the Access Control policy for Okta.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This check helps confirm that a Global Policy is defined for your users. In many companies, workforce users should only request resources from approved VPNs or SASE services (i.e. not from the general internet). In the DoD use cases, this may be restricted to NIPRNet or other approved networks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta must be configured with Network Zones defined to block anonymized proxies according to organizational defined policy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Anonymized proxies are often a source of malicious traffic. Blocking this from the outset can help reduce probes as well as attack vectors. As a commercial customer, you may want to allow anonymized proxies for maximum reach and compatibility, but consider blocking them for privileged use cases. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For each application integrated with Okta, network zones must be defined in its authentication policy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This check helps to confirm that every application configured in an Okta organization takes IP restrictions into consideration. Does it really need to be accessible to any malicious actor on the internet? Customers should take a risk-based approach and work to verify that network restrictions are appropriate for the accessibility and use cases. The default is to allow internet access to the application; so, care should be taken to evaluate whether that is appropriate for the application.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Call to Action\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend customers assess their Okta organizations against the updated STIG. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The Okta IDaaS STIG is available to download at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://public.cyber.mil/stigs/downloads/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://public.cyber.mil/stigs/downloads/\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", search for Okta. If you have feedback on the STIG, please contact \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:fedramp@okta.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"fedramp@okta.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2026-01-12T23:56:33.135Z","slug":"/pooledauditretro","node_locale":"en","date":"2026-01-12T00:00","secAuthor":[{"name":"Tushar Badlani","slug":"/hacker/tushar-badlani","jobTitle":"Global Customer Audit Manager","id":"0549c9bd-5615-52a0-8683-f6b734b931cc","bio":{"bio":"Tushar Badlani is the Global Customer Audit Manager within the Security Trust and Culture team at Okta. He leads Okta’s global customer audit program, ensuring consistent, risk-aligned assurance engagements across all regions. He brings extensive experience in customer assurance, compliance, and cross-functional collaboration, shaped by his consulting background at EY and work across industries and in professional services. Originally from India, he earned his master’s degree from Syracuse University and is now based in San Francisco. Outside of work, he enjoys hiking, backpacking, and travelling to explore new places and cultures; he’s now been to 27 countries and 45 US States.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/61duT68OiTwHjxJS8gPPuy/f02be27b559de0ada96a7902d219f067/Tushar_HeadShot.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"Okta Pooled Security Audits: a One-Year Retrospective ","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Okta and its customers are benefitting from \"pooled\" security audits."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Customer audit is evolving beyond the traditional one-to-one audit model. When Okta's Customer Audit team first published \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-sec.helptechsolucoes.com.br/articles/2025/06/paving-the-path-pooled-audits-with-okta-security/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Paving the Path: Pooled Audits with Okta Security\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" last year, we shared our vision for moving beyond the limitations of siloed assessments. Today, as successive SaaS supply chain attacks continue to ring alarm bells across the industry, that strategic vision is now a reality.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This year-in-review retrospective demonstrates how our pooled audit methodology has become a powerful mechanism for collaborative peer discussion - raising the bar for supply chain security for both Okta and our customers. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"The Rationale: Designed to be Different \",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Traditional audit models create a heavy, linear burden: each customer audit request requires Okta's security team to provide a tailored evidence package in response. Our pooled audit program was designed to break the status quo. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We measure success based on the program's ability to minimize redundant effort for our internal teams, while offering customers something a traditional audit cannot: context and community. By shifting to this model, we deliver assurance faster, but also provide a forum for peer-to-peer exchange that turns a compliance checkbox into a strategic value-add . \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Quantifying Success: The Metrics Validating the 1:Many Shift\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our results validate the success of the pooled audit program. We track several KPIs that demonstrate a consistent, positive shift in our compliance efficiency and translate to business impact for customers.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Most notably, participant feedback highlights the quality and effectiveness of the new model. In our post-audit survey, customers indicated:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"94% reported feeling supported in achieving their organizational compliance and assurance goals, and\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"98% reported a high level of confidence in Okta as a security partner.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our KPIs demonstrate program efficiency across the following strategic priorities;\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Key Performance Indicator (KPI)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Trend (1-Year Retrospective)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Business Impact\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Individual Audit Request Burden\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"As more customers participate in the pooled audit program, Okta's security team has been able to assist additional customers with unique requirements. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Demonstrates the successful transition from a 1:1 service model to a scalable, sustainable 1:Many approach, freeing up the team to support new audits.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Pooled Audit Participation Rate\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Increase in the number of customers participating in a single pooled session.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Proves the scalability and value of the program, resulting in a higher number of customers supported.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Customer Audit Days Saved\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Significant reduction in total FTE-days required from Okta Security supporting 1:1 audits. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Cost avoidance, allowing the team to focus on other value-add work. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Time-to-Assurance (TTA)\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Consistent decrease in the average time required for a participating customer to receive full audit assurance.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Accelerated compliance: Enables customers to meet their regulatory deadlines faster.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"table-cell\"}],\"nodeType\":\"table-row\"}],\"nodeType\":\"table\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Supply Chain Assurance\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Beyond compliance, the validation of the pooled audit program is its role in educating customers about current threats, and Okta’s best practice guidance to defend identities. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Audit sessions deep-dive into the controls that close the gaps exploited in the recent compromises of \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/newsroom/articles/the-salesloft-incident--a-wake-up-call-for-saas-security-and-ips/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Salesloft\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/de-de/newsroom/articles/first-drift--now-gainsight--closing-the-gaps-in-saas-hygiene/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Gainsight\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", specifically validating our adherence to the five pillars of SaaS hygiene: \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Strong authentication,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Strong identity governance,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Interactive session security,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Non-interactive session security, and\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Strong auditability.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"ordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"By aligning these technical verifications against global regulatory expectations (e.g. for financial services: DORA, APRA or NYDFS), the program does more than prove compliance; it provides customers with high-assurance evidence that their critical identity vendor is built to withstand and recover from major supply chain disruptions.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Deep-Dive Assurance at Scale\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The strategic value of the pooled audit program extends beyond efficiency; it redefines the depth of assurance. We move beyond static document exchanges, and instead host multiple industry-specific customers for multi-day, hands-on sessions to collectively assess our controls against their regulatory expectations. We encourage peer challenge, and this peer review makes us stronger. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our recent engagements with financial services customers prove out this model. These were detailed, collective assessments across nine critical domains key to operational resilience and security.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The result is genuine assurance in a peer setting, offering value exceeding a compliance checkmark. By delivering granular, domain-specific coverage for specific regulations, we reduce reliance on bespoke, time-consuming customer audits in favor of a better outcome. Okta’s pooled audit methodology is increasing the depth of scrutiny our controls receive. Good for customers, and good for Okta. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Conclusion: A Call for a New Industry Norm\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We have transitioned from \\\"paving\\\" to \\\"practice\\\". The pooled audit program is no longer just an efficiency initiative; it is the assurance mechanism that informs our customers’ supply chain security posture and offers Okta valuable customer insight in a peer-to-peer forum. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"However, this success shouldn't be unique to Okta. This is our call to action for the wider SaaS industry in making the Pooled Audit model the norm, and not the exception. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We invite Okta customers to be part of this evolution: reach out to your account team today to join our next pooled audit cohort for your industry.\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"By adopting this shared assurance approach, we can collectively reduce the compliance burden on customers, eliminate redundancy, and focus our resources on what truly matters — securing the ecosystem against evolving threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2025-12-11T23:14:03.223Z","slug":"/articles/2025/12/account-recovery-without-password-resets","node_locale":"en","date":"2025-12-10T00:00","secAuthor":[{"name":"Brett Winterford","slug":"brett-winterford","jobTitle":"VP, Okta Threat Intelligence","id":"e0099522-136e-5003-b6a5-f4499896bf19","bio":{"bio":"Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in the Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity. Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=15&h=12&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=29&h=24&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=58&h=47&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5cVIStynit3itWxHA4pv8S/8e8e647b20b34abcaff72ee837cb797c/Brett_20Resized.jpg?w=116&h=94&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#887808","width":58,"height":47}}}],"title":"Account Recovery, without Password Resets","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Temporary Access Codes provide an opportunity to constrain the ability of help desk staff to reset user passwords and MFA factors."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the joys of passwordless authentication is the huge reduction in help desk tickets arising from users who have forgotten or otherwise can’t access their passwords.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations that have embraced \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-help.helptechsolucoes.com.br/oie/en-us/content/topics/identity-engine/devices/fp/fp-main.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta FastPass\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" report lower costs of support after the initial hurdle of getting their users enrolled. They also report greater confidence in their security posture, knowing that access to sensitive resources requires a tight coupling of a user and their device.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Those organizations that continue to rely on passwords as a primary authenticator still have good options for securing sign-on events: they can lock down sign-ins using device trust and multifactor authentication, among other options. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In any case, strong \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-help.helptechsolucoes.com.br/oie/en-us/content/topics/identity-engine/policies/about-policies.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"sign-in policies\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" shift the threat actor’s available options to the next weakest point in the user lifecycle: enrollment and account recovery. Threat actors continue to enjoy success when impersonating users in calls to IT helpdesks, requesting the service desk staff perform a password reset (typically followed by follow-up calls to reset other MFA factors).\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These attacks are often successful in organizations with outsourced service desks. Outsourced IT service desk professionals are highly incentivized around how responsive they are to client needs. In doing so they are highly vulnerable to a skilled social engineer who impersonates a senior figure in a client organization. While it’s the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://arstechnica.com/security/2025/07/how-do-hackers-get-passwords-sometimes-they-just-ask/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"subject of some debate\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", it’s the client organization’s duty to set up outsourced service desk professionals with the guardrails they need to withstand social engineering attacks. Those guardrails need to include strong identity verification processes, which present challenges in a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/newsroom/articles/verifying-identity-remote-workforce/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"remote and extended workforce\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \\n\\nTo help solve this problem, Okta has partnered with \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-help.helptechsolucoes.com.br/oie/en-us/content/topics/security/idp-idv.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"multiple identity verification providers\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-sec.helptechsolucoes.com.br/articles/2025/06/building-confidence-in-support-comms-with-caller-verify-at-okta/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"specialists in recovery workflows\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to prove the identity of an inbound caller. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once a user’s identity is verified, the next question is how to provide support desk personnel with a safe way to recover access for the user. That’s where \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-help.helptechsolucoes.com.br/oie/en-us/content/topics/identity-engine/authenticators/configure-temporary-access-code.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Temporary Access Codes (TACs)\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" come in very handy. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Constraining account recovery\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Even if you have sufficiently verified the identity of an inbound caller, there are residual risks associated with service desk professionals being asked to create and share temporary passwords. A temporary password can be shared or intercepted and abused prior to use and rotation by the legitimate account holder.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Ideally, any use of temporary credentials is constrained to an expected context. A TAC, unlike a temporary password, is a time-bound secret that is classed in Okta as an authenticator, which means it can be subject to authentication policies. Administrators can decide, for example, which users are able to be issued a TAC, how long the TAC is valid for use, and from what location and device a TAC can be used. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"TACs bring an important account recovery option to passwordless environments, where a misplaced security key or other possession factor may temporarily prevent a user from accessing their resources. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But the utility of a TAC doesn’t end there. Any Okta workforce customer now has the option to disable the issuing of temporary passwords or resetting of passwords and MFA factors from front-line helpdesk roles. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I’ve previously \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-sec.helptechsolucoes.com.br/articles/2023/09/go-secure-default-custom-admin-roles-it-support-staff/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recommended the use of custom admin roles\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to create helpdesk roles that constrain the ability of service desk professionals to reset the factors of privileged users like administrators. Now there’s an opportunity to go one step further and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-support.helptechsolucoes.com.br/help/s/article/create-custom-admin-roles-for-user-account-recovery-processes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"create custom admin roles that can’t reset passwords or factors\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The custom helpdesk role would need, at minimum:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to read user information (“View Users and their Details”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to add a user to a specific group of users that are eligible for assigning Temporary Access Codes (“Edit user’s group membership,” “View groups and their details,” “Manage group membership”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The ability to issue Temporary Access Codes (“Manage user's Temporary Access Code”)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"More crucially, the custom helpdesk role would \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"no longer need\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" to be assigned permissions to:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reset a user’s password (“Reset users' passwords”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Assign a temporary password to a user (“Set users' temporary password”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Reset the MFA factors of a user (“Reset users' authenticators”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enroll a user in MFA (“Enroll users' authenticators”)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Once an inbound caller has verified their identity, a TAC issued to a user for account recovery could be constrained to be:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only valid for a few minutes\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only used in conjunction with another previously enrolled factor (“authenticator method chaining”)\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only used from a specific set of locations\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Only used from a registered or managed device\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For guidance on how to use TACs as an account recovery factor, please refer to the following \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-support.helptechsolucoes.com.br/help/s/article/create-custom-admin-roles-for-user-account-recovery-processes\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"help desk article\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-12-05T12:38:36.424Z","slug":"/okta-response-to-react2shell","node_locale":"en","date":"2025-12-05T00:00","secAuthor":[{"name":"Okta","slug":"okta","jobTitle":"","id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"Okta’s Response to React2Shell","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Read on for Okta’s response to React2Shell (CVE-2025-55182) and to learn more about actions required by developers."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On December 3, 2025, the maintainers of React and Next.js disclosed a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2025-55182\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") with a CVSS score of 10.0.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vulnerability impacts versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of RSC, as well as all frameworks that support React Server Components, including Next.js (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nextjs.org/blog/CVE-2025-66478\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2025-66478\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s Response\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has upgraded all production systems to fixed versions,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta has published actions required for application developers that rely on \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://a0-support.helptechsolucoes.com.br/center/s/article/developer-statement-react-server-components-critical-vulnerability-cve-2025-55182-action-required\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-support.helptechsolucoes.com.br/help/s/article/Developer-Statement-React-Server-Components-Critical-Vulnerability-CVE-2025-55182-Action-Required-Okta?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" SDKs to build React or Next.js applications,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While we have detected opportunistic scanning activity on non-vulnerable systems, we have not observed successful exploitation of this vulnerability against Auth0 or Okta services. \\n\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Action for Auth0 and Okta SDKs users\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For actions required and developer guidance, please refer to the appropriate KnowledgeBase article:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://a0-support.helptechsolucoes.com.br/center/s/article/developer-statement-react-server-components-critical-vulnerability-cve-2025-55182-action-required\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0 React Server Components Critical Vulnerability (CVE-2025-55182) Action Required\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-support.helptechsolucoes.com.br/help/s/article/Developer-Statement-React-Server-Components-Critical-Vulnerability-CVE-2025-55182-Action-Required-Okta?language=en_US\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta React Server Components Critical Vulnerability (CVE-2025-55182) Action Required\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-09-15T23:07:15.355Z","slug":"/articles/uncloakingvoidproxy","node_locale":"en","date":"2025-09-11T00:00","secAuthor":[{"name":"Houssem Eddine Bordjiba","slug":"/hackers/houssem-eddine-bordjiba","jobTitle":"Senior Identity Threat Intelligence Engineer","id":"28e977b7-7d49-5b94-a4ef-2ef866bf23e0","bio":{"bio":"Houssem Eddine Bordjiba is a Senior Identity Threat Research Engineer at Okta, bringing over a decade of expertise in cyber threat intelligence and threat hunting. He focuses on tracking threat actor activities and leading investigations into their motivations, tactics, techniques, and procedures (TTPs). His deep understanding of adversaries' motives and TTPs allows him to provide actionable intelligence that strengthens the defenses of Okta and its customers against evolving cyber threats. Houssem holds a Master's degree in Information Systems Security (MASc) from Concordia University in Montreal, Canada. Outside of work, Houssem enjoys an active lifestyle, pursuing his passions for soccer, martial arts, and various outdoor activities.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=15&h=16&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=29&h=31&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=58&h=61&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=116&h=122&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=58&h=61&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=15&h=16&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=29&h=31&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=58&h=61&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/78BflQYRAMZ06yNpD88cFj/80dbc1c31b0c5a9e8b0d9f40d023c3c4/Screenshot_2025-10-09_at_11.11.41â__AM.png?w=116&h=122&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8e8","width":58,"height":61}}}],"title":"Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Take a peek inside the latest AitM phishing kit."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence has published a detailed analysis on a previously unreported Phishing-as-a-Service (PhaaS) operation, which its authors name \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"VoidProxy\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VoidProxy is a novel and highly evasive service used by attackers to target Microsoft and Google accounts. The service is also capable of redirecting accounts protected by third-party single sign-on (SSO) providers like Okta to second-stage phishing pages. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"VoidProxy represents a mature, scalable and evasive threat to traditional email security and authentication controls. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The service uses Adversary-in-the-Middle (AitM) techniques to intercept authentication flows in real-time, capturing credentials, MFA codes and any session tokens established during the sign-in event. This capability can bypass the protection of several common MFA methods, such as SMS codes and one-time passwords (OTP) from authenticator apps.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By offering this sophisticated PhaaS, VoidProxy lowers the technical barrier for a wide range of threat actors to execute AitM phishing attacks. Accounts compromised using PhaaS platforms facilitate numerous malicious activities such as Business Email Compromise (BEC), financial fraud, data exfiltration and lateral movement within victim networks.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In all attacks we observed, users enrolled in phishing-resistant authenticators (in this case, Okta FastPass) were unable to share credentials or sign-in via VoidProxy infrastructure, and were warned that their account was under attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The VoidProxy platform has been able to evade analysis until this point by using multiple layers of anti-analysis features, including compromised email accounts, multiple redirects, Cloudflare CAPTCHA challenges, Cloudflare Workers and dynamic DNS services. Our understanding of VoidProxy arose from Okta’s unique ability to detect and alert on phishing attacks in customer environments where FastPass is used, as well as the dedicated work of our threat analysis and research team. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Below, we summarize each anti-analysis technique, analyze the attacker’s infrastructure, and offer recommendations to defend against this threat. A \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-security.helptechsolucoes.com.br/product/okta/uncloaking-voidproxy-phaas-framework\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"complete threat advisory\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", available to Okta customers at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-security.helptechsolucoes.com.br/product/okta/uncloaking-voidproxy-phaas-framework\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta-security.helptechsolucoes.com.br\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", also includes:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An in-depth, 20-page analysis of VoidProxy PhaaS infrastructure\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A peek inside the attacker’s admin panel\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Indicators of Compromise that identify threat actors known to be using the service. These indicators have been uploaded to Identity Threat Protection, a service that enables Okta customers to take in-line responses to user interactions with this infrastructure. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A VoidProxy attack, step-by-step\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage 1: Delivery and lure\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the first phase of attacks we observed, phishing lures were sent from compromised accounts of legitimate Email Service Providers (ESPs) such as Constant Contact, Active Campaign (Postmarkapp), NotifyVisitors, and others, leveraging the reputation of these accounts to bypass spam filters.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Embedded in each phishing email were links to URL shortening services (such as TinyURL), which would each be redirected a number of times before the user is directed to first-stage landing sites in order to evade automated analysis.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5N67hYr5CYWtdJabKPPzHn\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 1. URLscan data showing the redirects from a tinyurl link to the phishing domain\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These first-stage phishing pages are hosted on domains registered with a variety of low-cost, low-reputation TLDs, such as .icu, .sbs, .cfd, .xyz, .top, and .home. This strategy minimizes operational costs and allows the attackers to treat the domains as disposable assets, quickly abandoning them once they are identified and blocklisted. The phishing sites are placed behind Cloudflare, effectively hiding the real IP address of the phishing site's server and making it much harder for security teams to trace and take down the malicious host.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stage 2: Evasion and lure loading\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Before any first-stage landing sites load, the user is presented with a Cloudflare CAPTCHA challenge to determine if the request is from an interactive user or a bot.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5J57QOckBsKqXbu88FViQC\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 2. Cloudflare CAPTCHA challenges presented on a phishing domain\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The targeted user’s browser then communicates with a Cloudflare Worker (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"*.workers.dev\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"). We assess that this worker is likely to act as a gatekeeper and lure loader. Its primary functions are to filter incoming traffic and to load the appropriate phishing page for any given target. This architecture separates initial filtering from the core phishing operations of the campaign. Once a challenge is passed, the user is presented with a phishing page, which is a perfect replica of a legitimate login portal. \\n\\nFirst-stage phishing sites follow a consistent domain registration pattern, as described in the captions below:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3Co59Y6nNpjeVG8dFq7zKt\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 3. Domain pattern for Microsoft phishing pages: \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"login.Daniel López is a Cyber Threat Researcher at Okta, where he focuses on tracking threat actor activity and the evolving threat landscape to best protect Okta’s employees and customers. Prior to joining Okta, Daniel worked at international companies across the consulting, financial services, and technology sectors. He enjoys participating in trusted infosec groups, continuously learning (both tech and non-tech topics), and staying physically active.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=58&h=58&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=29&h=29&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=58&h=58&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5TRBUU3rk3GJGj4L5naq6U/47bc1a7014e29ab8e1407dadf672ab20/Daniel_Lopez.png?w=116&h=116&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#182828","width":58,"height":58}}}],"title":"Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Russia-linked campaign targets hospitality and vacation rental providers."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Threat Intelligence is tracking a large-scale phishing campaign that has impersonated at least a dozen service providers that specialize in hotels and vacation rentals. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search. The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We observed at least thirteen hospitality companies impersonated with these lures.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Initial Access\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We observed campaigns in which malvertising - the purchase of malicious search engine advertisements – was used to lure unsuspecting users of the impersonated hospitality or vacation rental company. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For instance, a search query for the name of one of these companies might display a number of sponsored ads that direct users to a malicious site:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"6KchhSwDXuhaoDciF41oew\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 1. Example of malvertising showing two fake websites promoted above a legitimate domain\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"3Wyhfx7OsROvwh75NTrpi\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 2. Example of malvertising directing users to another phishing site \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Observed domains used a typosquatting variation of the legitimate website. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A user that navigates to one of these malicious domains is presented a fake login page. We observed a large number of phishing sites that impersonated at least thirteen hospitality companies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5jJtfPCU4pQjaDTnSZoprA\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 3. Oracle Hospitality was one of numerous service providers impersonated\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Based on the targeting and nature of the phishing lures, the campaign appears designed to compromise accounts for cloud-based property management and guest messaging platforms.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tactics, Techniques and Procedures\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The objective of the first stage of the campaign is credential harvesting. The phishing pages were configured to capture usernames, email addresses, phone numbers and passwords. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The observed activity demonstrates an intent to bypass or capture multi-factor authentication (MFA) codes. For instance, some phishing pages explicitly prompt for \\\"One time password\\\" or offer \\\"Sign in with SMS Code\\\" and \\\"Email Code\\\" options.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"4kmrDtDymbOoVI9eyhsscW\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 4. Screenshot of a phishing website impersonating Airbnb\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"29OuDoCcHLs7eZpV56RJbQ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Figure 5. Once a phone number is entered, the phishing page prompts for OTP codes sent via SMS\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Inspecting the source code of these websites, we can observe the following text: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[{\"type\":\"code\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The error message “Ошибка запроса” (“Request error”) and comment “Запускаем запрос каждые 10 секунд” (“We start the request every 10 seconds”) suggest the possibility of Russian-speaking actors behind this campaign. The campaign also employed a large Russian datacenter proxy provider during attacker sign-in activity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The campaign also employs a beaconing technique for tracking and analytics. This allows the attacker to gather valuable real-time information about the victims who have landed on the phishing page, including: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Visitor Analytics\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Geolocation & Targeting\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Session Duration\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bot Detection\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Status Monitoring\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta customers can access a detailed set of indicators of compromise by selecting Okta Threat Intelligence at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-security.helptechsolucoes.com.br/product/okta/hospitality-firms-impersonated-in-malvertising-phishing-campaign \"},\"content\":[{\"nodeType\":\"text\",\"value\":\"okta-security.helptechsolucoes.com.br\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\".\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Mitigating Controls\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Enrol customers and partners in the strongest available authenticator, prioritising possession factors like passkeys to introduce phishing resistance while minimizing user friction. Enroll workforce users in strong authenticators such as Okta FastPass, passkeys (FIDO2 WebAuthn) and smart cards and enforce phishing resistance in policy. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Deny or require higher assurance for requests from rarely-used networks. \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Identify and automate responses to requests for access to applications that deviate from previously established patterns of user activity using adaptive risk assessments.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Monitor suspicious domain registrations to observe any changes in the content served up to users. Review application logs for any evidence of communication with suspicious domains. If content hosted on the domain violates copyright or legal marks, consider providing evidence and issuing a takedown request with the domain registrar and/or web hosting provider.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Warn users when malvertising and phishing campaigns appear to be targeting your brand.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Notify end users if suspicious activity is observed on their account.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Moussa Diallo contributed to this research.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]}]}"}},{"updatedAt":"2025-08-27T08:29:13.811Z","slug":"/articles/2025/08/auth0-detection-catalog","node_locale":"en","date":"2025-08-19T00:00","secAuthor":[{"name":"Maria Vasilevskaya","slug":"/hackers/maria-vasilevskaya","jobTitle":"Principal Security Engineer","id":"5b413046-3f81-5938-bcaf-2631feccae6a","bio":{"bio":"Maria Vasilevskaya is a leading Identity Defense Security Engineer at Okta. With her extensive experience in identity security, she has held diverse roles including security executive advisory, professional consulting services, identity and security solutions architecture, and solutions engineering. Her primary objective at Okta is to empower customers in maintaining robust security postures by offering expert assistance during critical incidents and providing strategic advice on implementing security practices to prevent future crises.
"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=15&h=16&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=29&h=31&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=58&h=61&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=116&h=122&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=58&h=61&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=15&h=16&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=29&h=31&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=58&h=61&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5I9s1hF8KWpGBmULB45xsz/0c88ef2e82d499d9b21fe261bdc645d0/Maria_Vasilevskaya_1753479368125001xuTE.png?w=116&h=122&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#c8d8d8","width":58,"height":61}}}],"title":"Using Auth0 Logs for Proactive Threat Detection","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"The Auth0 Customer Detection Catalog is an open-source repository of detection rules designed to help the security teams at Auth0 customers to proactively identify and respond to security threats."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We are thrilled to announce the launch of the\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\" Auth0 Customer Detection Catalog\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", an open-source repository of detection rules designed to help the security teams at Auth0 customers to proactively identify and respond to security threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This catalog, now \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"available on GitHub\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", is a powerful complement to Auth0’s\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Center\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and existing\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://auth0.com/docs/secure/security-center/security-alerts\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"security monitoring alerting\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" offerings. The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The catalog provides a growing collection of pre-built queries, contributed by Okta personnel and the wider security community, that surface suspicious activities like anomalous user behavior, potential account takeovers and misconfigurations.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This resource is ideal for a variety of users, including:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Tenant administrators and developers:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Security-focused rules helping administrators to catch unintentional misconfigurations early.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"DevOps teams:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Incorporate advanced security monitoring into your existing operational workflows.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Security analysts and threat hunters:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Gain a strong foundation for building sophisticated detection rules tailored to your unique environment.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Why you should use it\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Auth0 Customer Detection Catalog is a force multiplier for your security efforts. Here's why this resource is an essential addition to your toolkit:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Sigma-Compatible:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" All detections valid\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sigmahq.io/\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Sigma rules\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", a generic signature format that can be easily converted into a variety of SIEM and log analysis tools. This allows you to set up rules in familiar tooling without needing to rewrite them.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Actionable Intelligence:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Each detection contains valuable metadata, including descriptions of the threat, relevant log fields, and recommended preventative actions. This provides security analysts with the context needed to respond quickly and effectively.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Proactive Threat Updates:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" The catalog is regularly updated with new detections from Okta and Auth0, based on our analysis of real-world threats. This ensures you can stay ahead of emerging attack techniques.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Community-Powered:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" By being open source, the catalog benefits from the collective expertise of the security community. This collaborative approach allows for the rapid dissemination of detection strategies, making everyone more resilient.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Putting Detections to Work\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Auth0 Customer Detection Catalog is designed for immediate use. Here's how to integrate these queries into your security workflows:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Access the Catalog:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" The entire collection of detection rules is available in our public\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\" GitHub repository\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Generate Queries from\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sigmahq.io/docs/guide/about.html\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Sigma\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\":\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" All detections are available in the\",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sigmahq.io/docs/basics/rules.html\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Sigma format\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". You can use a Sigma converter tool \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/SigmaHQ/sigma-cli\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"sigma-cli\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to translate these universal rules into the specific query language for your SIEM or logging tool.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Integrate with Your Tooling:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Extract the included queries and integrate them into your existing security monitoring and alerting workflows. This allows you to leverage your current logging tools to detect sophisticated threats against your Auth0 tenant.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Explore Example Detections:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" To help you get started, the catalog includes a variety of examples that highlight its potential. These cover a range of threats, such as:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Suspicious Tenant Settings:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Detections for changes to security-critical settings, like an IP being added to an allowlist or the deactivation of attack protection features.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Administrator Behavior:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Rules for detecting suspicious activities by administrators, such as copying of the most powerful tokens and checking applications’ secrets. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Attacker Behavior:\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" Queries that identify known attack patterns, like SMS pumping attempts (e.g. \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/blob/260efc3bc0bb3dd81788c1ca13c6be24e7ffe098/detections/sms_bombarding.yml\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"sms_bombarding.yaml\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\") or refresh token rotation failures.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"ordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Your Contribution Matters\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If you identify a gap in our current detection coverage or encounter an issue, we encourage you to open a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/issues\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"GitHub Issue\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/blob/260efc3bc0bb3dd81788c1ca13c6be24e7ffe098/CONTRIBUTING.md\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"contribute directly\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". Even better, submit your own detection rules via a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://github.com/auth0/auth0-customer-detections/pulls\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"pull request\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to share your expertise and help the entire community become more resilient.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"Mathew Woodyard contributed to this post.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2025-07-31T12:37:20.996Z","slug":"/controllingoauthsprawl","node_locale":"en","date":"2025-07-31T00:00","secAuthor":[{"name":"Lana Grechko","slug":"hackers/lana-grechko","jobTitle":"Director of Business Technology, Security","id":"fc46d989-8232-5b6d-b14b-0773571a4d5c","bio":{"bio":"Lana Grechko is a Director of Business Technology Security at Okta. Lana leads a high-impact team focused on securing corporate infrastructure and driving key security initiatives across Identity and Access Management (IAM), Infrastructure Security, and Federal Compliance. Partnering closely with engineering, security, and BT teams, she designs and implements strategies that align security with business goals. Prior to Okta, Lana led the design and implementation of the KYC and AML Programs at Bank of West/BNP Paribas. Outside of work, she is San Francisco-based and enjoys playing tennis, pickleball, and reading.
"},"image":null},{"name":"Mike Hennessey","slug":"/hackers-mike-hennessey","jobTitle":"Enterprise Security Architect","id":"c3f1a2c5-fd9d-5675-9915-c3574309e91c","bio":{"bio":"Mike Hennessey is an Enterprise Security Architect at Okta. He is a passionate advocate for modern cybersecurity paradigms and specializes in building resilient and intelligent security frameworks that go beyond traditional perimeters and focuses on enabling secure access and protecting critical data in today's dynamic threat landscape. Mike has spearheaded multiple initiatives in Zero Trust network architecture, refining identity access management, implementing contextual access controls, and fortifying data protection strategies. His expertise lies in translating complex security challenges into practical, scalable solutions. When not dissecting network packets or architecting secure systems, Mike is navigating the joyful chaos of being a father to three energetic kids, often finding real-world parallels to the importance of strong boundaries and adaptive strategies.
"},"image":null},{"name":"Mat Clinton","slug":"/hackers/mat-clinton","jobTitle":"Senior Engineering Manager","id":"28ee0ce3-3827-537f-adee-23f41419d16e","bio":{"bio":"Mat Clinton is a Senior Engineering Manager at Okta. He has a background in software development working on internal tools, infrastructure, and security focussed automation at some of the most well-known companies in the industry. Mat and his team’s contributions at Okta push forward the company’s OSIC goals, in pursuit of being the most secure company in the world, while also balancing the needs of productivity enablement for our internal teams. Mat’s recent focus has been related to safe AI usage at Okta through his work on the internal AI Governance board where they evaluate a constant stream of new AI features being released by SAAS providers. Outside of work, Mat likes to spend time at the beach surfing, playing golf with friends, and automating things around the house.
"},"image":null}],"title":"Controlling Cross-App Data Sprawl in Google Workspace","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"The world needs a better way to manage app-to-app access."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One of the most difficult challenges in third party risk management (TPRM) is how to effectively manage application sprawl. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s possible, but painful to allowlist apps at the operating system level using execution control tools. It’s possible, but painful to allowlist browser extensions using managed or isolated browsers. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"It’s also painful to manage the ability of users to authorise third party applications to access data in sanctioned SaaS platforms, such as Microsoft 365 or Google Workspace. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For many years, the default configuration in productivity platforms was to allow users to provide their consent to allow third party apps to access data in their account using OAuth consent grants.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"This was empowering for individual (consumer) users, and facilitated strong growth in these platform ecosystems. It wasn’t so rosy for the enterprise, however, which now had to contend with users sharing unbridled access to corporate-owned resources. The risks were exacerbated because the tools to manage OAuth content grants were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/newsletter22/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"gated by premium licenses\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"OAuth Consent Phishing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As a result, legitimate OAuth apps have become a prime target for attackers and rogue OAuth apps have become a \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"useful tool for phishing enterprise users\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In an OAuth Consent Phishing attack, social engineers create a pretext that convinces users to allow a third-party application to access data in their account. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Public examples of these attacks have impersonated trusted entities such as:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/newsletter15/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Email filtering software\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (e.g. “Please update your email security extension”) \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Google Developer Support\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (e.g. “Your item is at risk of being removed from the Chrome web store. Please accept our policies to continue publishing your products”) \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"internal HR team\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (e.g. a shared file with the words “July bonus” in the filename)\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"You can’t blame the user for these attacks. In these examples, developers of browser extensions and even security experts at the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://risky.biz/newsletter22/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"SANS Institute\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (yes, the guys that train cybersecurity professionals) were duped into allowing rogue apps to raid their inboxes, wikis and calendars. This is an attack that can trick just about anybody.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The risk is exacerbated in environments where an administrative user performs their administrative tasks and their general productivity work using the same account: one erroneous consent and they can easily give away the keys to the kingdom. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tackling unsanctioned apps at Okta\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A few months ago, concerns over OAuth consent grants resurfaced after Patrick Opet, Chief Information Security Officer at JP Morgan, wrote an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.jpmorgan.com/technology/technology-blog/open-letter-to-our-suppliers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"open letter to third-party suppliers\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" expressing his anxiety about the erosion of traditional enterprise boundaries.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"His primary concern was integration patterns that enable users to \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"create direct, often unchecked interactions between third-party services and firms’ sensitive internal resources.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We’ve had to tackle this internally at Okta. Our team has blocked thousands of attempts by corporate users to provide consent to OAuth applications to access data in their Google Workspace accounts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The vast majority of these requests were for app scripts developed by Okta staff who wanted to extend the functionality of Google Sheets or Google Calendar. Okta is an organization that prides itself on employees being “builders and owners” with the technical skills to automate their way out of problems. So the key to a good security program is to find safe ways for them to experiment. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security tackled this problem internally by:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"configuring our Workspace environment to deny user consent to add new applications by default, \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"making it as easy as possible for legitimate apps to be allowlisted, and \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"assigning ownership and monitoring activity in allowlisted applications.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If a user attempts to consent to an unsanctioned application, the request is denied (see image below). The user is presented with instructions on how to file a ticket to have the application reviewed by Okta’s Third Party Risk Management (TPRM) team. The process requires the user to provide a business justification for adding the application. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"yTvcSJHL7FShGEegrNbzQ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The TPRM team assesses the business case, whether the application was developed by an approved vendor, and if so, whether the scope of the integration is appropriate for the use case. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Often applications are only allowlisted after the scope of the integration is appropriately minimized, and a service account is configured to manage the integration.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you need to tackle a backlog of integrated apps, Google Workspace includes \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://support.google.com/a/answer/7281227?sjid=15614519911387360251-NC\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"administrative tools\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that allow administrators to filter app integrations according to whether they are verified, which users or groups can access them and the allowed scopes for the app. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The world needs cross-app access!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Security was only able to manage what data stored in Google Workspace could be shared with other third party apps because Google built the required administrative controls and Okta was licensed to use them.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What about all the other apps? The average enterprise has 247 apps integrated in Okta, according to Okta’s \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"Businesses at Work\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" report. It’s naive to expect that all of those SaaS companies have the capability and resources to develop bespoke management capabilities to the degree Google can, or that enterprise CSOs have the resources to configure cross-app sharing in 200+ different consoles!\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So ultimately, if we want to solve the problem of cross-app data sharing a scale, we believe these cross-application authorization flows need to be managed centrally by the CISO, using a centralized Identity solution, rather than within each individual application. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"With this in mind, Okta recently proposed \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/integrations/cross-app-access/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cross-App Access\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", a method of securing agent-to-app and app-to-app access. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To learn more about securing app-to-app access, you can \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://okta-www.helptechsolucoes.com.br/identity-summit/securing-agentic-ai/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"register\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to join our upcoming seminar.\",\"marks\":[],\"data\":{}}]}]}"}}]}},"pageContext":{"limit":10,"skip":0,"numBlogPages":9,"currentPage":1}}, "staticQueryHashes": []}