Okta OAuth mismatched URI
Goal
Detects an unexpected redirect when granting OAuth tokens.
Strategy
This rule monitors failed OAuth access token grant activity where the provided failure reason is mismatched_redirect_uri. Alert severity is increased if Okta's threat suspected field (securityContext.isThreatSuspected in the System Log) evaluates to true. Okta, like any compliant OAuth authorization server, only issues tokens when the redirect URI in the request exactly matches one registered for the application. An adversary using phishing infrastructure to compromise users may try to have the OAuth flow redirect to the phishing domain; that attempt fails with this reason and leaves this event behind.
This detection has been adopted from rules published by the Okta team.
Triage & Response
- Examine the fields within @debugContext.debugData to compare the requested redirect URI to the allowed URIs and confirm the mismatch for {{@usr.name}}.
- Review the source IP {{@network.client.ip}} and geo-location for anomalies or patterns shared across other failed OAuth attempts.
- Analyze subsequent events to see if a successful token grant occurred shortly after, indicating bypass attempts or configuration correction.
- If user activity is suspicious, begin your organization's incident response process and investigate for any account takeovers.
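The match condition, the severity bump and the first and third triage steps above, run over constructed Okta System Log events. This is an added example, not Datadog's rule definition or Okta's code: the set of token-grant event types, the placement of the reason in outcome.reason, the debugData key redirectUri and the severity labels medium/high are assumptions made for the example; securityContext.isThreatSuspected and the overall event layout follow Okta's System Log.

```python
"""Added example: detection and triage logic for mismatched OAuth redirect URIs
over constructed Okta System Log events. Assumed for the example: the event-type
set, outcome.reason carrying the failure reason, debugData.redirectUri carrying
the requested URI, and the severity labels."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# OAuth token-grant event types considered by the example (assumed set).
TOKEN_GRANT_EVENTS = {"app.oauth2.token.grant", "app.oauth2.as.token.grant"}

# Redirect URIs registered on the application (constructed allowlist).
ALLOWED_REDIRECT_URIS = {"https://app.example.com/callback"}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {   # failed grant, redirect to a look-alike domain, flagged by ThreatInsight
        "published": "2024-05-01T10:00:00.000Z",
        "eventType": "app.oauth2.as.token.grant",
        "outcome": {"result": "FAILURE", "reason": "mismatched_redirect_uri"},
        "securityContext": {"isThreatSuspected": True},
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.10"},
        "debugContext": {"debugData": {"redirectUri": "https://login-example.com/callback"}},
    },
    {   # successful grant for the same user 30 seconds later
        "published": "2024-05-01T10:00:30.000Z",
        "eventType": "app.oauth2.as.token.grant",
        "outcome": {"result": "SUCCESS"},
        "securityContext": {"isThreatSuspected": False},
        "actor": {"alternateId": "alice@example.com"},
        "client": {"ipAddress": "203.0.113.10"},
        "debugContext": {"debugData": {"redirectUri": "https://app.example.com/callback"}},
    },
    {   # failed grant caused by a trailing slash: same host, likely misconfiguration
        "published": "2024-05-01T11:00:00.000Z",
        "eventType": "app.oauth2.as.token.grant",
        "outcome": {"result": "FAILURE", "reason": "mismatched_redirect_uri"},
        "securityContext": {"isThreatSuspected": False},
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.7"},
        "debugContext": {"debugData": {"redirectUri": "https://app.example.com/callback/"}},
    },
    {   # unrelated event that must not match
        "published": "2024-05-01T11:05:00.000Z",
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "bob@example.com"},
        "client": {"ipAddress": "198.51.100.7"},
    },
]


def is_mismatched_redirect(event):
    """Rule condition: a failed token grant whose reason is mismatched_redirect_uri."""
    outcome = event.get("outcome", {})
    return (event.get("eventType") in TOKEN_GRANT_EVENTS
            and outcome.get("result") == "FAILURE"
            and outcome.get("reason") == "mismatched_redirect_uri")


def severity_for(event):
    """Base severity, raised when Okta marks the request as a suspected threat."""
    threat = event.get("securityContext", {}).get("isThreatSuspected") is True
    return "high" if threat else "medium"


def describe_mismatch(requested, allowed):
    """Triage step 1: redirect URIs must match exactly (RFC 6749 section 3.1.2.3).
    A different host points at a phishing domain; the same host with a different
    scheme, path or query usually points at a client misconfiguration."""
    if requested in allowed:
        return "exact match"
    hosts = {urlsplit(u).netloc.lower() for u in allowed}
    if urlsplit(requested).netloc.lower() in hosts:
        return "same host, scheme/path/query differs (likely misconfiguration)"
    return "host differs (possible phishing redirect)"


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def successful_grant_shortly_after(events, failure, window=timedelta(minutes=10)):
    """Triage step 3: did the same actor receive a successful grant soon after?"""
    user = failure["actor"]["alternateId"]
    t0 = _ts(failure)
    return any(e.get("eventType") in TOKEN_GRANT_EVENTS
               and e.get("outcome", {}).get("result") == "SUCCESS"
               and e.get("actor", {}).get("alternateId") == user
               and t0 < _ts(e) <= t0 + window
               for e in events)


def triage(events, allowed=ALLOWED_REDIRECT_URIS):
    """Apply the rule to a batch of events; one alert dict per matching event."""
    alerts = []
    for e in events:
        if not is_mismatched_redirect(e):
            continue
        requested = e.get("debugContext", {}).get("debugData", {}).get("redirectUri", "")
        alerts.append({
            "user": e["actor"]["alternateId"],
            "ip": e["client"]["ipAddress"],
            "severity": severity_for(e),
            "requested_redirect_uri": requested,
            "mismatch": describe_mismatch(requested, allowed),
            "success_followed": successful_grant_shortly_after(events, e),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The first sample event produces a high-severity alert with a "host differs" verdict and a successful grant thirty seconds later, the pattern the triage steps treat as a possible bypass; the second produces a medium-severity alert whose trailing-slash mismatch is the usual sign of a registered-URI typo rather than phishing.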