Okta OAuth mismatched URI

Goal

Detects an unexpected redirect when granting OAuth tokens.

Strategy

This rule monitors failed OAuth access token grants where the reason provided is mismatched_redirect_uri. Alert severity is increased if the threat suspected field provided by Okta evaluates to true. An adversary using phishing infrastructure to compromise users may issue redirects to the phishing domain during the OAuth flow, which produces this mismatch.

This detection has been adopted from rules published by the Okta team.

Triage & Response

  1. Examine the fields within @debugContext.debugData to compare the requested redirect URI to the allowed URIs and confirm the mismatch for {{@usr.name}}.
  2. Review the source IP {{@network.client.ip}} and its geolocation for anomalies or patterns shared across other failed OAuth attempts.
  3. Analyze subsequent events to see whether a successful token grant occurred shortly after, which may indicate a bypass attempt or a configuration correction.
  4. If user activity is suspicious, begin your organization’s incident response process and investigate for any account takeovers.
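
The strategy and triage steps 2 and 3 above, sketched as offline logic over constructed events (an added example, not the rule's own query or Okta's code). Field names follow the Okta System Log layout; the event type string, the 10-minute window and the severity labels are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

def ev(time, user, ip, result, reason=None, threat="false"):
    """Build a constructed event shaped like an Okta System Log entry."""
    return {"published": f"2024-05-01T{time}Z", "actor": {"alternateId": user},
            "eventType": "app.oauth2.as.token.grant.access_token",  # assumed event type
            "client": {"ipAddress": ip},
            "outcome": {"result": result, "reason": reason},
            "debugContext": {"debugData": {"threatSuspected": threat}}}

# Constructed sample data, not real logs.
EVENTS = [
    ev("10:00:00", "alice@example.com", "203.0.113.7", "FAILURE", "mismatched_redirect_uri", "true"),
    ev("10:03:00", "alice@example.com", "203.0.113.7", "SUCCESS"),
    ev("10:05:00", "bob@example.com", "203.0.113.7", "FAILURE", "mismatched_redirect_uri"),
    ev("10:06:00", "carol@example.com", "198.51.100.9", "FAILURE", "constructed_other_reason"),
]

def when(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))

def is_mismatch(e):
    out = e["outcome"]
    return (e["eventType"].endswith("token.grant.access_token")
            and out["result"] == "FAILURE" and out["reason"] == "mismatched_redirect_uri")

def detect(events, window=timedelta(minutes=10)):
    """Return one finding per mismatched-redirect failure, with triage context."""
    events = sorted(events, key=when)
    per_ip = Counter(e["client"]["ipAddress"] for e in events if is_mismatch(e))
    findings = []
    for i, e in enumerate(events):
        if not is_mismatch(e):
            continue
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        suspected = str(e["debugContext"]["debugData"].get("threatSuspected")).lower() == "true"
        # Triage step 3: did the same user get a token shortly after the failure?
        success_after = any(
            n["actor"]["alternateId"] == user and n["outcome"]["result"] == "SUCCESS"
            and n["eventType"].endswith("token.grant.access_token")
            and when(n) - when(e) <= window
            for n in events[i + 1:])
        findings.append({"user": user, "ip": ip,
                         "severity": "elevated" if suspected else "baseline",  # example labels
                         "success_after": success_after,
                         "failures_from_ip": per_ip[ip]})  # triage step 2
    return findings

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

A finding with success_after set and failures from the same IP across several users is the pattern worth prioritizing during triage.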