Greetings, everyone. I am watching 2021 Common Threats - SSO attack - using Okta SSO as an example...
This module shows a victim receiving an 'Okta App Resync' email with an embedded button. Upon hovering over the button, it shows that the link points to the URL hxxps://okta-target.okta.com. Upon clicking this button, the victim is redirected to hxxps://target-us.okta.group, where the victim logs in, authenticates with 2FA, and has their credentials and session token stolen.
I am guessing that hxxps://target-us.okta.group is the spoofed site that steals the credentials and session key.
The attacker then logs into hxxps://target-us.okta.com/ using the stolen key and is able to hijack the user's active session.
Sounds like an MITM attack to me... But I am confused, because the okta-target subdomain and the okta.com domain are legitimate login sources.
How is this possible to achieve without there being "more to the story", such as URL redirection malware installed on the machine, or the Okta domain having been hijacked, or something similar...
Am I missing something here? Any help would be appreciated. We like to keep a "healthy paranoia" level when it comes to phishing attacks and this module has some employees here very worried about every link now.
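A defender-side check for the pattern described in this post, added here as an example (not code from the training module or from the poster): it parses the links in an HTML email and flags any whose href domain is not the organisation's Okta tenant domain, is a lookalike of it (okta.group versus okta.com), or differs from the domain shown in the link's hover title or visible text. The expected domain okta.com and the constructed sample email are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "okta.com"  # assumption: the organisation's legitimate Okta domain

# Constructed sample email reproducing the hover/click mismatch from the post.
SAMPLE_EMAIL = """<p>Your Okta apps need to be resynced.</p>
<a href="https://target-us.okta.group/login" title="https://okta-target.okta.com">Resync now</a>
<a href="https://okta-target.okta.com/help">Help center</a>"""


class LinkCollector(HTMLParser):
    """Collects href, title and visible text for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href") or "", "title": a.get("title") or "", "text": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def registered_domain(url):
    """Last two labels of the host (okta.group, okta.com); good enough for this check."""
    parts = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def suspicious_links(html, expected=EXPECTED_DOMAIN):
    """Return [(href, [reasons])] for links that should be reviewed before clicking."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for link in p.links:
        dom, reasons = registered_domain(link["href"]), []
        if dom != expected:
            reasons.append(f"href domain {dom!r} is not {expected!r}")
            if dom.split(".")[0] == expected.split(".")[0]:
                reasons.append("lookalike TLD")  # same brand label, different TLD
        # Hover title or visible text naming a different domain than the real href
        shown = (link["title"] + " " + link["text"]).lower()
        for m in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", shown):
            if registered_domain("https://" + m) != dom:
                reasons.append(f"displayed {m!r} but href goes to {dom!r}")
        if reasons:
            findings.append((link["href"], reasons))
    return findings
```

Run `suspicious_links(SAMPLE_EMAIL)` to see the resync button flagged on all three counts while the genuine okta.com help link passes.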