Adversary-in-the-Middle Phishing Campaigns Targeting Microsoft 365 and Okta Users
A sophisticated phishing campaign has been identified targeting organizations that use Microsoft 365 and Okta for single sign-on (SSO). Attackers employ adversary-in-the-middle (AiTM) techniques to hijack legitimate SSO authentication flows, bypassing multi-factor authentication (MFA) methods that are not phishing-resistant. The campaign uses lookalike domains to impersonate Okta login pages and proxies authentication requests, capturing credentials and session tokens. Hundreds of users across dozens of organizations have been targeted, with phishing emails and malicious URLs designed to closely mimic legitimate login experiences, making detection challenging.
Broader trends in SaaS security highlight the increasing abuse of OAuth tokens and session cookies, enabling persistent, non-interactive access to cloud services even after password resets or MFA changes. Attackers leverage browser extensions and session exfiltration to maintain access, and AI-driven lures accelerate the speed and scale of these attacks. The combination of AiTM phishing, token replay, and browser-based persistence underscores the evolving threat landscape for organizations relying on cloud identity providers like Okta and Microsoft 365.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Follow-on reporting says campaign remains active and hit multiple companies
Subsequent reporting stated the AiTM campaign was still active in December 2025 and had affected hundreds of users across multiple companies. The coverage emphasized the campaign's real-time interception of authentication cookies to bypass MFA and enable account takeover.
Datadog publishes technical analysis and IOCs for the campaign
Datadog Security Labs publicly documented the campaign, explaining how attackers rewrote FederationRedirectUrl values, proxied tenant-branded Okta pages, and injected JavaScript to exfiltrate credentials and session cookies. The report also provided hunting guidance and indicators of compromise for defenders.
OAuth token supply-chain attack impacts hundreds of organizations
A supply-chain attack abusing OAuth tokens from platforms such as Salesloft and Drift enabled long-lived unauthorized access to mail, files, and CRM data across hundreds of organizations. The incident highlighted the growing risk of SaaS token abuse and multi-tenant data theft.
Active AiTM campaign targets Microsoft 365 and Okta users
In early December 2025, an active phishing campaign targeted organizations using Microsoft 365 and Okta, hijacking legitimate SSO flows to steal credentials and critical Okta session cookies. The operation used HR-themed lures, compromised legitimate mailboxes including infrastructure associated with Salesforce Marketing Cloud, Amazon SES, and Cloudflare-hosted phishing infrastructure.
AiTM phishing variants targeting M365 and Okta appear
Related adversary-in-the-middle phishing variants targeting organizations using Microsoft 365 with Okta as the identity provider were observed starting in at least August 2025. The activity used proxy phishing pages, lookalike Okta domains, and credential and session-cookie theft to bypass non-phishing-resistant MFA.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New AiTM Attack Campaign That Bypasses MFA Targeting Microsoft 365 and Okta Users
cybersecuritynews.com
Open sourceInvestigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users | Datadog Security Labs
securitylabs.datadoghq.com
Open sourceThe Quiet Token Heist: Why 2026’s Biggest SaaS Breaches Won’t Start With Passwords
blog.alphahunt.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Adversary-in-the-Middle Phishing Attacks Targeting Microsoft 365
Threat actors are increasingly leveraging adversary-in-the-middle (AitM) phishing techniques to compromise Microsoft 365 accounts. In a recent incident, attackers used a phishing email with a malicious link that mimicked the Microsoft login page, capturing both credentials and session cookies to bypass multi-factor authentication (MFA). The attackers expanded their access through password spraying, brute force attacks, and the use of VPNs and residential proxies to evade detection. Persistence was achieved by manipulating inbox rules and abusing OAuth permissions via legitimate email clients, allowing continued access to compromised accounts. Traditional detection methods, such as URL reputation and static fingerprinting, are proving ineffective against these sophisticated AitM phishing kits, which proxy the real Microsoft authentication flow and associated assets. In response, security researchers have developed new defensive measures, including browser extensions that detect AitM attacks at the point of interaction by monitoring for unexpected HTTP referers and injecting visible warnings. However, as attackers adapt and proxy more elements of the authentication process, even these advanced defenses face challenges, highlighting the need for continuous innovation in anti-phishing strategies.
Mar 21, 2026
Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials
A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim’s Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging. In parallel, threat actors are increasingly using attacker-in-the-middle toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. By stealing session cookies, attackers can impersonate users and maintain access without triggering additional MFA prompts, even after successful authentication. The blending of different phishing kits into hybrid strains is making detection harder, as traditional security rules tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient, and behavioral analysis is required to spot these evolving threats.
Mar 21, 2026
Microsoft phishing campaign stole auth tokens from 35,000 users
Microsoft disclosed a large-scale phishing campaign that targeted more than **35,000 users** at over **13,000 organizations** across **26 countries**, with most victims in the United States and concentrations in healthcare, life sciences, financial services, professional services, and technology. The operation used code-of-conduct and compliance-themed emails delivered through legitimate email services, including abuse of platforms such as Amazon SES, to make messages appear trustworthy and help them pass common email authentication checks. Victims received PDF attachments containing links that led through fake CAPTCHA and document-review pages before landing on spoofed Microsoft sign-in portals. Microsoft said the attackers used an **adversary-in-the-middle** phishing flow to capture credentials and authentication tokens in real time, allowing them to bypass weak multifactor authentication and gain immediate account access. The company described the activity as one of the most sophisticated code-of-conduct-themed credential theft campaigns it has observed and said it reflects broader trends including CAPTCHA-gated phishing, QR-code phishing, and phishing-as-a-service ecosystems such as **Tycoon 2FA**, **Kratos**, and **EvilTokens**. Microsoft urged organizations to strengthen defenses with Defender for Office 365, SmartScreen-enabled browsers, phishing awareness training, stronger authentication, conditional access policies, and automated attack disruption in Defender XDR.
May 5, 2026