Okta Warns of Real-Time Vishing Phishing Kits Targeting SSO and MFA
Okta reported that threat actors are using and selling custom voice-phishing (vishing) kits that enable helpdesk-style social engineering to steal credentials and bypass MFA for Okta SSO and other identity providers, including Google and Microsoft. The kits are offered “as a service” on dark web forums and messaging platforms and are designed to closely mimic legitimate identity-provider authentication flows, making the victim experience appear authentic during a live phone call.
Unlike static phishing pages, the kits function as adversary-in-the-middle platforms that let attackers monitor a victim’s session in real time and dynamically change what the victim sees (e.g., dialogs prompting for credentials or MFA approval) as the call progresses. Okta said operators typically conduct reconnaissance on targeted employees (names, applications used, and IT/helpdesk phone numbers), then call victims—often with spoofed corporate/helpdesk numbers—while guiding them through a tailored phishing page; captured credentials and MFA responses are relayed to the attacker to complete login and enable downstream data theft and extortion activity, echoing prior “IT support call” tradecraft associated with Scattered Spider-like intrusions.
Related Stories

MFA Bypass via Phishing and Authentication Abuse (OAuth Device Code, Vishing Kits, and OTP Bombing)
Threat researchers reported multiple **MFA-bypass** techniques being operationalized against enterprise users, with a notable focus on Microsoft 365 and common authentication workflows. KnowBe4 Threat Labs described an active phishing campaign targeting North American organizations that abuses the **OAuth 2.0 Device Authorization Grant** (`microsoft.com/devicelogin`) to trick users into entering an attacker-supplied device code on a legitimate Microsoft page; after the user completes MFA, the attacker obtains valid **OAuth access/refresh tokens**, enabling persistent access to M365 services (e.g., Outlook, Teams, OneDrive/SharePoint) without stealing passwords. Recommended mitigations included auditing newly consented OAuth apps, hunting for related email lure patterns, and considering disabling the device code flow via Conditional Access. Separately, Okta warned of emerging **voice-phishing (vishing) kits** that provide real-time, client-side “session orchestration,” allowing attackers to dynamically change phishing pages while on a phone call to coax victims into approving push prompts or providing OTPs; captured credentials are commonly exfiltrated to attacker-controlled channels (e.g., Telegram) and then replayed against legitimate sign-in flows. Cyble also documented the continued evolution of **SMS/OTP (and voice) bombing** ecosystems, highlighting automated, API-driven abuse of authentication endpoints across multiple sectors and regions, with tooling maturing into cross-platform applications and adding evasion features—activity that can facilitate social engineering and account takeover by overwhelming users with authentication messages or calls.
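One way to begin the hunt the mitigations above recommend, as an added example that is not code from the digest or from any vendor it cites: a small Python routine that flags completed device-code sign-ins in Microsoft Entra sign-in log records, using the `authenticationProtocol` value `deviceCode` that the sign-in log exposes. The records are constructed, and the heuristic of raising severity when the grant completed from an IP the user never used elsewhere is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample sign-in records shaped like Entra ID sign-in log entries
# (not real telemetry). Only "deviceCode" grants with errorCode 0 yield tokens.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "appDisplayName": "Microsoft Teams",
     "status": {"errorCode": 50126}},  # failed sign-in: no token was issued
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.30", "appDisplayName": "Microsoft Office",
     "status": {"errorCode": 0}},
]


def flag_device_code_signins(records):
    """Return one finding per successful device-code sign-in.

    Severity is "high" when the grant completed from an IP that the same user
    never used in any non-device-code sign-in in the batch (assumed heuristic:
    in the lure, the attacker redeems the code from their own infrastructure),
    otherwise "medium" so an analyst still reviews it.
    """
    ips_by_user = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            ips_by_user[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # only completed grants produce access/refresh tokens
        user = r["userPrincipalName"]
        known = ips_by_user.get(user, set())
        severity = "high" if known and r["ipAddress"] not in known else "medium"
        findings.append({"user": user, "ip": r["ipAddress"],
                         "app": r["appDisplayName"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity']}] {f['user']} device-code sign-in from {f['ip']} to {f['app']}")
```

Each finding is a starting point for the follow-up the paragraph describes: check which OAuth app was consented and whether refresh tokens should be revoked for that user.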
1 month ago
Adversary-in-the-Middle Phishing Campaigns Targeting Microsoft 365 and Okta Users
A sophisticated phishing campaign has been identified targeting organizations that use Microsoft 365 and Okta for single sign-on (SSO). Attackers employ adversary-in-the-middle (AiTM) techniques to hijack legitimate SSO authentication flows, bypassing multi-factor authentication (MFA) methods that are not phishing-resistant. The campaign uses lookalike domains to impersonate Okta login pages and proxies authentication requests, capturing credentials and session tokens. Hundreds of users across dozens of organizations have been targeted, with phishing emails and malicious URLs designed to closely mimic legitimate login experiences, making detection challenging. Broader trends in SaaS security highlight the increasing abuse of OAuth tokens and session cookies, enabling persistent, non-interactive access to cloud services even after password resets or MFA changes. Attackers leverage browser extensions and session exfiltration to maintain access, and AI-driven lures accelerate the speed and scale of these attacks. The combination of AiTM phishing, token replay, and browser-based persistence underscores the evolving threat landscape for organizations relying on cloud identity providers like Okta and Microsoft 365.
3 months ago
Identity-Driven Intrusions Fueled by Infostealer Credentials and MFA-Aware Phishing
Threat actors are increasingly achieving initial access through **identity compromise** rather than software exploitation, with infostealer malware and phishing infrastructure supplying large volumes of valid credentials for automated login attempts against enterprise authentication front doors. Defused Cyber reported a large-scale credential-stuffing campaign targeting **F5 BIG-IP** and other SSO-adjacent services (including **ADFS**, **STS**, and **OWA**), where honeypots observed high-confidence corporate email/password pairs being submitted at scale from `219.75.254.166` (OPTAGE Inc., Japan). Correlation against Hudson Rock’s infostealer telemetry indicated the majority of observed credentials were harvested from **infostealer-infected employee endpoints**, suggesting a pipeline from endpoint infection to external SSO gateway intrusion attempts impacting major enterprises and public-sector entities. In parallel, Datadog Security Labs documented the evolution of the **1Phish** kit into an operationally mature, **MFA-aware** phishing framework targeting *1Password* users, shifting from simple credential capture to multi-stage workflows that explicitly collect **2FA codes**—consistent with real-time authentication attempts even without confirmed reverse-proxy session hijacking. Broader incident-response telemetry in Sophos’ Active Adversary Report reinforces the same trend: **identity-related techniques** (compromised credentials, brute force, phishing) accounted for a majority of observed root causes, and attackers often pivot quickly to **Active Directory** after initial access. A separate finance-sector “2026” threat landscape post is largely high-level and does not add specific, verifiable details to the infostealer/SSO or 1Phish activity described elsewhere.
2 weeks ago