Okta Warns of Real-Time Vishing Phishing Kits Targeting SSO and MFA
Okta reported that threat actors are using and selling custom voice-phishing (vishing) kits that enable helpdesk-style social engineering to steal credentials and bypass MFA for Okta SSO and other identity providers, including Google and Microsoft. The kits are offered “as a service” on dark web forums and messaging platforms and are designed to closely mimic legitimate identity-provider authentication flows, making the victim experience appear authentic during a live phone call.
Unlike static phishing pages, the kits function as adversary-in-the-middle platforms that let attackers monitor a victim’s session in real time and dynamically change what the victim sees (e.g., dialogs prompting for credentials or MFA approval) as the call progresses. Okta said operators typically conduct reconnaissance on targeted employees (names, applications used, and IT/helpdesk phone numbers), then call victims, often from spoofed corporate/helpdesk numbers, while guiding them through a tailored phishing page. Captured credentials and MFA responses are relayed to the attacker to complete login and enable downstream data theft and extortion activity, echoing prior “IT support call” tradecraft associated with Scattered Spider-like intrusions.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
GTIG identifies UNC6671/BlackFile as distinct vishing-extortion actor
Google Threat Intelligence Group reported that UNC6671, operating under the BlackFile brand, has run a large-scale vishing and SSO-compromise extortion campaign since early 2026 against organizations in North America, Australia, and the UK. GTIG assessed the actor is distinct from ShinyHunters and described tradecraft including AiTM credential theft during live calls, attacker-controlled MFA enrollment, and automated SaaS data exfiltration from Microsoft 365, Okta-linked environments, SharePoint, OneDrive, Zendesk, and Salesforce.
Abnormal reports ATHR AI-powered vishing platform
Abnormal disclosed a new cybercrime platform called ATHR that automates telephone-oriented attack delivery and voice-phishing campaigns using spoofed emails, telephony routing, and AI voice agents impersonating support staff. The service was advertised on underground forums for $4,000 plus a 10% commission and targeted accounts at providers including Google, Microsoft, and major cryptocurrency platforms.
Silent Push reports 100+ organizations targeted in SSO vishing campaign
Silent Push reported a large-scale, active campaign targeting more than 100 high-value enterprises through live phishing panels and voice-phishing attacks against Okta and other SSO systems. The firm attributed the activity to an alliance it called 'SLSH,' linking tactics associated with Scattered Spider, LAPSUS$, and ShinyHunters.
Crunchbase confirms document exfiltration and contacts law enforcement
In related reporting tied to ShinyHunters' relaunch of its leak site, Crunchbase confirmed a document exfiltration incident from its corporate network. The company said it engaged outside experts and notified federal law enforcement.
ShinyHunters claims responsibility for the SSO-focused vishing campaign
ShinyHunters told BleepingComputer it was behind the ongoing wave of vishing attacks targeting Okta, Microsoft Entra, and Google-linked SSO accounts, and said Salesforce was its primary target. The claim connected the campaign's extortion phase to a named threat actor, though broader reporting still described multiple actors using similar kits.
Okta details post-compromise data theft and extortion pattern
Public reporting on Okta's findings said attackers used compromised Okta dashboards to enumerate connected SaaS apps, with Salesforce highlighted as a common data-theft target. After detection, victims received extortion emails threatening publication of stolen data, with some demands signed 'ShinyHunters.'
Okta publicly reports vishing kits targeting SSO accounts
Okta publicly disclosed that custom adversary-in-the-middle phishing kits sold as a service were being used in active attacks against Okta, Microsoft, Google, and cryptocurrency-related accounts. The company described real-time phishing pages synchronized with phone calls to capture credentials and defeat non-phishing-resistant MFA.
Okta privately warned customer CISOs about active vishing attacks
Earlier in the week before its public report, Okta privately alerted customer CISOs that attackers were using custom phishing kits in active campaigns to steal Okta SSO credentials and access downstream SaaS applications. The warning described subsequent data theft and extortion risk.
Vishing kit activity evolved significantly in late 2025
Okta said the voice-phishing ecosystem and related phishing kits evolved significantly in late 2025, with criminals selling more specialized tooling and even recruiting native English-speaking callers to impersonate IT help desks. This marked a maturation of the social-engineering-as-a-service model.
Similar vishing/AiTM activity observed by at least April 2025
Reporting indicates comparable voice-phishing and adversary-in-the-middle activity had been observed since at least April 2025, establishing that the tradecraft predated the January 2026 disclosures. The attacks used phone-based social engineering and phishing pages to capture credentials and MFA factors.
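
The post-compromise sequence in the GTIG and Okta entries above (a login completed by the attacker, attacker-controlled MFA enrollment, then enumeration of connected SaaS apps) can be hunted for in identity logs. The following is an added example, not code from Okta, GTIG or any source cited here; the event schema, field names, thresholds and sample events are constructed for illustration and would need mapping to a real identity provider's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    {"ts": "2026-01-20T14:02:00", "user": "alice", "ip": "198.51.100.7", "type": "session_start"},
    {"ts": "2026-01-20T14:05:00", "user": "alice", "ip": "198.51.100.7", "type": "mfa_enroll"},
    {"ts": "2026-01-20T14:06:00", "user": "alice", "ip": "198.51.100.7", "type": "sso_app", "app": "salesforce"},
    {"ts": "2026-01-20T14:07:00", "user": "alice", "ip": "198.51.100.7", "type": "sso_app", "app": "sharepoint"},
    {"ts": "2026-01-20T14:08:00", "user": "alice", "ip": "198.51.100.7", "type": "sso_app", "app": "zendesk"},
    {"ts": "2026-01-20T14:09:00", "user": "alice", "ip": "198.51.100.7", "type": "sso_app", "app": "onedrive"},
    {"ts": "2026-01-20T09:00:00", "user": "bob", "ip": "192.0.2.10", "type": "session_start"},
    {"ts": "2026-01-20T09:01:00", "user": "bob", "ip": "192.0.2.10", "type": "mfa_enroll"},
    {"ts": "2026-01-20T10:00:00", "user": "carol", "ip": "203.0.113.5", "type": "session_start"},
    {"ts": "2026-01-20T10:02:00", "user": "carol", "ip": "203.0.113.5", "type": "sso_app", "app": "salesforce"},
]
# Constructed per-user baseline of previously seen source IPs.
KNOWN_IPS = {"alice": {"192.0.2.20"}, "bob": {"192.0.2.10"}, "carol": {"192.0.2.30"}}


def flag_sessions(events, known_ips, window_minutes=30, app_threshold=3):
    """Flag sessions from an unfamiliar IP that are followed, within the
    window and from the same IP, by MFA enrollment or SSO into many apps."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = []
    for user, evs in by_user.items():
        for start in evs:
            if start["type"] != "session_start":
                continue
            if start["ip"] in known_ips.get(user, set()):
                continue  # familiar source: enrollment here is not unusual
            follow = [e for e in evs if e["ip"] == start["ip"]
                      and start["ts"] < e["ts"] <= start["ts"] + window]
            apps = sorted({e["app"] for e in follow if e["type"] == "sso_app"})
            reasons = []
            if any(e["type"] == "mfa_enroll" for e in follow):
                reasons.append("mfa_enroll_after_new_ip")
            if len(apps) >= app_threshold:
                reasons.append("sso_app_burst")
            if reasons:
                findings.append({"user": user, "ip": start["ip"],
                                 "reasons": reasons, "apps": apps})
    return findings


if __name__ == "__main__":
    for finding in flag_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(finding)
```

Only the first user is flagged: the second enrolls a factor from a familiar IP, and the third signs in from a new IP but neither enrolls a factor nor fans out across apps.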


