January 28, 2026

Okta SSO accounts hit by vishing

Okta published a report describing active campaigns using custom phishing kits built specifically for voice‑based social engineering (vishing).

Okta has published a report describing active campaigns using custom phishing kits built specifically for voice‑based social engineering (vishing). These kits don’t behave like the static fake login pages most users are trained to spot. They’re adversary‑in‑the‑middle (AitM) platforms designed for a very modern workflow: keep the victim on the phone, control what they see in the browser, and walk them through authentication in real time.

The endgame is to steal Okta SSO credentials, bypass MFA, then pivot through the Okta dashboard into downstream SaaS for large‑scale data theft and extortion.

What happened

Okta reports that these phishing kits are sold “as‑a‑service” and are being used by multiple intrusion groups to target identity providers (Google, Microsoft, Okta) and even crypto platforms.

What makes them effective is a real‑time C2 panel that lets the caller update the phishing site on the fly. As the attacker attempts a legitimate login and triggers MFA challenges, they can instantly swap the victim’s page to match whatever the victim expects to see.

That synchronization is the whole trick. It removes the “wait, why am I seeing this?” moment.

How the attack works

  1. Recon first: The actor profiles the employee and the company: which apps they use, IT support numbers, and internal terminology.
  2. A believable pretext: Attackers call pretending to be IT. A common hook right now: “We’re helping you set up passkeys for Okta SSO.”
  3. Victim sent to a company‑lookalike login page: These phishing domains are often branded with the company name and include words like “internal” or “my”.
  4. Credentials relayed live: As the victim types username/password, the kit forwards them instantly to the attacker’s backend (Okta notes Telegram channels are commonly used).
  5. MFA defeated with real‑time orchestration: When Okta prompts for MFA (push, OTP/TOTP, number matching), the attacker flips the phishing site UI to show the “right” instructions and talks the victim through it. (Important: number‑matching push MFA is not phishing‑resistant in a phone call. The attacker just tells the user which number to pick.)
  6. Okta becomes the map to everything else: With Okta SSO access, the attacker lands on the Okta dashboard, sees what apps the employee can reach, and starts pulling data from CRM, file storage, dev tools, etc.
  7. Extortion follows: In reported cases, once detected, attackers move quickly to extortion demands. Some demands are signed with names like “ShinyHunters,” though attribution remains murky.

What to look for

  • Okta sign‑in anomalies: new device/ASN/geo, rapid fail/success sequences.
  • MFA weirdness: multiple prompts in a short window, approvals that coincide with “IT calls,” OTPs entered during odd hours.
  • Post‑auth pivoting: immediate app dashboard exploration, then rapid access across multiple SaaS apps.
  • Bulk extraction: exports/API pulls, especially in CRM and file storage.
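As an added example (not code from this post or from Okta's report), the detection logic below correlates the first three signals in that list over constructed, simplified Okta System Log‑style events: an MFA prompt burst, a successful MFA from an ASN absent from the user's earlier completed logins, and rapid SSO into several apps right after. The eventType names are assumed to mirror Okta's; the user, ASNs, apps and timestamps are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like Okta System Log entries
# (published, eventType, actor, client ASN, outcome, target app). The eventType
# names are assumed to mirror Okta's; users, ASNs and timestamps are invented.
EVENTS = [
    ("2026-01-27T09:01:50Z", "user.authentication.auth_via_mfa",    "j.doe@example.com", "AS64500", "SUCCESS", None),
    ("2026-01-27T09:02:00Z", "user.session.start",                  "j.doe@example.com", "AS64500", "SUCCESS", None),
    ("2026-01-27T09:02:20Z", "user.authentication.sso",             "j.doe@example.com", "AS64500", "SUCCESS", "Salesforce"),
    # Afternoon: MFA burst from a never-seen ASN, then a sweep across apps.
    ("2026-01-27T14:10:05Z", "system.push.send_factor_verify_push", "j.doe@example.com", "AS64999", "SUCCESS", None),
    ("2026-01-27T14:10:40Z", "user.authentication.auth_via_mfa",    "j.doe@example.com", "AS64999", "FAILURE", None),
    ("2026-01-27T14:11:15Z", "system.push.send_factor_verify_push", "j.doe@example.com", "AS64999", "SUCCESS", None),
    ("2026-01-27T14:12:02Z", "user.authentication.auth_via_mfa",    "j.doe@example.com", "AS64999", "SUCCESS", None),
    ("2026-01-27T14:12:30Z", "user.authentication.sso",             "j.doe@example.com", "AS64999", "SUCCESS", "Salesforce"),
    ("2026-01-27T14:12:55Z", "user.authentication.sso",             "j.doe@example.com", "AS64999", "SUCCESS", "Google Drive"),
    ("2026-01-27T14:13:20Z", "user.authentication.sso",             "j.doe@example.com", "AS64999", "SUCCESS", "GitHub"),
    ("2026-01-27T14:13:50Z", "user.authentication.sso",             "j.doe@example.com", "AS64999", "SUCCESS", "Jira"),
]
FIELDS = ("published", "eventType", "user", "asn", "result", "app")
MFA_TYPES = {"system.push.send_factor_verify_push", "user.authentication.auth_via_mfa"}
BASELINE_TYPES = {"user.session.start", "user.authentication.sso"}  # completed logins only


def find_vishing_patterns(events, mfa_window=timedelta(minutes=5), mfa_threshold=3,
                          app_window=timedelta(minutes=5), app_threshold=3):
    """Flag a successful MFA from an ASN absent from the user's prior completed logins
    when it is preceded by an MFA prompt burst or followed by rapid multi-app SSO."""
    rows = [dict(zip(FIELDS, e)) for e in events]
    for r in rows:
        r["ts"] = datetime.strptime(r["published"], "%Y-%m-%dT%H:%M:%SZ")
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    findings = {}
    for user, evs in by_user.items():
        seen_asn = set()  # ASNs from earlier completed logins act as the baseline
        for i, ev in enumerate(evs):
            if ev["eventType"] == "user.authentication.auth_via_mfa" and ev["result"] == "SUCCESS":
                prompts = [e for e in evs[:i + 1]
                           if e["eventType"] in MFA_TYPES and ev["ts"] - e["ts"] <= mfa_window]
                apps = {e["app"] for e in evs[i + 1:]
                        if e["eventType"] == "user.authentication.sso" and e["ts"] - ev["ts"] <= app_window}
                if ev["asn"] not in seen_asn and (len(prompts) >= mfa_threshold or len(apps) >= app_threshold):
                    findings[user] = {"asn": ev["asn"], "at": ev["published"],
                                      "mfa_prompts": len(prompts), "apps": sorted(apps)}
            if ev["eventType"] in BASELINE_TYPES and ev["result"] == "SUCCESS":
                seen_asn.add(ev["asn"])
    return findings
```

The morning login from the known ASN produces no finding; the afternoon sequence (four MFA prompts in two minutes from a new ASN, then four apps in under two minutes) does, which is the shape of the post‑auth pivot described above.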

One piece of relay infrastructure reported in this cluster is inclusivity-team[.]onrender.com.

What you should do now

  • Move to phishing‑resistant MFA: Adopt Okta FastPass, FIDO2 security keys, or passkeys (ideally with redundancy). Reduce reliance on factors that can be socially engineered.
  • Use network zones / tenant ACLs: If you know where legitimate sign‑ins originate, allowlist those networks and deny the rest, especially anonymizers and unexpected locations.
  • Fix the helpdesk problem: Train users that IT will never ask for OTP codes or ask them to approve unexpected push prompts. Add an out‑of‑band callback process.
  • Shrink the SSO blast radius: Least privilege for app assignments. Step‑up auth for high‑value apps (CRM, finance, admin consoles).
  • Have a fast containment playbook: If you suspect compromise: revoke sessions, reset credentials, invalidate tokens, and hunt downstream app access immediately.
