Okta SSO Vishing Attacks Use Real-Time Phishing Kits to Steal MFA Codes and Exfiltrate Cloud Data

---

Okta SSO accounts are being targeted in ongoing voice phishing operations where attackers call employees, pose as corporate IT or help desk staff, and convince them to authenticate through a malicious "internal" login flow. The goal is not just to capture a password. It is to control the victim's authentication journey in real time, intercept MFA, and immediately reuse those signals to establish a valid session.

Okta's Threat Intelligence team describes a new class of phishing kits built specifically for callers: the attacker sits in a control panel during the phone call and dynamically updates the phishing site to match the exact MFA prompt the victim expects to see.

Why these attacks are hard to spot

Most phishing fails when the page does not match the user's mental model of the real login flow. These kits solve that problem by synchronizing the phishing page with the caller's script and with the live MFA challenge returned by the real service. The victim is not "clicking blindly." They are being coached step by step by a human who can adjust the page instantly.

This is also why "push MFA with number matching" is not phishing-resistant. If the attacker is on the phone, they can simply tell the victim which number to select or enter.

How the vishing plus AitM chain works

The observed flow is consistent across incidents:

• Reconnaissance: attackers learn which apps a target uses and what phone numbers are associated with internal IT support
• Call initiation: attacker spoofs corporate or help desk numbers and impersonates IT
• Pretext: the victim is told they must "set up passkeys" or complete a security requirement to keep access
• Live phishing: the victim is guided to a company-themed AitM phishing site that captures credentials and MFA
• Real-time replay: credentials and MFA are immediately used by the attacker to sign into the real Okta tenant
• Post-compromise: the attacker opens the Okta app dashboard, identifies high-value SaaS targets, and exfiltrates data
• Extortion: once access is discovered or defenders respond, attackers pivot to rapid extortion demands

In at least some cases, reporting ties parts of the relay infrastructure to a Socket.IO service previously hosted on an onrender.com domain.

What attackers do after they get into Okta

Okta SSO is valuable because it is a gateway. A single valid Okta login can unlock a large set of business SaaS services with minimal additional friction. Once in, attackers typically:

• Enumerate the user's Okta dashboard apps to identify where sensitive data lives
• Prioritize SaaS platforms that allow quick bulk export or API-driven extraction
• Exfiltrate data and move immediately to coercive extortion messaging

Victim-facing extortion notes referenced in reporting explicitly describe data theft via compromised SSO credentials and call out Salesforce as an easy exfiltration path.

Who is being targeted

Current reporting indicates active targeting continues, with emphasis on sectors where SaaS environments often contain high-value regulated or monetizable data:

• Fintech
• Wealth management
• Financial services
• Advisory firms

Indicators and hunting pivots

Use these as investigation pivots, then validate against your own Okta system logs and network telemetry.

Technique indicators

• Employee reports of calls from "IT" requesting passkey setup or urgent authentication changes
• Logins that occur immediately after an employee confirms MFA over a call
• Sign-ins followed by rapid app enumeration and unusual SaaS access patterns

Infrastructure and naming patterns (reported)

• Relay services using Socket.IO in the phishing flow
• Phishing sites using company-themed naming, often with "internal" or "my" in the hostname
• Credentials forwarded to attacker-controlled channels during the live session (commonly described as Telegram-based)

Okta-specific log signals to alert on

• New device or new network zone sign-ins for the same user within minutes of MFA confirmation
• High-frequency authentication attempts that align with "trial and adapt" behavior during a phone call
• Suspicious sequences: sign-in, immediate access to multiple apps, then export or bulk download behavior in downstream SaaS

Mitigations that actually reduce risk

1) Enforce phishing-resistant authentication for workforce access

Prioritize methods that remain resistant even when an attacker is actively coaching the victim:

• FIDO2 security keys
• Passkeys (phishing-resistant implementations)
• Okta FastPass

Treat SMS, voice calls, and push approvals as high-risk for targeted users.

2) Tighten access context, not just MFA

• Use network zones and tenant access controls to allowlist known corporate networks and managed egress
• Deny or step up authentication for anonymizers and suspicious ASNs
• Require managed or registered devices for access to sensitive apps

3) Remove the attacker's advantage over the phone

• Implement strict help desk identity verification and call-back procedures
• Establish a policy: no authentication changes initiated from inbound calls
• Provide a trusted internal workflow for passkey enrollment that never starts from a phone call

4) Reduce downstream blast radius

• Apply least privilege for Okta app assignments
• Limit export capabilities in critical SaaS platforms
• Monitor for abnormal bulk access and automate containment where possible

Closing

These intrusions are not "better phishing pages." They are real-time session orchestration with a human operator using tooling designed to defeat anything that is not truly phishing-resistant. If Okta is your front door, the defensive priority is equally clear: enforce phishing-resistant authentication, constrain where sign-ins can originate, and harden help desk processes so voice-based social engineering cannot steer users into approving attacker-controlled login flows.