On January 22, 2026, Okta privately warned CISOs about a surge in sophisticated vishing and Adversary-in-the-Middle (AiTM) phishing attacks targeting Okta Single Sign-On (SSO) accounts, affecting multiple organizations across critical sectors like Fintech, Wealth Management, and cryptocurrency platforms, as reported by BleepingComputer. These attacks bypass multi-factor authentication (MFA) to facilitate credential theft, data exfiltration, and subsequent extortion. This is not a flaw in Okta's infrastructure, but a direct attack on user interaction during the login process, enabled by advanced, custom phishing kits. We are seeing a significant escalation in social engineering prowess here.
What Happened
A new wave of highly sophisticated social engineering attacks began around January 22, 2026, using vishing and custom AiTM phishing kits against Okta, Google, and Microsoft identity providers, SecurityWeek reported. Threat actors, including the ShinyHunters extortion group, use these kits, often provided "as a service," to perform real-time session orchestration and bypass common multi-factor authentication (MFA) methods. Attackers first conduct reconnaissance to identify target employees, their applications, and IT support numbers, often spoofing helpdesk lines during subsequent vishing calls.
During the vishing call, which might impersonate IT staff offering passkey setup or other support, victims are directed to meticulously crafted AiTM phishing sites, according to Rescana. These sites, whose subdomains often contain words like "internal" or "my", mimic legitimate company login portals. The AiTM kits dynamically capture SSO credentials and Time-based One-Time Password (TOTP) codes, and even bypass push-based MFA with number matching by relaying the legitimate MFA challenge to the victim. Okta confirmed these phishing kits defeat push-based MFA. Stolen credentials and MFA codes are relayed to attackers in real time, often via a Socket.IO server, granting immediate access to connected applications.
Why It Matters
This campaign matters because it successfully neutralizes MFA, a cornerstone of modern identity security, through sophisticated social engineering and real-time proxying. The primary objective post-authentication is sensitive data exfiltration from connected applications, with Salesforce explicitly noted as a significant target for ShinyHunters. Following data theft, victim organizations face extortion demands, adding a financial and reputational layer of impact.
The targeting of highly regulated sectors like Fintech, Wealth Management, Financial Advisory, and cryptocurrency platforms, BleepingComputer reports, indicates attackers are going after high-value targets with access to critical financial and personal data. Okta's own Threat Intelligence notes these phishing kits defeat any form of MFA that is not phishing-resistant. The result is full session hijacking, capable of bypassing even advanced MFA.
Affected Scope & Remediation
Organizations relying on Okta, Google, or Microsoft for identity and access management are within the scope of these attacks, particularly those in the Fintech, Wealth Management, Financial Advisory, and cryptocurrency sectors, according to BleepingComputer. Given that this is not a vulnerability in a specific product version but rather a campaign exploiting human and process weaknesses, there are no software patches to apply. Remediation focuses squarely on strengthening identity verification and user training.
Deploy phishing-resistant MFA. This means moving beyond TOTP or push notifications to hardware-backed solutions like FIDO2 (e.g., YubiKey) or certificate-based authentication, Okta states. Implement stringent policies around MFA enrollment and recovery, ensuring that IT service desk personnel are trained to resist social engineering attempts, a known attack vector, according to Okta.
Enhanced security awareness training is crucial. Employees need to be educated about the tactics, techniques, and procedures (TTPs) of vishing and AiTM phishing. This includes recognizing spoofed phone numbers, suspicious URLs (even those mimicking internal portals), and unexpected requests for credentials or MFA codes. Organizations should also consider implementing endpoint detection and response (EDR) solutions like CrowdStrike Falcon to detect anomalous activity post-compromise. Audit all SSO application logs for unusual access patterns, especially from new IP addresses or devices, and enforce strict conditional access policies based on device posture and location.
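As an added example (not code from the original report, Okta, or any vendor), a small Python audit over constructed, simplified System Log-style events that implements two of the checks above: a successful session start from an IP the user has never used, and two sessions for the same user from different IPs within a short window. The field names are an assumption modelled on Okta's System Log schema, and the baseline, events and addresses are fabricated.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Okta System Log-like shape (field names are
# an assumption modelled on that schema; the records and addresses are fabricated).
SAMPLE_LOG = """\
{"published":"2026-01-22T14:01:05Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","device":"Computer"}}
{"published":"2026-01-22T14:01:40Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","device":"Computer"}}
{"published":"2026-01-22T14:03:12Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77","device":"Unknown"}}
{"published":"2026-01-22T15:20:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.5","device":"Computer"}}
"""

# Constructed baseline of IPs previously seen per user (in practice built from prior weeks of logs).
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"192.0.2.5"}}
CONCURRENT_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_sessions(events, known_ips, window=CONCURRENT_WINDOW):
    """Return alerts for successful session starts from unknown IPs and for
    sessions of the same user from two different IPs within `window`."""
    alerts = []
    recent = defaultdict(list)  # user -> [(time, ip)] of successful session starts
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev["eventType"] != "user.session.start" or ev["outcome"]["result"] != "SUCCESS":
            continue
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if ip not in known_ips.get(user, set()):
            alerts.append(("new_ip_session", user, ip, ev["published"]))
        for prev_ts, prev_ip in recent[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                alerts.append(("concurrent_sessions", user, "%s,%s" % (prev_ip, ip), ev["published"]))
        recent[user].append((ts, ip))
    return alerts


if __name__ == "__main__":
    for alert in audit_sessions(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print(alert)
```

The 14:03 session for alice trips both rules, which is the pattern an AiTM relay produces: the identity provider sees the kit's address, not the victim's, while the victim's own session may still be live.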
Note: Since this is not a software vulnerability but a social engineering campaign, the typical "affected versions vs. patched versions" table is not applicable. Remediation centers on process, policy, and phishing-resistant authentication methods. No new CVEs related to this specific Okta campaign were added to CISA's Known Exploited Vulnerabilities catalog in the last 7 days from the report date (June 27, 2026).

Technical Breakdown
The technical sophistication of these AiTM attacks lies in their real-time proxying capabilities. When a victim accesses the phishing site, the AiTM kit acts as a transparent intermediary, forwarding the user's login request to the legitimate Okta, Google, or Microsoft authentication portal. The legitimate portal then sends its challenge (username, password, MFA prompt) back to the AiTM kit, which in turn presents it to the user. This means the user is interacting with a legitimate backend through a malicious front-end.
For example, if the legitimate Okta portal requests a TOTP code, the AiTM kit passes that request to the user. When the user enters their TOTP, the kit captures it and immediately forwards it to Okta. To the user this looks like a seamless, legitimate login flow. This dynamic proxying bypasses even push-based MFA with number matching because the AiTM kit presents the legitimate number-matching prompt from the identity provider. It is, in effect, a man-in-the-middle attack on the authentication session itself.
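To show why phishing-resistant MFA survives this proxy while TOTP and push do not, here is an added Python example (not Okta's code or any real relying-party implementation) of the origin-binding checks a WebAuthn relying party performs. The relying-party ID, origin and the constructed clientDataJSON/authenticatorData values are assumptions for illustration; signature verification is omitted.

```python
import hashlib
import json

# Assumed relying-party identity for this example (not Okta's real values).
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Check the origin-binding fields of a WebAuthn assertion (signature check omitted).
    The browser stamps `origin` into clientDataJSON and the authenticator puts
    SHA-256(rpId) in the first 32 bytes of authenticatorData; a relayed TOTP or push
    approval carries no equivalent binding, which is what the AiTM proxy exploits."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence not asserted"
    return True, "ok"


def make_client_data(origin, challenge):
    """Constructed clientDataJSON as the browser at `origin` would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, flags=0x05, counter=1):
    """Constructed authenticatorData: rpIdHash || flags || 4-byte signature counter."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + counter.to_bytes(4, "big"))


if __name__ == "__main__":
    challenge = "constructed-challenge-123"
    # Genuine login at the real portal.
    print(verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                   make_authenticator_data(EXPECTED_RP_ID), challenge))
    # Same ceremony run through a look-alike proxy domain: the browser records the phishing
    # origin and the authenticator hashes the phishing RP ID, so the IdP rejects it.
    phish = "my.example-login.net"
    print(verify_assertion_binding(make_client_data("https://" + phish, challenge),
                                   make_authenticator_data(phish), challenge))
```

In practice the authenticator would not even find a credential scoped to the look-alike domain, so the ceremony fails on the client before any response reaches the proxy.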
The attack maps to several MITRE ATT&CK techniques:
- T1566.004 Spearphishing Voice: The initial contact via vishing calls, impersonating IT staff, guiding victims to phishing sites, as noted by Rescana.
- T1078 Valid Accounts: Once credentials and MFA tokens are stolen, attackers use them to authenticate as legitimate users, gaining access to connected SSO applications like Salesforce, BleepingComputer reports.
- T1567 Exfiltration Over Web Service: Data stolen from applications like Salesforce is then exfiltrated, likely using legitimate web service calls or APIs, for subsequent extortion, CybersecurityDive notes.
Relevant NIST SP 800-53 controls include:
- IA-2 Identification and Authentication (Organizational Users): Emphasizes proper authentication mechanisms for users, which these attacks directly undermine by subverting the authentication process itself.
- IA-5 Authenticator Management: Highlights the need for strong authenticator management, including the use of phishing-resistant MFA to prevent credential theft.
Historical Context
This current campaign represents an evolution of social engineering tactics against Okta's ecosystem, not an isolated incident. A notable precursor was the 0ktapus campaign in August 2022, reported by SecurityWeek. That campaign also leveraged phishing to steal credentials and MFA codes from over 130 organizations, though it used far more basic phishing kits and often relied on SMS phishing rather than sophisticated vishing and AiTM. The similarity lies in targeting Okta SSO users through social engineering to bypass MFA.
The key difference is the technical sophistication of the current AiTM kits. The 0ktapus campaign's tools were simpler, often relying on users manually entering codes, whereas the current kits actively proxy the entire authentication flow, making them much harder for users to detect. We also saw the Lapsus$ Group breach in early 2022 and the Okta Support System Breach in October 2023, both involving social engineering and aiming for session token or credential theft through third parties or support channels, Okta confirms. This consistent focus on human and process vulnerabilities highlights an ongoing challenge for identity providers.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| Campaign Start | January 22, 2026 | BleepingComputer |
| Identity Providers Targeted | 3 | SecurityWeek |
| Targeted Sectors | 4+ | BleepingComputer |
| Past Okta Campaigns (similar) | 5+ | SecurityWeek |
| Primary Data Exfil Target | 1 (Salesforce) | CybersecurityDive |
| Threat Actors Identified | 1 (ShinyHunters) | CybersecurityDive |

The CVEDaily Take
The current vishing and AiTM campaign against Okta SSO accounts showcases a critical inflection point: reliance on any MFA short of FIDO2-level phishing resistance is increasingly untenable for high-value targets. Organizations need to assess their identity postures immediately, prioritizing hardware-backed MFA and continuous, scenario-based social engineering training. We believe the "as a service" model for these sophisticated AiTM kits significantly lowers the barrier to entry for less skilled threat actors, increasing the overall volume and success rate of these attacks. This means organizations can expect to face these threats more frequently.
Have you audited your high-privilege accounts for phishing-resistant MFA adoption this quarter?
FAQ
Q: What is the primary method attackers are using to bypass MFA in these Okta SSO attacks?
A: Attackers are using sophisticated Adversary-in-the-Middle (AiTM) phishing kits combined with vishing (voice phishing) calls. The AiTM kits act as a real-time proxy, presenting legitimate authentication prompts from Okta, Google, or Microsoft to the victim while capturing their credentials and MFA codes (including TOTP and push-based MFA responses) before forwarding them to the actual identity provider.
Q: Are these attacks exploiting a vulnerability in Okta's software or infrastructure?
A: No, the attacks do not exploit a vulnerability in Okta's software or infrastructure. Instead, they exploit the real-time user interaction during the login process and leverage social engineering tactics to trick users into providing their credentials and MFA responses to a malicious, proxying site, as Okta confirmed.
Q: What specific types of organizations are being targeted by these attacks?
A: Multiple organizations across high-value and regulated sectors are being targeted, including Fintech, Wealth Management, and Financial Advisory services, as well as cryptocurrency platforms, according to BleepingComputer. Attackers are specifically interested in exfiltrating sensitive data from connected applications like Salesforce for extortion purposes.