Hackers are using voice-based social engineering to bypass multi-factor authentication (MFA) protections and steal Okta single sign-on (SSO) credentials, according to recent reporting and a new threat advisory from the identity provider.
Recently, BleepingComputer reported that attackers posing as IT support staff used vishing calls and real-time adversary-in-the-middle infrastructure to capture Okta SSO credentials and one-time passwords during live login sessions, activity that Okta later said it had “detected and dissected” through its threat intelligence investigations.
Okta, an enterprise identity and access management provider, said the activity involved custom phishing kits designed to support live caller-led attacks, where a caller can control what a victim sees in a browser while walking them through login prompts.
Multi-factor authentication (MFA) is a security measure that requires users to provide an additional verification step beyond a password, such as a code or mobile approval.
Okta said the kits can “defeat any form of MFA that is not phishing-resistant,” because the attacker can synchronize on-screen prompts with instructions delivered over the phone.
The firm’s threat intelligence team described the kits as “as-a-service” tooling aimed at major identity providers including Google, Microsoft and Okta, plus some cryptocurrency platforms.
How the kits bypass MFA without exploiting Okta
The attacks did not exploit a flaw in Okta's infrastructure but abused real-time user interaction during login, according to the firm.
It said that the core capability is client-side scripting that lets an attacker swap screens in real time as the legitimate service presents MFA challenges, creating a convincing “support” flow that harvests credentials and one-time codes.
Okta said a typical sequence starts with reconnaissance (names, apps in use, real IT phone numbers), followed by a spoofed helpdesk call that steers the target to a tailored phishing site.
When the victim enters credentials, Okta said they can be auto-forwarded to the attacker (including via Telegram), while the attacker tests the real login and updates the phishing pages live to match whatever MFA prompt appears.
The technique is best understood as vishing-assisted adversary-in-the-middle (AiTM) phishing, where vishing is voice phishing.
A caller guides the victim through a login while a reverse-proxy site relays the session to the real service, capturing credentials and MFA approvals, which is why CISA and NIST both emphasize phishing-resistant authenticators such as FIDO-based methods for higher-assurance access.
Why push-based MFA fails in these attacks
According to the firm, push with number-matching, where a user receives a login prompt on their device and must approve a displayed number to complete sign-in, is still not phishing-resistant.
This is mainly because a human caller can simply instruct the user to approve a matching number while the phishing kit renders a matching screen.
Okta’s recommended mitigations include Okta FastPass and FIDO-based passkeys. These are authentication methods that rely on device-bound cryptographic credentials rather than passwords or one-time codes.
Alongside these, controls like network zones or tenant access control lists to restrict logins from anonymizing infrastructure are recommended.
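The following is an added illustration, not code from Okta or from the article, of why the two factor types above behave differently under a relayed login: a number-matching check only compares the number the user approved with the one the real service displayed, so a caller reading it aloud makes the relay succeed, while a passkey assertion is scoped to the relying-party ID the browser is actually on and is verified against the expected origin and rpIdHash. The relying-party ID, the look-alike proxy origin and the HMAC standing in for the device-bound signature are all constructed assumptions.

```python
import hashlib, hmac, json, os
RP_ID = "login.example.com"                  # constructed relying-party ID (assumption)
PHISH_ORIGIN = "https://login-example.net"   # constructed AiTM proxy origin (assumption)
# A real passkey signs with a device-bound private key; an HMAC key stands in
# for that signature here so the example runs with the standard library only.
CREDENTIALS = {RP_ID: os.urandom(32)}        # passkeys are scoped to the rpId

def authenticator_sign(browser_origin, challenge):
    """Browser + authenticator: rpId is taken from the origin the browser is really on."""
    rp_id = browser_origin.split("://", 1)[1]
    key = CREDENTIALS.get(rp_id)
    if key is None:                          # no credential registered for this origin
        return None
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}).encode()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash,
            "sig": hmac.new(key, signed, "sha256").digest()}

def rp_verify(assertion, expected_challenge):
    """Relying-party checks in WebAuthn order: type, origin, challenge, rpIdHash, signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != f"https://{RP_ID}":
        return False
    if not hmac.compare_digest(bytes.fromhex(cd["challenge"]), expected_challenge):
        return False
    if not hmac.compare_digest(assertion["rp_id_hash"], hashlib.sha256(RP_ID.encode()).digest()):
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIALS[RP_ID], signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["sig"])

def number_match_relayed():
    """Push with number matching: the service only checks that the approved number
    equals the one it displayed, so a caller reading it aloud makes the relay pass."""
    shown_on_real_login = 42
    approved_by_victim = shown_on_real_login   # victim approves what the caller says
    return approved_by_victim == shown_on_real_login

def passkey_direct():
    ch = os.urandom(32)
    return rp_verify(authenticator_sign(f"https://{RP_ID}", ch), ch)

def passkey_via_aitm_proxy():
    ch = os.urandom(32)                      # genuine challenge relayed by the proxy
    return rp_verify(authenticator_sign(PHISH_ORIGIN, ch), ch)
```

In a real browser the credential is never offered on the proxy's origin at all; the relying-party checks shown here are the second line that would reject the assertion even if one were produced.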
BleepingComputer reported that some campaigns have explicitly posed as IT staff offering to help users set up passkeys, then used adversary-in-the-middle infrastructure to capture Okta SSO credentials and time-based one-time passwords.
In one documented case, BleepingComputer said attacks were relayed in real time through a Socket.IO server previously hosted at a domain it identified.
Confirmed victim impact and the strategic enterprise risk
In the past two weeks, both Betterment and Crunchbase publicly disclosed incidents consistent with social-engineering-led access and subsequent data exposure.
Betterment said an unauthorized actor gained access on Jan. 9 “through social engineering” involving third-party platforms used for marketing and operations, and that customer information including names and contact details was accessed.
Crunchbase told SecurityWeek it detected an incident in which a threat actor “exfiltrated certain documents” from its corporate network and that it engaged experts and contacted law enforcement.
Separately, ShinyHunters told The Register it gained access to Crunchbase and Betterment by voice-phishing Okta single sign-on codes; neither company has publicly confirmed Okta was the access path.
Silent Push described the campaign it tracked as a “human-led” operation using “live phishing panels” to intercept credentials and MFA tokens in real time, and said it observed targeting across 100+ enterprises.
Google Mandiant Consulting CTO Charles Carmakal told BankInfoSecurity the campaign is “active and ongoing,” and said an actor identifying as ShinyHunters has approached some victim organizations with extortion demands after data theft.