Social Engineering Attackers Target Okta’s Single Sign-On System


ShinyHunters Campaign Utilizes Voice Phishing to Circumvent MFA and Compromise Corporate Data

Image: Oleksandr Yashchuk/Shutterstock

Security experts are advising customers of identity provider Okta who use its single sign-on (SSO) services to remain vigilant amid a series of targeted attacks aimed at accessing corporate networks, extracting sensitive data, and demanding ransoms.

In recent days, Okta has cautioned its customers about a surge in social engineering attacks linked to the cybercrime group ShinyHunters. In these attacks, criminals have used sophisticated voice phishing tactics to defeat multifactor authentication (MFA) measures, threatening to expose corporate data if their demands go unmet.

Charles Carmakal, CTO of Google’s Mandiant Consulting, noted that this ongoing operation has already compromised numerous victims, with ShinyHunters directly issuing extortion demands post-breach. He emphasized the operational nature of these attacks, highlighting the real-time interactions criminals engage in, utilizing advanced phishing toolkits that replicate legitimate login pages to deceive users.

According to threat intelligence firm Silent Push, these campaigns represent a high-interaction voice phishing operation—often referred to as ‘vishing’—that effectively bypasses robust MFA configurations. Human actors are leveraging ‘live phishing panel’ technologies to infiltrate login sessions, capturing credentials and MFA tokens as attackers guide victims through a predetermined sequence of actions.

Once access is gained, the attackers typically move laterally within the organization, often using social engineering to target high-privilege administrators via internal communication platforms like Slack and Teams. They work to enroll themselves in the company's MFA system under various identities while prioritizing rapid data exfiltration for public extortion.

Research indicates that up to 150 organizations are presently in the crosshairs of this targeted campaign, supported by malicious infrastructure that emerged in December 2025. Custom domains have reportedly been registered for each target, facilitating credential theft and effective circumvention of MFA protocols.

This campaign predominantly focuses on organizations using Okta’s services, although the historical patterns of ShinyHunters suggest that their focus could expand to other SSO providers in the future, increasing the overall scope and impact of their activities.

The most effective defense against these sophisticated phishing attacks, which exploit no inherent vulnerabilities in vendor software, remains a strong MFA framework. Mandiant’s Carmakal advocates the adoption of phishing-resistant MFA solutions, such as FIDO2 security keys, and reinforcing strict application authorization policies, alongside diligent monitoring of logs for any unusual API activities.
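As an illustration of the log monitoring recommended above, the following added example (not code from Okta, Mandiant, or the article) flags an MFA factor enrollment that closely follows a sign-in from an IP address the user has not used before. It assumes events in Okta System Log JSON shape; the sample events, the per-user IP baseline, and the 30-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: tune to your environment

def _ev(ts, etype, user, ip, result="SUCCESS"):
    # Builds a constructed event using Okta System Log field names.
    return {"published": ts, "eventType": etype, "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "outcome": {"result": result}}

# Constructed sample data (documentation IP ranges, not real telemetry).
SAMPLE_EVENTS = [
    _ev("2026-01-20T09:00:00.000Z", "user.session.start", "alice@example.com", "198.51.100.7"),
    _ev("2026-01-20T09:05:00.000Z", "user.mfa.factor.activate", "alice@example.com", "198.51.100.7"),
    _ev("2026-01-20T10:00:00.000Z", "user.session.start", "bob@example.com", "203.0.113.50"),
    _ev("2026-01-20T10:04:00.000Z", "user.mfa.factor.activate", "bob@example.com", "203.0.113.50"),
    _ev("2026-01-20T11:00:00.000Z", "user.session.start", "carol@example.com", "192.0.2.9"),
    _ev("2026-01-20T13:00:00.000Z", "user.mfa.factor.activate", "carol@example.com", "192.0.2.9"),
]
# Assumed baseline of IPs each user normally signs in from.
KNOWN_IPS = {"alice@example.com": {"198.51.100.7"},
             "bob@example.com": {"198.51.100.8"},
             "carol@example.com": {"198.51.100.9"}}

def _ts(value):
    # Okta timestamps end in "Z"; normalise for datetime.fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flag_enrollments(events, known_ips, window=WINDOW):
    """Flag MFA factor activations within `window` of a sign-in from an unfamiliar IP."""
    new_ip_login = {}  # user -> (time, ip) of the latest sign-in from an unknown IP
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["published"])):
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        user, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        when = _ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if ip not in known_ips.get(user, set()):
                new_ip_login[user] = (when, ip)
        elif ev["eventType"] == "user.mfa.factor.activate" and user in new_ip_login:
            login_time, login_ip = new_ip_login[user]
            if when - login_time <= window:
                alerts.append({"user": user, "login_ip": login_ip,
                               "enrolled_at": ev["published"]})
    return alerts

if __name__ == "__main__":
    for alert in flag_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In the constructed data only the second user is flagged: the first enrolls from a familiar address, and the third enrolls two hours after the unfamiliar sign-in, outside the window.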

Organizations are urged to inform their employees about the active nature of this threat, communicate potential scenarios of engagement, and provide secure channels for verifying communications with legitimate IT departments. Prompt reporting of any suspicious activities to management and security teams could prove critical in mitigating risks associated with these ongoing attacks.

Emerging from a predominantly Western, youthful cybercrime landscape, ShinyHunters represents a collection of individuals executing telephone-based vishing operations under various banners. Organizations that fall victim to this campaign should prepare for ongoing extortion attempts in which the attackers use previously compromised data to mount further assaults. Allison Nixon of threat intelligence group Unit 221B warns that paying these criminals is ineffective, as they typically do not honor their promises, reinforcing the need for robust incident response strategies.
