Okta Threat Intelligence detected and dissected multiple "as-a-service" phishing kits built specifically for voice-based vishing attacks.

In a Jan. 22 blog post, Okta researchers said the vishing kits were being used by an increasing number of threat actors to target Google, Microsoft, Okta, and a range of cryptocurrency providers.

“Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages,” said Moussa Diallo, a threat researcher at Okta. “They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that’s not phishing-resistant.”

Adam Burt, head of research at Vorlon, said Okta’s warning represents another clear sign that vishing and phishing-based credential theft is getting more sophisticated and more common. Burt said attackers are no longer just stealing a password; they are guiding victims through MFA in real time to turn SSO into a direct path to data theft, and that the same pattern has been seen in recent Salesforce vishing campaigns tied to ShinyHunters.

“Assume that some identities will be compromised, and attackers will get internal access,” said Burt. “That’s why the focus has to move beyond spotting suspicious logins to monitoring behavior with data layer context, meaning what a legitimate identity actually does with sensitive data after authentication. If you can tie identity activity to sensitive data access and movement across SaaS, you can catch the theft even when the login looks normal.”

Heath Renfrow, co-founder and chief information security officer at Fenix24, added that what makes this wave of attacks so dangerous isn’t just that credentials are being stolen, but that identity itself has become the attack surface.

“Okta and other identity providers sit at the center of the enterprise,” said Renfrow. “If an attacker compromises SSO, they’re no longer breaking into a single system; they’re inheriting the user’s entire digital life: email, cloud consoles, SaaS platforms, source code, HR systems, financial apps — everything behind that identity becomes reachable in minutes. In real-world incidents, we routinely see this translate into rapid data exfiltration, privilege escalation, and in many cases, full ransomware deployment within hours.”

Renfrow pointed out that what’s new here is the fusion of social engineering and real-time technical exploitation. These vishing kits, he said, effectively collapse the gap between “convince the user” and “beat MFA.”

“The attacker is live on the phone, guiding the victim through what feels like a legitimate support interaction, while the phishing infrastructure mirrors the real log-in flow in real time,” said Renfrow. “MFA fatigue isn’t even required, since the victim is actively cooperating because the experience feels authentic.”

Noelle Murata, senior security engineer at Xcape Inc., said that these vishing-based adversary-in-the-middle attacks are particularly dangerous because they target identity systems when trust levels are at their peak. By integrating live voice manipulation with real-time phishing infrastructure, attackers can bypass traditional MFA and gain widespread access to cloud applications and data from a single Okta single sign-on (SSO) login.

“Once an identity is compromised, perimeter security measures become ineffective, classifying this as a high-impact threat rather than a typical phishing campaign,” said Murata. “The extensive reconnaissance involved also highlights the industrialized and targeted nature of contemporary social engineering. Security teams need to counter this by prioritizing phishing-resistant MFA solutions.”

Fenix24’s Renfrow offered three steps teams can take to counter these identity-based attacks:
- Treat identity as Tier 0 infrastructure: Protecting endpoints and networks is no longer sufficient if attackers can socially engineer identity in real-time. Access to IdP platforms should be tightly segmented, heavily monitored, and gated with phishing-resistant MFA such as FIDO2 or hardware-backed keys.
- Evolve security awareness beyond the basics: Awareness training has to evolve beyond “don’t click links.” We must train employees that IT will never ask them to authenticate during a live call. Users should treat as “hostile-by-default” any request to log in, reset MFA, or provide codes over the phone.
- Assume breach for detection and response: These attacks compress dwell time to minutes. Security teams need real-time telemetry on anomalous identity behavior like impossible travel, new device enrollment, sudden privilege changes, mass SaaS access, and the authority to immediately suspend identities when something looks wrong.
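The real-time identity telemetry called for in the third step, as an added illustration that is neither the article's nor Okta's own code: a small Python detector that runs over constructed login and MFA-enrollment events (a simplified record format, not Okta's System Log schema) and flags impossible travel, a first-seen device, and an MFA enrollment that follows a new-device login within a short window. The event names, the 900 km/h speed ceiling and the 30-minute enrollment window are assumptions chosen for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample identity events in a simplified format (not Okta's System
# Log schema). Alice's second login is far from her first, on an unseen device,
# and is followed minutes later by an MFA enrollment: the trail a "support" MFA
# reset leaves when it is being walked through live over the phone.
EVENTS = [
    {"ts": "2025-01-22T09:00:00", "user": "alice", "event": "login.success",
     "lat": 40.71, "lon": -74.01, "device": "laptop-1"},
    {"ts": "2025-01-22T09:40:00", "user": "alice", "event": "login.success",
     "lat": 52.52, "lon": 13.40, "device": "unknown-7"},
    {"ts": "2025-01-22T09:45:00", "user": "alice", "event": "mfa.factor.enroll",
     "lat": 52.52, "lon": 13.40, "device": "unknown-7"},
    {"ts": "2025-01-22T10:00:00", "user": "bob", "event": "login.success",
     "lat": 51.51, "lon": -0.13, "device": "laptop-2"},
    {"ts": "2025-01-22T15:00:00", "user": "bob", "event": "login.success",
     "lat": 48.86, "lon": 2.35, "device": "laptop-2"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events, max_speed_kmh=900.0, enroll_window_min=30):
    """Return (user, rule, timestamp) alerts for impossible travel, new-device
    login, and MFA enrollment shortly after a new-device login (assumed thresholds)."""
    alerts, last_login, seen_devices, new_device_at = [], {}, {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["event"] == "login.success":
            prev = last_login.get(user)
            if prev is not None:  # compare against the user's previous login
                hours = (ts - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                if hours > 0 and km / hours > max_speed_kmh:
                    alerts.append((user, "impossible_travel", ev["ts"]))
            devices = seen_devices.setdefault(user, set())
            if devices and ev["device"] not in devices:  # first login is baseline
                alerts.append((user, "new_device", ev["ts"]))
                new_device_at[user] = ts
            devices.add(ev["device"])
            last_login[user] = ev
        elif ev["event"] == "mfa.factor.enroll":
            since = new_device_at.get(user)
            if since and (ts - since).total_seconds() <= enroll_window_min * 60:
                alerts.append((user, "mfa_enroll_after_new_device", ev["ts"]))
    return alerts
```

Each alert is a candidate for the immediate suspension the third step describes; in a deployment the geolocation would come from the IdP's IP enrichment and the events from its log export rather than from the inline sample.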