- Attackers now call support services instead of sending phishing emails to hack networks.
- Imposters pose as executives to manipulate support teams into resetting MFA settings.
- Personal information collected from LinkedIn makes the deception more convincing for callers.
Attackers are no longer trying to break into corporate networks through phishing emails or malware, but are now targeting IT help desks through bizarre, direct phone calls.
These calls come from impostors posing as executives or staff, attempting to manipulate support teams into resetting multi-factor authentication settings or registering new authentication devices.
To make the deception more convincing, callers rely on personal information gleaned from platforms like LinkedIn, company websites, and past breach data.
The deception behind seemingly legitimate requests
They often invent urgent situations, claiming to be traveling abroad and demanding immediate access to locked accounts, including resetting multi-factor authentication.
In some cases, the same attacker makes bizarre, repeated calls, changing their voice or identity each time to improve their chances of success.
Meanwhile, the real leader remains at his desk, completely unaware that someone is actively impersonating him.
This isn’t just account theft: it’s real-time identity theft, carried out over the phone.
This technique, known as Okta vishing, is a form of voice phishing, and once the identity provider is compromised, attackers gain immediate access to the downstream applications connected via single sign-on, including Microsoft 365, SharePoint, Salesforce, and Slack.
As the attack continues, common excuses include “I have a new phone and can’t access Okta” or “My MFA keeps failing and I have a client meeting in ten minutes.”
The attacker creates urgency to pressure support staff to bypass standard verification procedures.
Several factors contribute to the growing success of Okta vishing attacks, all of which stem from the nature of help desks.
Help desks are incentivized to quickly resolve access issues, remote work environments standardize authentication troubleshooting, and employee information is easily obtained online.
Attackers can convincingly impersonate executives because organizational charts and reporting structures are often publicly available.
As identity providers become the central control plane for access to software as a service, they have become a primary target.
Once authenticated with Okta, attackers inherit the trust relationships between all connected applications without exploiting each one individually.
Post-compromise behaviors frequently include downloading SharePoint data, exporting emails, creating inbox rules, registering OAuth applications, and generating API tokens.
In many cases, an Okta compromise quickly escalates into a cloud data theft rather than a traditional account takeover.
Technically, Okta's MFA works as designed, but it fails when humans are socially engineered into weakening the authentication protections themselves.
Unfortunately, regular antivirus software can’t detect a phone call, and a firewall won’t block a convincing voice on the line.
Security teams should monitor for MFA reset events that lack clear justification, and for new device enrollments followed by suspicious activity.
Any login attempts from unknown ASNs immediately after MFA changes should also be treated as a red flag.
Via Blue Level