How Vishing Attacks Bypass Okta MFA: Defense Guide for 2026

Written by Brightside Team. Published on Feb 6, 2026.
Single sign-on platforms like Okta have become the backbone of modern enterprise security. One login gets you into dozens of apps—your email, Salesforce, Slack, and more. It's convenient. It's efficient. And right now, it's under attack.
A threat group called ShinyHunters has been running a sophisticated vishing campaign that's already compromised major companies including Crunchbase, SoundCloud, and Betterment. They're not just sending fake emails and hoping someone clicks. They're calling your employees, walking them through fake login pages, and stealing credentials in real time—all while your traditional MFA watches helplessly from the sidelines.
The campaign, tracked as O-UNC-037, has been active since at least October 2025. What makes it dangerous isn't just the technical sophistication. It's the psychology. Attackers research their targets, use employee benefits lures to create urgency, and manipulate victims over the phone while intercepting their authentication data. By the time the call ends, they've already logged into your systems.
What Is Vishing and Why Should CISOs Care?
Vishing stands for voice phishing. Unlike traditional phishing that relies on emails alone, vishing adds a human element: a phone call. The attacker talks to the victim, guiding them through the attack in real time. This direct interaction lets them adapt on the fly, answer questions, and build trust in ways that static emails can't match.
ShinyHunters is the confirmed group behind the recent wave of Okta-targeted attacks. They've published stolen data from at least three major victims after failed extortion attempts: over 20 million records from Betterment, 30 million from SoundCloud, and 2 million from Crunchbase—including databases, signed contracts, and corporate data. According to their own communications, more victims are coming.
The O-UNC-037 campaign primarily targets technology and industrial supply organizations. It uses adversary-in-the-middle techniques to intercept authentication flows, capturing not just passwords but also MFA codes and session tokens. For organizations using Okta for single sign-on, the attack escalates to a second stage, redirecting victims to a malicious replica of the Okta login page that steals SSO credentials and session cookies.
This matters because Okta acts as a gateway. Once authenticated, users access a dashboard listing all their company's connected services. They can click and get into Microsoft 365, Google Workspace, Salesforce, Zoom, Atlassian Jira—the list goes on. One compromised Okta session gives attackers lateral access to every federated application your organization uses.
Why SSO Credentials Are the Keys to the Kingdom
Think of Okta SSO as the master key to your organization's digital infrastructure. Employees log in once, and then they're trusted across platforms. No need to remember multiple passwords. No friction. But that convenience creates a single point of failure.
When attackers steal Okta credentials, they inherit all that trust. They can browse the victim's SSO dashboard and see exactly which platforms they have access to. From there, it's a shopping trip. Need customer data? Hit Salesforce. Want internal communications? Check Slack. Looking for financial records? Coupa and similar finance tools are right there.
ShinyHunters knows this. In one communication sent to a victim, they explained their process: "We then looked through various apps on the employee's Okta dashboard that they had access to looking for ones that dealt with sensitive information. We mainly exfiltrated from Salesforce due to how easy it is to exfiltrate data from Salesforce."
They even offered advice: stray away from Salesforce and use something else. The brazenness is striking, but it reveals their methodology. They're not breaking into systems through technical vulnerabilities. They're walking through the front door using stolen credentials, and the SSO architecture makes every connected application immediately accessible.
The real-world impact shows in the numbers. Betterment lost over 20 million records containing personally identifiable information. SoundCloud's breach exposed 30 million records. Crunchbase saw 2 million records compromised, including sensitive corporate documents. Each breach originated from a single compromised SSO credential.
The domino effect is what keeps CISOs up at night. One successful vishing call doesn't just compromise one account. It compromises every application tied to that account. Your security perimeter isn't at the edge of your network anymore. It's sitting in your employees' ability to recognize a fake IT support call.
How the O-UNC-037 Vishing Campaign Actually Works
The attack unfolds in five stages, each designed to bypass a different layer of defense. Understanding this progression helps you spot where your own controls might fail.
Stage 1: The HR-Themed Email Lure
It starts with an email that looks legitimate. Subject lines include the victim's name for personalization: "[Your Name]! Employee Benefits Alert - New Changes Effective Now" or "[Your Name]! You've received a secure message from HR Department." The sender appears to be ADP Benefits or your company's secure mail system.
Judging by their visual quality and convincing tone, these emails are likely generated with large language models. Some campaigns abuse legitimate third-party email marketing platforms through compromised accounts, giving the emails clean sender reputations that slip past email security gateways.
The lure exploits a universal truth: employees care about their benefits. Changes to health insurance, retirement contributions, or compensation create urgency. People click without thinking because it feels relevant and time-sensitive.
Stage 2: Redirector Domains and the CAPTCHA Gatekeeper
The email contains a link to a newly registered domain like benefits-alerts.com or goto365.link. These redirector domains have no negative reputation history, so they sail through most email filters.
When you click, you first see a page titled "Security Verification" with a genuine Cloudflare CAPTCHA. This serves two purposes. It looks legitimate—who expects a phishing site to use real security checks? And it blocks automated security scanners from analyzing the phishing infrastructure. Bots can't easily solve CAPTCHAs, so threat intelligence tools often miss these sites until they've claimed multiple victims.
After completing the CAPTCHA, you see a brief splash screen themed around employee benefits. "Loading your secure document" or similar messages flash by. It's theatre, building anticipation and legitimacy before the real attack begins.
Stage 3: The Fake Microsoft Login and AiTM Magic
Now you're looking at what appears to be a standard Microsoft login page. Enter your email address and password. Seems normal.
But behind the scenes, something sinister is happening. The phishing site isn't just collecting your credentials. It's sitting between you and the real Microsoft server, intercepting every piece of data that flows back and forth. This is called adversary-in-the-middle, or AiTM.
When you type your password, the fake site captures it and simultaneously tries to log into the real Microsoft portal using your credentials. If Microsoft sends back an MFA challenge—a text message code or a push notification—the attackers see it instantly. The fake site updates to show you the same MFA prompt. You enter your code thinking you're authenticating normally. The attackers capture that code and use it to complete their own login session.
At the end of this process, the attackers have your username, your password, your MFA code, and most importantly, your session token. That token is your authenticated session—proof that you successfully logged in. With it, attackers can access your account without needing your password again. Traditional MFA becomes useless because the attack happens in real time, before the codes expire.
Stage 4: The FederationRedirectUrl Interception
For organizations using Okta for identity federation, the attack gets more sophisticated. When you enter an email address from a federated domain, Microsoft's real login portal normally returns a JSON response containing a "FederationRedirectUrl" that points to your company's Okta tenant.
The O-UNC-037 phishing kit intercepts this response with JavaScript. The script monitors fetch responses from the server, inspects them for keys like FederationRedirectUrl or AuthURL, and checks if the URL points to a legitimate Okta domain (.okta.com, .oktapreview.com, etc.). When it finds one, the script dynamically replaces the legitimate Okta URL with a malicious one—something like sso.oktacloud.io or sso.okta-access.com.
The modified response gets passed back to your browser. You're seamlessly redirected to what looks like your company's Okta login page. It has your organization's branding. The URL seems plausible. You enter your SSO credentials.
But you're actually on a second phishing page that's relaying everything to the attacker's servers. This second-stage AiTM captures your Okta username, password, any additional MFA codes, and the resulting session cookie. With that Okta session cookie, attackers can access your SSO dashboard and see every application you're authorized to use.
Some of these second-stage domains are hosted on Cloudflare Workers, a serverless platform that provides easy scalability and makes takedowns more complicated. Domains like sso.okta-proxy.workers.dev and okta.undermine.workers.dev have been observed in active campaigns.
Stage 5: The Vishing Call
The phone call is what transforms this from a good phishing kit into a devastating social engineering attack. While you're on the fake login page, an attacker calls you. They claim to be from IT support. They say they're helping you set up passkeys for Okta SSO, or they need to verify your identity after detecting suspicious activity.
The phishing kit includes a command-and-control panel that gives the caller real-time control over what you see in your browser. When the legitimate service sends an MFA challenge, the attacker can select dialog options that instantly update the phishing page to match. If you get a push notification with number matching, the attacker tells you which number to select, making the fake request appear legitimate.
"Can you tap the number 67 on your screen? Great, that verifies it's really you." You tap 67. The attacker taps 67 on the real login. You've just authenticated them.
Credentials and MFA codes get exfiltrated to an API endpoint or relayed through Telegram channels operated by the threat actors. By the time you hang up feeling helpful, they're already browsing your Okta dashboard looking for high-value applications like Salesforce or financial management tools.
The Phishing Kit Behind the Campaign
The O-UNC-037 infrastructure shows signs of being a Phishing-as-a-Service platform or at minimum a highly configurable kit shared among multiple threat actors. The evidence is in the URL structure.
Phishing URLs contain a "ht" parameter with a Base64-encoded JSON object. When decoded, this reveals campaign tracking data including a campaign_id for unique identification, a hop_template that dynamically loads different lures like "benefits," timestamps for created and expires to enforce time-limited access, and usage counters like max_uses and uses for operational control.
This structure enables sophisticated campaign management. Attackers can track which email templates generate the highest click rates. They can swap out phishing pages instantly if one gets taken down, without redeploying the entire infrastructure. Different threat actors can use the same kit with custom branding and lures, which explains why similar campaigns target different industries using identical techniques but separate infrastructure.
The professionalization of cybercrime is on full display. You don't need to be a technical expert anymore. You rent a phishing kit, load your target list, pick a lure theme from a template library, and launch. The backend handles tracking, access control, and even the AiTM proxy setup. It's point-and-click crime at scale.
Why Your MFA Isn't Protecting You
Organizations often believe that multi-factor authentication solves the phishing problem. If someone steals a password, they still can't get in without the second factor, right?
That's true for static phishing pages. But AiTM attacks bypass this protection entirely. When the phishing site intercepts your authentication in real time, it captures the MFA code while it's still valid. SMS codes typically expire in 5-10 minutes. One-time passwords from authenticator apps last 30 seconds. The attackers aren't trying to use old codes later. They're using them immediately, within seconds of you entering them.
Push notifications with number matching fall to the vishing component. The caller tells you which number to select. You think you're confirming your own login attempt. Actually, you're confirming theirs.
Session cookies are even worse. Once the attackers steal an authenticated session token, they can replay that session without needing credentials at all. They import the cookie into their browser, and suddenly they're logged in as you. No password required. No MFA challenge. The system thinks they're you because they have the cryptographic proof of your authenticated session.
Post-compromise, the O-UNC-037 campaign shows authentication attempts from Cloudflare IP addresses (AS13335). Attackers don't even bother hiding their infrastructure because session replay is so effective.
The only defenses that work are phishing-resistant MFA methods. These include FIDO2 security keys, WebAuthn, smart cards, and platform-specific solutions like Okta FastPass. These methods bind authentication to the legitimate domain, making interception technically impossible. The cryptographic challenge-response happens directly between your device and the real server, with no way for a fake site to insert itself into the flow.
How to Defend Your Organization
Traditional defenses aren't enough. You need a layered approach that assumes attackers will reach your employees and focuses on making successful authentication theft as difficult as possible.
Deploy phishing-resistant authentication. This is non-negotiable. Enroll users in Okta FastPass, FIDO2 WebAuthn, or smart cards. Enforce phishing resistance in your authentication policies, especially for administrative accounts and access to sensitive applications. Yes, it requires hardware tokens or device registration. The friction is worth it compared to the alternative.
Restrict access based on device and network context. Use Okta app sign-on policies to require managed devices protected by endpoint security tools. If an attacker steals credentials but tries to log in from an unmanaged laptop, block them. Require registered devices using Okta FastPass that exhibit indicators of essential hygiene—updated operating systems, active antivirus, disk encryption enabled.
Configure Okta Network Zones to deny or step-up authentication for rarely-used networks, known anonymizing proxies, and suspicious Autonomous System Numbers. When attackers authenticate from Cloudflare hosting infrastructure, that's an indicator worth blocking or challenging with additional verification.
Enable behavioral detection and session controls. Use Okta Behavior and Risk evaluations to flag requests that deviate from established user patterns. If someone who normally logs in from New York between 9 AM and 6 PM suddenly authenticates from Romania at 3 AM, that should trigger a challenge or automatic denial.
Apply IP Session Binding to all administrative applications. This prevents stolen session cookies from being replayed from different IP addresses. If the session was created from one location, it can't be used from another. Enable Protected Actions to force re-authentication whenever an administrative user attempts sensitive operations like password resets or permission changes.
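The two signals called out above and in the "Why Your MFA Isn't Protecting You" section (a session replayed from a different IP, and successful logins from Cloudflare AS13335) can be checked against Okta System Log exports before the policy controls are in place. This is an added example, not code from the article or from Okta: the events are constructed in the System Log record shape, with RFC 5737 test addresses and documentation ASN 64496, and the JSONL input format is an assumption.

```python
import json
import sys

# AS13335 (Cloudflare) is the hosting ASN the article reports for post-compromise
# logins. Extend with other hosting/anonymizing ASNs your Network Zones already deny.
HOSTING_ASNS = {13335: "Cloudflare"}

# Constructed sample events in the shape of Okta System Log records. IPs are from the
# RFC 5737 documentation ranges; ASN 64496 is a documentation ASN.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2026-01-20T14:02:11.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "j.doe@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "securityContext": {"asNumber": 64496, "asOrg": "Example ISP"},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    # Normal follow-on SSO from the same origin: must not fire.
    {"eventType": "user.authentication.sso", "published": "2026-01-20T14:05:40.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "j.doe@example.com"},
     "client": {"ipAddress": "203.0.113.10"},
     "securityContext": {"asNumber": 64496, "asOrg": "Example ISP"},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    # Same session cookie used minutes later from a Cloudflare-hosted address.
    {"eventType": "user.authentication.sso", "published": "2026-01-20T14:09:03.000Z",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "j.doe@example.com"},
     "client": {"ipAddress": "198.51.100.7"},
     "securityContext": {"asNumber": 13335, "asOrg": "Cloudflare"},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    # Failed attempt: ignored, the rules only consider successful authentications.
    {"eventType": "user.session.start", "published": "2026-01-20T14:10:00.000Z",
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "k.lee@example.com"},
     "client": {"ipAddress": "198.51.100.8"},
     "securityContext": {"asNumber": 13335, "asOrg": "Cloudflare"},
     "authenticationContext": {"externalSessionId": "sess-B"}},
]


def find_session_anomalies(events: list[dict]) -> list[dict]:
    """Two detections over successful events, in publish order.

    session-ip-change: one externalSessionId seen from a different IP or ASN than it
                       started on (the replay pattern IP Session Binding is meant to stop).
    hosting-asn-auth:  any success from an ASN listed in HOSTING_ASNS.
    """
    origin_by_session: dict[str, tuple] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = ev.get("actor", {}).get("alternateId")
        ip = ev.get("client", {}).get("ipAddress")
        asn = ev.get("securityContext", {}).get("asNumber")
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if asn in HOSTING_ASNS:
            findings.append({"rule": "hosting-asn-auth", "user": user, "ip": ip,
                             "asn": asn, "asOrg": HOSTING_ASNS[asn], "at": ev["published"]})
        if not sid:
            continue
        origin = origin_by_session.setdefault(sid, (ip, asn))
        if origin != (ip, asn):
            findings.append({"rule": "session-ip-change", "user": user, "session": sid,
                             "from_ip": origin[0], "to_ip": ip, "to_asn": asn,
                             "at": ev["published"]})
    return findings


def load_jsonl(path: str) -> list[dict]:
    """Read one System Log event per line (JSONL is an assumed export format)."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    events = load_jsonl(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVENTS
    for finding in find_session_anomalies(events):
        print(json.dumps(finding))
```

A session-ip-change hit on an administrative account is exactly the case the IP Session Binding control is meant to block, so it doubles as a check that the policy is actually being enforced.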
Establish verification protocols for IT support calls. Document and enforce a standardized process for validating the identity of remote users who contact IT support, and vice versa. Train employees to hang up and call back on an official, published IT support number rather than using a number provided by the caller. Create a "verify, then trust" culture where unusual requests are questioned regardless of how legitimate they sound.
Train employees to recognize vishing indicators. Configure End User Notifications and Suspicious Activity Reporting in Okta so employees can easily flag suspicious activity. Train users to identify unexpected calls from "IT" about login issues, urgency around benefits or payroll, and any requests to enter credentials while on a call with someone claiming to be from support.
Run vishing simulations to test employee awareness. Reading about vishing in a training module is one thing. Actually receiving a fake call that uses your company's internal terminology and references real systems is another. Simulations build muscle memory that translates to real attacks.
Top Rated Platforms for Vishing Attack Prevention and Employee Training
Vishing simulations have become essential following the 442% surge in voice phishing attacks. Training employees to recognize social engineering tactics reduces the 95% of breaches caused by human error. The following platforms offer dedicated vishing capabilities tested against real-world attack patterns like the O-UNC-037 campaign.
Keepnet Labs
Keepnet Labs delivers fast, flexible vishing campaigns with extensive customization for different business environments. Security teams can upload their own voice recordings or leverage AI text-to-speech, schedule calls over specific days and hours, and track employee behavior in real time through interactive steps that simulate real-life attack interactions. The platform includes human risk scoring and industry-wide benchmarking, allowing CISOs to compare their organization's vishing susceptibility against sector peers.
Pros:
Rapid deployment with both pre-recorded and AI-generated voice options enables security teams to launch campaigns quickly in response to emerging threats like the O-UNC-037 campaign
Granular scheduling controls let admins target specific departments during relevant timeframes, such as open enrollment periods when employee benefits lures are most effective
Real-time behavioral tracking shows exactly how employees respond during calls, identifying who hangs up immediately versus who engages with suspicious requests
Industry benchmarking provides context for vulnerability scores, helping CISOs demonstrate whether their organization is above or below sector averages for vishing resilience
Cost-effective pricing makes enterprise-wide deployment accessible for mid-market organizations compared to premium alternatives
Cons:
Initial learning curve for administrators unfamiliar with vishing simulation platforms, though comprehensive features justify the onboarding investment
Documentation on advanced features may require additional vendor consultation for complex deployment scenarios
Best for: Mid-market and enterprise organizations needing fast, flexible vishing deployment with strong benchmarking capabilities. Ideal for security teams that want granular control over campaign scheduling and real-time visibility into employee responses during active attacks.
Mirage Security
Mirage Security specializes in AI-powered vishing with deep focus on conversational realism. The platform creates natural phone conversations where the AI caller dynamically reacts to target responses in real time, simulating the exact manipulation techniques used in campaigns like O-UNC-037 where attackers walk victims through fake login pages. Advanced AI voice technology maintains accents, speech patterns, and natural pauses across multiple languages while supporting complex pretexts including MFA reset requests, supplier fraud scenarios, and executive impersonation.
Pros:
Highly realistic AI conversations adapt based on how targets respond rather than following predetermined scripts, mirroring the live manipulation where attackers control victims during active calls
Red-team-style exercises at scale allow security teams to test complex multi-step attacks like the federated SSO interception used against Okta users
Enterprise-grade voice technology integrates with specialist voice providers to maintain accents, speech patterns, and natural pauses across multiple languages for maximum realism
Support for advanced pretexts including the exact scenarios seen in real attacks like IT helpdesk calls offering to "set up passkeys," urgent MFA resets, and supplier verification requests
Enterprise scalability for organizations needing to test thousands of employees against coordinated vishing campaigns
Cons:
Specialized focus on voice-based attacks; organizations needing comprehensive email phishing simulation may require additional platforms
Best for: Enterprises conducting red-team exercises and security teams that need technically sophisticated vishing simulations to prepare for state-level or APT-style social engineering campaigns. Ideal for organizations already compromised by vishing attacks and requiring advanced testing capabilities.
Brightside AI
Brightside AI combines OSINT-powered digital footprint scanning with AI-driven vishing, phishing, and deepfake simulations. The platform scans employees' exposed data across six categories—personal information, data leaks, online services, interests, social connections, and locations—and uses this intelligence to create hyper-realistic attack scenarios that mirror what threat actors like ShinyHunters would find during reconnaissance. Unlike generic template-based training, Brightside's vishing simulations leverage GenAI to adapt conversations in real time, complete with custom voice cloning from 1-2 minute recordings and multi-language support.
Pros:
OSINT-driven personalization creates simulations using actual exposed employee data, making attacks feel as realistic as the O-UNC-037 campaign's reconnaissance-heavy approach, directly addressing the 66% of breaches caused by spear phishing
Custom voice cloning (from 1-2 minute audio recordings) allows security teams to simulate executives or IT staff being impersonated, preparing employees for the exact scenarios ShinyHunters uses when calling victims
GenAI real-time adaptation means the AI caller responds naturally to employee answers rather than following a fixed script, with the ability to test virtual calls before deployment to ensure quality
Individual vulnerability scoring provides board-ready metrics based on digital footprint size, simulation results, and course completion, helping CISOs justify security investments with quantifiable risk data
All-in-one platform includes vishing, email phishing, deepfake simulations, interactive courses with gamification, and automated data broker removal, starting at $3.90/user/month for the Ultimate plan
Cons:
Reporting capabilities are currently limited compared to platforms like KnowBe4's 60+ report types, though core metrics address primary CISO needs
Best for: Organizations targeting the human element of breaches with OSINT-powered simulations that replicate real attacker tactics. Ideal for CISOs who need quantifiable risk metrics and want to address the 95% of breaches caused by human error through personalized, intelligence-driven training.
Hoxhunt
Hoxhunt combines adaptive learning with multi-channel attack simulations, including role-aware voice scenarios and deepfake training modules using cloned voices from the organization's own executives. The platform's agentic voice technology creates AI agents that adapt to each conversation rather than playing fixed recordings. Behavioral analytics track threat identification rates and response times, with adaptive difficulty that increases based on user performance. The platform builds employee understanding of social engineering psychology through realistic simulations and immediate feedback.
Pros:
Voice cloning from actual executives prepares employees for the exact impersonation tactics used in campaigns targeting Okta SSO, where attackers spoof corporate or helpdesk numbers
Multi-channel scenarios combine Teams calls with follow-up emails, replicating the integrated attack approach where voice and email tactics work in tandem
Adaptive difficulty algorithms automatically increase challenge levels for employees who perform well, ensuring continuous skill development rather than one-time checkbox training
AI feedback explains why messages and calls are suspicious, building critical thinking skills that transfer to novel attack patterns beyond the simulation scenarios
Behavioral analytics dashboard tracks threat identification patterns and response behaviors across departments, enabling targeted intervention for employees and teams that need additional support
Cons:
Premium pricing model makes it one of the more expensive options, potentially limiting deployment scale for budget-conscious organizations
Best for: Large enterprises and high-risk industries (financial services, healthcare, legal) that need sophisticated multi-channel training with behavioral analytics. Ideal for organizations willing to invest in premium platforms to prepare employees for advanced persistent threats and AI-driven social engineering.
Cofense PhishMe
Cofense offers a fully managed vishing service backed by real threat intelligence from millions of phishing reports across its global customer network. The service includes Interactive Voice Response in any language, customized Security Awareness Training content specific to each business, and professional services for fast implementation. The platform's strength lies in its intelligence-driven approach where simulations replicate actual attack patterns observed in the wild, including the employee benefits and HR lures used in the O-UNC-037 campaign.
Pros:
Real threat intelligence integration from millions of crowdsourced phishing reports means simulations mirror current attacker tactics, including the exact lures used by ShinyHunters and similar groups
Fully managed service removes operational burden from security teams, with Cofense handling campaign design, scheduling, and execution—ideal for understaffed teams
IVR in any language supports global organizations with multilingual workforces, addressing the diverse targeting seen in campaigns like O-UNC-037
One-click reporting integration feeds suspicious activity into Cofense's global intelligence network, creating a feedback loop that improves detection for all customers
Predictable annual pricing model makes budgeting straightforward for organizations planning long-term security awareness investments
Cons:
Managed service model reduces customization flexibility compared to self-service platforms like Brightside or Keepnet Labs
Vishing pricing not separately disclosed from the main PhishMe platform, requiring custom quotes for organizations wanting vishing only
Best for: Enterprise organizations and managed security service providers that want threat intelligence-driven vishing training without building internal operational expertise. Ideal for teams responding to active breaches or those requiring multilingual support for global workforces.
Indicators of Compromise to Monitor
Your security operations team should be watching for communication with specific infrastructure associated with the O-UNC-037 campaign and related operations.
First-stage phishing domains hosting fake Microsoft login pages include benefitsemployeeaccess.com, benefitsquickaccess.com, benefitsworkspace.com, benefitscentralportal.com, benefitsselfservice.com, benefitsmemberportal.com, and several others following the same naming pattern.
Second-stage Okta phishing domains include sso.oktacloud.io, sso.okta-access.com, and internal-networks.com. Cloudflare Workers abuse includes sso.okta-proxy.workers.dev, okta.undermine.workers.dev, oktapage.oktamain.workers.dev, and okta.eventspecial.workers.dev.
Redirector domains include benefits-alerts.com, benefitsapp001.com, qrcodelnk.com, 302lnk.com, goto365.link, fastlink247.link, fast2url.link, url247.link, and link24x7.link.
Review application logs from Okta, web proxies, email systems, DNS servers, and firewalls for any evidence of communication with these domains. Monitor them regularly to see if the contents change. If content hosted on these domains violates copyright or legal marks, consider providing evidence and issuing takedown requests with the domain registrar or web hosting provider.
The Real Lesson
The O-UNC-037 campaign demonstrates that vishing has evolved from opportunistic scams to coordinated, multi-stage attacks targeting enterprise identity infrastructure. SSO providers like Okta are now primary targets because they unlock access to entire application ecosystems.
Traditional MFA is not sufficient. Organizations must adopt phishing-resistant authentication and behavioral detection. Proactive employee training, including vishing simulations, is essential to build resilience against social engineering.
ShinyHunters and similar groups will continue refining these techniques. The phishing kits will get better. The voice cloning will get more convincing. The OSINT reconnaissance will dig deeper. Your defense can't be static checkboxes on a compliance form. It needs to be a living program that tests employees with realistic attacks, identifies who needs more support, and continuously adapts to new threats.
The good news? You can start today. Pick a phishing-resistant MFA method. Configure your network zones. Schedule your first vishing simulation. Each step makes your organization a harder target. Eventually, attackers will look for easier prey. That's the goal—not perfect security, but sufficient friction that they move on to someone who hasn't done the work.
Test your organization's readiness before attackers do.