- Attackers now call helpdesks instead of sending phishing emails to breach networks
- Impostors pose as executives to manipulate support teams into resetting MFA settings
- Personal details scraped from LinkedIn make the deception more convincing for callers
Rather than breaking into corporate networks through email phishing or malware, attackers are now targeting IT helpdesks directly by phone.
These calls come from impostors posing as executives or staff, attempting to manipulate support teams into resetting multi-factor authentication settings or enrolling new authenticator devices.
To make the deception more convincing, the callers rely on personal details scraped from platforms like LinkedIn, company websites, and prior breach data.
The deception behind seemingly legitimate requests
They often invent urgent situations, claiming to be traveling internationally and demanding immediate access to locked accounts, including multi-factor authentication resets.
In some cases the same attacker calls repeatedly, changing their voice or claimed identity each time to improve their chances of success.
Meanwhile, the real executive remains at their desk, completely unaware that someone is actively impersonating them.
This is not just account takeover — it is identity theft in real time, executed over the phone.
This technique, known as Okta vishing, is a form of voice phishing, and once the identity provider is compromised, attackers gain immediate access.
They take over downstream applications connected through single sign-on, including Microsoft 365, SharePoint, Salesforce, and Slack.
As the attack proceeds, common pretexts include “I got a new phone and cannot access Okta” or “My MFA keeps failing, and I have a client meeting in ten minutes.”
The attacker creates urgency to pressure support staff into bypassing standard verification procedures.
Several factors contribute to the rising success of Okta vishing, most of them rooted in how helpdesks operate.
Helpdesks are incentivized to resolve access issues quickly, remote work environments have normalized authentication troubleshooting, and employee details are easily obtained online.
Attackers can convincingly impersonate executives because organizational charts and reporting structures are often publicly available.
As identity providers become the central control plane for software as a service access, they have become a primary target.
Once authenticated to Okta, attackers inherit trust relationships across all connected applications without exploiting each one individually.
Post-compromise behaviors frequently include downloading SharePoint data, exporting emails, creating inbox rules, registering OAuth applications, and generating API tokens.
In many cases, an Okta compromise quickly becomes a cloud data theft event rather than a traditional account takeover.
Technically, MFA on Okta works as designed; it fails when humans are socially engineered into weakening the authentication protections themselves.
Unfortunately, regular antivirus software cannot detect a phone call, and a firewall does not block a convincing voice on the line.
Security teams should monitor for MFA reset events without a clear justification, and for new device enrollments followed by suspicious activity.
Login attempts from unfamiliar autonomous system numbers (ASNs) immediately after MFA changes should also be treated as a red flag.
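The correlation described above, as an added example that is not part of the original article or of any Okta tooling: it runs over constructed events in the style of Okta System Log entries (the field and event-type names are assumptions) and flags a session start from an ASN outside the user's baseline that follows an MFA reset or enrollment within a short window.

```python
from datetime import datetime, timedelta

# Constructed sample events in the style of Okta System Log entries; the field
# and event-type names are assumptions, so map them to your tenant's real schema.
EVENTS = [
    {"ts": "2024-05-06T09:01:00Z", "event": "user.mfa.factor.reset_all", "actor": "helpdesk@corp.example", "target": "cfo@corp.example", "asn": 7922},
    {"ts": "2024-05-06T09:03:00Z", "event": "user.mfa.factor.activate", "actor": "cfo@corp.example", "target": "cfo@corp.example", "asn": 64512},
    {"ts": "2024-05-06T09:04:30Z", "event": "user.session.start", "actor": "cfo@corp.example", "target": "cfo@corp.example", "asn": 64512},
    # Unfamiliar ASN but no preceding MFA change: too noisy alone, so not alerted.
    {"ts": "2024-05-06T10:00:00Z", "event": "user.session.start", "actor": "eng@corp.example", "target": "eng@corp.example", "asn": 13335},
]
# ASNs each user was seen from during a trusted lookback period (constructed).
BASELINE = {"cfo@corp.example": {7922}, "eng@corp.example": {7922}}
MFA_CHANGE_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate", "user.mfa.factor.activate"}
WINDOW = timedelta(hours=1)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_logins(events, baseline, window=WINDOW):
    """Flag session starts from an ASN outside the user's baseline that happen
    within `window` after an MFA reset or enrollment on the same account."""
    alerts = []
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    for i, login in enumerate(ordered):
        if login["event"] != "user.session.start":
            continue
        user = login["target"]
        if login["asn"] in baseline.get(user, set()):
            continue  # a network this user normally logs in from
        t_login = parse_ts(login["ts"])
        changes = [e for e in ordered[:i]
                   if e["target"] == user and e["event"] in MFA_CHANGE_EVENTS
                   and t_login - parse_ts(e["ts"]) <= window]
        if changes:
            alerts.append({
                "user": user,
                "asn": login["asn"],
                "mfa_changes": [e["event"] for e in changes],
                # An MFA change made by someone other than the account owner is
                # the helpdesk-assisted reset pattern the article describes.
                "changed_by_other": any(e["actor"] != user for e in changes),
            })
    return alerts
```

In production the baseline would be built from the identity provider's own log history rather than hard-coded, and the window tuned to the helpdesk's typical reset-to-login interval.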
Via Level Blue