- Attackers now call helpdesks instead of sending phishing emails to breach networks
- Impostors pose as executives to manipulate support teams and reset MFA settings.
- Personal data scraped from LinkedIn makes the callers' hoax more convincing
Rather than breaking into corporate networks through email phishing or malware, attackers are now targeting IT helpdesks with direct, unsolicited phone calls.
These calls come from impostors posing as executives or staff, attempting to manipulate support teams into resetting multi-factor authentication settings or enrolling new authentication devices.
To make the scam more convincing, callers rely on personal data pulled from platforms such as LinkedIn, company websites, and data from previous breaches.
The deception behind seemingly legitimate requests
They often invent urgent situations, claim to be traveling internationally, and demand immediate fixes for locked accounts, including multi-factor authentication resets.
In some cases, the same attacker makes repeated calls, changing their voice or claimed identity each time to improve their chances of success.
Meanwhile, the real executive remains at his desk, unaware that someone is impersonating him.
This isn’t just account takeover: it’s real-time identity theft, executed over the phone.
This technique, known as Okta vishing, is a form of voice phishing; once the identity provider is compromised, attackers gain immediate access to everything behind it.
They take over downstream applications connected through single sign-on, including Microsoft 365, SharePoint, Salesforce, and Slack.
Common pretexts include “I have a new phone and I can’t access Okta” or “My MFA keeps crashing and I have a client meeting in ten minutes.”
The attacker creates urgency to pressure support staff to bypass standard verification procedures.
Several factors contribute to the growing success of Okta vishing, which exploits the nature of helpdesk services.
Helpdesks are incentivized to resolve access issues quickly, remote work has normalized resolving authentication issues remotely, and employee details are easily obtained online.
Attackers can convincingly impersonate executives because organizational charts and reporting structures are often publicly available.
As identity providers become the central control plane for software-as-a-service access, they have become a primary target.
Once authenticated to Okta, attackers inherit trust relationships between all connected applications without exploiting each one individually.
Post-compromise behaviors frequently include downloading data from SharePoint, exporting emails, creating inbox rules, registering OAuth applications, and generating API tokens.
In many cases, an Okta compromise quickly turns into a cloud data theft event rather than a traditional account takeover.
Technically, Okta's MFA works as designed, but it fails when humans are socially engineered into weakening the authentication protections themselves.
Unfortunately, antivirus software can’t detect a phone call, and a firewall doesn’t block a convincing voice on the line.
Security teams should monitor for MFA reset events without clear justification, and for new device enrollments followed by suspicious activity.
Any login attempt from an unfamiliar autonomous system (ASN) immediately after an MFA change should also be treated as a red flag.
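The detection the article recommends (an MFA reset or new factor enrollment performed by someone other than the account owner, followed shortly by a login from an ASN the organization does not recognize) can be expressed as a simple correlation over Okta System Log events. The following is an added example written for this article, not code from TechRadar or from Okta. The event types and field names (`user.mfa.factor.reset_all`, `user.mfa.factor.activate`, `user.session.start`, `securityContext.asNumber`) follow Okta's System Log schema as I understand it and should be checked against your own tenant's logs; the sample events and ASNs are constructed.

```python
"""Correlate helpdesk-driven MFA changes with follow-on logins from unknown ASNs.

Added example, not the article's or Okta's code. Event types and field names
are assumed to match Okta's System Log schema; verify them in your tenant.
"""
from datetime import datetime, timedelta

# Events that weaken or replace a user's MFA posture (assumed Okta event types).
MFA_CHANGE_EVENTS = {
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.activate",
}
LOGIN_EVENT = "user.session.start"


def parse_ts(value):
    """Parse an Okta-style ISO 8601 timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_helpdesk_mfa_abuse(events, known_asns, window_minutes=30):
    """Return one finding per login that (a) comes from an ASN not in known_asns
    and (b) happens within window_minutes after an MFA change on that user made
    by a different actor (a helpdesk agent or admin, not self-service)."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    window = timedelta(minutes=window_minutes)

    # Index MFA changes by target user, keeping only those done by someone else.
    admin_resets = {}
    for e in events:
        if e["eventType"] not in MFA_CHANGE_EVENTS or not e.get("target"):
            continue
        target = e["target"][0]["alternateId"]
        actor = e["actor"]["alternateId"]
        if actor != target:
            admin_resets.setdefault(target, []).append(e)

    findings = []
    for e in events:
        if e["eventType"] != LOGIN_EVENT:
            continue
        user = e["actor"]["alternateId"]
        asn = e.get("securityContext", {}).get("asNumber")
        if asn in known_asns:
            continue  # login from a recognised network, not interesting here
        for reset in admin_resets.get(user, []):
            delta = parse_ts(e["published"]) - parse_ts(reset["published"])
            if timedelta(0) <= delta <= window:
                findings.append({
                    "user": user,
                    "reset_by": reset["actor"]["alternateId"],
                    "reset_event": reset["eventType"],
                    "login_asn": asn,
                    "minutes_after_reset": int(delta.total_seconds() // 60),
                })
    return findings


# Constructed sample log; ASNs are from the private range, not real networks.
KNOWN_ASNS = {64500}  # the organisation's own / VPN ASN (constructed)
SAMPLE_EVENTS = [
    {"published": "2024-05-06T10:00:00.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk.agent@corp.example"},
     "target": [{"alternateId": "ceo@corp.example"}],
     "securityContext": {"asNumber": 64500}},
    {"published": "2024-05-06T10:12:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "ceo@corp.example"}, "target": [],
     "securityContext": {"asNumber": 64512, "asOrg": "unfamiliar hosting (constructed)"}},
    # Legitimate helpdesk reset: the user then logs in from the corporate ASN.
    {"published": "2024-05-06T11:00:00.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk.agent@corp.example"},
     "target": [{"alternateId": "analyst@corp.example"}],
     "securityContext": {"asNumber": 64500}},
    {"published": "2024-05-06T11:05:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "analyst@corp.example"}, "target": [],
     "securityContext": {"asNumber": 64500}},
    # Self-service enrollment (actor == target) is out of scope for this rule.
    {"published": "2024-05-06T12:00:00.000Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "dev@corp.example"},
     "target": [{"alternateId": "dev@corp.example"}],
     "securityContext": {"asNumber": 64512}},
    {"published": "2024-05-06T12:01:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "dev@corp.example"}, "target": [],
     "securityContext": {"asNumber": 64512}},
]

if __name__ == "__main__":
    for finding in detect_helpdesk_mfa_abuse(SAMPLE_EVENTS, KNOWN_ASNS):
        print(finding)
```

Run against the constructed sample, only the executive's account is flagged: the helpdesk reset is followed twelve minutes later by a login from an ASN outside the allow-list. The analyst's reset is followed by a login from the corporate ASN and the developer's enrollment is self-service, so neither produces a finding. In practice the known-ASN set would be built from historical logins, and a flagged finding should be paired with a check of the helpdesk ticketing system for a justification matching the reset.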
Via Blue Level