- Attackers now call help desks instead of sending phishing emails to breach networks
- Fraudsters pose as managers to manipulate support teams into resetting MFA settings
- Personal information scraped from LinkedIn makes the deception more convincing to callers
Attackers are no longer trying to break into corporate networks through email phishing or malware; instead, they are targeting IT help desks with direct, and often bizarre, phone calls.
These calls come from fraudsters posing as managers or employees trying to manipulate support teams into resetting multifactor authentication settings or enrolling new authentication devices.
To make the scam more convincing, callers rely on personal information scraped from platforms like LinkedIn, company websites and past breach data.
The deception behind seemingly legitimate requests
They often invent urgent situations, claim to be travelling internationally and demand immediate access to locked accounts, including multi-factor authentication resets.
In some cases, the same attacker makes repeated bizarre calls, changing their voice or identity each time to improve their chances of success.
Meanwhile, the real manager remains at their desk, completely unaware that someone is actively impersonating them.
This isn’t just account takeover – it’s real-time identity theft, done over the phone.
This technique, known as Okta vishing, is a form of voice phishing; once the identity provider is compromised, attackers gain immediate access.
They take over downstream applications connected via single sign-on, including Microsoft 365, SharePoint, Salesforce and Slack.
As the attack progresses, common excuses include “I got a new phone and can’t access Okta” or “My MFA keeps failing and I have a client meeting in ten minutes.”
The attacker applies pressure on support staff to bypass standard verification procedures.
Several factors contribute to the increasing success of Okta vishing attacks, which exploit the nature of the help desk.
Help desks are encouraged to resolve access issues quickly, remote work environments normalize authentication troubleshooting, and employee information can be easily obtained online.
Attackers can convincingly impersonate managers because organizational charts and reporting structures are often publicly available.
As identity providers become the central control plane for access to software as a service, they have become a primary target.
Once the attackers are authenticated to Okta, they inherit trust relationships across all connected applications without exploiting each one individually.
Post-compromise behavior often includes downloading SharePoint data, exporting emails, creating inbox rules, registering OAuth applications, and generating API tokens.
In many cases, an Okta compromise quickly becomes a cloud data theft event rather than a traditional account takeover.
Technically, MFA on Okta works as designed, but it fails when humans are socially engineered into weakening the authentication protections themselves.
Unfortunately, regular antivirus software can’t detect a phone call, and a firewall won’t block a convincing voice on the line.
Security teams should monitor for MFA reset events without a clear reason, and for new device enrollments followed by suspicious activity.
Any login attempts from unknown ASNs immediately after MFA changes should also be treated as a red flag.
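As an added example (not part of the TechRadar article or LevelBlue's research), the correlation just described run over a few constructed, simplified log records: an MFA reset or new factor enrollment followed within a short window by a login from an ASN the organization has not seen before. The event names are modelled on Okta System Log types, but the flat field layout, the ASN values and the known-ASN list are assumptions.

```python
from datetime import datetime, timedelta

# Event type names modelled on Okta System Log types (assumption: field
# layout is simplified here; real records nest these under client/target).
MFA_CHANGE_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.activate"}
LOGIN_EVENT = "user.session.start"

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def flag_logins_after_mfa_change(events, known_asns, window=timedelta(hours=2)):
    """Return one alert per login from an unknown ASN that was preceded,
    within `window`, by an MFA reset or factor enrollment for the same user."""
    evs = sorted(events, key=lambda e: parse_ts(e["published"]))
    alerts = []
    for i, login in enumerate(evs):
        if login["eventType"] != LOGIN_EVENT or login["asNumber"] in known_asns:
            continue
        t_login = parse_ts(login["published"])
        prior = [
            e["eventType"] for e in evs[:i]
            if e["targetUser"] == login["targetUser"]
            and e["eventType"] in MFA_CHANGE_EVENTS
            and t_login - parse_ts(e["published"]) <= window
        ]
        if prior:
            alerts.append({"user": login["targetUser"], "asNumber": login["asNumber"],
                           "login_at": login["published"], "preceding_mfa_changes": prior})
    return alerts

# Constructed sample data; AS64500 is the assumed corporate ASN.
KNOWN_ASNS = {"AS64500"}
SAMPLE_EVENTS = [
    {"published": "2024-06-03T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "targetUser": "alice@example.com", "asNumber": "AS64500"},
    {"published": "2024-06-03T09:12:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "targetUser": "alice@example.com", "asNumber": "AS64510"},
    {"published": "2024-06-03T09:15:00Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "targetUser": "alice@example.com", "asNumber": "AS64510"},
    # Bob: reset followed by a login from the corporate ASN, not flagged.
    {"published": "2024-06-03T13:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "targetUser": "bob@example.com", "asNumber": "AS64500"},
    {"published": "2024-06-03T13:05:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "targetUser": "bob@example.com", "asNumber": "AS64500"},
    # Carol: unknown ASN but no preceding MFA change, not flagged.
    {"published": "2024-06-03T09:30:00Z", "eventType": "user.session.start",
     "actor": "carol@example.com", "targetUser": "carol@example.com", "asNumber": "AS64510"},
]

if __name__ == "__main__":
    for alert in flag_logins_after_mfa_change(SAMPLE_EVENTS, KNOWN_ASNS):
        print(alert)
```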
Via LevelBlue