
ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft


The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.

In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.

After a successful compromise, the attackers gain access to the victim's SSO account, which can provide access to other connected enterprise applications and services.

SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login.

These SSO dashboards typically list all connected services, making a compromised account a gateway into corporate systems and data.

Platforms commonly connected through SSO include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

[Image: Microsoft Entra single sign-on (SSO) dashboard. Source: Microsoft]

Vishing attacks used for data theft

As first reported by BleepingComputer, threat actors have been carrying out these attacks by calling employees and posing as IT staff, using social engineering to convince them to log into phishing pages and complete MFA challenges in real time.
