Custom vishing campaign stealing Okta SSO credentials
Campaign
Summary
Hide ▲
Show ▼
A custom vishing campaign is actively stealing Okta SSO credentials through live, adversary-in-the-middle phishing pages, creating immediate risk of account takeover and downstream data theft. Multiple hacking groups are using the service against identity providers such as Google, Microsoft, and Okta, as well as cryptocurrency platforms. The operation relies on spoofed helpdesk calls, real-time MFA relay, and attacker backends such as Telegram to intercept credentials and TOTP codes.
Related Happenings
Pink new extortion brand within The Com
Threat Actor Meta
H score30
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
Pink new extortion brand within The Com
Threat Actor MetaAbout this happening: A new **Pink** extortion brand has emerged within **The Com**, signaling a more decentralized criminal ecosystem that can scale credential theft and data extortion across multiple...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
Campaign
H score37
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
O-UNC-066 / Pink Microsoft Entra passkey vishing campaign
CampaignAbout this happening: The **O-UNC-066 / Pink** operation is using **voice-based phishing** to push **Microsoft 365** users into enrolling attacker-controlled **Entra passkeys**, creating a direct path...
Paid brand-impersonation phishing kits Lucid and Lighthouse scale fake-domain operations
Threat Actor Meta
H score37
First: 01.07.2026 10:20
Last: 01.07.2026 10:20
Sources 1
About this happening:
Brand-impersonation phishing has become a **paid service**, with kits like **Lucid** and **Lighthouse** scaling fake-domain operations across **316 brands** in **74 countries**, i...
Paid brand-impersonation phishing kits Lucid and Lighthouse scale fake-domain operations
Threat Actor MetaAbout this happening: Brand-impersonation phishing has become a **paid service**, with kits like **Lucid** and **Lighthouse** scaling fake-domain operations across **316 brands** in **74 countries**, i...
DOJ seizes HuiOne cloud account
Law Enforcement
H score17
First: 24.06.2026 11:55
Last: 24.06.2026 11:55
Sources 1
About this happening:
The **U.S. Department of Justice** seized a **cloud computing account** used by **HuiOne Group** subsidiaries, disrupting backend infrastructure tied to **cyber scams** and crimin...
DOJ seizes HuiOne cloud account
Law EnforcementAbout this happening: The **U.S. Department of Justice** seized a **cloud computing account** used by **HuiOne Group** subsidiaries, disrupting backend infrastructure tied to **cyber scams** and crimin...
Icarus Salesforce data-theft extortion campaign
Campaign
H score42
First: 18.06.2026 17:19
Last: 18.06.2026 17:19
Sources 1
About this happening:
The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Icarus Salesforce data-theft extortion campaign
CampaignAbout this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...
Latest development: 23.06.2026 16:58
LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.
Timeline
-
22.01.2026 23:43 2 articles · 5mo ago
Okta warns of active vishing credential theft
Initial DisclosureOkta warns that custom phishing kits built for voice-based social engineering are being used in active attacks against employees at identity providers and cryptocurrency platforms, including Okta, Google, and Microsoft, to steal SSO credentials, relay TOTP codes through real-time adversary-in-the-middle pages, and bypass push-based MFA including number matching.
Show sources
- Okta SSO accounts targeted in vishing-based data theft attacks — www.bleepingcomputer.com — 22.01.2026 23:43
- Okta Flags Customised, Reactive Vishing Attacks Which Bypass MFA — www.infosecurity-magazine.com — 26.01.2026 14:12