Threat Intel Content Update: 1/23/2026

Okta researchers reported a wave of voice-enabled phishing (vishing) attacks, which used phishing kits featuring real-time session orchestration to target users of Google, Microsoft, Okta, and cryptocurrency providers, aiming to bypass MFA and steal credentials. News outlets indicated that attackers sought to then exfiltrate data, targeting “sensitive” information.

Extortion demands received by some victims were "signed" by ShinyHunters, an extortion group tied to several high-profile attacks last year that targeted data stored in cloud & SaaS environments.

1/23/26: ShinyHunters Hybrid Vishing & Phishing Campaigns – Spotlight Procedures

• PS1034936: Real-time control of phishing site authentication flow
  • Adversaries use custom phishing kits with client-side scripts that allow them to control the authentication flow in the browser of a targeted user in real-time. This enables the attacker to synchronize the phishing site's displayed pages with their verbal instructions during a vishing (voice phishing) call. This orchestration is used to convince users to approve MFA challenges or provide credentials, and to bypass MFA controls that are not phishing-resistant.

Threat-Led Defense commentary: Enforce phishing-resistant authentication methods for access to resources, such as Okta FastPass or FIDO passkeys. Consider implementing/utilizing live caller checks, where users can sign into a mobile app to verify if they are on a call with an authorized representative.

• PS1034879: Access Okta SSO dashboard using stolen credentials to enumerate accessible applications
  • After obtaining valid Okta SSO credentials, attackers log in to the Okta SSO dashboard to view which platforms and applications the compromised user can access. In some cases, they exfiltrate data from available applications, with a focus on platforms like Salesforce due to ease of data extraction.

Threat-Led Defense commentary: Prevention or detection of the earlier social engineering phase (above) could mitigate this step of the attack chain. Detection of app-based exfiltration efforts provides important redundancy, though.