The ShinyHunters extortion group has claimed responsibility for a series of voice phishing attacks targeting employees at major organizations using Okta, Microsoft, and Google for single sign-on services. By impersonating IT support staff, the attackers trick victims into surrendering their credentials and authentication codes to gain unauthorized access to corporate platforms for data theft and extortion.
The campaign begins with a deceptive phone call where threat actors pose as internal technical support representatives to build trust with unsuspecting employees. During these conversations, the attackers direct staff members to fraudulent login portals that mimic legitimate company pages, convincing them to enter their usernames, passwords, and multi-factor authentication codes in real time.
Once the attackers capture these credentials, they immediately log in to the victim’s single sign-on account to bypass security perimeters. Because many modern enterprises centralize their digital identity management through services like Microsoft Entra or Okta, a single successful compromise provides the attackers with a broad foothold into the company’s entire cloud architecture.
Access to these dashboards allows the threat actors to see every application and internal tool connected to the employee’s profile. These portals serve as a centralized directory of corporate resources, effectively turning a single compromised account into a wide-reaching gateway that exposes various internal platforms and sensitive business databases to the intruders.
The scope of potential data exposure is significant because businesses typically link high-value services such as Salesforce, Slack, and Microsoft 365 to their authentication flows. By leveraging this interconnected ecosystem, the ShinyHunters group can move laterally through different software environments to harvest proprietary information and hold the stolen data for ransom.
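From the defender's side, the pattern described above (an SSO login followed quickly by access to many connected applications) can be hunted for in identity logs. The following is an added example, not taken from the source article: the event schema, field names, thresholds and sample records are constructed assumptions and do not reflect any identity provider's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events using a hypothetical schema:
# (timestamp, user, source_ip, event, app)
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "10.0.0.5", "sso_login", None),
    ("2024-01-10T09:05:00", "alice", "10.0.0.5", "app_access", "Slack"),
    ("2024-01-11T14:02:00", "alice", "203.0.113.7", "sso_login", None),
    ("2024-01-11T14:03:00", "alice", "203.0.113.7", "app_access", "Salesforce"),
    ("2024-01-11T14:04:00", "alice", "203.0.113.7", "app_access", "Slack"),
    ("2024-01-11T14:06:00", "alice", "203.0.113.7", "app_access", "Microsoft 365"),
    ("2024-01-11T15:00:00", "bob", "10.0.0.9", "sso_login", None),
    ("2024-01-11T15:01:00", "bob", "10.0.0.9", "app_access", "Slack"),
]

def find_fanout(events, window=timedelta(minutes=15), min_apps=3):
    """Flag SSO logins from an IP not previously seen for that user that are
    followed by access to min_apps or more distinct apps within window."""
    seen_ips = defaultdict(set)  # user -> source IPs of earlier logins
    watch = {}                   # (user, ip) -> (login time, apps touched)
    alerts = []
    for ts, user, ip, event, app in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "sso_login":
            # A user's first recorded login has no baseline and is not flagged.
            if seen_ips[user] and ip not in seen_ips[user]:
                watch[(user, ip)] = (t, set())
            seen_ips[user].add(ip)
        elif event == "app_access" and (user, ip) in watch:
            login_t, apps = watch[(user, ip)]
            if t - login_t > window:
                del watch[(user, ip)]  # observation window expired
                continue
            apps.add(app)
            if len(apps) >= min_apps:
                alerts.append((user, ip, sorted(apps)))
                del watch[(user, ip)]  # alert once per login
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(EVENTS):
        print(alert)
```

In practice the per-user IP baseline would be loaded from historical data, and the window and application threshold tuned to normal usage.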
Source: ShinyHunters Claim Okta And Microsoft SSO Account Hacks For Data Theft


