Voice Phishing Goes Real-Time: Attackers Now Hijack Okta Logins During Live Calls
Custom vishing kits are being used to steal SSO credentials and bypass MFA in active enterprise attacks

What’s Happening
Okta has issued a warning about a new wave of voice-based social engineering (vishing) attacks powered by custom phishing kits built specifically for live phone interactions. These kits are already being used in real-world attacks to steal Okta SSO credentials, enabling large-scale data theft.
Unlike traditional phishing pages, these platforms operate as adversary-in-the-middle (AiTM) systems. They allow attackers to manipulate login pages in real time while speaking to victims on the phone, making the attack far more convincing and harder to detect.
How the Attack Works
Threat actors sell these phishing platforms using a “phishing-as-a-service” model and deploy them against identity providers and cloud platforms.
The attack typically unfolds as follows:
- Attackers perform reconnaissance on employees, identifying IT tools, applications, and internal support workflows
- Victims receive calls from spoofed corporate or helpdesk numbers
- During the call, victims are directed to a custom phishing page controlled in real time by the attacker
- Entered credentials are instantly relayed to the attacker’s backend
- When an MFA challenge appears, the phishing page dynamically updates to mirror the legitimate login flow
Because attackers remain on the call, they can guide victims step-by-step, even telling them which MFA number to approve, effectively bypassing push-based MFA protections.
Why MFA Is Failing
These attacks successfully defeat common MFA methods, including:
- Push notifications
- OTP codes
- Number-matching MFA
The reason is simple: humans are still in the loop. Attackers synchronize voice instructions with live authentication prompts, making fraudulent requests appear legitimate and urgent.
Why Okta Is a High-Value Target
Okta’s SSO platform acts as a single gateway to an organization’s cloud ecosystem. Once compromised, attackers can gain access to:
- Email and collaboration platforms
- Cloud storage and file sharing
- CRM and finance systems
- Development and DevOps tools
- Internal dashboards and analytics
A single successful vishing call can unlock company-wide access.
Impact and Use Cases
Okta confirmed that these attacks are being used primarily for data theft, with credentials often exfiltrated to attacker-controlled backends, including messaging platforms used for real-time coordination.
Because the compromise happens during a legitimate authentication flow, detection is delayed, and attackers can move quickly across cloud services.
Recommended Defenses
Okta strongly advises moving away from traditional MFA and adopting phishing-resistant authentication, backed by process safeguards for support interactions:
- Passkeys
- FIDO2 security keys
- Okta FastPass
- Strict verification for IT support calls
- Employee awareness around voice-based attacks
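As an added illustration (not code from Okta or the advisory) of why the first three items resist the attack described above: a WebAuthn relying party checks that the origin and rpIdHash signed by the authenticator match its own site, so an assertion produced on a look-alike page is rejected even when the victim completed the ceremony on the phone. Python, standard library only; sso.example.com, the look-alike domain and the assertion contents are constructed, and the signature check that binds these values to the registered key is assumed to run afterwards.

```python
import base64
import hashlib
import json

RP_ID = "sso.example.com"  # relying party ID (constructed example)
ALLOWED_ORIGINS = {"https://sso.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_b64, auth_data_b64, expected_challenge):
    """Phishing-resistance checks a relying party runs on a WebAuthn
    assertion before (not instead of) verifying its signature."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or foreign assertion)"
    # The browser fills in the origin it actually loaded; a look-alike page
    # cannot make it say the real one, and the signature covers this value.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % client_data.get("origin")
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # Bytes 0-31: sha256 of the rpId the browser enforced for that page.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:  # UP flag: a person touched the key
        return False, "user presence flag not set"
    return True, "ok"


def make_assertion(origin, rp_id, challenge):
    """Signed inputs a browser and authenticator would produce for a page at `origin` (constructed; signature omitted)."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge,
                      "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05]) + (0).to_bytes(4, "big"))  # flags UP|UV, counter 0
    return b64url_encode(cdj), b64url_encode(auth_data)


CHALLENGE = b64url_encode(b"server-random-challenge-32-bytes")
# Genuine login on the real SSO page passes; the same ceremony driven from an attacker's look-alike domain fails on the origin check.
GENUINE = check_assertion(*make_assertion("https://sso.example.com", RP_ID, CHALLENGE), CHALLENGE)
PHISHED = check_assertion(*make_assertion("https://sso-example.net", "sso-example.net", CHALLENGE), CHALLENGE)
```

The browser also refuses to let a page request an rpId that is not a registrable suffix of its own domain, so a look-alike site cannot even ask the authenticator for the real site's credential.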
Key Takeaway
Phishing is no longer limited to emails or fake websites. Voice, real-time interaction, and dynamic authentication manipulation now define the next stage of identity attacks. Organizations relying on SSO must treat vishing as a critical initial access vector, not a secondary threat.