Attackers now target identity providers (IdPs) such as Okta to bypass MFA through social engineering of the help desk rather than by exploiting a technical weakness in the MFA itself. Once the identity is compromised, the attacker inherits SSO access to every application federated to that IdP, enabling rapid data exfiltration from cloud storage such as SharePoint and OneDrive. A single account compromise therefore becomes a full data breach.
Severity: High
Attack Chain
| Stage | Action | Details |
|---|---|---|
| 1 | Reconnaissance | Harvest employee names, titles, phone numbers, help desk contacts, and internal terminology via LinkedIn, ZoomInfo, company websites, and breach data |
| 2 | Social engineering call | Impersonate a locked-out employee, traveling executive, or contractor; create urgency ("client meeting in 10 minutes") |
| 3 | MFA manipulation | Convince the help desk to reset MFA, enroll an attacker-controlled device, approve push notifications, or disable FIDO2 controls |
| 4 | SSO pivot into SaaS apps | Leverage the inherited trust to access M365, SharePoint, OneDrive, Salesforce, Slack, VPN portals, and HR systems |
| 5 | Data theft / persistence | Bulk-download SharePoint/OneDrive, register OAuth apps, create inbox rules, add secondary MFA methods |
Why This Vector Is Escalating
- MFA effectiveness: because MFA itself holds up technically, attackers route around it through the humans who administer it
- Help desk pressure: Incentivized for fast resolution, creating exploitable urgency
- Remote work normalization: Auth troubleshooting requests are routine and less suspicious
- Rich OSINT availability: LinkedIn and org charts enable convincing impersonation
- SSO as single point of failure: One identity provider controls the entire SaaS estate
Indicators Of Attack
Identity Layer
- MFA reset without clear justification
- New device enrollment preceding suspicious activity
- Login from unfamiliar ASN following MFA reset
- Help desk ticket activity correlating with compromise
M365 / SaaS Layer
- Abnormal SharePoint access volume or large OneDrive downloads
- Multiple SaaS logins within minutes of MFA reset
- OAuth application consent shortly after login
- Unfamiliar IPs accessing multiple SaaS platforms simultaneously
Recommendations
- Enforce strict identity verification for all MFA/password resets
- Require manager approval or ticket validation for authentication changes
- Mandate phishing-resistant MFA (FIDO2, passkeys, Windows Hello) and do not let the help desk fall back to a weaker factor during a reset, since that fallback is exactly what the caller is asking for
- Train help desk staff specifically on vishing pretexts
- Disable legacy auth protocols that bypass modern MFA
- Enforce conditional access based on device posture, geo, and IP reputation
- Ingest Okta/IdP logs into the SIEM and correlate them with SaaS, VPN, and endpoint telemetry
- Alert on MFA reset followed by rapid multi-SaaS access sequences
- Restrict OAuth application consent and monitor for newly authorized apps
- Periodically review existing MFA methods and remove unused or high-risk factors (SMS, voice)
- Audit administrative roles and remove standing Global Admin privileges where possible
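The identity-layer and SaaS-layer indicators listed above, and the recommendation to alert on an MFA reset followed by rapid multi-SaaS access, combine naturally into one correlation rule. The following Python is an added example written for this advisory, not code from the source article or from any vendor. It walks a per-user timeline of IdP events, and for every MFA reset it looks at a 30-minute window for three of the indicators: SSO into several distinct applications, enrollment of a new factor, and logins from an ASN not seen in the user's baseline. Event type names are modeled on Okta System Log naming, and the log lines, user names, ASNs, and per-user ASN baseline are all constructed for the example; adapt the field names to your actual SIEM schema.

```python
"""Correlate IdP MFA-reset events with subsequent multi-SaaS access.

Added example for this advisory (not vendor code). Event type strings are
modeled on Okta System Log naming; field layout and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FACTOR_ENROLL_EVENTS = {"user.mfa.factor.activate"}
SSO_EVENTS = {"user.authentication.sso"}


def ev(ts, etype, actor, target, asn, app=None):
    """Build one normalized log record (actor = who acted, target = affected user)."""
    return {"ts": ts, "type": etype, "actor": actor, "target": target, "asn": asn, "app": app}


# Constructed sample telemetry (not real logs). j.doe shows the full attack
# sequence; a.smith is a benign reset followed by one normal login.
SAMPLE_EVENTS = [
    ev("2024-05-02T09:58:10Z", "user.mfa.factor.reset_all", "helpdesk.agent", "j.doe", "AS64500"),
    ev("2024-05-02T10:01:22Z", "user.mfa.factor.activate", "j.doe", "j.doe", "AS64999"),
    ev("2024-05-02T10:02:05Z", "user.authentication.sso", "j.doe", "j.doe", "AS64999", "Microsoft Office 365"),
    ev("2024-05-02T10:03:40Z", "user.authentication.sso", "j.doe", "j.doe", "AS64999", "Salesforce"),
    ev("2024-05-02T10:04:11Z", "user.authentication.sso", "j.doe", "j.doe", "AS64999", "Slack"),
    ev("2024-05-02T11:00:00Z", "user.mfa.factor.reset_all", "helpdesk.agent", "a.smith", "AS64500"),
    ev("2024-05-02T11:05:00Z", "user.authentication.sso", "a.smith", "a.smith", "AS64500", "Microsoft Office 365"),
]

# Assumed per-user ASN baseline (in practice derived from 30 days of history).
KNOWN_ASNS = {"j.doe": {"AS64500"}, "a.smith": {"AS64500"}}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_asns=None, window=timedelta(minutes=30), min_apps=2):
    """Return one alert per MFA reset that is followed, within `window`, by SSO
    into at least `min_apps` distinct applications. Each alert also records
    whether a new factor was enrolled and whether any login came from an ASN
    outside the user's baseline, and grades severity on those extra signals."""
    known_asns = known_asns or {}
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user[e["target"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["type"] not in MFA_RESET_EVENTS:
                continue
            t0 = parse_ts(reset["ts"])
            apps, asns, enrolled = set(), set(), False
            for follow in evs[i + 1:]:
                if parse_ts(follow["ts"]) - t0 > window:
                    break  # timeline is sorted, so nothing later is in-window
                if follow["type"] in FACTOR_ENROLL_EVENTS:
                    enrolled = True
                elif follow["type"] in SSO_EVENTS:
                    apps.add(follow["app"])
                    asns.add(follow["asn"])
            if len(apps) < min_apps:
                continue
            new_asns = asns - known_asns.get(user, set())
            signals = ["multi_saas_access_after_mfa_reset"]
            if enrolled:
                signals.append("new_factor_enrolled_after_reset")
            if new_asns:
                signals.append("sso_from_unfamiliar_asn")
            alerts.append({
                "user": user,
                "reset_at": reset["ts"],
                "reset_by": reset["actor"],
                "apps": apps,
                "new_asns": new_asns,
                "new_factor_enrolled": enrolled,
                "signals": signals,
                "severity": "high" if len(signals) == 3 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_ASNS):
        print(alert)
```

The `reset_by` field is what lets the SOC pivot straight to the help desk ticket (indicator: "help desk ticket activity correlating with compromise"); a reset performed by a help desk account outside its shift, or one with no matching ticket, should raise the severity further. The benign user in the sample shows why the rule keys on distinct applications within a short window rather than on the reset alone: resets are routine, the burst of SSO that follows a fraudulent one is not.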
Source:
- https://www.levelblue.com/blogs/spiderlabs-blog/why-attackers-are-bypassing-phishing-emails-and-targeting-identity-instead