Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users
released on 2025-12-10 @ 06:35:47 PM
An active phishing campaign has been identified targeting organizations that use Microsoft 365 and Okta for single sign-on. The campaign uses adversary-in-the-middle techniques to bypass multi-factor authentication and hijack legitimate SSO flows: it registers lookalike domains that impersonate Okta sign-in pages and injects malicious JavaScript into them to capture credentials and session tokens. The attackers have also developed a sophisticated method for phishing users whose organizations use Okta as the identity provider for Microsoft 365. The campaign's initial access vector is phishing email with lures related to compensation and benefits. The attackers send these emails from compromised mailboxes and through Amazon SES, and host their phishing infrastructure on Cloudflare.
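As an added example (not code from the original report), a small Python detector that scans proxy-log lines for destination hostnames impersonating Okta: any hostname carrying the brand string outside Okta-owned domains, or a label within one edit of "okta" after common homoglyph substitution. The log format, the sample log lines, the usernames and the homoglyph table are constructed assumptions.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Okta-owned apex domains; a genuine tenant sign-in page is a subdomain of one of these.
OKTA_APEX = ("okta.com", "oktapreview.com", "okta-emea.com")
# Character substitutions commonly used in typosquats (assumed list, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "4": "a", "7": "t"})

# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOGS = [
    "2025-12-10T14:02:11Z user=alice dst=https://acme.okta.com/app/office365/sso/saml",
    "2025-12-10T14:05:42Z user=bob dst=https://acme-okta-login.com/login/login.htm",
    "2025-12-10T14:06:03Z user=bob dst=https://okta.acme-benefits-review.net/",
    "2025-12-10T14:09:55Z user=carol dst=https://0kta.com/signin",
    "2025-12-10T14:12:30Z user=dave dst=https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_okta_owned(host: str) -> bool:
    return any(host == apex or host.endswith("." + apex) for apex in OKTA_APEX)

def okta_lookalike_reason(host: str) -> Optional[str]:
    """Return why a hostname looks like an Okta impersonation, or None if it does not."""
    host = host.lower().rstrip(".")
    if is_okta_owned(host):
        return None
    if "okta" in host:
        return "brand string 'okta' in a domain Okta does not own"
    for label in host.split("."):
        # Undo homoglyph tricks such as 0kta, then allow one typo against the brand.
        if levenshtein(label.translate(HOMOGLYPHS), "okta") <= 1:
            return f"label '{label}' is a near-miss for 'okta'"
    return None

def scan_proxy_logs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) for each line whose destination impersonates Okta."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        host = urlparse(fields["dst"]).hostname or ""
        reason = okta_lookalike_reason(host)
        if reason:
            hits.append((fields["user"], host, reason))
    return hits
```

Run `scan_proxy_logs(SAMPLE_LOGS)` to see the three flagged destinations; the heuristic is deliberately broad, so review hits against your own allow-list before alerting.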