Full Report
Cybercrime groups, including one that identifies as ShinyHunters, are targeting single sign-on services to gain access to victim networks and steal data. The post A new wave of ‘vishing’ attacks is breaking into SSO accounts in real time appeared first on CyberScoop.
Analysis Summary
# Incident Report: Real-Time Vishing Attacks Targeting SSO Credentials
## Executive Summary
Cybercrime groups, notably ShinyHunters, are engaging in a sophisticated, ongoing campaign utilizing voice-phishing (vishing) combined with tailored phishing kits to compromise Single Sign-On (SSO) accounts in real-time. Attackers are successfully tricking users into approving or entering MFA prompts, leading to unauthorized access, data exfiltration from SaaS environments, and subsequent extortion attempts. The primary vector is a social engineering attack exploiting the human element rather than a technical vulnerability in the SSO infrastructure itself.
## Incident Details
- **Discovery Date:** Ongoing, with threat intelligence released by vendors like Okta around January 25/26, 2026.
- **Incident Date:** Active and ongoing during the time of reporting (January 2026).
- **Affected Organization:** Multiple victim organizations targeted; at least two companies confirmed impact, and a ShinyHunters data leak site listed at least three victims (including SoundCloud, which reported data on ~20% of its users).
- **Sector:** Multiple sectors targeted, as SSO solutions like Okta, Microsoft, and Google are widely used across industries.
- **Geography:** Not specified, but likely global due to the nature of cloud-based SSO targets.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing during the reported period.
- **Vector:** Voice Phishing (Vishing) combined with domain spoofing and remote browser control.
- **Details:** Attackers register custom domains mirroring legitimate SSO portals. They initiate real-time voice calls, synchronizing their spoken prompts with the targeted victim’s session on the spoofed login page to elicit real-time MFA approval or credential entry.
### Lateral Movement
- **Date/Time:** Post-SSO Compromise.
- **Details:** After gaining SSO credentials, actors pivot into victim SaaS environments to navigate and locate sensitive data for exfiltration.
### Data Exfiltration/Impact
- **Date/Time:** Post-lateral movement.
- **Details:** Sensitive data is stolen from compromised SaaS environments. Threat actors allied with ShinyHunters have reportedly approached some victims with extortion demands.
### Detection & Response
- **Date/Time:** Detection by security researchers/vendors (e.g., Mandiant, Okta).
- **Details:** Threat hunters and researchers began tracking the "new, ongoing ShinyHunters-branded campaign." Response efforts involved threat intelligence sharing (e.g., Okta releasing details on observed phishing kits).
## Attack Methodology
- **Initial Access:** Voice Phishing (Vishing) coordinated with tailored phishing kits that mimic SSO sign-in flows (Okta, Microsoft, Google).
- **Persistence:** Not explicitly detailed, but likely relies on maintaining active sessions or enrolling actor-controlled devices in victim MFA solutions.
- **Privilege Escalation:** Not explicitly detailed, but gaining SSO access effectively grants high-level access to connected SaaS applications.
- **Defense Evasion:** Relies on social engineering realism—the real-time, personalized voice call overcomes standard user caution against generic phishing emails/sites.
- **Credential Access:** Direct harvesting of credentials and MFA codes/tokens from the user during the coordinated voice call.
- **Discovery:** Likely involves reconnaissance of targeted users or initial access brokers providing target information.
- **Lateral Movement:** Pivoting from the compromised SSO identity into linked SaaS environments.
- **Collection:** Gathering of sensitive data from these SaaS applications ahead of exfiltration.
- **Exfiltration:** Data theft leading to extortion attempts.
- **Impact:** Data theft and financial extortion attempts.
## Impact Assessment
- **Financial:** Extortion demands are being made against victim organizations.
- **Data Breach:** Sensitive data was exfiltrated from SaaS environments. For SoundCloud, PII on approximately 20% of its users was compromised.
- **Operational:** Potential disruption while organizations address compromises and secure identities.
- **Reputational:** Public naming of targets by affiliated groups (ShinyHunters) can cause reputational damage.
## Indicators of Compromise
*(No specific network IoCs such as IP addresses or URLs are listed here; the indicators below are behavioral, derived from the reported campaign.)*
- **Network Indicators:** Use of custom, recently registered domains mimicking legitimate SSO portals.
- **File Indicators:** N/A (Primarily a credential theft/social engineering campaign).
- **Behavioral Indicators:** A live voice call whose instructions are synchronized with a remote browser session on a spoofed SSO page; an MFA prompt approved or a one-time code entered during an unexpected, personalized phone call.
## Response Actions
- **Containment measures:** Mandiant is tracking the campaign actively. Okta provided threat intelligence on the observed phishing kits.
- **Eradication steps:** Organizations must revoke potentially compromised credentials, terminate active sessions tied to the compromised identity, and remove any MFA devices enrolled by the actor.
- **Recovery actions:** Restoring access for legitimate users and focusing on identity remediation.
## Lessons Learned
- **Key takeaways:** Advanced, real-time vishing synchronized with live phishing kits is highly effective at bypassing MFA, representing an evolution in social engineering attacks. The primary weakness exploited is the user trust in SSO providers, not infrastructure flaws.
- **What could have been done better:** Organizations need to improve user training specifically addressing sophisticated, synchronized voice-phishing attacks, as traditional phishing skepticism might not apply.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement strong **phishing-resistant MFA** (e.g., FIDO2/security keys) that cannot be easily bypassed by one-time codes or approval prompts solicited via voice call.
2. Enhance **Contextual Access Policies** within SSO providers to flag login attempts originating from unusual geographies or suspicious network patterns, even if MFA is passed.
3. Conduct **targeted user awareness training** on real-time vishing scams, emphasizing that a caller's identity must be verified through an independent channel rather than by acting on instructions during the live call.
4. Audit existing MFA enrollment processes to detect rapid, suspicious device registrations following a login event.
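As an added example (not code from the CyberScoop article or from any SSO vendor), the following Python runs two of the checks in recommendations 2 and 4 over a constructed, vendor-neutral SSO audit log: a login from a country the user has never used before, and an MFA factor enrolled shortly after a login. The event field names and the 15-minute enrollment window are assumptions, not a real provider schema.

```python
"""Detection logic for two behaviors called out above: a login from a
location the user has not used before, and an MFA factor enrolled shortly
after a login. Event records and field names are constructed for this
example (a simplified, vendor-neutral SSO audit log), not a real schema."""
from datetime import datetime, timedelta

# Constructed sample events, oldest first. 'geo' is a country code.
EVENTS = [
    {"ts": "2026-01-25T09:00:00", "user": "alice", "type": "login", "geo": "US", "ip": "203.0.113.10"},
    {"ts": "2026-01-25T09:20:00", "user": "alice", "type": "login", "geo": "US", "ip": "203.0.113.10"},
    {"ts": "2026-01-26T14:02:00", "user": "alice", "type": "login", "geo": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-01-26T14:05:30", "user": "alice", "type": "mfa_enroll", "geo": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-01-26T15:00:00", "user": "bob", "type": "login", "geo": "US", "ip": "203.0.113.55"},
    {"ts": "2026-01-27T10:00:00", "user": "bob", "type": "mfa_enroll", "geo": "US", "ip": "203.0.113.55"},
]

ENROLL_WINDOW = timedelta(minutes=15)  # assumed threshold for "rapid" enrollment


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious(events, window=ENROLL_WINDOW):
    """Return alert dicts. Two rules run over the stream in time order:
    new_geo: a login from a country this user has never logged in from;
    rapid_enroll: an MFA enrollment within `window` of the user's last login,
    rated high when that login itself tripped new_geo."""
    seen_geo = {}    # user -> set of countries seen in earlier logins
    last_login = {}  # user -> (timestamp, was_new_geo)
    alerts = []
    for ev in sorted(events, key=_ts):
        user, t = ev["user"], _ts(ev)
        if ev["type"] == "login":
            new_geo = user in seen_geo and ev["geo"] not in seen_geo[user]
            seen_geo.setdefault(user, set()).add(ev["geo"])
            last_login[user] = (t, new_geo)
            if new_geo:
                alerts.append({"user": user, "rule": "new_geo", "ts": ev["ts"], "severity": "medium"})
        elif ev["type"] == "mfa_enroll" and user in last_login:
            login_t, login_new_geo = last_login[user]
            if t - login_t <= window:
                sev = "high" if login_new_geo else "medium"
                alerts.append({"user": user, "rule": "rapid_enroll", "ts": ev["ts"], "severity": sev})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(EVENTS):
        print(alert)
```

Bob's enrollment falls well outside the window and raises nothing, while Alice's new-country login followed by an enrollment three minutes later produces two alerts, the second rated high.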