ShinyHunters Vishing Campaign Targets Okta SSO Users

The ShinyHunters cybercrime group has launched an active and escalating voice-phishing (vishing) campaign targeting more than 150 organizations worldwide, exploiting human trust to bypass multi-factor authentication (MFA) and compromise cloud identities protected by Okta single sign-on (SSO). The campaign highlights a growing shift in cyberattacks, where social engineering increasingly outperforms technical exploits.

According to threat intelligence reports, attackers are using sophisticated, real-time phishing kits built on Socket.IO relays to impersonate Okta, Microsoft, and Google SSO login flows. Victims receive urgent phone calls posing as IT or security teams, warning of account breaches or suspicious activity. Under pressure, employees are tricked into sharing credentials or approving MFA push requests, effectively neutralizing security controls.

Once access is gained, attackers rapidly exfiltrate data from platforms such as Microsoft 365, Salesforce, and Google Workspace, followed by near-immediate extortion demands. More than 150 domains have been targeted so far, including well-known enterprises such as Atlassian, Canva, Epic Games, HubSpot, Moderna, SoundCloud, WeWork, Crunchbase, and Betterment. The technology, finance, healthcare, and SaaS sectors are among the most exposed.

Okta SSO is a prime target because it acts as a master key to enterprise ecosystems, unlocking email, collaboration tools, CRM systems, and HR platforms. Even MFA mechanisms like number-matching are defeated through social manipulation and urgency. Okta has warned that these phishing kits are now sold “as a service,” enabling rapid scaling of attacks.

The threat carries particular urgency for India. Large IT services firms and BPOs, including TCS and Wipro, rely heavily on Okta and face strict penalties under India’s Digital Personal Data Protection (DPDP) Act in the event of breaches. The rise of deepfake-enabled vishing further amplifies the risk.

Security leaders are urged to respond with layered defenses: replacing push MFA with FIDO2 or passkeys, running regular vishing simulations, tightening Okta adaptive policies, monitoring known indicators of compromise, and enforcing zero-trust segmentation.

The ShinyHunters campaign underscores a stark reality—human trust is now the primary attack surface, and defending it is as critical as any technical control.
