
Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

· Published 10/12/2025 18:35 · Modified 21/12/2025 18:57


Essential information

Tags
2025-12-10 adversary-in-the-middle credential-theft microsoft 365 okta phishing session hijacking sso
Related entities
1 observables, 12 techniques (mitre), 39 others

Description

An active campaign has been identified targeting organizations that use Microsoft 365 and Okta for single sign-on. The campaign uses adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication and hijack legitimate authentication flows: lookalike domains impersonate the providers' sign-in pages, and malicious JavaScript injected into the proxied pages captures credentials and session tokens, so the attacker ends up with an already-authenticated session rather than just a password. Because the victim completes MFA on the attacker's proxy, phishable factors (push, OTP) do not stop it; only origin-bound, phishing-resistant factors such as FIDO2 do. The attackers have also developed a method to phish users who use Okta as the identity provider for Microsoft 365. The initial access vector is email with lures related to compensation and benefits, sent from compromised mailboxes and through Amazon SES; the phishing infrastructure is hosted on Cloudflare.
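Two detections a defender would want for the techniques above, as an added example that is not part of the original report: a session-replay check over sign-in events (an MFA-satisfied session reused shortly afterwards from a different network without a new MFA event, which is what a stolen session token looks like) and a lookalike check for sender or link domains imitating the Microsoft and Okta sign-in hosts. The event format, field names, trusted-label list and all sample values are constructed assumptions for this example and only loosely follow Entra ID sign-in logs.

```python
"""Detection helpers for AiTM session replay and lookalike sign-in domains.

Added example code, not from the original report. The event shape, field
names and sample values are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events. "mfa" marks a sign-in that satisfied MFA
# interactively; a replayed session token does not, because the token
# already carries the MFA claim.
SAMPLE_EVENTS = [
    {"ts": "2025-12-10T09:00:05Z", "user": "alice@example.com", "session": "s-1",
     "ip": "203.0.113.10", "asn": "AS64500", "mfa": True},
    # Same session reused minutes later from a different network: replay.
    {"ts": "2025-12-10T09:03:40Z", "user": "alice@example.com", "session": "s-1",
     "ip": "198.51.100.77", "asn": "AS64511", "mfa": False},
    {"ts": "2025-12-10T10:00:00Z", "user": "bob@example.com", "session": "s-2",
     "ip": "203.0.113.20", "asn": "AS64500", "mfa": True},
    # Same session, new IP but same network (e.g. DHCP churn): benign.
    {"ts": "2025-12-10T10:20:00Z", "user": "bob@example.com", "session": "s-2",
     "ip": "203.0.113.21", "asn": "AS64500", "mfa": False},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(hours=1)):
    """Return one finding per session whose MFA-satisfied first sign-in is
    followed within `window` by a non-MFA use from a different ASN."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        first = evs[0]
        if not first["mfa"]:
            continue  # only sessions that went through MFA are interesting
        for later in evs[1:]:
            if (later["asn"] != first["asn"]
                    and not later["mfa"]
                    and _ts(later["ts"]) - _ts(first["ts"]) <= window):
                findings.append({"session": sid, "user": first["user"],
                                 "mfa_ip": first["ip"], "replay_ip": later["ip"]})
                break
    return findings


# Second-level labels of the legitimate sign-in hosts (assumed list).
TRUSTED_LABELS = {"microsoftonline", "microsoft", "okta", "office"}


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, max_distance=2):
    """True if the registrable label is a near miss of a trusted label
    (common homoglyph substitutions normalised first) but not the label itself."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if label in TRUSTED_LABELS:
        return False
    normalised = label.replace("rn", "m").replace("0", "o").replace("1", "l")
    return any(_levenshtein(normalised, t) <= max_distance for t in TRUSTED_LABELS)


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_EVENTS):
        print("possible token replay:", f)
    for d in ["rnicrosoftonline.com", "login.0kta.com", "acme.okta.com"]:
        print(d, "lookalike" if is_lookalike(d) else "ok")
```

The replay check deliberately keys on ASN rather than IP so that address churn inside one network is not flagged; tune the window to the tenant's token lifetime. The lookalike check only catches character-level imitations, not domains that wrap a trusted word in extra text (for example okta-login), which need a separate keyword rule.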

External references