
Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

Severity: Medium
Published: Wed Dec 10 2025 (12/10/2025, 18:35:47 UTC)
Source: AlienVault OTX General

Description

A sophisticated adversary-in-the-middle phishing campaign targets Microsoft 365 and Okta users by exploiting single sign-on (SSO) flows. Attackers use lookalike domains and malicious JavaScript injections to steal credentials and session tokens, bypassing multi-factor authentication. Initial access is gained through phishing emails themed around compensation and benefits, sent via compromised mailboxes and Amazon SES. The phishing infrastructure is hosted on Cloudflare, enhancing resilience and evasion. This campaign specifically targets organizations relying on Okta as an identity provider for Microsoft 365, enabling session hijacking and credential theft. The threat poses a medium severity risk due to its complexity and potential impact on confidentiality and integrity. European organizations using these platforms are at risk, especially in countries with high adoption of Microsoft 365 and Okta. Mitigation requires targeted user training, domain monitoring, and enhanced detection of anomalous authentication flows. No CVSS score is available; however, the threat is assessed as high severity given the bypass of MFA and session hijacking capabilities.

AI-Powered Analysis

Last updated: 12/11/2025, 09:24:12 UTC

Technical Analysis

This active phishing campaign leverages adversary-in-the-middle (AITM) techniques to compromise Microsoft 365 and Okta users who rely on single sign-on (SSO) authentication. Attackers create lookalike domains mimicking legitimate Okta authentication pages and inject malicious JavaScript to intercept credentials and session tokens during the authentication process. This allows them to bypass multi-factor authentication (MFA), a critical security control. The campaign's initial vector involves phishing emails crafted with lures related to compensation and benefits, increasing the likelihood of user interaction. These emails are sent from compromised mailboxes and via Amazon Simple Email Service (SES), which helps evade traditional email security filters. The phishing infrastructure is hosted on Cloudflare, providing scalability and protection against takedown attempts. The attackers specifically target organizations using Okta as an identity provider for Microsoft 365, exploiting the trust relationship between these services to hijack sessions and steal credentials. The campaign employs multiple tactics from the MITRE ATT&CK framework, including command and scripting interpreter usage (T1059.007), credential dumping (T1552.001), and phishing (T1566). Although no known exploits in the wild have been reported beyond this campaign, the sophistication and targeted nature of the attack pose significant risks to affected organizations.

Potential Impact

For European organizations, this campaign threatens the confidentiality and integrity of user credentials and session tokens, potentially leading to unauthorized access to corporate resources, data breaches, and lateral movement within networks. The bypass of MFA significantly increases the risk of account compromise despite existing security controls. Organizations relying heavily on Microsoft 365 and Okta for identity and access management are particularly vulnerable, as attackers can leverage stolen sessions to access sensitive emails, documents, and internal systems. The use of compromised mailboxes and reputable email services like Amazon SES complicates detection and response efforts. The campaign could disrupt business operations, damage reputations, and lead to regulatory penalties under GDPR if personal data is exposed. The medium severity rating reflects the complexity of the attack and the requirement for user interaction, but the potential for widespread impact remains high given the prevalence of these platforms in Europe.

Mitigation Recommendations

European organizations should implement targeted user awareness training focusing on phishing tactics related to compensation and benefits lures. Deploy advanced email filtering solutions capable of detecting and blocking emails sent via compromised mailboxes and third-party services like Amazon SES. Monitor and register lookalike domains similar to corporate Okta and Microsoft 365 domains to preempt phishing infrastructure. Employ conditional access policies that restrict access based on device compliance and network location to reduce risk from stolen credentials. Enable continuous monitoring and anomaly detection for unusual authentication patterns, such as rapid token reuse or login attempts from unexpected geographies. Use browser isolation or script-blocking technologies to prevent malicious JavaScript execution on authentication pages. Regularly review and audit SSO configurations and session management policies to limit session duration and scope. Collaborate with identity providers like Okta to leverage their security features and threat intelligence feeds. Finally, establish incident response plans specifically addressing AITM phishing scenarios to enable rapid containment and remediation.
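The anomaly detection the recommendations describe (a session reused from an unexpected geography shortly after issuance, or a login brokered through a lookalike Okta host) can be prototyped over SSO sign-in events. The block below is an added example, not code from this pulse or from the Datadog write-up it references; the event fields, the sample events and the tenant host example.okta.com are constructed assumptions (the lookalike host in the sample is the one listed in this page's indicators).

```python
"""Flag AITM session-hijack indicators in SSO sign-in events.

Added example; event schema, sample events and the legitimate tenant host
are constructed for illustration, not taken from any real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LEGIT_IDP_HOSTS = {"example.okta.com"}  # assumption: the tenant's real Okta host

# Constructed sample events: a legitimate login, then the same session id
# reused minutes later from another country via a lookalike SSO host.
EVENTS = [
    {"ts": "2025-12-10T08:00:00Z", "user": "alice", "session": "s1",
     "ip": "203.0.113.10", "country": "DE", "idp_host": "example.okta.com"},
    {"ts": "2025-12-10T08:04:00Z", "user": "alice", "session": "s1",
     "ip": "198.51.100.7", "country": "US", "idp_host": "sso.okta-secure.io"},
    {"ts": "2025-12-10T09:00:00Z", "user": "bob", "session": "s2",
     "ip": "203.0.113.11", "country": "DE", "idp_host": "example.okta.com"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def lookalike_idp(host, legit=LEGIT_IDP_HOSTS):
    """True when the host trades on the Okta brand but is not a known tenant host."""
    h = host.lower()
    return "okta" in h and h not in legit


def find_session_reuse(events, window=timedelta(minutes=30)):
    """Return (session, user, country_a, country_b) for a session id seen
    from two different countries within `window` of each other."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_session[e["session"]].append(e)
    alerts = []
    for sid, evs in by_session.items():
        for a, b in zip(evs, evs[1:]):
            gap = parse_ts(b["ts"]) - parse_ts(a["ts"])
            if a["country"] != b["country"] and gap <= window:
                alerts.append((sid, b["user"], a["country"], b["country"]))
    return alerts


def find_lookalike_logins(events):
    """Return (user, idp_host) for every sign-in brokered by a lookalike host."""
    return [(e["user"], e["idp_host"]) for e in events if lookalike_idp(e["idp_host"])]
```

In production the same two checks would run over the identity provider's system log export, with the country derived from IP geolocation and the legitimate host set taken from the tenant configuration.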


Technical Details

Author: AlienVault
TLP: white
References: https://securitylabs.datadoghq.com/articles/investigating-an-aitm-phishing-campaign-m365-okta
Adversary: null
Pulse Id: 6939bd833dd9277abc574bf7
Threat Score: null

Indicators of Compromise

URL: https://sso.okta-secure.io

Domain


Threat ID: 693a8a287d4c6f31f792ee0a

Added to database: 12/11/2025, 9:08:56 AM

Last enriched: 12/11/2025, 9:24:12 AM

Last updated: 12/11/2025, 3:42:24 PM

