A cybercrime group known as ShinyHunters has claimed responsibility for a wave of voice-phishing attacks that target single sign-on (SSO) accounts used by enterprises on platforms such as Okta, Microsoft Entra, and Google. The goal is simple: steal employee login credentials, bypass multi-factor authentication (MFA), and use that access to extract corporate data for extortion.

Security teams and everyday users should understand how these attacks work, why they succeed, and what practical steps reduce risk.
SSO Platforms and Enterprise Apps Targeted by ShinyHunters
SSO systems allow employees to sign in once and access many connected business tools from a single dashboard. A compromised SSO account often unlocks access to platforms such as Salesforce, Microsoft 365, Google Workspace, Dropbox, Slack, Zendesk, Atlassian, SAP, and more.
Attackers who gain SSO access can quickly browse connected applications and download sensitive data. Investigators confirmed that several organizations received extortion demands signed by ShinyHunters after attackers accessed their environments.
How the Voice-Phishing Attacks Work
These campaigns rely on vishing (voice phishing). Attackers impersonate internal IT support and call employees directly. They guide victims through a fake login flow that looks identical to a real company sign-in page.
The attack typically follows this pattern:
- The attacker calls the employee and claims to be from IT or security.
- The victim opens a phishing page that mimics Okta, Microsoft Entra, or Google login portals.
- The victim enters their username and password.
- The attacker captures the credentials in real time.
- If MFA appears, the attacker prompts the victim to approve it or enter a code.
- The attacker logs into the real service using the stolen data.
Okta reported that modern phishing kits include web-based control panels that let attackers dynamically change what the victim sees while staying on the phone. This synchronization allows attackers to guide victims through each MFA step as it appears.

Because the interaction happens live, victims often trust the process and comply.
Why MFA Alone Does Not Always Stop These Attacks
Many organizations rely on push notifications or one-time passcodes for MFA. These methods still depend on user approval. A convincing caller can simply instruct the user to approve the request.
Researchers warn that attackers can defeat any MFA method that is not phishing-resistant when social engineering is involved.
Phishing-resistant MFA includes:
- FIDO security keys
- Cryptographic passkeys
- Smartcards
- Okta FastPass
These methods bind authentication to a device or cryptographic challenge that attackers cannot replay remotely.
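An added example, not taken from the article or from any vendor's code: the server-side checks that make a FIDO or passkey assertion worthless when it was produced on a look-alike page. The domain names and the `check_assertion` and `sample` helpers are assumptions; signature verification over the authenticator data is assumed to be handled separately by a WebAuthn library.

```python
import base64, hashlib, json

RP_ID = "sso.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"  # assumed real sign-in origin

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, issued_challenge):
    """Return reasons to reject the assertion; an empty list means these checks pass."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong type")
    # The challenge is single-use and issued by the server for this sign-in.
    if cd.get("challenge") != b64url(issued_challenge):
        problems.append("challenge mismatch")
    # The browser, not the user, records the origin of the page that asked.
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    # Authenticator data starts with SHA-256(RP ID), then a flags byte.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:     # bit 0 = user present
        problems.append("user not present")
    return problems

def sample(origin, rp_id, challenge):
    """Build constructed client data and authenticator data as a browser on `origin` would."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return cd, ad

if __name__ == "__main__":
    ch = b"\x01" * 32
    print(check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(check_assertion(*sample("https://sso-example.test", "sso-example.test", ch), ch))
```

A push approval or one-time code carries none of these fields, which is why a caller can talk a user into handing one over.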
ShinyHunters Confirms Involvement
As reported by BleepingComputer, ShinyHunters confirmed that it participated in these campaigns and said Salesforce remains its primary target, while other platforms serve as entry points.
The group also confirmed that it targets Okta, Microsoft Entra, and Google SSO platforms.
Investigators reported that recent victims include Betterment, Crunchbase, and SoundCloud. Some leaked data appears to include personally identifiable information and internal corporate documents.
ShinyHunters also relaunched its Tor leak site to publish alleged victim data.
How Attackers Identify Their Targets
ShinyHunters reportedly uses data stolen from previous breaches to make its calls more convincing. This data may include:
- Employee names
- Job titles
- Phone numbers
- Company structures
This information helps attackers sound legitimate and tailor their scripts to the organization they target.
How to Protect Against Voice-Phishing SSO Attacks
You can significantly reduce risk with layered controls and user awareness.
1. Use Phishing-Resistant MFA
Enable authentication methods that cannot be socially engineered:
- FIDO security keys
- Passkeys
- Okta FastPass
Avoid relying only on push notifications or SMS codes when possible.
2. Verify All IT Calls
Never trust unsolicited calls asking for login actions.
If you receive an IT call:
- Hang up.
- Call your official internal IT number directly.
- Verify the request before taking action.
3. Never Enter Credentials from a Phone Instruction
IT departments do not ask users to log in during live calls. Treat any such request as suspicious.
4. Watch for Unexpected MFA Prompts
If you receive an MFA prompt that you did not initiate:
- Deny the request immediately.
- Report it to IT security.
- Change your password if prompted.
5. Restrict Network Access Where Possible
Organizations can limit access to authentication systems by:
- Blocking anonymizing networks.
- Allowlisting trusted geographic locations and IP ranges.
- Monitoring abnormal login behavior.
6. Enable Security Alerts and Logging
Ensure your identity platform logs and alerts on:
- MFA fatigue attempts
- Unusual login locations
- Repeated authentication failures
- New device enrollments
Early detection reduces breach impact.
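An added example, not from the article or any identity vendor: a small correlation pass over sign-in events that raises the four alert types listed above and escalates a device enrollment that follows a login from a new country. The event schema, thresholds, and all sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, user, event, source_ip, country). Schema is assumed.
EVENTS = [
    ("2026-01-20T08:55:00", "alice", "login_success", "198.51.100.7", "US"),
    ("2026-01-20T14:01:00", "alice", "mfa_push_sent", "203.0.113.50", "NL"),
    ("2026-01-20T14:01:40", "alice", "mfa_push_sent", "203.0.113.50", "NL"),
    ("2026-01-20T14:02:30", "alice", "mfa_push_sent", "203.0.113.50", "NL"),
    ("2026-01-20T14:03:00", "alice", "login_success", "203.0.113.50", "NL"),
    ("2026-01-20T14:06:00", "alice", "mfa_device_enrolled", "203.0.113.50", "NL"),
    ("2026-01-20T15:00:00", "bob", "login_failure", "198.51.100.9", "US"),
    ("2026-01-20T15:00:20", "bob", "login_success", "198.51.100.9", "US"),
]

# event -> (count, window, alert name); thresholds are illustrative assumptions.
BURST = {"mfa_push_sent": (3, timedelta(minutes=5), "mfa_fatigue"),
         "login_failure": (5, timedelta(minutes=10), "repeated_failures")}
ENROLL_WINDOW = timedelta(minutes=30)

def detect(events):
    """Return (user, alert) tuples in event order."""
    alerts = []
    recent = defaultdict(deque)   # (user, event) -> timestamps inside the window
    countries = defaultdict(set)  # user -> countries seen on successful logins
    odd_login = {}                # user -> time of last login from a new country
    for ts, user, event, _ip, country in sorted(events):
        t = datetime.fromisoformat(ts)
        if event in BURST:
            limit, window, name = BURST[event]
            q = recent[(user, event)]
            q.append(t)
            while t - q[0] > window:
                q.popleft()
            if len(q) == limit:
                alerts.append((user, name))
        elif event == "login_success":
            if countries[user] and country not in countries[user]:
                alerts.append((user, "unusual_location"))
                odd_login[user] = t
            countries[user].add(country)
        elif event == "mfa_device_enrolled":
            follows = user in odd_login and t - odd_login[user] <= ENROLL_WINDOW
            alerts.append((user, "enroll_after_unusual_login" if follows
                           else "new_device_enrolled"))
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```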
What To Do If You Suspect You Were Targeted
If you believe you interacted with a suspicious caller or phishing site:
- Change your password immediately.
- Revoke active sessions from your account dashboard.
- Notify your IT or security team.
- Scan your system for malware if instructed by IT.
- Monitor connected accounts for unusual activity.
Act quickly to limit exposure.
ShinyHunters’ claims highlight how voice-based social engineering continues to evolve. Attackers now combine real-time phishing platforms with convincing phone scripts to bypass traditional defenses and exploit SSO environments at scale.
Organizations should prioritize phishing-resistant authentication and employee verification training. Individual users should remain cautious of unexpected calls and login requests. Strong habits, layered controls, and fast response remain the best defense against this type of attack.
