Okta help‑desk vishing surge
Attackers have been calling help desks to bypass Okta MFA and gain SaaS admin access, using voice‑based social engineering rather than phishing. Multiple reports describe campaigns where support workflows are abused to reset factors or sessions, followed by admin actions in targeted SaaS environments (cyberpress.org) (gbhackers.com) (cybertechnologyinsights.com).
Attackers are getting into Okta-protected environments with phone calls, not malware, by persuading help desks to reset multi-factor authentication for privileged users. (ic3.gov) A July 29, 2025 joint advisory from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and partner agencies said Scattered Spider targets large companies and their contracted information technology help desks with social engineering. (ic3.gov) Google’s Mandiant said on May 6, 2025 that UNC3944, a cluster that overlaps with public reporting on Scattered Spider, has repeatedly hit large enterprises and favors organizations with large help desks or outsourced information technology functions. (cloud.google.com)

The mechanics are simple: a help desk can reset a user’s second authentication factor, and Okta’s own documentation says administrators can reset all enrolled factors so the user must enroll again at next sign-in. (help.okta.com) That workflow exists for legitimate lockouts, but it turns a service process into an entry point when a caller can sound convincing enough to pass identity checks. The Health Sector Cybersecurity Coordination Center warned on April 3, 2024 that attackers were already calling help desks from local area codes and posing as internal staff to gain initial access. (aha.org)

Okta has also been warning customers about the phone piece. In a December 11, 2024 security note, the company said caller identification alone should not be treated as proof that a caller is really Okta or Okta Support. (sec.okta.com) By January 22, 2026, Okta Threat Intelligence said it was seeing custom phishing kits built specifically for voice-based social engineering, with pages that change in real time to match what the caller is telling the victim to do. (okta.com) Okta said those kits are being used against Google, Microsoft, Okta, and cryptocurrency providers, and that they can steer a victim through a login flow while the attacker waits for a push approval or one-time code. (okta.com)

The broader pattern is not limited to Okta. Microsoft said on May 15, 2024 that Storm-1811 was using voice phishing over Microsoft Teams to impersonate help desk staff, abuse Quick Assist, and in some cases lead to Black Basta ransomware. (microsoft.com)

The defensive shift is away from codes a caller can talk someone through and toward login methods tied to the real site and the real device. Okta says passkeys based on Fast Identity Online 2, or FIDO2, and Okta FastPass are phishing-resistant authenticators. (help.okta.com) Federal agencies made the same recommendation in the July 2025 Scattered Spider advisory: enable and enforce phishing-resistant multi-factor authentication, because the weak point in these intrusions is often the recovery desk, not the password prompt. (ic3.gov)
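As an added defender-side example that is not from the original article, Okta, or any of the cited agencies: the script below correlates a help-desk "reset all factors" action on a privileged account with a fresh factor enrollment and a sign-in from a client that account had never used, all inside a short window, over constructed sample events shaped like Okta System Log entries. The event type names are as I understand Okta's System Log; the field paths, account names, IP addresses and the privileged-user list are assumptions to verify against your own tenant export.

```python
"""Correlate a help-desk factor reset on a privileged account with a fast
re-enrollment and sign-in from a client that user has never used before.
Assumption: event names and field paths match your tenant's System Log export."""
import json
from datetime import datetime, timedelta

PRIVILEGED = {"alice@example.test", "bob@example.test", "carol@example.test"}  # placeholder list

# Constructed sample: Alice is the only reset followed within an hour by a new factor
# and a never-seen client; Bob re-enrolls the next day, Carol from a client she already used.
SAMPLE_LOG = """\
{"published":"2025-07-29T13:00:00Z","eventType":"user.session.start","actor":{"alternateId":"carol@example.test"},"target":[],"client":{"ipAddress":"10.0.0.9"}}
{"published":"2025-07-29T14:02:11Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.test"},"target":[{"alternateId":"alice@example.test"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2025-07-29T14:06:40Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@example.test"},"target":[{"alternateId":"alice@example.test"}],"client":{"ipAddress":"203.0.113.9"}}
{"published":"2025-07-29T14:07:02Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.test"},"target":[],"client":{"ipAddress":"203.0.113.9"}}
{"published":"2025-07-29T15:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.test"},"target":[{"alternateId":"carol@example.test"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2025-07-29T15:05:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"carol@example.test"},"target":[{"alternateId":"carol@example.test"}],"client":{"ipAddress":"10.0.0.9"}}
{"published":"2025-07-29T15:06:00Z","eventType":"user.session.start","actor":{"alternateId":"carol@example.test"},"target":[],"client":{"ipAddress":"10.0.0.9"}}
{"published":"2025-07-29T15:30:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.test"},"target":[{"alternateId":"bob@example.test"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2025-07-30T09:00:00Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"bob@example.test"},"target":[{"alternateId":"bob@example.test"}],"client":{"ipAddress":"10.0.0.7"}}
{"published":"2025-07-30T09:01:00Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.test"},"target":[],"client":{"ipAddress":"10.0.0.7"}}
"""

def parse(raw):
    """Parse JSON lines and sort by publish time ('Z' is rewritten for older Pythons)."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def suspicious_resets(raw, window_minutes=60):
    """Return (user, reset_time, new_ip) for resets that look like a talked-through takeover."""
    events, window, hits = parse(raw), timedelta(minutes=window_minutes), []
    for i, e in enumerate(events):
        if e["eventType"] != "user.mfa.factor.reset_all":
            continue
        user = e["target"][0]["alternateId"]
        if user not in PRIVILEGED:
            continue
        # Baseline: clients this user was seen from before the reset.
        known_ips = {x["client"]["ipAddress"] for x in events[:i] if x["actor"]["alternateId"] == user}
        after = [x for x in events[i + 1:]
                 if x["actor"]["alternateId"] == user and x["ts"] - e["ts"] <= window]
        enrolled = any(x["eventType"] == "user.mfa.factor.activate" for x in after)
        new_ips = [x["client"]["ipAddress"] for x in after
                   if x["eventType"] == "user.session.start" and x["client"]["ipAddress"] not in known_ips]
        if enrolled and new_ips:
            hits.append((user, e["published"], new_ips[0]))
    return hits
```

Widening the window to a day also surfaces Bob's next-morning re-enrollment, while Carol stays quiet because her post-reset client was already in her baseline; tune the window and the baseline source to your environment.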