Threat Intelligence | Blog | Okta

????????TeamPCP????????????????????

Jeremy Kirk, George Wang, ???? — Sun, 17 May 2026 15:00:00 +0000

?????????????????2026?5?18??????????????????????

??

2025???????TeamPCP?????????????????????????????????????????????????????????????

?????????????????????????????????????CI/CD????????GitHub?????????????

????????????????????????????????????????????????????????????????????????????????SSH???Git???????????????????CI/CD????????????????????????

??????????????????????

GitHub Actions ? pull_request_target ????????????????
OSS???????????????????????
?????????????????????

????????????????????

???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

pull_request_target????????

GitHub Actions?????????pull_request_target???????????????????????????????????????????pull_request_target???????????Pwn Request????????GiHub?2021??2025????????????????????

pull_request_target??????????
???????????????????????????????????????????????????????????????????
pull_request_target?????????????????????????????????????GitHub?????????????????????????????????????????????
?????????
????????????????????????????????????????????????GitHub Actions??????????????????????????????????????????????????

TeamPCP????DeadCatx3?PCPcat??????

TeamPCP?2025?????????????????????????????GitHub??????????????????????????????????????????????????????????????????????????????????????????????API??????????????????????

OSS?????????????????

???????????????????????OSS??????????????????????????????????????

2025?9? (npm):

???npm??????????2FA????????????????????????????????????????????????18?????????????????????????????????

2025?7? (PyPi):

PyPi????????????AitM?????????????4??????????????????API?????????? num2words ??????????????????????PyPi?????????????????????????????????????????????

????

OSS????????????????????????????????????????????????????????????URL???????

???? (Cooldown period) ????:

????????????????????n-1?????????????????pnpm 11.0 ??????????????24????????????????????????????????????????????????

????????? (SBOMs) ???:

???????????????????????????????????????????????????????????????????????????????????????????????????????????

??????? (SCA??????):

npm audit ??...Snyk?Socket.dev???????????????????SCA???????????????????????????????

GitHub Actions ?????:

?????? pull_request_target????????????????????????????????????????????????????**????????????????????SHA???????????SHA pinning?**??????????

?????????????????:

?????????????????FIDO2/WebAuthn??????????????????????????????????????????????????????????????????????????????????????????????????????????

??URL

TeamPCP????????TTP??????????????Okta????????????????????Security Trust Center?????????

https://security.okta.com/product/oktathreatintelligence/defending-against-teampcp-software-supply-chain-attacks

????????????????????? - ????????????????????????????CISA??

https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508.pdf

???????????????????????? - ??????????? (NIST)

https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains

??????????????????????? - ???????????????????NCSC??

https://www.ncsc.gov.uk/collection/supply-chain-security

?????????????????????????? - ????????????????????????????????OWASP??

https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security_Cheat_Sheet.h

???????????ShieldGuard?????????????????????????????????

Grayson Schermerhorn, Yang Wang, Simon Conant, Adam Smallhorn — Mon, 16 Mar 2026 07:00:00 +0000

Okta????????????????ShieldGuard??????????????????????????????????????????????????????

ShieldGuard????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????????????????????????ShieldGuard??Binance?Coinbase?MetaMask?OpenSea?Phantom?Uniswap?????????????????????Google????????????????????????????????????????????????????????????????????????Binance?Coinbase?OpenSea?Uniswap??????????????????HTML????????????????

????

ShieldGuard??Web3????????????????????????????????????????????????????????ShieldGuard???????????????????????

Google Chrome???????
X.com????????????????
Telegram?????

ShieldGuard????????????SNS?????????????????????????????????????????????????????????????

???????????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????

ShieldGuard??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????????????????????????????????????????????????????

????????????? EIP-6963????????????????????????????????????????????????????????
??????????????????????? ????????DeFi?????????????????????????????????????????????????
????????? ??????????????????????????????????????????????????????????????????????????????????

??????? ????UUID?????????????????????????????????????????

???????

????

???????????????ShieldGuard??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????

ShieldGuard??Chrome?Manifest V3????????????????????????????????????????????????????????????????JavaScript???????vendor.js?????????????

??????????RCE??????? ??????? eval() ??????????????????????????????????C2?????????????????????????????????????????JS????????????????????????????????????????????????????????????Chrome??????????????????????????????????????????????

????????? ????????????????????????????????????????????????????????????????????????????????

????????????????

?????????????????????????

????????????????????????????
?????C2?????shieldguards[.]net/scripts?????
?????EIP-6963????????????????
??????????????????????????????
??????????????????????????
?????????????????????
?????Binance?Coinbase?OpenSea?Uniswap??????????????????????????????????HTML???????
HTML????????????????

?????????shieldguards[.]net ?C2????????2????????????????????????????

?????1???????????????????????????

???????????????????????????????????EIP-6963??????????????????????????????????????MetaMask?Phantom?Coinbase Wallet????????????????????????????????C2????????https://shieldguards[.]net/notifications????????

????????????????????????????????????????????

?????2????????????????????????????????
????????????????2??????????????????????????????????5?????????????????????????HTML?document.documentElement.outerHTML?????????https://shieldguards[.]net/snapshots ?????????????????DOM???????????????????????????????????????????

C2?????????????????

??????????Cloudflare?????????? shieldguards[.]net ??C2???????????

????????C2????????????????

???????	????	??
/scripts	POST	???JavaScript????????
/snapshots	POST	?????????HTML???
/notifications	POST	?????????????????????
/check/{domain}	GET	???????????????????????????
/uninstall	GET	UUID???????????????????????????

??????????????????

????JavaScript?????????????????????????"??????: ?? ??????? ?????????? ?????"???????????????????????????????????????

?????????Radex??????????????????????????????????????Auth0?????????????????????????radex4me@proton.me???Radex????????Chrome????ID?fkogigpebmhlbldifmjngmlooifljnif???????????????????????????????????????????????????????????????????

????

Okta???????????????????????????????????????

????????????????
CDN?????? shieldguards[.]net ?????????????????????????????????????????????????Partner Hosting LTD?????????
Google Chrome?????ShieldGuard????????????

?????????? shieldguards[.]net ??????????????????????C2?????????????????

??????????????

?????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????

????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????

??????????? ??????Chrome????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
?????? ???????????????????????????????????????????????????????
??????? ??????????????????????????????????????????
??????????????? ??????????????????????????????????????????????????????????????/???????????????????????

??????????????

??????????????????????????????????????????????????????????????MFA????????????????????????????????????

Okta???????????

???????????????????????????????????????????????????????????????????Allowlist???????????

???2??????????????

????Chrome????
- ????????????????????????????
- Okta??????????????????????????????????????
- ????Chrome????????????????
- ???????????????????Allowlist??????????????????????????????????????
- ????????????????????????????????
??????????????????
- Okta??????????????????????????????????????
- ?????????Okta Verify??????Okta????????????????????????????
- ????????????Okta??????????????????????????????????????????????????????????????????????????????????????????????????????????
- ??????????????????????????????????????????????????Custom remediation messages?????????????
- ????????????????????????????????

???? (IoC)

???	???????	??
AS??	AS215826	?????????????????????????????
Chrome????ID	olnppmocapoaecjhkiilemmnkjbmabfj	ShieldGuard????????ID
Chrome????ID	fkogigpebmhlbldifmjngmlooifljnif	Radex?????ID

??????????????????????????????????????

Wed, 21 Jan 2026 15:00:00 +0000

Okta??????????????????????????vishing?????????????????????????????????????????????????????????????????????????????

???????????????????????????Google?Microsoft?Okta???????????????????????????????????????????????

??????????????????????????????????????????MFA??????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????MFA??????????????????????????????????

Okta????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????MFA????????????????

Okta????????????????????????????????2????????????????????????????????????????????????????????????????????????????????????????

????????????

???????????????????????????????????????????????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????OTP????????MFA???????????????????????????????????????????

?1?????????????????????????????

??????????????????

??????????????????????????????????????IT??????????????????????
????????????????????????????????????????????????????????????
IT?????????????????????????????????????????????????????
????????????????????????????????????Telegram?????????????
?????????????????????????????????????MFA???????????????????
??????????????OTP?????????????????MFA???????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????????????C2?????????????????????????????????????????????????????????????????????????????????????????????????

?2?Okta??????????????????C2????Microsoft?????????????????????????????????

????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????

????Okta FastPass?FIDO????????????????????????????????????????????????????

?????????????

???????????????????????????????????????????????????????????????????????????

?Vishing?????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????

?????Google?Microsoft Entra?Okta????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????

???????????????????????????

??????????????????????????????????????????????????????????????

Okta???????????????????Okta FastPass?????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????????????

Jobseekers exploited in fake recruiter phishing campaigns

Thu, 18 Dec 2025 16:00:00 +0000

???????????

Okta ????????????400?????????????????????????????????????????????????????????????????????????

??????????O-UNC-038???????????

????????????????????????

Telegram???????????????????????Facebook????????????????Browser in the Browser??BitB???????????????
Socket.IO?????Google Workspace?????????????????????????????????????
???????????????????????????

?????????????????????????????

????????????????????MFA??????????????????????????Adversary-in-the-Middle?AitM???????????????????????????????????????????????????????????????????????

????

????????????????????

????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????Salesforce ExactTarget ?????????????????????????

cl.s12[.]exct[.]net/?qs=<UniqueIdentifierString>

?????????????E?????????????????????????????E????????????????????????????????????E????????????????????????????????????????????????????????????????????????????????????E ??????????????

Okta ???????????????? Salesforce ?????????? ????????? Salesforce ?????????????????????????????????

????2???????????????????????????????

???? - ??????1

Browser in the Browser?BitB?Facebook??????????????????1??

???????????????????? in the ???? (BitB)???????????????????????????????????????????????Facebook????????????

BitB?Browser in the Browser?????????????????HTML?CSS?JavaScript?????????????????????????????????????????????????????????????????????????????????????Facebook??????????????????????????????????????????????????????????????????????????????

?????????Facebook/BitB????????????????143??????????????????????????????????????????????????????????????????????????????????????????

?????????????Vercel????????????????????????registrar.eu???????????Amazon Web Services????????????????????????????????????????????????Telegram????????????

????Meta?????

???????????????Meta???????3????????????????????????????????????Facebook?????????????????

????Puma??

???3???????????????????Puma??????????????

?????????????? - ??????1

BitB???????????????????????????????????????????????????????????????????????????????????????????????????????????????

???? - ?????? 2

????????Campaign 1?????BitB????????????????????????????Google???????????????????????????????????

???????????????????????????????????????????E ?????????????????

????????????????84?????????????????Cloudflare????????????IP??????????Socket.IO???????????????????????

???????Playstation??????

????????? Google ?????????????????????????????????????????????

????????????????????????1?????????????????????????????????????????????????

???????????????????????????

???2???????????????????????200?????????????????????????????????????????????????????????

???????????????????????????Group ??????????????????????????????????????????????????????????????

??????????????????????????????????????????????????????

Adecco
Adidas
Aquent
Calendly
?????????
Cisco
CocaCola
Genpact
Givenchy
Google
Hays
Ikea
Inditex
Meta
??????????????
???
Randstand
Robert Half
Robert Walters
Salesforce
???????
youtube
Zara

??????????????????????????www???????????????????????????????????

apply.
hire.
careers.
calendly.
????
hr.
jobs.
join.
kvn.
recruit.
???
schedule.
?????
start.
threads.
xds.

???????????????????URL????????????????????????????????????????????????????????????????????

????

??????????

???????????????????????????????????

?????????????????????????????????????????????????????
???Okta????????????????????????????????????????????????????????????????????

????

???????????MFA?FastPass/webauthn/???????????????????????SMS/???????????????
???????????????????????????????????????????????????????????????????????????????????????????????Web?????????????????????????????????????
DMARC/DKIM/SPF???????????????/????????????????????????
???????????????????????????????????????????
BitB ??????????????????????:
- ???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
- ????????????????????????????????????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????
IoC??????Telegram???API?????t.me/, bot*getUpdates, sendMessage; BitB CSS/JS??????

????????

???????????????????????
???????????????????????????????????????????????????
???????????SSO????????????
?????????????????Browser-in-the-browser???????????????????????????

????

Okta????????????????security.okta.com????????????????????????????????????????

https://security.okta.com/product/okta/jobseekers-exploited-in-fake-recruiter-phishing-campaigns

??????????

Okta?????????????????????????????????????203??????????????????????????????????????????

???	?? ???	??? ???????	???????	?? ???????	?????	?????????	?? ??(?)
??	????	??? ???????	???????	?? ??	??????	?????????	?? ??
???????	1?5?	5?20?	20?45?	45?55?	55?80?	80?95?	95?99?

Phishing campaigns use 'Employee Benefits' lure to intercept Microsoft and Okta logins

Houssem Eddine Bordjiba — Tue, 21 Oct 2025 07:00:00 +0000

???????????

Okta????????????Microsoft?????????????????????????????????????????????????????????????????? Okta ????????????????IdP???????????

???O-UNC-037????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O-UNC-037???????????????????????????????????????

O-UNC-037?????????????2025?10???????????????????????????????????????????????????HR??????????????????????E ??????????Microsoft???????????????????????????????

????????????????????????????????????????????????????????MFA????????????????????????????????Adversary-in-the-Middle?AitM????????????????SMS???????????????????????OTP?????????????MFA?????????????

Okta???????????SSO??????????????????2????????????????????????????????????????2???????????????Okta ????????????Okta?????????????????????Cookie??????????????????????

????

?????????????????????????????????????Microsoft???????????Okta SSO?????????????????????????????????????AitM????????????????????????????????????????

?????????????????TTP??

??????????????????
- ??????E ?????????????????????????????????????????????????????????????????????????????????????
- ?????????????????????????????????????????????????E ?????????????????????
- ???????????????????????????????Cloudflare CAPTCHA??????????????
?????????????
- Adversary-in-the-Middle (AiTM)????????????????????????????MFA??????????????????????????
- ????????????????????Microsoft???????????federation?????????Okta SSO?????????
??????????????
- ???????????????????????URL????????Phishing-as-a-Service (PhaaS)?????????????????????????????????????????????
- ?????????????????????????????????????????

E ????????

????????????????????? E ????????????????????????????????????E ??? ????????????? (LLM) ?????????????????????E ???????????????????????????????????????????????????????????????

?????E ??????????

????ADP BENEFITS <notifications[@]duobenefits[.]com>???[?????]??????????? - ??????????????

????Secure Mail <noreply[@]mailsafe365[.]com>???[?????]???????????????????????

????????????????????????????????E ??????????????????????????????????????

???: ADP Benefits <notifications_adp_com[@]emails[.]t??????s[.]org>??: Confidential: [???? Name]????????????????

E ????????????????

?????????E ??????????????????????????????????????????????????????E ??????????????????????????????????????????????????????????

benefits-alerts[.]com
benefitsapp001[.]com
qrcodelnk[.]com
302lnk[.]com
goto365[.]link
fastlink247[.]link
link24x7[.]link
fast2url[.]link
url247[.]link

?????????????????????E ?????????????????????????????????????????????????????

t??????s[.]msg???[.]com

?????? ???? 1 ????????????????????????????????

Marketing.s??????y[.].com

?????E ???????????????????????????????Web??????????????????????????????????????????????????

????????????????????????????????????????????????????????????????????

???????????

??????????????????????????????????????????????????????????????Cloudflare CAPTCHA???????????????????????????????????????????????????????????????????????????????

?????????

CAPTCHA????????????????????????????????????????????????

???????

????????????????????????Microsoft?????????AitM?????????????????????????????????????????????????????????????????????????????

Okta???????2??????????

????????????????????????????????Okta????????????????????????????????????????????????????Okta??????URL??????????????SSO[.]oktacloud[.]io????????????????????Okta?????????????????AitM?????SSO???????????????????????Cookie?????????????????????????????????????????

????????????

O-UNC-037????????????????????Microsoft???????????????????????????????????????????

benefitsemployeeaccess[.]com
benefitsquickaccess[.]com
benefitsworkspace[.]com
benefitscentralportal[.]com
benefitsselfservice[.]com
benefitsmemberportal[.]com
benefitsgatewayportal[.]com
benefitshubportal[.]com
benefitsadminportal[.]com
benefitsaccessportal[.]com
benefitsviewportal[.]com

?????? ??????????????????????????????????URL???????????

/benefits/????/
/compensation/auth/
rewards/verify/
employee/access/

???????????Microsoft??????????????????????????????????????????????????????

sso[.]oktacloud[.]io
sso[.]okta-access[.]com
Internal-networks[.]com

Okta?????????????????????????????Cloudflare Workers????????????????????????Cloudflare Workers???????????????????????????????????????????????????????

sso[.]okta-proxy[.]workers[.]dev
okta[.]undermine[.]workers[.]dev
oktapage[.]oktamain[.]workers[.]dev
okta[.]eventspecial[.]workers[.]dev

???????????????????

O-UNC-037????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????O-UNC-037?????????????

????????????

????????????????????????Microsoft 365???Okta???????????????????????AitM?????????????????????????????????URL???????????????Phishing-as-a-Service?PhaaS????????????????????????????????????????

??????URL?????????????????????Base64?????????JSON??????????ht????????????????????????????????????

https://benefitsemployeeaccess[.]com/rewards/verify/d582500e?s=3&ht=eyJpZCI6IjY2ZmI2OWMwNjA2N2RjOTM5Yzc5OTM1NWE0ODNjNzM3IiwidHlwZSI6ImhvcCIsImNhbXBhaWduX2lkIjoiY2FtcF82OGYyNjQ3YTlmYjE0IiwiaG9wX3RlbXBsYXRlIjoiYmVuZWZpdHMiLCJzdWNjZXNzX3RlbXBsYXRlIjoiYmVuZWZpdHNfZXJyb3IiLCJjcmVhdGVkIjoxNzYwOTM3NDcyLCJleHBpcmVzIjoxNzYwOTQ0NjcyLCJpcCI6IjExMy4yOS4yNDMuMSIsIm1heF91c2VzIjoxMDAwMDAwMCwidXNlcyI6MCwiaG9wX2NvdW50IjozLCJzZXNzaW9uIjoiZG9oNnBhbnE0Y3RhZTVsMjhvNWoyaTdoa3YifQ%3D%3D.bb0c9db57db67ff678edafb64f3cdc4fccfa93d4a8952e05ca2a3176e8134db5

??????????????????????????????????????????????????????????????????????????????????campaign_id???????ip???????????????????ID?????????????????????????????????????????????created???expires??????????????uses???max_uses????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

  "id": "66fb69c06067dc939c799355a483c737",

"type": "hop",

"campaign_id": "camp_68f2647a9fb14",

  "hop_template": "benefits",

"success_template": "benefits_error",

  "created": 1760973582,

  "expires": 1760980782,

  "ip": "?????",

  "max_uses": 10000000,

  "uses": 0,

"hop_count": 3,

  "?????": "qa061c1uiht26gmtqcj49fsgci"

???Microsoft???????????????Okta????????????????????????????????????E ????????????????O365?????????????Okta???????FederationRedirectUrl???JSON????????

?????????????????????JavaScript???????????????????????????????????????

????????????????????
FederationRedirectUrl?AuthURL?RedirectUrl?????????JSON???????????
URL????Okta?????.okta.com??????????????????.oktapreview.com????????????????????????
???Okta URL???????????????????????????????????????????????????URL?????????: sso[.]oktacloud[.].io?
???????????????????????????????????Okta?????????????????????????
??????????????????Cookie??????????????/api???????????????
????????URL??????????????????????????????????????????????????????????????????????????????????????????????????

??AitM???????????????????????????????Okta???????????????????????SSO???????????????Cookie???????????

var _wd = "https://sso.oktacloud.io";

var _iO = function (u) {

            if (typeof u !== "string") return false;

if (u.includes("sso.oktacloud.io"))return false;

            if (u.includes("/app/office365")) return true;

            if (u.match(/\.(okta|oktapreview|okta-emea)\.com/i)) return true;

if (u.match(/\/sso\/saml|\/sso\/wsfed|\/???\/[^\/]+\/sso/i)) return true;

return false;

};

????????????????

????????????????????????????CloudFlare IP?AS13335????????????????????????????

????

??????????

???????????????????????????????

?????????????????????????????????????????????????????
??????????????????????????????????????????????????????????????????????????????
???Okta????????????????????????????????????????????????????????????????????

????

?????????

Okta FastPass?FIDO2 webauthn????????????????????????????????????????????????
Okta????????????????????????????????????????????????????????????????????????????????????????????????Endpoint Management?????????????????????????????????????????????Application ???????????????????????????????????????????????????????????????????Okta FastPass????????????????????????????
?????????????????????????????????????????????????Okta Network Zones???????????????ASN???????????IP????IP????????????????????????????????
Okta Behavior and Risk evaluations??????????????????????????????????????????????????????????????????????????????????????????????????????????
?????????E ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
IT??????????????????????????????????????????????????????????????????????
??????????????????????????????Zero Standing Privileges??????????????????????????????????????????????????????????????????JIT????????????????????????????
?????????????????????????????????IP???????????????????
????????????????????????????????????????????????????????????

???????????????????????

????????????Okta???Web?????E ?????????DNS?????????????????????????????????????????????
????????????????????????????????????????

??????????????????????????????????????????????????????????Web?????????????????????????????????????

?????

Okta????????????????security.okta.com????????CSV?????????????????????????????????????:

https://security.okta.com/product/okta/phishing-campaigns-use-employee-benefits-lure-to-intercept-microsoft-and-okta-logins

??????????

Okta?????????????????????????????????????203??????????????????????????????????????????

???	?? ???	??? ???????	???????	?? ???????	??????	?????????	?? ??(?)
??	????	??? ???????	???????	?? ??	??????	?????????	?? ??
???????	1?5?	5?20?	20?45?	45?55?	55?80?	80?95?	95?99?

Wide-scale, opportunistic SMS pumping attacks target customer sign-up pages

Grayson Schermerhorn, Mathew Woodyard — Tue, 14 Oct 2025 07:00:00 +0000

Executive Summary

Okta Threat Intelligence has identified a cluster of shared disposable email infrastructure and commodity proxy services, internally designated as O-UNC-036, that is being used to launch high-volume, automated attempts against public API endpoints.

This infrastructure has been observed in multiple persistent, large scale and financially motivated SMS pumping campaigns starting at least as early as July 2025.

To execute this attack, threat actors undertake the following sequence of actions:

Create a new account using a disposable email address, often tied to a set of domains
Add an actor-controlled phone number as an authentication factor
Send as many messages to the number as possible in order to achieve their monetary objectives

These attacks generate significant financial costs for the target organizations by running up bills with their telephony providers. We have been able to track historical activity from this cluster of disposable email domains back to at least March 2024, indicating a sustained, adaptive effort. Due to the high financial risk and potential for service degradation, we strongly recommend the immediate implementation of the protective controls, monitoring and aggressive response outlined in this report.

Threat Analysis

The primary objective of this campaign is opportunistic, large-scale account creation in order to carry out SMS pumping campaigns. In these attacks, threat actors profit by collaborating with high-cost international or premium-rate SMS providers. By exploiting the SMS delivery system of the target identity platform, the attacker triggers messages to phone numbers they control in high-cost regions. The victim organization is then billed for the exorbitant volume and cost of these international or premium SMS messages, with the cost of attacks potentially costing hundreds of thousands of dollars in telephony bills.

The attack follows a high-volume pattern:

Reconnaissance and Enumeration: Attackers identify multi-factor authentication (MFA) or user registration endpoints that trigger an SMS code.
Infrastructure Setup: Actors use commodity proxy services (VPNs, anonymizing proxies, residential botnets etc.) to distribute the source IP addresses of the traffic, reducing the efficacy of rate-limiting based solely on IP.
High-Volume Requests: Automated scripts submit requests using known, high-cost phone country codes and rapidly generated, disposable email addresses.
Cluster Activity: The O-UNC-036 infrastructure is a key enabler. This cluster utilizes a revolving pool of shared disposable email domains to bypass email-based rate limits and tenant-level velocity checks, allowing them to rapidly cycle through accounts for message requests. Okta Threat Intelligence has tracked activity in this cluster back to at least March 2024.
Target Scope: We observed this activity in multiple tenants and organizations of both Auth0 and OCI, indicating a widespread, indiscriminate search for vulnerable endpoints that trigger SMS delivery. The same shared infrastructure is likely also used to attack organizations building their own customer sign-in pages or using alternative services.

For technical details of how to identify these attacks in your logs, see the Detection and Indicators sections of this report.

Detection

Our research has not uncovered any legitimate use of emails under domains listed in the indicators section of this report. Thus the existence of users with such emails is sufficient to detect attacks. Given the potential duration of this attack, it is critical that administrators look back as far as possible in their logs to determine the scope of past and future impact.

Okta Customer Identity

High numbers of messages being sent to countries outside of your company's normal operating regions.
A spike in the following event types:

        system.sms.send_okta_push_verify_message

        system.sms.send_factor_verify_message where result=DENY

and

        reason=Toll Fraud Suspected

A spike in the following event type:

        system.email.new_device_notification.sent_message

as malicious account's alternative proxy providers or ASNs every login.

See the "Monitoring of your Okta org" section of our support article "How to Mitigate Toll Fraud when Using Okta for Voice Authentication" for a comprehensive overview of detection strategies.

Auth0

ss events from the domains listed in the Indicators of Compromise section. Administrators should refer to detection rules provided in the FOSS Auth0 Security Detection Catalog and modify them as needed.
Spikes in Guardian events, especially gd_enrollment_complete and gd_send_sms events. We advise administrators to use the risk_of_signup_fraud_by_volume.yml and sms_bombarding.yml detection rules in the Auth0 Security Detection Catalog.
A spike in "MFA bypass" events in Security Center.
High numbers of messages being sent to countries outside of your company's normal operating regions.

Protective controls and response

Okta Threat Intelligence has observed these attackers abandon a target when frustrated by the introduction of controls. This makes aggressive response and implementation of proper controls effective in stopping these attacks.

While ever sending SMS messages costs money, attackers will find a way to skim off the top. This risk can only be fully mitigated by migrating to another authentication factor. We strongly recommend the adoption of FIDO Authentication (passkeys).
Our research has not uncovered legitimate use of the domains provided in the Identicators section of this document. Deactivate users that provided these emails after making your own assessment.
Accounts created from the ASNs in the Indicators section of this document are seldom legitimate. Administrators are advised to deactivate these accounts unless friction is a major concern.
Disable sending messages to untrusted countries in your telephony provider.

Okta Customer Identity

Implement FIDO Authentication with WebAuthn and migrate users' factors away from SMS.
Use passkeys instead of SMS or voice factors.
Enable bot protection for enforcement. We recommend setting a Bot Likeliness threshold of Low and above or Always on Sign-up and Sign-in flows when you are under attack.
Block anonymizers and proxies at edge by leveraging enhanced dynamic network zones.
Utilizing workflows to manage self-service registration users from malicious domains. An Okta Identity Defense generated workflow exists that can be utilized or expanded upon and can be found here.
Utilize the Okta API to quickly deactivate large batches of identified users.
Leverage identity proofing integrations.
See our support article "How to Mitigate Toll Fraud when Using Okta for Voice Authentication" for a comprehensive overview of responses and preventative controls.
Block suspicious activity using the tooling provided by your telephony provider.

Contact Okta Support to provide a list of allowed telephony countries if you're confident in the specific list of countries servicing your customers. You can also request to modify the rate limits on your organization.

Auth0

Implement FIDO Authentication with Webauthn and migrate users' factors away from SMS or voice factors.
Use passkeys instead of SMS or voice factors.
Block requests from the ASes and TLS client fingerprints in the Indicators of Compromise section at edge with Auth0's Tenant Access Control List feature.
Since these attackers are especially sensitive to friction, enabling bot detection and enforcing CAPTCHA can be an effective control.
Block users from registering using the email domains listed in the
Indicators of Compromise section with Signup and Login triggers.
Disable sending messages to untrusted countries in your telephony provider.
Lower your rate limits to lower the number of accounts attackers can create using the same IP address.
Consider identity proofing integrations like those available in the Auth0 marketplace.
If you identify a large number of fraudulent users, engage Auth0 support for assistance.

Grayson Schermerhorn and Mathew Woodyard contributed to this research.

Appendix A: Indicators

This is an ongoing investigation, and additional Indicators may be identified as the campaign evolves. Organizations are advised to remain vigilant and implement the recommended mitigation strategies.

Domain
2mails1box.com 300bucks.net blueink.top desumail.com e-boss.xyz e-mail.lol echat.rest electroletter.space emailclub.net energymail.org gogomail.ink gopostal.top guesswho.click homingpigeon.org kakdela.net letters.monster lostspaceship.net	message.rest myhyperspace.org mypost.lol postalbro.com protonbox.pro rocketpost.org sendme.digital shroudedhills.com specialmail.online ultramail.pro whyusoserious.org wirelicker.com writeme.live writemeplz.net

Domain

2mails1box.com
300bucks.net
blueink.top
desumail.com
e-boss.xyz
e-mail.lol
echat.rest
electroletter.space
emailclub.net
energymail.org
gogomail.ink
gopostal.top
guesswho.click
homingpigeon.org
kakdela.net
letters.monster
lostspaceship.net

message.rest
myhyperspace.org
mypost.lol
postalbro.com
protonbox.pro
rocketpost.org
sendme.digital
shroudedhills.com
specialmail.online
ultramail.pro
whyusoserious.org
wirelicker.com
writeme.live
writemeplz.net

Autonomous Systems Number (ASN)
212238 16276 44477 26548 200373 137409 214483 13213 397368

TLS Client JA4 Fingerprints are also available from an unredacted advisory that Okta customers can download at security.okta.com.

The s1ngularity attack: When attackers prompt your AI agents to do their bidding

Brett Winterford — Mon, 06 Oct 2025 16:00:00 +0000

9?????s1ngularity?????????????????????????????????????????????????????????????

??????????????????npm??????????????????????????????????????????????????????????AI??????????????????????????????????1????

????????????????????????????????????????????????????????????????????AI?????????????????????????

?????Safety Cybersecurity????????????Paul McCarty?????????????????????????????????????????????????????????????????AI???????????????????????????????????????????????????????????????????????????

?????????????

????????????nx????????npm???????????????????????????????????????????????????????????telemetry.js??????????????????????

???????????????????????????????????????????????????????????????????????????????????????????????????????????????LLM????Claude?Gemini?AWS Q?????CLI???????????????????

McCarty???????????????????????????????????????????????????????????????????????????????????????????????CLI?????????????????????????????????????????????????????????

??????????????

????? telemetry.js ??????????????????????????????? AI ??????????????????????

??????: ???????????????? AI ?????? (CLI ???) ????????????????????????????????????????? (???????? Linux ??? macOS ????????????????)?
?????: ?????????????????????????????????????????????????????????????????????AI ????????????????????????????????????????????????????????????
?????????????????????????????????????.env????????????????????????????.config?????????????????????????????????
- GitHub ??? npm ????
- ????????????????????AWS?????
- SSH?

AI ???????????LLM ?????????? ??????????????????????????????????????????????AI ??????????????????????????????????? ???????????????

AI??????????????????????????????????

McCarty??????????????????????????????????????????????????????????????????????4???????????AI????????????????

??????????????AI???????????????????????????????????????????????????????????????????????????????????

???????????? ????????????????????????????????????????????????????????????????
????????????????????????????????????
?????????????????????????????????????????????????????????

????????????AI???????1??????????????????????????????????????????????????????????????????????????????????????????????AI??????????????????????????????McCarty??????????????AI????????????????????YOLO???????????????

????????????????AI???????????????????????????developer???????????????????????????????????????????????????????????????

???????

4 ??????? AI ?????????????Claude ? Gemini ????????????????????????????Paul McCarty ? Safety ?????????????????????????: Analysing the AI used in the NX Attack?

North Korea's IT Workers expand beyond US big tech

Simon Conant, Alex Tilley — Tue, 30 Sep 2025 07:00:00 +0000

Okta ?????????????????????????DPRK??IT??????????????????????????????????????????????????????????

??????????DPRK??????????????????????????????????????????????? focus ?????????????????????????????????????????????????????????IT????ITW???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????DPRK ITW???????????????????????????????????????????????????????????????????????????4??1???27????????????????????????????

Okta ????????????DPRK?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????DPRK?????????????????????????????????????????

DPRK?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????130???????????????????

Okta Threat Intelligence????????????????????????????DPRK ITW????????????????????????????????????130??????????????????????????????2025??????5,000??????????6,500????????????????????

????????????????????????????????????Okta ????????????????????????????????????????????????????????????????????????????????????????????

?????????DPRK IT????????????????????????????????????????DPRK???????????????????????????????Okta???????????????????????????????????????????????????????DPRK????????????????????Okta Threat Intelligence ??????? 130 ?????????????? DPRK ITW ???????????????????????????

??????

??5???????????????DPRK???????????????????????????????????????????????????DPRK?IT???????????????????????????????????????????????

Okta???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Application ????????????????????????????????????????????????????????????????????????????????????????????

ITW?????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????DPRK????????????????????????????????DPRK??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

DPRK?ITW??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????IT????????????????????????????????????????

DPRK????????????????????????????????????????

ITW???????????????????????????????????????????????????

DPRK?IT??????????????????????????????????????????DPRK???????????????????????????????????????????????????????????????????????????????????????????????????????????Application ???????????????????????????????????????DPRK?????????????????????????

??????????????????????????????????????????????????4????ITW??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
??????????????????DPRK??????????????/??????????????????????????????????????????
???????????????????????????????????????????????????????????????????

????????????????????????????????????React????????Java?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

DPRK???????????

Okta Threat Intelligence???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????IT????????

????IT????????????????????????IT??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Okta?????????????????????????????????????????????????????????HR??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????IT??????????????????????????????Okta ??????????????????????????????????????????????????? ???????????? ????????????? ????????

????

2023??????Okta??AI???????????????AI?????????????????????AI????????????????????DPRK????????????????????????????AI?????????????????????????????????????????????????????????????????????????????????????????

????????AI????????????????????????????????????????????????????????????????????????????????????????????????????????Okta??DPRK?IT????????????????????????????????AI???????????????????????????????????????AI?????????????????????????????????????????????????????????????

????????????????

?????????????????????????????????DPRK????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????PII??????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????????????????????IT?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????????????????????????????????????HIPAA????????????????

Okta????????????DPRK?????IT?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????PII??????????????????????????????

??????

DPRK?IT???????????????????????????????????????????????????????????????????????????FinTech???????????????????

??????DPRK?????????????????????????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????????????????DPRK???????????????????????????????????????????????DPRK????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????DeFi????????????????????????????????????????????????????????????????????????????????????????????????????????

???????

Okta??2023???2025?????DPRK?????IT??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????DPRK????????????????????????????????????????????Okta???????????????????????????????????????????????????????????????????????????????

????????? IT ??????????

???????????????IT????????????Okta???????????????????????????DPRK?????IT????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Okta?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????

Okta ???????????????????????????????????????73?????????????????????????????????????DPRK IT Worker???????????????????????????????????????????????????????????????????????????????????????????

?????????????????ITW???????????27?/?????????????????????????????????????????????????????DPRK?????????????????????????????????2????????????????150?250????????????

????????????????

Okta??DPRK IT Worker???????????????????????????????????????????????????????????????????????????DPRK??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????ITW??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Okta ??????????????????DPRK???IT????????????????????????????????????????Application ?????????????????????????????????????????????????????????????????????10???????????????????????????????

????????????????????????????Okta ??DPRK IT Worker ???????????????????????????????????????????????2 ????? 3 ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 1 ???????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????AI?????????????

????????????

ITW??????????DPRK???????????????????????????????????????????????????????????????????DPRK?ITW????????????????????????????????????????????????????????????????????????????????????????????????

????ITW???????????????????????????????????????????????DPRK ITW????????????????????????????????????????????????????????

?????????????????????DPRK?????ITW?????????????????????????????????????????????????????????????????ITW????????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????????

Okta????????DPRK?IT???????????????????????????????????????????????????????????????????????????????????????????????????????????????????IT??????????????????????????????????????????????????

?????????????????????????????????????????????????????????DPRK???????????

??????????????????????????
?????????????????????????????????
????????????????????????????????????????
?????????????????
??????????????????????????????

???????????DPRK??????????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????????????

Okta ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????Okta??????????

1. ???????????????????

??????????????????????????????ID??????????
??????????IP?????VPN??????????????????????????????????????????
???????????????????????????????????????????????????????

2. ??????????????????????

HR?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????CV???PDF??????????????
??????????????????????? (?????????????????? ???????????????)?
????Web??????????E ??????????????????????????????????????

3. ?????????????????????????????

?????????????????????????????????????????????????????????????????

????????????????????????????????????????????????????????

????????????????????????????/ VPN?????????????????????????????

4. ????????????????????????????????

???????????ID??????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????

5. ???????????????????????????????

????????????????IT????????????????????????????????? Group ?????????????
ITW???????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????
????????????????????????????????????????

6. ????????????????????

?????????????????????????????????ISAC/ISAO???????????
???????????Group ??????????E ????????IP?????VPN???????????????????????????????????????????????????????????????
????ITW????????????????????????????????????

7. ?????????????????????

??????????????????????????????????????????????????
?????????DPRK?Application ??????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????

????

Okta?????DPRK IT Worker??????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????DPRK???????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????????????????????????????????ITW????????????????????????????????????????????????????????????????????????????????

?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

??????????????????????????????????????????????????????????????????????

EvilProxy phishing campaign leverages convincing impersonations of enterprise applications

Daniel L�pez — Mon, 29 Sep 2025 07:00:00 +0000

???????????

Okta?????????????2025?3?????????????????????????????????????????????????????EvilProxy phishing-as-a-service?PhaaS??????????????????????????????????????????????????????????????????????????????????O-UNC-035???????????

????????????????????????????????????????????????SAP Concur????????????????Adobe?DocuSign?????????????????????????????????????????

????

EvilProxy??????????????

EvilProxy?O-TA-041???????????/????AitM??????????????????????????????????????????????????????MFA????????????????????????PaaS?????????

2022?????????????Web????????????????????EvilProxy???????????????????????????????????E ??????BEC???????????????????????????????MFA???????????????????Cookie????????????????????????EvilProxy???????????????????????????????????????????????????????????????????????????????????????

?????????

?????????????????????????????????????????????????????????????????????????????

?????????Docusign?Adobe Acrobat?Adobe Sign?EchoSign???????????????????????????????????????????????????????????????????????????????????????????
??????????????? (SAP Concur?Coupa ??): ??????????????????????????????????????????????????????????????????????????????????????????????expense?expensereport???? expensesolutions ?????????????
Microsoft SharePoint: ???????????????????????????????????????????Microsoft 365?????????????????????
??????????????????????????????????????????meeting?????????????????????????
KnowBe4: ???????????????????????????????????????????????????????????????????????????????????

?????

????????????????????URL ???????? E ?????????????????????????????????????????????????????????????????????????????????????? Microsoft ??????????????????????????????? JavaScript ?????? E ???????????????????????????????????????????????????????? URL ???????

HTTP??????1

???????

hxxps[://]expensereport[.]ch/[coded_string]

????????

hxxps[://][company][.]sapconcur[.]sa[.]com/expense/?uid=[uid]&hid=[hid]&document=[document]&token=[token]&t=[t]

??URL??????????????????Web????????

hxxps[://][32_characters_string][.]laurimarierefling[.]com/?uid=[uid]&hid=[hid]
&document=[document]&token=[token]&t=[token]&[string_7_characters]=[string_32_characters]

HTTP??????2

???????

hxxps[://]sapconcursolutions[.]pl/[coded_string]

????????

hxxps[://][company][.]sapconcur[.]sa[.]com/expense/?uid=[uid]&hid=[hid]&document=[document]&token=[token]&t=[t]

??URL?????????????????????????????

hxxps[://][32_characters_string][.]concurmgt[.]pl//?uid=[uid]&hid=[hid]&document=[document]&token=[????]&t=[????]&[string_7_characters]=[string_32_characters]

??????????????????????????????????

??????????????????????????????@????????????????????????????????16???Base32????Base64????????????????????????????????????????????????????????????E ?????????

let encodedValue = window.location.pathname.split('/').pop();...
E ??? = decodeEmail(encodedValue); // ???? tri-gram map
...
if (!decodingSuccessful && isHexadecimal(encodedValue)) E ??? = hexToString(encodedValue);
if (!decodingSuccessful && isBase32(encodedValue)) E ??? = base32ToString(encodedValue);
if (!decodingSuccessful && isBase64(encodedValue)) E ??? = base64ToString(encodedValue);

???????????????????????????3????????????????

const encodingMap = {
    "@":"MN3",".":"OP4","a":"QR5","e":"ST6","i":"UV7",
    "o":"WX8","u":"YZ9","s":"ABO","n":"CD1","r":"EF2",
    "d":"GH3","I":"JK4"
};

?????????

?????????????????????????????????????????

function isBot() {
    const botPatterns = ['???','spider','crawl','slurp','baidu','yandex',
        'wget','curl','lighthouse','pagespeed','prerender','screaming frog',
        'semrush','ahrefs','duckduckgo'];
if (navigator.webdriver || navigator.?????.length === 0 ||
    navigator.languages === "" || navigator.languages === undefined)
return true;
...
}

?????????????????????????????????????????????????????????Microsoft???????????????????????????????????????????????????????????API.ipify.?????????????????IP????????IP?????????????????????????

?????????????????

????????2??????????????????????????E ???????????????????????????????????????????????Microsoft??????????????

const blockedDomains = ['belfius', 'baringa'];
const E ???Domain = E ???.split('@')[1].toLowerCase();for (const blocked of blockedDomains) {
				if (emailDomain.startsWith(blocked)){
				window.location.href = "https://login.microsoftonline.com/common/login";return;
				}
}

???2?????????????????????belfius?????????????????????????baringa???????????????????????????????

????????

????????????????????????????????URL???????????????????????2?????????????????????E ???????????????????????

uid ? Base64(E ???)
- CyberChef?????????????????
hid ? hex(Base64(E ???))
- CyberChef?????????????????
document, ???? ? ????ID???????????
t ? Unix ??????? (ms)
- CyberChef??????????????????????????

?????

???????????????????????????????URL???????????????????????????????????????????E ???????????????????????????????????????

???????

hxxps[://]expensereport[.]ch/616c6578616e6465722e652e6261754073662e6672622e6f7267

???????

hxxps[://]sf[.]sapconcur[.]sa[.]com/expense/?uid=...&hid=...&document=...&token=...&t=...

??URL

hxxps[://]299afcb76fac4238a0facad80c326230[.]concursolutions[.]asia/?uid=...&hid=...
&document=...&token=...&t=...&u9pPUdqL=...

???????

hxxps[://]concursecure[.]pl/AB0ST6QR5CD1OP4kUV7CD1CD1MN3cST6CD1AB0YZ9AB0OP4gWX8v

???????

{"en-US":"hxxps[://]census[.]concursystem[.]cv/auth/?uid=...&hid=...&document=...\r\n&token=...&t=...","ja-JP":"hxxps[://]census[.]concursystem[.]cv/auth/?uid=...&hid=...&document=...\r\n&token=...&t=..."}

??URL

{"en-US":"hxxps[://]6b81e59848ba4a9d8cc3b4570b303a24[.]reports[.]sa[.]com/adfs/ls/?login_hint=","ja-JP":"hxxps[://]6b81e59848ba4a9d8cc3b4570b303a24[.]reports[.]sa[.]com/adfs/ls/?login_hint="}{"en-US":"...&wa=wsignin1[.]0&wtrealm=...&wctx=...","ja-JP":"...&wa=wsignin1[.]0&wtrealm=...&wctx=..."}

???????

hxxps[://]expensereport[.]ch/phUV7JK4UV7ppQR5mQR5CD1CD1UV7xMN3tfJK4OP4gWX8vOP4YZ9k

???????

hxxps[://]tfl[.]sapconcur[.]sa[.]com/expense/uid=...&hid=...&document=...&token=...&t=...

??URL

hxxps[://]b4f1341373f341d98f11caea1052d878[.]laurimarierefling[.]com/?uid=...&hid=
...&document=...&token=...&t=...&...

???????

hxxps[://]concursolution[.]de/UV7JK4QR5CD1_CD1ST6tzST6EF2MN3mcQR5fST6ST6OP4cWX8m

???????

hxxps[://]mcafee[.]concursystem[.]cv/auth/?uid=...&hid=...&document=...&token=...&t=...

??URL

hxxps[://]3b2c66787c6349369fc9f90ecf789899[.]echosign[.]uk[.]com/app/office365/.../wsfed/passive?login_hint=...&wa=wsignin1[.]0&...

?????????

????????????????????? Microsoft ???????????????????????????????????????????????????????????????E ??????????????????????????????????????????????????????????????????????????? (uid/hid/document/????/t) ??????????????????? URL ???????????????????????????????????????????????????? Office ???????????????????????????????????????????????

??????????????

?????????????????????????????????????????????????????????????????????????????????????????????MFA????????????????????????????????????????????????????????????

??????????

???????????????????????????????????????????????????????????????????
???????IT????? ???????????????????IT??????????????????????????????????????????????????????????
??????????????????: ???????????????????????????????????????
?????????????: ??????????????????????????????????????????????????????????????????
????????????????????????????????????????
?????????????????????????????????
???????????: ???????????????????????????????

??????

?????????????????????????????????????????????????????Artistic One Page?????Archery Master???????1??????????????????????????????????????????????urlscan.io??????????????????????????????????????????

page.title:("ArtisticOne Page" OR "Archery Master")

????????????????????????????????????????????????????????????????test?????????????????????????????????????????????????????????????????????????

????

????????????

???????????????????????????????????

?????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
???Okta???????????????????????????????????????????????????????????????????????????

????

?????????

Okta FastPass?FIDO2 webauthn????????????????????????????????????????????????
Okta???????????????????????????????????????????????????????????????????????????????????????Endpoint Management???????????????????????????????????????????????????Application ?????????????????????????????????????????????????????????????????????????????Okta FastPass???????????
?????????????????????????????????????????????????Okta Network Zones???????????????ASN???????????IP????IP????????????????????????????????
Okta Behavior and Risk evaluations??????????????????????????????????????????????????????????????????????????????????????????????????????????
????E ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
IT??????????????????????????????????????????????????????????????????????
??????????????????????????????Zero Standing Privileges???????????????????????????????????????????????????????????????????JIT????????????????????????????
?????????????????????????????????IP???????????????????
???????????????????????????????????????Protected Actions????????

???????????????????????

????????????Okta???Web?????E ?????????DNS?????????????????????????????????????????????
????????????????????????????????????????

??????????????????????????????????????????????????????????Web?????????????????????????????????????

??A?????

????????????????????????????????IOC??????????????????????????????????????????????????????????IOC???

???	??	????
????	acrobatsign[.]es	????????????
????	adobeacrobat[.]sa[.]com	????????????
????	adobesign[.]ceelegal[.]com	????????????
????	adobesign[.]pl	????????????
????	adobesign[.]us[.]com	????????????
????	asir[.]co[.]com	????????????
????	blue-styles[.]cz	????????????
????	ceelegal[.]com	????????????
????	codemonkey[.]cc	????????????
????	comcursolutions[.]de	????????????
????	comcursolutions[.]eu	????????????
????	comcursolutions[.]pl	????????????
????	comcursolutions[.]us	????????????
????	concur[.]cv	????????????
????	concur[.]pages[.]dev	????????????
????	concurexpense[.]pl	????????????
????	concurmgt[.]pl	????????????
????	concursap[.]netlify[.]???	????????????
????	concursecure[.]pl	????????????
????	concursolution[.]de	????????????
????	concursolution[.]pl	????????????
????	concursolutions[.]asia	????????????
????	concursolutions[.]at	????????????
????	concursolutions[.]ceelegal[.]com	????????????
????	concursolutions[.]ch	????????????
????	concursolutions[.]com	????????????
????	concursolutions[.]com[.]tr	????????????
????	concursolutions[.]cv	????????????
????	concursolutions[.]cz	????????????
????	concursolutions[.]de[.]com	????????????
????	concursolutions[.]es	????????????
????	concursolutions[.]in	????????????
????	concursolutions[.]mex[.]com	????????????
????	concursolutions[.]my	????????????
????	concursolutions[.]nl	????????????
????	concursolutions[.]pl	????????????
????	concursolutions[.]pt	????????????
????	concursolutions[.]re	????????????
????	concursystem[.]cv	????????????
????	concursystem[.]netlify[.]???	????????????
????	coupahost[.]pl	????????????
????	crsign[.]com	????????????
????	cruisesaudi[.]sa[.]com	????????????
????	dfwcom[.]com	????????????
????	dnglobal[.]ca	????????????
????	echosign[.]cv	????????????
????	echosign[.]de[.]com	????????????
????	echosign[.]eu02-safelink[.]com	????????????
????	echosign[.]nl	????????????
????	echosign[.]pl	????????????
????	echosign[.]ru[.]com	????????????
????	echosign[.]uk	????????????
????	echosign[.]za[.]com	????????????
????	esign[.]sa[.]com	????????????
????	{"en-US":"eu02-safelink[.]com","ja-JP":"eu02-safelink[.]com"}	????????????
????	eumai1-docusign[.]com	????????????
????	excelpediatric[.]us[.]com	????????????
????	expense[.]pl	????????????
????	expense[.]sa[.]com	????????????
????	expensereport[.]ch	????????????
????	expensereports[.]pages[.]dev	????????????
????	expensereports[.]pl	????????????
????	expensereports[.]pl	????????????
????	getadobesign[.]eu02-safelink[.]com	????????????
????	getconcur[.]pl	????????????
????	khs[.]co[.]com	????????????
????	knowbe4[.]es	????????????
????	meeting[.]sa[.]com	????????????
????	myapps[.]sa[.]com	????????????
????	na4-6l9[.]pages[.]dev	????????????
????	na4[.]it[.]com	????????????
????	saferedirect[.]pages[.]dev	????????????
????	sapconcur[.]cv	????????????
????	sapconcur[.]pages[.]dev	????????????
????	sapconcur[.]sa[.]com	????????????
????	sapconcursolutions[.]pl	????????????
????	scality[.]us[.]com	????????????
????	secure[.]za[.]com	????????????
????	sharepoint[.]za[.]com	????????????
????	supancasign[.]netlify[.]app	????????????
????	{"en-US":"sutheha[.]za[.]com","ja-JP":"sutheha[.]za[.]com"}	????????????
????	team[.]sa[.]com	????????????
????	ug4t5w[.]cfd	????????????
????	wepp[.]website	????????????

??????????

Okta Threat Intelligence??????????????????????????????203 - ?????????????????????????????????????????

???	?? ???	??? ???????	???????	???? ???????	??????	?????????	?? ??(?)
??	????	??? ???????	???????	?? ??	??????	?????????	?? ??
Percentage	1?5?	5?20?	20?45?	45-55%	55?80?	80?95?	95?99?

Help desks targeted in social engineering campaign targeting HR applications

Mon, 29 Sep 2025 07:00:00 +0000

???????????

Okta Threat Intelligence??2025?8????O-UNC-034???????????????????????????????????????????????????????????????????????????????????????????

O-UNC-034?????????????????????????????????????????????????????????????????????????????????????????????????Okta??????????????????????????????????????????????????????????????????????1?????????????????????????O-TA-54????AitM???????STORM-2657???????????

O?UNC?034???????HR??????????????????????????????????????????????????

????????????????????????????TTP????????????????????????????????????IOC????????

??????????????????????????????????????????????????????????????????????

????

???????????????????????????????????????????

???????????????????IT???????????????????????????????????????????????????????????????????????????

????????????????????????????MFA????????????????????????????????????????Okta Verify??????????SMS?????????????????????????????????MFA?????????????????????????????????????????????

???????????????????????????????????????????????????????

Workday?Dayforce HCM?ADPsuite????????????????????????????????????????????????????????????
Customer Relationship Management?CRM????Salesforce?ServiceNow???IT ???????ITSM??????????????????????????????????????????IT?????????????????????????
???????????????????Office 365???Google Workspace????????????????????????????????????????????????????????????????

?????????????????????IP??????????????????????????????

IPVANISH VPN
CYBERGHOST VPN
ZENMATE VPN
EXPRESS VPN
WINDSCRIBE VPN
STRONG VPN
ZENLAYER
????????????????IP????

????????????????????????????????????????????????????????????

Mac OS 14.5.0?Sonoma?
Mac OS 15.5.0 (Sequoia)
macOS 13.1.0?Ventura?
Windows 11
iOS?iPhone?

????

???????????

?????????????????????????????????????

????????????????
???Okta????????????????????????????????????????????????????????????????????

????

Okta FastPass?FIDO2 webauthn????????????????????????????????????????????????
?????????IT?????????????????????????????????????????????????????????????????????????????????????????????????ID???????????????????
????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Group ??????????????????????????????????????????????????????????????????????????????????????????????????
Okta???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ????? ? ???? ?????Okta FastPass???????????
?????????????????????????????????????????????????Okta Network Zones???????????????ASN???????????IP????IP????????????????????????????????
Okta Behavior and Risk evaluations??????????????????????????????????????????????????????????????????????????????????????????????????????????
??????????E ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
??????????????????????????????Zero Standing Privileges???????????????????????????????????????????????????????????????? JIT (?????????) ?????????????????
?????????????????????????????????IP???????????????????
???????????????????????????????????????Protected Actions????????

????

Okta????????????????security.okta.com????????????????????????????????????????

https://security.okta.com/product/okta/help-desks-targeted-in-social-engineering-campaign-targeting-hr-applications

??????????

Okta?????????????????????????????????????203??????????????????????????????????????????

???	?? ???	??? ???????	???????	?? ???????	??????	?????????	?? ??(?)
??	????	??? ???????	???????	?? ??	??????	?????????	?? ??
Percentage	1?5?	5?20%	20?45?	45-55%	55?80?	80?95?	95?99?

Uncloaking VoidProxy: a novel and evasive Phishing-as-a-Service framework

Houssem Eddine Bordjiba — Mon, 25 Aug 2025 07:00:00 +0000

??

Okta ????????????Microsoft 365???Google Workspace???????????????????????????????????-as-a-Service?PhaaS????????????????????VoidProxy???O-TA-083???????????

VoidProxy PhaaS?????????????????2025?1??????????????????????????????????????????????????????????????????????????????????????

VoidProxy??Adversary-in-the-Middle?AitM?????????????????????????????????????MFA?????????????????Cookie?????????MFA?????????

????????SMS???????????????????????OTP????????MFA?????????????????Okta?????????????????????????????????Okta FastPass???????Okta FastPass?????????????????VoidProxy???????????????????????????

VoidProxy ?????????? ????????????????????E ????? (BEC)?????????????????????????????????????????????????????

PhaaS??????VoidProxy?????????AitM?????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????????????????????????

VoidProxy - ??????

????

?????: VoidProxy ???????

VoidProxy???????????????????????????????????????????????????????????????????????????????????????????????????????????????

????1???

VoidProxy????????????Microsoft 365?Google Workspace?????????????????????????????????????

?????????????????????????????????E??????????????ESP????????Constant Contact?Active Campaign?Postmarkapp??NotifyVisitors?????????????????????????????????????????????????????????????????IP?????????E?????E?????????????????????????????????????????????????

????E ??????????????????????? TinyURL ??????? URL ???????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????Okta??????????????????????????????????????????????????

VoidProxy????????????????????Zoom Docs????????????????????DocuSign??????????????????????????????????????????????

????2?Cloudflare Workers????????????????

????????????????????????????????????????????????????????????Cloudflare CAPTCHA??????????????????????????????????????????????????????????????

???????????Cloudflare Worker?*.workers.dev??????????Worker??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????????????????????????

Microsoft 365?????????????????<phishing_domain>.<tld>
Google Workspace????????????<phishing_domain>.<tld>

???????????????????????????????????????????????????????"Welcome!" ????????????????????????

???? 3?SSO??????????????????????

???????VoidProxy???????????????Okta????????????????????????????????????????????????

??????????????Microsoft???Google????????????????????????AiTM?????????sslip.io/nip.io???????????????????????????

???????????Okta?????????????????????????????Okta?????????????2??????????????????????????????

??2??????????????????????????????????????

Okta?Microsoft?????: newnewdom<random>.<phishing_domain>?<tld>
Okta?Google??????securedauthxx<random>.<phishing_domain>?<tld>

securedauthxxccbgchgfj.xhfwez[.]icu

securedauthxxdcigbjdddj.losozr[.]icu

securedauthxxeafihgjdhb.dcohcv[.]icu

newnewdomnewcgbdhghjhi.prophfrot[.]top

newnewdomnewebjjfjegfd.eeocl[.]com

newnewdomnewdihbddahf.access-point[.]icu

?9. SSO???????????????????????????????

???? 4?AitM???????????????

????????????????sslip.io???nip.io???????????????????????????????Adversary-in-the-Middle?AitM??????????

??????????????????MFA?????????Microsoft?Google?Okta??????????????????????????????????????????????????????????????????????????

VoidProxy???????????

VoidProxy???????????????????????????????????????????

VoidProxy????????????????????????????????????????????????????????????????????????????????????????????????

????????????????

VoidProxy???????????????????????????????????????????

??????????? ?????????????.icu????????????TLD?????????????????????.sbs?.cfd?xyztop????.home?????????????????????????????????????????????????????????????????????????????????????Cloudflare??????????????????????????????IP???????????????????????????????????????????????????????
??????????????????VoidProxy URL???????????????????????securedauthxx?newnewdom?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Cloudflare Workers??????????????????

???????PhaaS????????????????????????????Cloudflare Workers (*.workers.dev)?????????????????????????????????Cloudflare CAPTCHA?????????????????????????

VoidProxy PhaaS??????????????????Cloudflare Worker??????????????????????????????????????????????????????????Cloudflare Worker???????????????????????????????????????????aidenveliz?kelvingomez?sammybruce?????????????????????????

<alphanumeric><firstnamelastname>..workers.dev.

????????PhaaS???????????????????????????????????????????????????????????????????????????Cloudflare??????????????????????????????????????????VoidProxy???????????????????API?????????????????????????????????????????????????????<firstnamelastname>??????????????????????????????????????????????????????<alphanumeric>????????????????????????????????????????????????????????????????????????????????????????????????VoidProxy?????????????????????????????????????

??????? C2 ??????????

AiTM ???????????????????????? VoidProxy ??????????? DNS ??????????? sslip.io ??? nip.io ??????????????????????????????????????? IP ???????????????? IP ??????????????????? IP ????????????????????????????????????

?????????????????????????

AitM???????????????????????????????????????Cookie?????????????????????????????????
??????????????URL??PhaaS???????????????????????????????????????????????????????????????????

?voidproxy???????????????C2???????????????????????????????????????URL????????????????????????*.sslip.io????????????????????????????????????????????????

???????????????????????????

Okta Threat Intelligence??VoidProxy?????????????????????????????????????????????

???????????MFA???OTP??????????????????????????????????????????????VoidProxy?AitM??????????????????????????????????????????????MFA??????????????

?????Okta FastPass????????????????????????????????FastPass??????????????????????????AitM?????????????????????????????????

????VoidProxy???????PaaS?????????????????????????????????????MFA??????????????????????????

???????????????????????? ASN ??????????? IP ????????????????????

AS36352 - HostPapa
AS149440 - Evoxt ????????
AS210558 - 1337 Services GmbH
AS401120 - cheapy.host LLC
AS23470 - ReliableSite.Net LLC

VoidProxy??????

????????????????PaaS???????????????????????????????????????????????????????????????????????????????????????????????

??????Web????????????????PaaS??????????????????????????

???????????/dashboard?

??????????????????????????????????????????????????????????????????????????????????

?????????
???????????
????????
??????????????????
??????

????????? (/dashboard/campaigns)

?????????????????????????????????????????????????????????????????????????

????????????????????????????????????????????????
???????????????????????????????Microsoft 365?Google???????????????????????????????????
????: ????????????????????????????????????????????
??????????????????????????????????????????????

?????????????/dashboard/campaigns/[campaign_id]?

????????????????????????????????????????????????????????????

???????????????????????????????
???????????: ????????????????????????IP????????????????????????????????????????
??????????????????????????????????????????

??????/???????/settings?

????????????????????????????????????????????????????????

??????????????????????API??????????????????
??????????????????????????????????????????????Telegram ??? ??????????????????? URL?????????

VoidProxy???????????????????

???????????Okta?????????????????PaaS???????????????????????????????????????????????????

???????BIGFATCHAT???????????????????????????????2024?8????Telegram????????????????????????VOID????????????????2FA??????????????????????

?????????? $ 250 ??AOL?Yahoo?iCloud?Live?Google???? Office 365?ADFS?GODADDY?OKTA???? 2 ?????2FA???????????????????????????????AWS ??????????????????voidproxy?????????????????????????????????????????????????????????????????????????????????????????MITMSERVER??Man-in-the-Middle Server?????????Google?Office 365????????????????????????????????????????

??????????????????????????????????????????????????????????Telegram????????????????AitM????????????????????????????????????????????????????????????????????????PhaaS??????????????????

??????????????????????? 2022 ???????????????????????????????????? Telegram ????????????????????????????????????????

VOID???GODLESS666????????????BEC?????????????????SMS???????????????????????????????????????

2023??VOID??????????????????????????????Okta?Duo Security??????????????Okta ???????????????VOID???????????????????????????????????Breached???????????????godlessvoid666????????

?????????????????????????????????????VoidProxy PhaaS???????????????????????????????????????????????????????????????????????????????????

????

???????????
????????????????????????????????????

?????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????
?????????????????????????? Okta AI ????? Okta Identity Threat Protection ???????
???Okta????????????????????????????????????????????????????????????????????

Protective Controls

?????????

Okta FastPass?FIDO2 webauthn??????????????????????????????????????????????????Okta Verify??????????????????????????????????????????????????????????????????????????
Okta????????????????????????????????????????????????????????????Endpoint Management??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????Okta FastPass???????????
?????????????????????????????????????????????????Okta Network Zones???????????????ASN???????????IP????IP????????????????????????????????
Okta Behavior and Risk evaluations??????????????????????????????????????????????????????????????????????????????????????????????????????????
????E ?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
IT??????????????????????????????????????????????????????????????????????
??????????????????????????????Zero Standing Privileges???????????????????????????????????????????????????????????????????JIT????????????????????????????
??????????IP?????????????????????????????????????????
???????????????????????????????????????Protected Actions????????

???????????????????????

????????????Okta???Web?????E ?????????DNS?????????????????????????????????????????????
????????????????????????????????????????
??????????????????????????????????????????????????????????Web?????????????????????????????????????

??A??????

????????????????????????????????IOC??????????????????????????????????????????????????????????IOC??????

???	??	????	????
????	????.<phishing.page>.<tld>	??????????????? Microsoft	08.2024 - 08.2025
????	accounts.<phishing_domain>.<tld>	Google????????????????	08.2024 - 08.2025
????	newnewdom<random>. <phishing_domain.tld>	????????????????? ??Microsoft???Okta?	01.2025 - 08.2025
????	securedauthxx<random>. <phishing_domain>.tld	??????????????????? ??Okta??Google???	01.2025 - 08.2025
????	<alphanumeric>. <firstnamelastname>.workers.dev.	Cloudflare Workers ????	01.2025 - 08.2025
AS??	AS36352 - HostPapa	Proxy????? ??????????	01.2025 - 08.2025
AS??	AS149440 - Evoxt ????????	Proxy????? ??????????	01.2025 - 08.2025
AS??	AS210558 - 1337 Services GmbH	Proxy????? ??????????	01.2025 - 08.2025
AS??	AS401120- cheapy.host LLC	Proxy????? ??????????	01.2025 - 08.2025
AS??	AS23470 - ReliableSite.Net LLC	Proxy????? ??????????	01.2025 - 08.2025

???????Okta?????security.okta.com???????????????????????????????????

??????????

Okta?????????????????????????????????????203??????????????????????????????????????????

???	?? ???	??? ???????	???????	?? ???????	??????	?????????	?? ??(?)
??	????	??? ???????	???????	?? ??	??????	?????????	?? ??
???????	1?5?	5?20?	20?45?	45-55%	55?80?	80?95?	95?99?

Threat actors: "Please do not use Okta FastPass"

Brett Winterford — Mon, 04 Aug 2025 16:00:00 +0000

?????????????????Okta FastPass???????????????

Okta???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????CEO????????????????????????????????????????????????????????????????????????????????????????Slack???????????????????????

Okta????????????????security.okta.com??????????????????????????????????????????????

????????????????????????????????????

???????????????????????????????????

???????????????????????????Evilginx?????AitM????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????????????SMS?TOTP????????????????????????????????????????????????????????????????????????????????????????????????????

AitM????????????????????????????????????????????????????????????????????

?????????????????????????????????Okta FastPass?FIDO2??????????PIV?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

????????????????????FIDO2?????????????????????????????????????????????????????????????????????????????????????????????????????FIDO????????????????????????????????????????????????????????????????????????????????????MFA????????????????????????????????????????????????????????????????????

?????????FIDO2 ?????????????????????????????????????????????????FastPass ?????????????????????Okta ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ?????????FastPass ??????Universal Logout????????????????????????????????????????????????????????????????????????

??????????????????????????????????

??????????????????????????????????????????????????

???????????????????????????????????????????????????????????????????????????????????????????

Okta Identity Engine??????????????????????????????????????????????????

Okta FastPass ???????????????????????????????????????????????????Okta FastPass Technical ???????? ??????????

????????????????????SMS?????????????????????????????????????????????????????????????????????

??????????????????????????????????????????????????Okta ??????????????Okta Security Trust Center???????????

Instant messaging services abused for phishing redirection

Mon, 14 Jul 2025 07:00:00 +0000

??

Okta ????????????????????????????????????????Slack?????????????????????????????AitM???????????????????????????????

2025?7????
O-UNC-031 ????????????????????????????????????? ???? ? ?????? ???? ???????CRM? ?????????????????

???????????????????????Evilginx AitM??????????????????????????????

???????????????????????????????

????

Slack????????????????

??????????????????Slack??????????O-UNC-031????Slack????????????????????????????????????????????????????????????

?????????????????????????????????????????????????

?????????????????Slack????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

?????Slack???????????????????????????????????????????????????????E ???????????????????????????

????????????????????????????????????????Slack???????????????????????????????????????????????????

????????????????????Slack??????E ????????????????????????????????????????????

?????????????????????????????????????@channel????????????????????????????????????????????Slack?????????????????????????????????????????????????????????????????????

??????????????????????????????????

okta-integrations.com
<target>-onelogin.com
<target>admin.io
<target>-okta.com
slack-<target>.com
<target>employees.com
<target>okta.com

????????????????????????????????????????????

???????"????????"???????????"[???] Okta??????????????????"???????????
???????????????????????Slack?????????????????Okta??????????????????
??????????????????????URL???
- https://<phishing domain> /slack/connection/2138-4f92-acb7-bk51?
- https://<phishing domain>/integration/slack/<target>/,
- https://<phishing domain>/integration/payroll/<target>/

????????????????????????????????????????????????????????????????????????????????

Slack?????????????????????????????????????????????????????????DM??????????
Slack???????????????????????????????????????????DM?????????????????E ?????????????
Markdown?Slack???Markup?????????????????????????????????????????????URI????????????????????????????????????????????

Slack????????????????????????????????????

Adversary-in-the-Middle ??????

???MFA???????????????AitM?????????????Evilginx???????????????????????????MFA???????????????????????????????Okta FastPass??????????????????????????????????????????????????????Evilginx?Okta???????????????

Okta Threat Intelligence??Evilginx?Okta Sign-In???????????????????????????????????????????????????????????????????????????????????????????????????????????

???????????????????????????????????

Okta Threat Intelligence????????????????Okta FastPass??????????????????????????????????????

????????Okta FastPass?AitM???????????????????????????????????????Okta??????????????????????????????????????????????????????????????????????????????????????OTP?SMS???????????????????????????????????????

??????????????????????????????????????????????????????????????????????

????????????

??????????????????????BitLaunch???????????????????????????VPS?????????????????????BitLaunch?????????????????????????????????????????????????VPS????????????????????????????????????NICENIC INTERNATIONAL????????????????????????????????????????????????????????????????????????????????????????????????

?????????WHOIS????????????????????????????????

?????/????: kond
???: AW

O-UNC-031??????????????????????????????????Mullvad VPN????IP???????????????????

????

?????????

???????????????????????????????

???????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????
???Okta????????????????????????????????????????????????????????????????????

Protective Controls

?????????

Okta FastPass?FIDO2 webauthn?????????????????????????????
????????????????????????????????????????
Okta????????????????????????????????????????????????????????????Endpoint Management????????????????????????????????????????????????????????????????????????????????????????????????????????????????Okta FastPass?????????????????????????????????
?????????????????????????????????????????????????Okta Network Zones???????????????ASN???????????IP????IP????????????????????????????????
Okta Behavior and Risk evaluations??????????????????????????????????????????????????????????????????????????????????????????????????????????
?????????E ??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
?????????IT?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????JIT????????????????????????????
?????????????????????????????????IP???????????????????
???????????????????????????????????????Protected Actions????????

???????????????????????

????????????Okta???Web?????E ?????????DNS?????????????????????????????????????????????
????????????????????????????????????????
??????????????????????????????????????????????????????????Web?????????????????????????????????????

??A???/?????

????????????????????????????????IOC??????????????????????????????????????????????????????????IOC??????

???	??	????	????
IP Address ?IP ?????	157.245.242[.]172	??????????	2025?7?11?
IP Address ?IP ?????	157.245.227[.]25	??????????	2025?7?9?
IP Address ?IP ?????	157.245.129[.]184	??????????	2025?7?9?
IP Address ?IP ?????	64.190.113[.]119	??????????	2025?7?4?
IP Address ?IP ?????	157.245.134[.]111	??????????	2025?7?4?
IP Address ?IP ?????	167.99.236[.]196	??????????	2025?7?3?
IP Address ?IP ?????	206.188.197[.]224	??????????	2025?7?2?
IP Address ?IP ?????	50.189.65[.]60	??????????	2025?7?8?
VPN??????	Mullvad VPN	VPN??????	2025-07
Whois	kond	?????/????	2025-07
Whois	AW	????2025-07	2025-07

???????Okta ????? security.okta.com ???????????????????????????????????

???????????
Okta??????????????????????????????????????203 - ?????????????????????????????????????????

???	?? ???	??? ???????	???????	?? ???????	??????	?????????	?? ??(?)
??	????	??? ???????	???????	?? ??	??????	?????????	?? ??
???????	1?5?	5?20?	20?45?	45-55%	55?80?	80?95?	95?99?

Okta observes v0 AI tool used to build phishing sites

Houssem Eddine Bordjiba, Paula De la Hoz — Mon, 30 Jun 2025 16:00:00 +0000

Okta Threat Intelligence??Vercel?????????Generative Artificial Intelligence?GenAI???????v0??????????????Web????????????????????????????????

??????????????????????????????????????????????????????AI?????????????????????Okta?????????????????????????

Vercel?v0.dev????????????????Web??????????????AI????????Okta???????????Okta???????????????????????????????????????????????????????

??????????Vercel??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????CDN??????????????????????????????????????????????????????????????????????

Vercel ????????????????????????????????????????????????????????? Okta ????????

????????????????????????????????????????????GenAI??????????????????????????????Vercel?v0.dev????????????????????????????????????????????????????????????????????????

Vercel?v0.dev???????????????????????GitHub???????v0.dev Application ??????????????????????????????????????????????Do-It-Yourself?DIY??????????????????????????????????????????????????????????????????????????????????????????????

Okta ?????????? ???????? Vercel ???????? ??????Microsoft 365 ????????????????????????? ?????? ?????????????????????Okta ??????????????????????????????????????????????

?????????

???????????????????????????????????????????????AI???????????????????????????????????????????AI??????????????????????????????????????????

??????????????????????????????????????????????????????????????????????????????????????????????????????

????Okta FastPass???????????Okta Verify????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Okta Threat Intelligence????????????????

??????????????????: Okta FastPass??????????????????????????????????????????????????????????????????????????????????????????????????????????????
????????????????????????????????????????????????????????????????????????????????????????Application ??????????????????????Okta????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
??????????????????????????Okta Network Zones?????????ASN???????????IP????IP???????????????????????????????????????????Okta ?????????????????????????????????????????????????????????????????????????????????????????????
????????????AI???????????????????????????????????????

????????????????????????????????????????? (Okta ??????) ????????????????????????????????????????????????????????Access Granted LinkedIn ?????????????????

The Secrets Agentic AI Leaves Behind

Sun, 29 Jun 2025 16:00:00 +0000

Executive Summary

At the current pace of acceleration in agentic AI, it no longer seems prophetic to say that before too long, there will be more AI agents connecting to production applications and data than human users.

There will be profound implications for the workplace - with some estimates that half of the white collar workforce may not be employed within five years. There are also profound implications for cybersecurity.

Agentic AI presents novel risks, such as prompt injection attacks, in which AI agents are effectively "social engineered" into taking action on behalf of an attacker after being exposed to untrusted input.

As an identity company, Okta's larger and more immediate concern is how agentic AI adds to the attack surface of every organization from an authentication and authorization perspective. We can reliably expect that attackers will discover and abuse the innumerable service account passwords and static API keys developers are generating in order to grant AI agents access to corporate resources. We can also reliably expect that the broad authorization granted to AI agents will exacerbate the potential data loss from the compromise of any given account.

This document is intended as a guide to service providers, organizations and developers experimenting with agentic AI with a view to building production applications.

The role AI plays in identity debt

Identity debt accumulates when shared, static secrets are allowed to accumulate over time in a system. A secret is shared when it's known or stored by more than one user or in more than one place. A secret is static when it is long-lived, and goes for long periods of time without being rotated.

Agentic AI, our research found, is contributing to an acceleration in this buildup of identity debt. Organizations should rely on enterprise-grade methods of authorizing a client (AI application) to act on a user's behalf in a protected resource (apps and data).

Our research found the opposite. The most commonly used methods of authorizing an AI agent's access to functions and data in SaaS apps, code repositories, databases and other resources result in the exposure of highly privileged secrets.

The table on the following page assesses the security properties of various approaches to authorization.

Agentic plugins: the forerunners to MCP

A study of Copilot plugins

Our research found that the majority of the machine-to-machine authentication methods used to connect Al agents to protected resources (enterprise apps and data) use forms of authentication that aren't fit for purpose in production environments, with little to no control over authorization.

To illustrate, we assessed the available authentication methods made available for allowing Microsoft Copilot Al agents to access some of the most sensitive data in the enterprise: security applications.

Copilot is among the world's dominant general-purpose Al assistants. Microsoft offers the ability to create "plugins" for Microsoft Copilot to expose the features of third-party security apps to Microsoft applications (under the brand "Microsoft Security Copilot"). Each Microsoft Security Copilot plugin is configured in a YAML or JSON file (a plugin manifest) that describes what tools in the external service are available to the Copilot agent.

Using these services:

Microsoft Copilot acts as the host application
The tools and data of security apps, such as Splunk, SentinelOne, Forescout or Cyberark, are protected resources.

A mutual customer (of both services) must first authorize Copilot to access protected resources on their behalf. This requires the customer to provide Copilot with credentials (passwords, API keys or the Client ID and Client Secret in an OAuth flow), which are stored at-rest on Microsoft servers. The available schemes are listed in the table below.

Security Copilot supports several schemes for authenticating plugins:

When a user prompts Copilot to use a protected resource, the Copilot Al analyzes the request and determines which plugin advertises the relevant "skill" (as defined in the plugin manifest) to draw from. Copilot then uses the stored credentials to make an authenticated API call to the third-party application, which retrieves the data or performs an action and returns a result back to Copilot. We sought to understand what authentication methods were used to connect these protected resources (security applications) to Microsoft Copilot. 5

From our analysis of the third-party plugin manifests published on GitHub, we found:

20% support Basic Authentication
75% support the ApiKey method
5% support an OAuth2 flow

The risks associated with using a Copilot AI plugin hinge largely on (a) thischoice of authentication method and (b) the scope of access provided to the agent.

Basic Authentication

Using Basic Authentication, administrators must create a service account in the third-party application and upload the username and password to Microsoft servers. Copilot then sends the username and password in the header of every request to the security app (whenever Copilot selects that tool based on a user prompt.)

By definition, user or service accounts configured to allow an Al agent to access resources using the http:basic scheme (basic authentication) cannot support multifactor authentication.

Customers using this scheme must by consequence expose user or service accounts - which are often scoped for broad access to sensitive data - to credential stuffing and password spray attacks.

APIKey

Three in four Microsoft Security Copilot plugins can be authorized using the APIKey method.

During configuration, administrators create a long-lived API token in the protected resource, which is typically created in the context of a user or service account, and manually upload the API token to Microsoft servers. Copilot sends the API token in the header of every HTTP request it makes to the protected resource (that is, whenever Copilot selects that security tool based on a user prompt.)

Static API keys offers several benefits over basic authentication:

API keys are better suited to machine-to-machine flows. Each unique API token can often be configured to expire after inactivity or a set duration. Revocation of the key doesn't have any impact on the user or service account that created it.
Access to the service account used to create the API token can now be protected using Multifactor Authentication.
Administrators are more likely to limit the "scope" of what an API token can be used to read or modify, as compared with the permissions of a service account used for basic authentication.

The residual risks are that these API tokens are typically long-lived. API keys are routinely checked into source control systems. API keys are routinely stored in logs when set as query parameters. Occasionally API keys are saved in text files on developer workstation, ready for collection by the next generic infostealer that infects the device.

Static API tokens are highly valued by attackers, and the first thing many attackers search for after compromising a system. Once intercepted, these tokens are typically valid for long periods of time, making them ideal candidates for resale in online markets.

Static API tokens also present availability risks, at least when compared to temporary tokens created in OAuth flows, as static tokens tend to be created in the context of a user rather than an application.

In many cases, if the user or service account that created the token is deleted or deprovisioned, the token is deleted with it, and breaks whatever M2M integration it glued together.

OAuth2

The small remainder of Microsoft Security Copilot plugins appear to use enterprise-grade OAuth2 flows.

In these schemes, a client ID and client secret (shared with Microsoft) are exchanged with an authorization server to obtain a short-lived access token, which is independently validated by the resource server.

If these flows were created in Okta, the resulting access tokens can be IP- constrained (only valid from a configured IP range) and client-constrained (only valid from the client that requested it). Scopes are set at the service application level, not at the user level, which means that administrators do not accidentally disable machine-to-machine integrations when an administrative account or service account is deprovisioned.

While it is disappointing to observe that so few Copilot agents are designed for enterprise-grade authentication, in many respects these choices are a reflection of the existing authentication methods made available by the security apps. In the context of integrating with a single proprietary Al tool, these security vendors were evidently not prepared to invest in updating their available authentication methods.

But what if, instead of writing plugin manifests for every Al application, developers could build a single server to an industry standard supported by all flavours of Al application?

Enter Model Context Protocol.

Modelling threats to Model Context Protocol

If you're a developer of enterprise apps, the economics of having to write a new custom connector (such as a Microsoft Copilot plugin) for every other flavour of Al model is far from desirable.

Service providers would prefer to declare from the outset what data and tools the company is willing to share with any Al model, define the conditions under these resources are exposed, define how customers should authorize the access, and allowlist the Al applications that can access these resources.

For this reason, the momentum in agentic Al is now building around Model Context Protocol (MCP). MCP is a standardized interface for connecting Al applications (hosts) to enterprise services as diverse as cloud platforms, SaaS applications, code repositories, databases and even payment services. MCP's client-server architecture allows for the "plug and play" of Al applications to the data sources and tools that provide them context.

In the enterprise, MCP promises an ability to:

Determine what enterprise-owned data sources and tools are available,
Allow agentic Al applications to access data sources and tools from multiple applications, without cross-contamination of data,
Lower the cost of experimenting with different Al applications that access those data sources and tools.

MCP servers can be deployed locally or remotely. This choice of deployment model for any given use case has a significant bearing on the resulting threat model.

The scope of our research was constrained to understanding how Al applications (hosts), MCP clients and MCP servers handle credentials. The core components we assessed were:

MCP hosts: Al applications, including Integrated Development Environments (IDEs) like Cursor, VS Code or Claude, which require access to the tools advertised by MCP servers.
MCP clients: The multiple clients an MCP host uses to communicate with a paired MCP server.
MCP servers: MCP servers advertise the tools and resources available in an external service and make API calls to these services.

Local MCP servers

The MCP model is especially attractive for software development use cases.

Software engineers using Al-enabled IDEs like Cursor and VS Code can build code locally, while drawing on the assistance of remote Al models to make suggestions as the developer writes code.

Anthropic makes its Claude Al agent available for local deployment as "Claude Desktop". Claude Desktop is a locally-deployed MacOS and Windows client and an alternative to accessing Anthropic's Al models via the browser. One advantage to local MCP servers is that clients can interact with both a remote Al model and local files (docs, images etc).

These desktop applications often need to authenticate to both the LLM (this typically requires an API key) and to remote data sources (such as code repositories, which require a Personal Access Token).

When a user launches the host application, such as Claude or Cursor, the MCP client spawns an MCP server and passes the server any credentials (API keys, database credentials, passwords, OAuth client secrets etc) required for operation from a local configuration file, including those credentials the MCP server requires for access to remote services.

If the MCP server is designed for access to Github resources, for example, the host requires a Github Personal Access Token (PAT) to be available in the local configuration file. The server will error out if the Github PAT is not provided.

The location of configuration files for three of the most popular development applications that use Al are provided below:

App	Local Configuration File	Default Locations
Claude Desktop	claude_desktop_config.json	Default location on MacOS: ~/Library/Application Support/Claude/ Default location on Windows: ~/AppData/Roaming/Claude
Cursor	mcp.json	Default location when used globally (all OS): ~/.cursor/mcp.json If an MCP server is only available to a specific project, the configuration file is placed in the project directory.
VS Code	settings.json	Default location on MacOS: ~/Library/Application Support/Code/User/ Default location on Windows: ~/AppData/Roaming/Code/User

Research by Keith Hoodlet at Trail of Bits noted the risks of storing static API keys in plaintext in these files, and cited examples of where these files were world-readable (i.e. able to be accessed by any user of the system).

Extending this research, we assessed the default configuration files for Claude Desktop, Cursor and VS Code, and observed the same permissions.

[1] Insecure credential storage plagues MCP

The same permissions appear to apply to configuration files included in numerous official MCP server implementations that are described as "production-ready", and for just about all the community integrations developed by third parties, which are not endorsed by the service providers in question.

Any threat modelling should anticipate that the vast majority of MCP servers shared to date are not endorsed, which leads to heightened risks around developer use of rogue MCP servers.

A preliminary VirusTotal analysis of MCP servers uploaded to GitHub [2] discovered that 8% of them were suspicious. An undisclosed number of those included code that attempts to identify secrets (keys, passwords etc) in prompts and posts them to external endpoints.

The insecure storage of API keys presents a range of risks, each of which are explored below.

[2] What 17,845 GitHub Repos Taught Us About Malicious MCP Servers

Risks associated with insecure storage of API keysKeys uploaded to software repositories

Keys uploaded to software repositories

Most documentation for local MCP server implementations do not warn developers or other users about the risks of storing plaintext credentials for production resources in configuration files. It is assumed that developers will securely vault the credentials, such that the configuration file only references a credential stored in a secure location.

We observed some scenarios in which the MCP configuration was not able to fetch the credential at runtime unless it was stored in plaintext in the configuration file.

Research by Gaetan Ferry at GitGuardian of repositories cloned from the unofficial Smithery.ai MCP server registry found 202 examples that contained at least one secret (5.2% of all repositories scanned). Static API tokens (see "x-api-key") featured prominently[3].

[3] A Look Into the Secrets of MCP: The New Secret Leak Source

Keys are exposed in container metadata

Running MCP servers in containers shifts rather than mitigates the issue. The secret must be passed to the container in a format that the MCP server supports.

Reviewing container configuration provides a direct reference to a cleartext secret - whether that's in the form of a file on the host, or from being able to identify the relevant environment variables in a container which can be exposed by running docker inspect, a command line tool that allows for inspection of docker resources.

Keys accessed by malware

Commodity infostealer malware is designed to locate specific paths and file types where credentials are stored.

For example:

Windows infostealers, such as Vidar Stealer, will search for secrets stored at ~\AppData\Roaming
MacOS infostealers, such as Atomic Stealer, search for secrets stored at ~/Library/Application Support

It is highly likely that the insecure storage of static API tokens in these locations will result in impactful events. Where a session token stored in this location provides a brief window of time in which an attacker can gain user- level access to a resource, a static API Token provides persistent access to organization-wide resources.

Keys backed up to external systems

Keys are exposed in backup volumes if administrators fail to exclude sensitive folders (such as ~\AppData\Roaming on Windows or ~/Library/Application Support on MacOS).

Workstations shared between multiple users

Given configuration files were found to be world-readable, keys stored by one user on a shared device are also accessible to other users that log-in to the same device.

Secure alternatives for local credential storage

The recommendations section of this document outlines tactical solutions that minimize these credential storage risks.

Alternatively, organizations experimenting with MCP can take a "secure by design" approach and use solutions developed with these threats in mind.

Take the Auth0 MCP server, for example [4]. The Autho MCP server offers administrators the ability to authorize access to Autho resources from local Claude Desktop, Cursor or Windsurf applications using the OAuth 2.0 Device Code Authorization flow.

By default, credentials are stored in the MacOS Keychain after authentication and are removed from the keychain whenever the administrator signs out of the MCP server.

Further, no scopes are selected by default: an administrative user is asked to select them.

[4] The Auth0 MCP Server is here

Remote MCP servers

A remote MCP server operates as a web service. If the MCP specification is implemented faithfully, an MCP client establishes a long-lived HTTP connection with the server, with session management handled by token- based authentication.

The March 26, 2025 release of the Model Context Protocol specification stipulated that where authorization is required, OAuth 2.1 is the appropriate method:

MCP auth implementations MUST implement OAuth 2.1 with appropriate security measures for both confidential and public clients.

Atlassian was among the first enterprise software vendors to offer a remote MCP server for customers. This offers a simple, OAuth-capable alternative to a community server that preceded it by several months.

A comparison between the official remote MCP server and the local "community" developed local server is instructive.

When the community server discovers authentication methods available in a local .env (configuration) file, any passwords configured for basic authentication takes precedence over any configured Personal Access Tokens, which in turn take precedence over OAuth credentials.

The authors of this plugin plainly state that they have optimized for developer convenience over security.

Atlassian's official remote MCP server, by contrast, includes localhost support in order to deliver OAuth-based log-in and consent for all users, including those connecting from local IDEs like Cursor.

This effectively removes the need for developers to copy and paste secrets into local configuration files. The configuration file simply references the remote service, and the user is asked to complete an OAuth Consent after successful authentication.

And unlike Microsoft Copilot, which optimised for choice of authentication methods rather than a specific security outcome, OAuth is the only available authentication method in Atlassian's remote MCP server. Atlassian is also allowlisting which hosts (Al applications) are able to connect to this remote MCP server.

Securing agentic Al

The only question is which OAuth flow to use!

While remote MCP servers based in OAuth provide a more secure and standardized approach than proprietary plugins, the path ahead is far from settled. 20 Some of the remaining security challenges are:

How can we authorize Al agents to access protected resources, while always keeping the interactive (human) user in the loop?
How can we reduce the management burden of writing authorization rules for each individual resource at the service provider level?
How can we provide centralized policies and auditing of authorization grants?

In the remote MCP servers we assessed, Al agents were authorized with the same level of access to services as the user that authorized them. They are acting "on behalf of" a user to the fullest extent of what the user is authorized to do.

This may not meet the bar for CISOs concerned about the risks of connecting Al agents to data they are duty-bound to protect. Enterprise administrators will not be content to let service providers be the final authority on what tools the MCP server provides.

A centralized administrator can't, in the Atlassian example, write policies that allow users to authorize Al agents to read and write Confluence wiki pages, but deny the ability to modify Jira tickets. Administrators can't choose specific projects that they don't want Al agents to access. If the user can access it, so can the agent.

The IETF draft OAuth Identity Assertion Grant, authored by current and former Okta architects, aims to solve this problem. This grant combines two existing standards - the OAuth 2.0 Token Exchange and JWT Profile for OAuth 2.0 Authorization Grants into a grant that provides enterprise control and visibility.

Using this approach, administrators are able to configure centralized policies that ensure an SSO-protected user can authorize an Al agent to access data in multiple applications where a trust relationship has already been established.

The CISO would again be able to limit the scope of what clients (in this case, Al agents) can access in a protected resource. Okta is working with Independent Software Vendors (ISVs) to bring these capabilities to customers under the newly-announced Cross App Access.

Concluding remarks

As an industry we now have some important decisions to make in order to safely enjoy the benefits of connecting protected resources to agentic Al.

We must resist the temptation to repurpose authentication methods that were already unsuited to connecting systems over the public internet, let alone systems that can act with autonomy. As Al agents seek and are granted broader sets of permissions, the "blast radius" of any single compromise will be greatly amplified. A single breach could expose significantly more data and critical systems than before.

We must instead adopt flows that are built for the Al era - narrowly scoped, user-delegated access flows that use ephemeral, auditable tokens, providing the CISO with some long overdue control and visibility.

Appendix: Protective Controls

Recommendations for Service Providers

Embrace OAuth 2.1 as the minimum viable authorization model for Model Context Protocol (MCP) servers.
Subscribe to updates on MCP to keep abreast of new developments.

Recommendations for Developers

Restrict the use of static API tokens to development and test environments only (no production data) and apply the minimum scopes required.
When developing locally, use OS-level secret vaults (MacOS keychain, Windows Credential Manager) to dynamically fetch secrets at runtime.
Modify the permissions of .env and other configuration files as well as the local log files of Al applications such that only your user account can read or modify them.
List all configuration and log files in .gitignore to guard against accidentally committing them to version control systems.

Recommendations for Security Teams

Restrict development activities to corporate-issued, hardened workstations.
Require phishing resistant authentication for access to corporate resources.
Use dedicated secrets management solutions for production credentials.
Manage and govern membership of groups with access to container resources, and ensure the docker daemon (process) is configured to avoid exposure.
Require OAuth 2.1 flows to authorize client access to corporate resources.
For use cases where the risks of using static API tokens are accepted:
- Educate developers about the risks of using with long-lived tokens.
- Allowlist requests using the token to the known IP range of the corresponding MCP server.
- Deny interactive access to applications using the service account linked to the API token, or in the very least require high-assurance multifactor authentication challenges to access it.
- Proactively hunt for tokens stored in plaintext on servers, in files, in code repositories, in logs and in messaging and collaboration apps.
- Monitor for abuse of tokens.