Executive Summary
Okta Threat Intelligence has actively tracked a financially motivated cluster of activity, known as O-UNC-034, since August 2025. The cluster leverages social engineering of help desk staff to take over accounts and manipulate data in payroll systems.
O-UNC-034 has been observed targeting employees of organizations operating in different industries, including but not limited to Education, Manufacturing and Industrials, Retail and Consumer Services, and Pharmaceuticals and Healthcare. It is one of several clusters of activity tracked by Okta Threat Intelligence and other threat researchers that target HR and payroll applications. Variations on this theme include the use of malvertising (O-TA-54) and AitM phishing (STORM-2657).
The primary objective of O-UNC-034 is to manipulate the banking details associated with targeted users in HR systems and payroll-related services.
This advisory details the observed Tactics, Techniques, and Procedures (TTPs) and provides relevant Indicators of Compromise (IOCs) associated with this active threat.
This information is provided for informational and intelligence purposes to enable organizations to understand and mitigate the risks posed by this campaign.
Threat Analysis
The threat actor is leveraging social engineering techniques by impersonating legitimate employees.
For Initial Access, the threat actor has been observed initiating contact with the target company's IT help desk, masquerading as an employee. They use this impersonation to request password resets for the employee's account.
Following a successful password reset, the threat actor establishes persistence by enrolling their own MFA authenticator on the compromised account. The threat actor has been observed enrolling Okta Verify, Voice Call Authentication or SMS, or manipulating security questions, allowing them to bypass multi-factor authentication (MFA) or other security controls.
After a successful account compromise, the actor pivots to internal applications, specifically targeting:
Payroll applications such as Workday, Dayforce HCM, and ADPsuite. Access to these systems is used to manipulate the banking details for the compromised account.
Customer Relationship Management (CRM) and IT Service Management (ITSM) platforms such as Salesforce and ServiceNow. Access to these platforms could lead to theft of proprietary customer data or intellectual property, or manipulation of IT support processes.
Collaboration and Productivity Suites such as Office 365 and Google Workspace. Access to these environments provides a wealth of information, including internal communications, documents and credentials, facilitating further attacks.
The threat actor has been observed attempting to authenticate, and successfully authenticating, from a mix of anonymizer services and residential IP addresses, including:
IPVANISH VPN
CYBERGHOST VPN
ZENMATE VPN
EXPRESS VPN
WINDSCRIBE VPN
STRONG VPN
ZENLAYER
IP addresses geolocated in Nigeria
Several operating systems are also associated with this activity, including but not limited to:
Mac OS 14.5.0 (Sonoma)
Mac OS 15.5.0 (Sequoia)
Mac OS 13.1.0 (Ventura)
Windows 11
iOS (iPhone)
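The chain described above (help-desk-initiated password reset, new factor enrolled by the attacker, then access to a payroll application from anonymizer infrastructure) can be looked for in Okta System Log exports. The following is an added example written for this advisory, not Okta's own code or tooling. It assumes the System Log record shape (eventType, actor, target, client, securityContext, published) and the event type names user.account.reset_password, user.mfa.factor.activate and user.authentication.sso; verify both against your own tenant's logs before relying on them. The log records it runs over are constructed sample data, and the anonymizer ISP strings are drawn from the list in this advisory.

```python
"""Hunt for the O-UNC-034 help-desk takeover chain in Okta System Log events.

Added example for this advisory; not Okta code. Event type names, field paths
and the sample records are assumptions to verify against a real tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# System Log event types in the chain (assumed naming; verify in your tenant).
EV_RESET = "user.account.reset_password"   # admin or self-service password reset
EV_FACTOR = "user.mfa.factor.activate"     # a new MFA factor became active
EV_SSO = "user.authentication.sso"         # user signed on to an application

PAYROLL_APPS = ("workday", "dayforce", "adp")
# Lower-cased fragments of the anonymizer services named in the advisory.
ANONYMIZER_MARKERS = ("ipvanish", "cyberghost", "zenmate", "expressvpn",
                      "express vpn", "windscribe", "strongvpn", "strong vpn", "zenlayer")
WINDOW = timedelta(hours=24)   # how long after the reset we correlate events


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _subject(event):
    """The user an event is about: the User target for admin actions, else the actor."""
    for t in event.get("target", []):
        if t.get("type") == "User":
            return t["alternateId"]
    return event["actor"]["alternateId"]


def _app_name(event):
    for t in event.get("target", []):
        if t.get("type") == "AppInstance":
            return t.get("displayName", "")
    return ""


def risky_network(event):
    """True if the request came via a known anonymizer or from the geography in the advisory."""
    sc = event.get("securityContext", {})
    isp = (sc.get("isp") or sc.get("asOrg") or "").lower()
    country = event.get("client", {}).get("geographicalContext", {}).get("country", "")
    return bool(sc.get("isProxy")) or any(m in isp for m in ANONYMIZER_MARKERS) or country == "Nigeria"


def detect(events):
    """Return one alert per user whose password was reset by someone else (the help
    desk) and who, within WINDOW, activated a new factor and signed on to a payroll app.
    risky_network flags whether any of those follow-on events used anonymizer infrastructure."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[_subject(e)].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Only resets performed by a different identity (help desk) start the chain.
            if e["eventType"] != EV_RESET or e["actor"]["alternateId"] == user:
                continue
            t0 = _ts(e)
            later = [x for x in evs[i + 1:] if _ts(x) - t0 <= WINDOW]
            factors = [x for x in later if x["eventType"] == EV_FACTOR]
            payroll = [x for x in later if x["eventType"] == EV_SSO
                       and any(p in _app_name(x).lower() for p in PAYROLL_APPS)]
            if factors and payroll:
                alerts.append({
                    "user": user,
                    "reset_by": e["actor"]["alternateId"],
                    "factors_activated": len(factors),
                    "payroll_apps": sorted({_app_name(x) for x in payroll}),
                    "risky_network": any(risky_network(x) for x in later),
                    "source_ips": sorted({x["client"]["ipAddress"] for x in later}),
                })
                break
    return alerts


def _ev(event_type, published, actor, target=None, ip="203.0.113.10",
        isp="Example Corp ISP", proxy=False, country="United States"):
    """Build a constructed System Log-shaped record (sample data, not real logs)."""
    return {
        "eventType": event_type, "published": published,
        "actor": {"type": "User", "alternateId": actor},
        "target": target or [],
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "securityContext": {"isProxy": proxy, "isp": isp},
    }


def _user(upn):
    return [{"type": "User", "alternateId": upn}]


# Constructed sample events: alice matches the chain, bob and carol do not.
SAMPLE_EVENTS = [
    # alice: help-desk reset, then factor enrolled and Workday reached from a VPN exit.
    _ev(EV_RESET, "2025-09-02T13:00:00.000Z", "helpdesk@example.com", _user("alice@example.com")),
    _ev(EV_FACTOR, "2025-09-02T13:07:00.000Z", "alice@example.com", _user("alice@example.com"),
        ip="198.51.100.7", isp="IPVanish VPN", proxy=True),
    _ev(EV_SSO, "2025-09-02T13:15:00.000Z", "alice@example.com",
        [{"type": "AppInstance", "displayName": "Workday"}], ip="198.51.100.7", isp="IPVanish VPN", proxy=True),
    # bob: help-desk reset and factor enrollment from the office, but no payroll sign-on.
    _ev(EV_RESET, "2025-09-02T14:00:00.000Z", "helpdesk@example.com", _user("bob@example.com")),
    _ev(EV_FACTOR, "2025-09-02T14:05:00.000Z", "bob@example.com", _user("bob@example.com")),
    # carol: self-service reset followed by her normal Dayforce use; not help-desk initiated.
    _ev(EV_RESET, "2025-09-02T15:00:00.000Z", "carol@example.com", _user("carol@example.com")),
    _ev(EV_FACTOR, "2025-09-02T15:02:00.000Z", "carol@example.com", _user("carol@example.com")),
    _ev(EV_SSO, "2025-09-02T15:10:00.000Z", "carol@example.com",
        [{"type": "AppInstance", "displayName": "Dayforce HCM"}]),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The correlation keys on the reset being performed by a different identity than the affected user, which is what distinguishes a help-desk reset from self-service; the anonymizer and geography context is carried on the alert for triage rather than used as a hard filter, since residential IP addresses were also observed in this activity.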
Threat Response
What we're doing
We’re actively engaged in the following activities to mitigate this threat:
Continuously monitoring the threat actor activity.
Providing guidance and assistance to organizations to enhance the security of their Okta environments and investigate any suspicious activity related to potentially compromised accounts.
Protective Controls
Recommendations
Enroll users in strong authenticators such as Okta FastPass, FIDO2 WebAuthn and smart cards and enforce phishing resistance in policy.
Document, evangelize and adhere to a standardized process for validating the identity of remote users that contact IT support personnel, and vice versa. Consider the use of identity verification services when users are locked out of accounts.
We recommend creating custom admin roles for front-line service desk professionals. This custom role should not have the permissions required to modify factors (reset user passwords, set temporary passwords, or reset or enroll factors). These service desk professionals should instead be granted in their custom role the permission to issue Temporary Access Codes after a caller to the help desk has successfully verified their identity. Unlike a password reset token, a temporary access code can be time-bound (subject to expiration), assigned to specific groups of users (NB: exclude administrators and other high-value targets), chained to other authenticators, and subject to app sign-on policies that constrain its use by device or location.
Okta authentication policies can also be used to restrict access to user accounts based on a range of customer-configurable prerequisites. We recommend administrators restrict access to sensitive applications to devices that are managed by Endpoint Management tools and protected by endpoint security tools. For access to less sensitive applications, require registered devices (using Okta FastPass) that exhibit indicators of basic hygiene.
Deny, or require higher assurance for, requests from rarely used networks. With Okta Network Zones, access can be controlled by location, ASN (Autonomous System Number), IP, and IP type (which can identify known anonymizing proxies).
Okta Behavior and Risk evaluations can be used to identify requests for access to applications that deviate from previously established patterns of user activity. Policies can be configured to step-up or deny requests using this context.
Train users to identify indicators of suspicious emails, phishing sites and common social engineering techniques used by attackers. Make it easy for users to report potential issues by configuring End User Notifications and Suspicious Activity Reporting.
Take a "Zero Standing Privileges" approach to administrative access. Assign administrators Custom Admin Roles with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles.
Apply IP Session Binding to all administrative apps to prevent the replay of stolen administrative sessions.
Enable Protected Actions to force re-authentication whenever an administrative user attempts to perform sensitive actions.
Indicators of Compromise
The security contacts of Okta customers can sign in and download Indicators of Compromise from security.okta.com at the following link:
https://security.okta.com/product/okta/help-desks-targeted-in-social-engineering-campaign-targeting-hr-applications
A note on estimate language
Okta Threat Intelligence uses the following terms to express likelihood or probability, as outlined in the US Office of the Director of National Intelligence Community Directive 203 - Analytic Standards.
| Likelihood | Almost no chance | Very unlikely | Unlikely | Roughly even chance | Likely | Very likely | Almost certain(ly) |
|---|---|---|---|---|---|---|---|
| Probability | Remote | Highly improbable | Improbable | Roughly even odds | Probable | Highly Probable | Nearly Certain |
| Percentage | 1-5% | 5-20% | 20-45% | 45-55% | 55-80% | 80-95% | 95-99% |