Wide-scale, opportunistic SMS pumping attacks target customer sign-up pages

Executive Summary

Okta Threat Intelligence has identified a cluster of shared disposable email infrastructure and commodity proxy services, internally designated as O-UNC-036, that is being used to launch high-volume, automated attempts against public API endpoints.

This infrastructure has been observed in multiple persistent, large scale and financially motivated SMS pumping campaigns starting at least as early as July 2025.

To execute this attack, threat actors undertake the following sequence of actions:

1. Create a new account using a disposable email address, often tied to a set of domains
   
2. Add an actor-controlled phone number as an authentication factor
   
3. Send as many messages to the number as possible in order to achieve their monetary objectives

These attacks generate significant financial costs for the target organizations by running up bills with their telephony providers. We have been able to track historical activity from this cluster of disposable email domains back to at least March 2024, indicating a sustained, adaptive effort. Due to the high financial risk and potential for service degradation, we strongly recommend the immediate implementation of the protective controls, monitoring and aggressive response outlined in this report.

Threat Analysis

The primary objective of this campaign is opportunistic, large-scale account creation in order to carry out SMS pumping campaigns. In these attacks, threat actors profit by collaborating with high-cost international or premium-rate SMS providers. By exploiting the SMS delivery system of the target identity platform, the attacker triggers messages to phone numbers they control in high-cost regions. The victim organization is then billed for the exorbitant volume and cost of these international or premium SMS messages, with the cost of attacks potentially costing hundreds of thousands of dollars in telephony bills.

The attack follows a high-volume pattern:

• Reconnaissance and Enumeration: Attackers identify multi-factor authentication (MFA) or user registration endpoints that trigger an SMS code.
• Infrastructure Setup: Actors use commodity proxy services (VPNs, anonymizing proxies, residential botnets etc.) to distribute the source IP addresses of the traffic, reducing the efficacy of rate-limiting based solely on IP.
• High-Volume Requests: Automated scripts submit requests using known, high-cost phone country codes and rapidly generated, disposable email addresses.
• Cluster Activity: The O-UNC-036 infrastructure is a key enabler. This cluster utilizes a revolving pool of shared disposable email domains to bypass email-based rate limits and tenant-level velocity checks, allowing them to rapidly cycle through accounts for message requests. Okta Threat Intelligence has tracked activity in this cluster back to at least March 2024.
• Target Scope: We observed this activity in multiple tenants and organizations of both Auth0 and OCI, indicating a widespread, indiscriminate search for vulnerable endpoints that trigger SMS delivery. The same shared infrastructure is likely also used to attack organizations building their own customer sign-in pages or using alternative services.

For technical details of how to identify these attacks in your logs, see the Detection and Indicators sections of this report.

Detection

Our research has not uncovered any legitimate use of emails under domains listed in the indicators section of this report. Thus the existence of users with such emails is sufficient to detect attacks. Given the potential duration of this attack, it is critical that administrators look back as far as possible in their logs to determine the scope of past and future impact.

Okta Customer Identity

• High numbers of messages being sent to countries outside of your company’s normal operating regions.
• A spike in the following event types:

        system.sms.send_okta_push_verify_message

            or

        system.sms.send_factor_verify_message where result=DENY

            and

        reason=Toll Fraud Suspected

• A spike in the following event type:

        system.email.new_device_notification.sent_message

            as malicious account’s alternative proxy providers or ASNs every login.

See the “Monitoring of your Okta org” section of our support article “How to Mitigate Toll Fraud when Using Okta for Voice Authentication” for a comprehensive overview of detection strategies.

Auth0

• ss events from the domains listed in the Indicators of Compromise section. Administrators should refer to detection rules provided in the FOSS Auth0 Security Detection Catalog and modify them as needed.
• Spikes in Guardian events, especially gd_enrollment_complete and gd_send_sms events. We advise administrators to use the risk_of_signup_fraud_by_volume.yml and sms_bombarding.yml detection rules in the Auth0 Security Detection Catalog.
• A spike in “MFA bypass” events in Security Center.
• High numbers of messages being sent to countries outside of your company’s normal operating regions.

Protective controls and response

Okta Threat Intelligence has observed these attackers abandon a target when frustrated by the introduction of controls. This makes aggressive response and implementation of proper controls effective in stopping these attacks.

• While ever sending SMS messages costs money, attackers will find a way to skim off the top. This risk can only be fully mitigated by migrating to another authentication factor. We strongly recommend the adoption of FIDO Authentication (passkeys).
• Our research has not uncovered legitimate use of the domains provided in the Identicators section of this document. Deactivate users that provided these emails after making your own assessment.
• Accounts created from the ASNs in the Indicators section of this document are seldom legitimate. Administrators are advised to deactivate these accounts unless friction is a major concern.
• Disable sending messages to untrusted countries in your telephony provider.

Okta Customer Identity

• Implement FIDO Authentication with WebAuthn and migrate users’ factors away from SMS.
• Use passkeys instead of SMS or voice factors.
• Block anonymizers and proxies at edge by leveraging enhanced dynamic network zones.
• Utilizing workflows to manage self-service registration users from malicious domains. An Okta Identity Defense generated workflow exists that can be utilized or expanded upon and can be found here.
• Utilize the Okta API to quickly deactivate large batches of identified users.
• Leverage identity proofing integrations.
• See our support article “How to Mitigate Toll Fraud when Using Okta for Voice Authentication” for a comprehensive overview of responses and preventative controls.
• Block suspicious activity using the tooling provided by your telephony provider.

Contact Okta Support to provide a list of allowed telephony countries if you’re confident in the specific list of countries servicing your customers. You can also request to modify the rate limits on your organization.

Auth0

• Implement FIDO Authentication with Webauthn and migrate users’ factors away from SMS or voice factors.
• Use passkeys instead of SMS or voice factors.
• Block requests from the ASes and TLS client fingerprints in the Indicators of Compromise section at edge with Auth0’s Tenant Access Control List feature.
• Since these attackers are especially sensitive to friction, enabling bot detection and enforcing CAPTCHA can be an effective control.
• Block users from registering using the email domains listed in the
• Indicators of Compromise section with Signup and Login triggers.
• Disable sending messages to untrusted countries in your telephony provider.
• Lower your rate limits to lower the number of accounts attackers can create using the same IP address.
• Consider identity proofing integrations like those available in the Auth0 marketplace.
• If you identify a large number of fraudulent users, engage Auth0 support for assistance.

Appendix A: Indicators

This is an ongoing investigation, and additional Indicators may be identified as the campaign evolves. Organizations are advised to remain vigilant and implement the recommended mitigation strategies.