A new report from LevelBlue’s SpiderLabs team warns that threat actors are increasingly using voice phishing, or vishing, to manipulate Okta authentication processes, including MFA resets and new-device enrollment. Rather than relying only on malicious links or stolen passwords, attackers are calling employees and help desks, posing as legitimate users or IT staff, and walking victims through account-recovery steps that can give them control of the authentication path.
The tactic reflects a broader shift in enterprise attacks. As organizations have adopted multifactor authentication and improved email defenses, attackers are looking for ways to bypass those controls by exploiting the people and processes that administer them.
“Attackers are thinking, why break into a single account when you can go after the systems that create and manage identity?” said Mika Aalto, co-founder and CEO of Hoxhunt. “Instead of breaking a window or stealing a spare key, they’re targeting the locksmith. If they gain control of an identity provider or help desk workflow, they can effectively generate a master key that unlocks many systems across the organization.”
How the Attack Works
Okta and similar platforms sit in front of large portions of the corporate software stack, connecting employees to email, file-sharing systems, collaboration tools, customer platforms, VPNs, and other business applications. That design is efficient, but it also concentrates risk.
“Centralized identity providers consolidate authentication into a single access point for convenience,” said Jason Soroko, senior fellow at Sectigo. “That same design transforms a localized compromise into a systemic breach.”
LevelBlue said these campaigns often begin with reconnaissance. Attackers collect employee names, titles, reporting lines, phone numbers, LinkedIn profiles, leaked credentials, and other breach data to make their calls sound credible. The pretext is usually urgent: a locked-out executive needs access before a meeting, a traveling employee has lost a phone, a contractor’s authenticator was wiped during a device upgrade, or an IT staffer is calling about a supposed account issue.
The manipulation itself can look procedural. A victim may be asked to reset MFA, approve a push notification, share a one-time passcode, click a password-reset link, or enroll a new authentication device. Each individual step may resemble a normal support interaction. Together, those steps can give the attacker the trusted access the workflow was supposed to protect.
That makes the help desk a particularly attractive target. Support teams are designed to restore access quickly, often under pressure from employees who need to get back to work. A delayed reset can disrupt sales calls, payroll tasks, customer responses, or executive meetings. Attackers exploit that pressure by creating urgency, invoking authority, or using enough internal detail to appear legitimate.
Remote and hybrid work have also made the pretexts easier to sell. Login problems, new phones, wiped authenticators, and travel-related access issues are now routine support requests. A call about a broken authenticator may not stand out, especially when help-desk staff are trying to clear ticket queues.
Once attackers control the authentication path, the intrusion may not resemble a traditional malware-driven breach. They can sign in with valid credentials and trusted sessions, then move through applications tied to the identity provider. That can put internal files, customer records, executive communications, password-reset messages, Slack discussions, and VPN access within reach — without the attacker having to drop malware on an endpoint.
LevelBlue said post-compromise activity may include bulk file downloads, mailbox exports, inbox rules that hide or forward messages, OAuth app registration, API-token generation, and secondary MFA enrollment. In some environments, that activity may look like ordinary cloud usage unless identity and SaaS logs are reviewed together.
Why Detection Is Difficult
Detection remains difficult because many security programs are still more mature around endpoint activity than identity behavior. If the sign-in is backed by a valid session, approved MFA prompt, or newly enrolled device, there may be no malicious file, suspicious executable, or command-and-control traffic to flag. The warning signs are more likely to appear across multiple systems: an MFA reset, a login from an unusual network, OAuth consent, a spike in SharePoint downloads, or a VPN session shortly after account recovery.
Those events may look minor in isolation. The pattern becomes clearer only when identity-provider logs are correlated with SaaS, VPN, cloud, and endpoint telemetry.
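The correlation step described in this section, and the post-compromise activity listed earlier (bulk downloads, mailbox exports, inbox rules, OAuth registrations, token generation, secondary MFA enrollment), as an added example that is not LevelBlue's or Okta's code. It reads constructed log lines in a made-up one-line format from three sources (an identity provider, a SaaS audit log and a VPN gateway), groups each user's events into "recovery episodes" anchored on a password reset, MFA reset or device enrollment, and raises an alert only when several follow-on signals arrive from at least two different telemetry sources within a window of the recovery. The event names, the source labels, the field layout and every sample line are assumptions constructed for the example; a real deployment would map Okta System Log, SaaS audit and VPN events onto these fields.

```python
"""Correlate identity-provider recovery events with follow-on activity.

Added example, not LevelBlue's or Okta's code. The log format, event names,
source labels and sample lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Events that alter the authentication path (identity-provider side).
RECOVERY_EVENTS = {"password.reset", "mfa.reset", "device.enroll"}

# Follow-on activity that is routine on its own but suspicious soon after a
# recovery event. Names are constructed; the value is the telemetry source
# each event is expected to arrive from.
FOLLOW_ON_EVENTS = {
    "login.new_network": "idp",
    "oauth.consent": "idp",
    "mfa.enroll": "idp",
    "api.token_create": "idp",
    "mailbox.rule_create": "saas",
    "mailbox.export": "saas",
    "bulk.download": "saas",
    "vpn.session": "vpn",
}

# Constructed sample telemetry: "<ISO timestamp> <source> <user> <kind> [detail]".
# alice: help-desk reset followed by a cross-source burst (should alert).
# bob:   help-desk reset followed by a normal login (should not alert).
# carol: bulk download with no preceding recovery (out of scope for this rule).
SAMPLE_LOG = """\
2024-05-02T08:55:00 idp alice password.reset actor=helpdesk ticket=PLACEHOLDER
2024-05-02T09:00:00 idp alice mfa.reset actor=helpdesk
2024-05-02T09:04:00 idp alice login.new_network ip=203.0.113.10
2024-05-02T09:20:00 idp alice oauth.consent app=mail-sync-tool
2024-05-02T09:40:00 saas alice bulk.download site=Finance count=412
2024-05-02T09:50:00 vpn alice vpn.session gateway=eu-west
2024-05-02T10:00:00 idp bob mfa.reset actor=helpdesk
2024-05-02T10:05:00 idp bob login.known_network ip=198.51.100.7
2024-05-02T14:00:00 saas carol bulk.download site=Eng count=90
2024-05-03T09:30:00 idp alice login.new_network ip=203.0.113.44
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "idp", "saas" or "vpn"
    user: str
    kind: str
    detail: str


@dataclass
class Episode:
    """One or more recovery events for a user plus follow-on activity in window."""
    user: str
    recovery: List[Event] = field(default_factory=list)
    follow_on: List[Event] = field(default_factory=list)

    @property
    def last_recovery(self) -> datetime:
        return self.recovery[-1].ts


def parse_line(line: str) -> Event:
    """Parse one constructed-format line; detail is optional free text."""
    parts = line.split(" ", 4)
    ts, source, user, kind = parts[:4]
    detail = parts[4] if len(parts) > 4 else ""
    return Event(datetime.fromisoformat(ts), source, user, kind, detail)


def load_events(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_episodes(events: List[Event], window: timedelta) -> List[Episode]:
    """Group each user's events into recovery episodes; attach in-window follow-on."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    episodes: List[Episode] = []
    for user, evs in by_user.items():
        current: Optional[Episode] = None
        for e in sorted(evs, key=lambda ev: ev.ts):
            in_window = current is not None and e.ts - current.last_recovery <= window
            if e.kind in RECOVERY_EVENTS:
                if in_window:
                    current.recovery.append(e)      # same support interaction
                else:
                    current = Episode(user, [e])    # new episode for this user
                    episodes.append(current)
            elif e.kind in FOLLOW_ON_EVENTS and in_window:
                current.follow_on.append(e)
    return episodes


def _to_alert(ep: Episode, min_signals: int, min_sources: int) -> Optional[dict]:
    """Alert only when distinct signals span enough distinct telemetry sources."""
    signals = sorted({e.kind for e in ep.follow_on})
    sources = sorted({e.source for e in ep.recovery} | {e.source for e in ep.follow_on})
    if len(signals) < min_signals or len(sources) < min_sources:
        return None
    return {
        "user": ep.user,
        "recovery": [e.kind for e in ep.recovery],
        "signals": signals,
        "sources": sources,
        "start": ep.recovery[0].ts,
        "end": max(e.ts for e in ep.follow_on) if ep.follow_on else ep.last_recovery,
    }


def correlate(events: List[Event], window_hours: float = 2.0,
              min_signals: int = 2, min_sources: int = 2) -> List[dict]:
    """Return one alert per recovery episode with enough cross-source follow-on."""
    window = timedelta(hours=window_hours)
    alerts = []
    for ep in build_episodes(events, window):
        alert = _to_alert(ep, min_signals, min_sources)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_LOG)):
        print(alert)
```

The `min_sources` threshold is the point of the exercise: with identity-provider logs alone, alice's reset plus a new-network login and an OAuth consent would still be a single-source story; the alert fires because the SaaS download and VPN session are joined to the same recovery episode. Tuning `window_hours` controls how long after a help-desk reset the rule keeps watching that user.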
How Companies Can Reduce the Risk
Defending against these attacks starts with treating identity changes as high-risk events. MFA resets, new-device enrollment, password recovery, and changes to authentication factors should require stronger verification than a caller’s name, title, employee ID, or other details that can be gathered online. For sensitive users and privileged accounts, organizations should consider manager approval, callbacks to known numbers, ticket validation, or second-person signoff before changes are made.
Access to identity-reset functions should also be limited. Not every support role needs the ability to approve MFA changes or modify authentication settings. Reducing the number of people who can alter the identity path also reduces the number of people attackers can pressure.
LevelBlue also recommends stronger authentication methods, including phishing-resistant options such as FIDO2 security keys and passkeys, where possible. Push approvals and one-time codes remain vulnerable to real-time manipulation over the phone.
Training needs to become more specific as well. Generic phishing awareness is not enough for help-desk staff and identity administrators likely to face these calls. They need realistic vishing scenarios built around the tactics they are likely to hear on the phone.
Okta vishing shows how attackers are adapting to stronger email and MFA defenses. The new target is the recovery process itself.
The phone call may sound routine. The access it grants may be anything but.