A classy phishing marketing campaign has emerged that efficiently bypasses multi-factor authentication, defending Microsoft 365 and Okta customers, representing a severe risk to organizations counting on these platforms for identification administration.
The marketing campaign, found in early December 2025, demonstrates superior data of authentication flows.
This marketing campaign targets firms throughout a number of industries via rigorously crafted phishing emails disguised as HR and advantages notifications.
Datadog Safety Labs safety analysts recognized this energetic phishing marketing campaign that particularly targets organizations utilizing Microsoft 365 and Okta for single sign-on providers.
The marketing campaign employs trendy phishing methods designed to intercept respectable SSO workflows, permitting attackers to seize each person credentials and session tokens earlier than MFA can block unauthorized entry.
The attackers have registered a number of lookalike domains, together with sso.okta-secure.io, sso.okta-cloud.com, and sso.okta-access.com, creating convincing replicas of genuine authentication pages.
Phishing marketing campaign (Supply – Datadog)
The phishing emails, despatched from compromised mailboxes linked to Salesforce Advertising and marketing Cloud, use compensation-focused lures equivalent to year-end wage evaluations and bonus info.
These messages embody shortened hyperlinks that redirect victims to first-stage phishing domains hosted on Cloudflare infrastructure.
Organizations have noticed a whole bunch of customers throughout a number of firms receiving these emails in current weeks, with the marketing campaign remaining energetic as of December 2025.
The assault succeeds via a two-stage phishing course of that leverages JavaScript-based credential harvesting. On the primary stage, attackers proxy respectable Okta pages whereas injecting malicious code that captures usernames and displays for session cookies.
Phishing web page (Supply – Datadog)
The injected inject.js script regularly displays particular crucial cookies together with idx, JSESSIONID, proximity_, DT, and sid, that are important for sustaining authenticated classes.
Each second, the script checks for brand new or modified cookies and exfiltrates them to the attacker’s server via a POST request to the /log_cookie endpoint, permitting the attacker to impersonate the sufferer’s session in their very own browser.
Understanding the JavaScript-Primarily based Credential Seize Mechanism
The technical sophistication lies in how the JavaScript interception operates in the course of the authentication course of.
The malicious code hooks the window.fetch technique, redirecting all respectable requests from Okta again to the attacker’s phishing area.
When a sufferer enters their username, the script captures it via DOM occasion listeners and shops it in a number of areas together with localStorage, sessionStorage, and cookies.
This ensures the credential is captured even when the person navigates between pages or clears browser storage.
Stream of the Microsoft 365 phishing pages (Supply – Datadog)
For victims utilizing Okta as their identification supplier with Microsoft 365, the assault turns into much more harmful.
When the sufferer begins Microsoft 365 authentication, a second injected script displays responses from Microsoft’s authentication endpoint for a subject known as FederationRedirectUrl.
The script detects when this URL factors to an Okta area and dynamically modifies it to redirect to the attacker’s second-stage Okta phishing web page as a substitute.
The attacker’s area then proxies all site visitors to the respectable Okta tenant, making a seamless expertise that tips customers into finishing authentication on the phishing web site.
Session cookies captured throughout this course of give attackers rapid entry to sufferer accounts with out requiring MFA circumvention—they merely replay the stolen session credentials.
Organizations ought to monitor their Okta logs for auth_via_mfa occasions with mismatched request origins from Cloudflare IP addresses and implement phishing-resistant MFA strategies like FIDO2 safety keys to stop such assaults.
Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most popular Supply in Google.
