Fraud Management & Cybercrime, Identity & Access Management, Security Operations
ShinyHunters Campaign Uses Voice Phishing to Bypass MFA and Steal Corporate Data
Mathew J. Schwartz (euroinfosec) •
January 28, 2026

Single sign-on customers of identity provider Okta should be on alert against attackers seeking to gain access to their corporate network, steal data and hold it to ransom, security experts warn.
A surge in social engineering attacks has targeted users of Okta’s SSO tools, leading the company to directly warn customers last week about this campaign. Many of these attacks, if not all, are being conducted under the banner of the cybercrime group ShinyHunters (see: Voice Phishing Okta Customers: ShinyHunters Claims Credit).
“This is an active and ongoing campaign” that has led to the theft of data from multiple victims, after which “an actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand,” said Charles Carmakal, CTO of Google’s Mandiant Consulting group.
What makes these attacks unusual is how criminals engage in real-time conversations as part of their trickery, using the latest generation of highly automated phishing toolkits, which enable them to redirect users to real-looking log-in screens as part of a highly orchestrated attack.
“This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing – ‘vishing’ – operation designed to bypass even hardened multifactor authentication setups,” said threat intelligence firm Silent Push.
The “live phishing panel” tools being used enable “a human attacker to sit in the middle of a login session, intercepting credentials and MFA tokens in real time to gain immediate, persistent access to corporate dashboards,” it said. Callers appear to be using scripts designed to walk victims through an attacker-designated list of desired actions.
If the attacker succeeds and gains access, they often move laterally, using that access “to social-engineer higher-privilege admins” via internal communications tools such as Slack and Teams. They attempt to enroll themselves in the company’s MFA program under different IDs, as well as “prioritize rapid data exfiltration for public extortion,” Silent Push said.
Up to 150 organizations are either being actively targeted or appear to be in attackers’ sights, based in part on malicious infrastructure created starting in December 2025, said Rafe Pilling, director of threat intelligence at Sophos.
“Scammers are registering custom domains, one per target, to steal credentials and help them bypass multifactor authentication,” he said.
Targets exist across numerous sectors, including major financial services, healthcare, logistics and transportation, manufacturing, biotech and pharma, technology and software, and real estate firms, researchers report.
At least so far, the campaign appears to center only on Okta-using organizations. ShinyHunters and similar groups have previously targeted a variety of SSO providers, meaning hackers’ focus may well expand, Pilling said.
The single best defense against live phishing attacks that don’t exploit any flaws or vulnerabilities in vendors’ software is strong MFA.
“We strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible, as these protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not,” Mandiant’s Carmakal said.
“Administrators should also implement strict app authorization policies and monitor logs for anomalous API activity or unauthorized device enrollments,” he said.
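The two behaviours described above, one operator enrolling MFA factors under several user identities and a factor being added minutes after a first sign-in from an unfamiliar address, are both visible in an identity provider's system log. The script below is an added example, not code from the article or from Okta or Mandiant: it runs two such checks over a constructed, newline-delimited log. The event type names (`user.session.start`, `user.mfa.factor.activate`) follow Okta's System Log, but the record layout, the sample addresses and the user names are assumed and simplified for illustration; a real export carries many more fields, and the actor of a factor-activation event is treated here as the enrolling user.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed, simplified Okta System Log shape):
# eventType, published, actor.alternateId, client.ipAddress.
# Alice has a long-established address; bob, carol and dave all activate a
# factor from the same previously unseen address within one hour.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2026-01-10T08:00:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2026-01-15T08:00:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.22"}}
{"eventType":"user.session.start","published":"2026-01-20T09:00:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.mfa.factor.activate","published":"2026-01-20T09:05:00.000Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2026-01-21T14:00:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"}}
{"eventType":"user.mfa.factor.activate","published":"2026-01-21T14:03:00.000Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.7"}}
{"eventType":"user.mfa.factor.activate","published":"2026-01-21T14:20:00.000Z","actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"198.51.100.7"}}
{"eventType":"user.mfa.factor.activate","published":"2026-01-21T14:40:00.000Z","actor":{"alternateId":"dave@example.com"},"client":{"ipAddress":"198.51.100.7"}}
"""


def parse_log(text):
    """Parse newline-delimited JSON events and return them oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["_ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["_ts"])
    return events


def _user(event):
    return event["actor"]["alternateId"]


def _ip(event):
    return event["client"]["ipAddress"]


def shared_enrollment_ips(events, window=timedelta(hours=1), min_users=2):
    """Return {ip: [users]} for addresses that activate MFA factors for at least
    `min_users` distinct users inside `window`. One operator enrolling factors
    under several identities produces exactly this cluster."""
    by_ip = defaultdict(list)
    for event in events:
        if event["eventType"] == "user.mfa.factor.activate":
            by_ip[_ip(event)].append((event["_ts"], _user(event)))
    hits = {}
    for ip, rows in by_ip.items():
        for start, _ in rows:
            users = {u for t, u in rows if start <= t <= start + window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def enrollments_from_unestablished_ip(events, min_age=timedelta(hours=24)):
    """Return (user, ip, published) for factor activations from an address the
    user had no session from at least `min_age` earlier. A factor added minutes
    after the first sign-in from a new address is the trace a vished user leaves;
    the establishment period keeps the attacker's own fresh session from
    counting as history."""
    flagged = []
    for i, event in enumerate(events):
        if event["eventType"] != "user.mfa.factor.activate":
            continue
        cutoff = event["_ts"] - min_age
        known_ips = {
            _ip(s) for s in events[:i]
            if s["eventType"] == "user.session.start"
            and _user(s) == _user(event)
            and s["_ts"] <= cutoff
        }
        if _ip(event) not in known_ips:
            flagged.append((_user(event), _ip(event), event["published"]))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("addresses enrolling factors for multiple users:", shared_enrollment_ips(evs))
    for user, ip, when in enrollments_from_unestablished_ip(evs):
        print(f"factor activated from unestablished address: {user} {ip} {when}")
```

Both checks are deliberately coarse: the one-hour window and 24-hour establishment period are assumptions to tune against your own baseline, and a shared address can also be a corporate NAT or VPN egress, so treat a hit as a triage lead to confirm out of band with the affected users rather than as proof of compromise.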
Companies should alert employees that this active campaign may be directly targeting them, give them examples of how that might work and provide them with an out-of-band way to confirm they’re really communicating with their organization’s actual IT department, Silent Push said.
“If someone receives any suspicious messages, calls or emails during this time, they should be immediately escalated to managers and security teams for review,” it said.
ShinyHunters emerged from the Western, largely adolescent cybercrime community that calls itself The Com. Members of the collective, many of whom are native English speakers, often run phone-based vishing campaigns in which they impersonate IT support staff. Members of the group freely adopt various banners, lately including Scattered Lapsus$ ShinyHunters (see: Madman Theory Spurs Crazy Scattered Lapsus$ Hunters Playbook).
Based on previous ShinyHunters and Scattered Lapsus$ ShinyHunters hits, any organization that does fall victim to this campaign should expect to experience repeat shakedowns, fake-out attempts using recycled breach data and, if they pay, being re-extorted multiple times, said Allison Nixon, chief research officer at threat intelligence group Unit 221B.
“Categorically, paying Com ransomware groups is pointless. They fundamentally don’t understand what made the Russian ransom business model work, and victims don’t get what they are promised, so Com extorters don’t deserve a dime of your money,” she said.
“Whether or not you pay them, both choices have the same outcome. Save that money, and just focus on the IR and lawyer paperwork you have to do anyway,” Nixon said.