A growing number of businesses are on high alert as cybercriminal groups intensify sophisticated voice-phishing attacks—commonly known as “vishing”—to compromise single sign-on (SSO) services. Attackers are focusing on exploiting human error, leveraging personalized voice calls in tandem with tailored phishing kits to trick users into handing over credentials and multifactor authentication codes. This operation has led to stolen data and extortion threats in various sectors, sparking concern among cybersecurity experts and organizations like Okta, SoundCloud, and Betterment, all of which have been linked to these breaches in recent months. The recent wave of attacks has prompted organizations to reevaluate their approaches to credential and identity management, knowing that a single successful deception can grant the keys to highly sensitive environments.
Earlier incidents linked to the ShinyHunters cybercrime group also featured data theft and vendor exploitation, but prior events didn’t exhibit such a high degree of real-time interaction or the tailored use of vishing kits. Recent reports clarify that vishing threats are now more challenging to thwart, as attackers dynamically control authentication page content while directly manipulating victims via phone. The current campaigns mimic real sign-in flows for major platforms and generate higher success rates than previous phishing efforts, as indicated by new threat intelligence and security expert commentary. While some organizations detected early breaches, others only recognized the impact after extortion attempts surfaced.
What Techniques Are Attackers Using?
Threat actors register bogus domains mimicking official SSO portals and employ phishing kits that allow them to remotely display manipulated login screens to victims. By combining these technical tools with real-time voice prompts, attackers increase the chances of synchronizing their instructions with multifactor authentication requests, thereby making fraudulent requests more convincing. According to Mandiant’s Charles Carmakal, the campaign enables the attackers to enroll their own devices into multifactor authentication systems, facilitating deeper infiltration into cloud environments.
“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved voice phishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim multifactor authentication solutions,” said Carmakal.
Okta, one of the affected SSO providers, notes that at least two phishing kits have been detected with capabilities to mirror Google, Microsoft, and Okta authentication flows in real-time.
How Are Organizations and Users Affected?
Affected organizations range from technology to financial services. SoundCloud reported exposure of some personally identifiable information concerning about 36 million users, though sensitive data remained secure. Financial company Betterment disclosed that its breach, instigated through social engineering, led to clients being contacted with fraudulent cryptocurrency offers, but not to direct account compromise. Other companies, including those in the education, real estate, and retail sectors, have been approached by attackers with ransom demands, as reported by multiple cybersecurity units. Researchers emphasize that, so far, the attacks do not rely on vulnerabilities in SSO vendor infrastructure but instead target weaknesses in user behavior and organizational processes.
“Our security team — supported by leading third-party cybersecurity experts — is actively reviewing the claim and published data,” explained Sade Ayodele, senior director of communications at SoundCloud.
Can Security Teams Identify the Attackers Unambiguously?
Attribution remains difficult, with researchers cautioning against automatically linking attacks to groups based solely on self-identification on leak sites. Experts like Cynthia Kaiser of Halcyon and Ian Gray of Flashpoint advise evaluating tactics, techniques, and procedures rather than group names, which may be reused, exaggerated, or appropriated by different threat actors. The current campaigns echo earlier activities but stand out due to the prevalence and effectiveness of live, voice-based manipulation. Analysis continues as security teams monitor domain registrations and synthesized attack vectors.
As attackers blur the lines between technical compromise and social manipulation, organizations are urged to strengthen authentication monitoring, provide regular training on advanced phishing tactics, and reconsider processes for verifying multifactor requests. Phishing kits available for purchase lower the barrier for threat actors, now enabling less-technical criminals to orchestrate convincing, high-pressure attacks. Vigilant, well-informed users remain among the strongest defenses, as these threats increasingly bypass software safeguards by exploiting human trust and procedural loopholes. Clear internal communication, multi-layered verification, and ongoing cyber hygiene education will help businesses mitigate these risks, especially when integrating tools from providers such as Okta, Google, and Microsoft.
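One way to act on the authentication monitoring advice above is sketched below as an added example, not code from any vendor or organization named in the article. It flags a new MFA factor enrolled from an address the user first signed in from only minutes earlier, which is the device-enrollment pattern Mandiant describes. The event fields, the 30-minute window and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names are assumptions, not a real IdP schema.
EVENTS = [
    {"ts": "2026-01-05T08:55:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T09:02:00", "user": "alice", "type": "signin", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T14:31:00", "user": "alice", "type": "signin", "ip": "198.51.100.77"},
    {"ts": "2026-01-12T14:36:00", "user": "alice", "type": "mfa_enroll", "ip": "198.51.100.77"},
    # New hire: first sign-in and enrollment on the same day, no baseline to compare.
    {"ts": "2026-01-12T10:00:00", "user": "bob", "type": "signin", "ip": "203.0.113.20"},
    {"ts": "2026-01-12T10:05:00", "user": "bob", "type": "mfa_enroll", "ip": "203.0.113.20"},
    # Existing user enrolling a factor from an address seen ten days earlier.
    {"ts": "2026-01-02T09:00:00", "user": "carol", "type": "signin", "ip": "203.0.113.30"},
    {"ts": "2026-01-12T11:00:00", "user": "carol", "type": "mfa_enroll", "ip": "203.0.113.30"},
]

def suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Return (user, ip, ts) for MFA enrollments made from an address that the
    user first signed in from less than `window` ago (or never signed in from),
    provided the user already has older sign-in history to compare against."""
    first_seen = {}  # user -> {ip: datetime of first sign-in from that ip}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        ips = first_seen.setdefault(ev["user"], {})
        if ev["type"] == "signin":
            ips.setdefault(ev["ip"], ts)
        elif ev["type"] == "mfa_enroll":
            has_baseline = any(ts - seen > window for seen in ips.values())
            first = ips.get(ev["ip"])
            if has_baseline and (first is None or ts - first <= window):
                alerts.append((ev["user"], ev["ip"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for user, ip, ts in suspicious_enrollments(EVENTS):
        print(f"review: {user} enrolled an MFA factor from new address {ip} at {ts}")
```

An alert from this check is a prompt for out-of-band verification with the user, not proof of compromise; travel and new networks will also trigger it.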
