Sophisticated Phishing Campaign Bypasses MFA to Target Microsoft 365 and Okta Users
In December 2025, cybersecurity experts identified a highly sophisticated phishing campaign that effectively circumvents multi-factor authentication (MFA) protections, posing a significant threat to organizations that use Microsoft 365 and Okta for identity management. The campaign demonstrates an advanced understanding of authentication flows: attackers insert themselves into legitimate single sign-on (SSO) workflows and capture user credentials and session tokens, so that MFA never gets the chance to block the unauthorized access.
Tactics and Techniques
The attackers employ a two-stage phishing process that leverages JavaScript-based credential harvesting. Initially, they proxy legitimate Okta pages while injecting malicious code to capture usernames and monitor session cookies. The injected script continuously checks for critical cookies, such as idx, JSESSIONID, proximity_, DT, and sid, which are essential for maintaining authenticated sessions. Every second, the script examines these cookies and exfiltrates them to the attacker’s server via a POST request to the /log_cookie endpoint, allowing the attacker to impersonate the victim’s session in their own browser.
Understanding the JavaScript-Based Credential Capture Mechanism
The technical sophistication lies in how the JavaScript interception operates during the authentication process. The malicious code hooks the window.fetch method so that requests the page would normally send to Okta are routed through the attacker's phishing domain instead. When a victim enters their username, the script captures it through DOM event listeners and stores it in multiple locations, including localStorage, sessionStorage, and cookies, so that the credential survives navigation between pages or partial clearing of browser storage.
For victims using Okta as their identity provider with Microsoft 365, the attack becomes even more dangerous. When the victim begins Microsoft 365 authentication, a second injected script monitors responses from Microsoft’s authentication endpoint for a field called FederationRedirectUrl. The script detects when this URL points to an Okta domain and dynamically modifies it to redirect to the attacker’s second-stage Okta phishing page instead. The attacker’s domain then proxies all traffic to the legitimate Okta tenant, creating a seamless experience that tricks users into completing authentication on the malicious site.
Mitigation Strategies
To defend against such sophisticated phishing campaigns, organizations should implement the following measures:
1. User Education and Awareness: Regularly train employees to recognize phishing attempts, emphasizing the importance of verifying email sources and scrutinizing links before clicking.
2. Advanced Email Filtering: Deploy email security solutions capable of detecting and blocking phishing emails, especially those originating from compromised legitimate services.
3. Domain Monitoring: Monitor for the registration of lookalike domains and take swift action to report and block them.
4. Enhanced Authentication Methods: Consider implementing phishing-resistant authentication methods, such as hardware security keys, which are less susceptible to interception.
5. Regular Security Audits: Conduct periodic reviews of authentication logs to identify unusual patterns or unauthorized access attempts.
By adopting these strategies, organizations can bolster their defenses against advanced phishing campaigns that seek to exploit authentication processes and compromise sensitive information.
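The cookie-beaconing and lookalike-domain behaviour described above can be hunted for in web-proxy logs. The following is an added detection example written for this article, not code from the original report or from any vendor; it assumes a simplified log format, a constructed trusted-host list (example.okta.com, login.microsoftonline.com), constructed sample lines, and that the /log_cookie POSTs go to the same phishing host that proxies the Okta page.

```python
from collections import defaultdict
from datetime import datetime

# Hosts this organisation legitimately authenticates against (assumed values; adjust per tenant).
TRUSTED_HOSTS = {"example.okta.com", "login.microsoftonline.com"}

# Constructed proxy log lines in the form "<ISO timestamp> <client_ip> <method> <host> <path>".
SAMPLE_LOG = """\
2025-12-03T09:14:01Z 10.0.0.12 GET example.okta.com /login/login.htm
2025-12-03T09:14:05Z 10.0.0.12 GET okta-login-portal.example /login/login.htm
2025-12-03T09:14:06Z 10.0.0.12 POST okta-login-portal.example /log_cookie
2025-12-03T09:14:07Z 10.0.0.12 POST okta-login-portal.example /log_cookie
2025-12-03T09:14:08Z 10.0.0.12 POST okta-login-portal.example /log_cookie
2025-12-03T09:14:09Z 10.0.0.12 POST okta-login-portal.example /log_cookie
2025-12-03T09:15:00Z 10.0.0.44 POST login.microsoftonline.com /common/oauth2/token
"""


def parse(line):
    """Split one log line into (timestamp, client_ip, method, host, path)."""
    ts, client, method, host, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, path


def find_cookie_beacons(log_text, min_hits=3, max_gap_s=2.0):
    """Return (client, host) pairs that POST to /log_cookie on an untrusted host
    at least min_hits times with no more than max_gap_s seconds between posts,
    i.e. the roughly once-per-second exfiltration cadence the report describes."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, host, path = parse(line)
        if method == "POST" and path == "/log_cookie" and host not in TRUSTED_HOSTS:
            series[(client, host)].append(ts)
    hits = []
    for key, stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(g <= max_gap_s for g in gaps):
            hits.append(key)
    return hits


def find_okta_lookalikes(log_text):
    """Return hosts whose name contains 'okta' but which are not the real tenant."""
    hosts = {parse(line)[3] for line in log_text.splitlines()}
    return sorted(h for h in hosts if "okta" in h.lower() and h not in TRUSTED_HOSTS)
```

Both functions return plain lists so they can feed a SIEM rule or a scheduled hunt; tune min_hits and max_gap_s to the proxy's logging resolution.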