In recent days, a tactic has reappeared that shows how social engineering can still get past even the most sophisticated security barriers: criminal groups are using fraudulent phone calls to fool employees and gain access to corporate single sign-on (SSO) accounts. These accounts act as master keys to an organization's cloud applications, so their compromise can result in information theft, follow-on intrusions and extortion demands.
The mechanics are disturbingly simple and effective: an attacker poses as technical support, contacts an employee and guides them to enter their credentials on a page that imitates the company's portal. Meanwhile, a phishing-kit control panel lets the attacker adapt in real time what the user sees, also requesting MFA codes or triggering push notifications when necessary. The result: access to SSO and the applications linked from that panel, from mail and CRM solutions to collaboration and storage platforms.

Companies that offer SSO, such as Okta, Microsoft (Entra) and Google, make it easy for organizations to connect many applications to a single authentication flow, which improves productivity but also concentrates risk. These panels usually include linked applications - corporate mail, CRM, support tools and document repositories - so a compromised account can become a direct door to sensitive assets.
Okta published a technical analysis of the phishing kits that help run these campaigns. In its report the company describes how these tools let the attacker dynamically change the dialogs on the impersonation page to guide the user step by step during the call, even when verification requires an additional factor such as a push prompt or a TOTP code. You can read Okta's analysis on its technical blog: Okta Threat Intelligence.
The journalistic investigation that warned about the wave of attacks cited companies that received ransom demands signed by the extortion group calling itself ShinyHunters. The group itself told the media that it is behind some of these campaigns and that its main interest is the data hosted on CRM platforms such as Salesforce; it also claimed to have the infrastructure to run fraudulent calls and pages. More details on the news coverage can be found at BleepingComputer, which has followed the case.
A particularly dangerous practice in these intrusions is the use of previously leaked data to increase the credibility of the calls: phone numbers, job titles, names and corporate details extracted from earlier breaches let the attacker impersonate someone from the IT team more convincingly and reduce the doubts of the contacted employee. After the intrusion, attackers often exfiltrate documents and databases and then threaten to publish or sell them if they do not receive a ransom.
Recent incidents have been linked to companies whose data appeared in earlier leaks or which have confirmed unauthorized access to their networks. Some services affected by recent leaks - according to public reports - include platforms such as SoundCloud and Crunchbase; these organizations have issued statements and are investigating the scope of the incidents. Read the companies' official notes for their version of events and their measures: for example, Crunchbase's press page and notices, or SoundCloud's releases as applicable.
The responses of the large providers have been cautious. Microsoft indicated that it had no additional statements at the time, and Google noted that it had no evidence of direct abuse of its products in that campaign at the time of the report. When attacks exploit the human factor rather than technical flaws, public communication is often gradual while vectors are investigated and risks mitigated.
What can organizations do to reduce this risk? The first line of defense is to recognize that so-called "human confirmation" is not an absolute guarantee: continuous training in spotting impersonation attempts, phishing exercises run by the security team itself and internal telephone verification protocols all help, but they are not enough on their own. The key is to combine awareness with technical controls that make abuse difficult even if the credentials reach the attacker.
The technical recommendations that companies should evaluate include the deployment of phishing-resistant authentication mechanisms such as FIDO2 keys and other physical authenticators; the implementation of conditional access policies that limit the session and require reauthentication on abnormal behaviour; the segmentation of privileges so that no single account has indiscriminate access to all applications; and early monitoring and response based on the detection of suspicious patterns in SSO sessions. Microsoft and Google publish guidelines on good practice in access and identity management that can serve as a starting point: Microsoft Conditional Access and the Google Workspace Security Guides.
It is also important to reduce the attack surface. Limiting the permissions granted to user accounts, deactivating recovery methods that can be co-opted by attackers and controlling the creation of third-party applications within the SSO are operational decisions that make mass exploitation difficult after an initial compromise.
From a regulatory and compliance perspective, keeping audit trails, having up-to-date incident response plans and working with law enforcement when exfiltration is detected are steps that not only contain the damage but also preserve evidence and fulfil legal obligations. Organizations that suffer massive data theft often need coordination between technical, legal and communication teams to manage the crisis.
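As an added illustration of the last recommendation (example code written for this article, not tooling from Okta, Microsoft or Google), the following Python sketch runs three defender-side heuristics over a constructed SSO log: repeated MFA push challenges to one user in a short window, a new session from a source IP the user has never used, and one source IP starting sessions as several different employees. The field names, IP addresses, thresholds and per-user baseline are all constructed assumptions, not any vendor's log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_WINDOW, PUSH_THRESHOLD = timedelta(minutes=10), 3    # push-fatigue rule
SHARED_WINDOW, SHARED_USERS = timedelta(minutes=30), 3    # shared-source rule
# Constructed sample IdP log (JSON lines, UTC); field names are illustrative.
SAMPLE_LOG = """\
{"ts":"2025-10-01T09:00:05Z","user":"alice","event":"mfa.push","ip":"203.0.113.10"}
{"ts":"2025-10-01T09:01:10Z","user":"alice","event":"mfa.push","ip":"203.0.113.10"}
{"ts":"2025-10-01T09:02:30Z","user":"alice","event":"mfa.push","ip":"203.0.113.10"}
{"ts":"2025-10-01T09:02:50Z","user":"alice","event":"session.start","ip":"203.0.113.10"}
{"ts":"2025-10-01T09:20:00Z","user":"bob","event":"session.start","ip":"203.0.113.10"}
{"ts":"2025-10-01T09:25:00Z","user":"carol","event":"session.start","ip":"203.0.113.10"}
{"ts":"2025-10-01T10:00:00Z","user":"dave","event":"session.start","ip":"198.51.100.7"}
"""
# Constructed baseline: source IPs each user has signed in from before.
BASELINE = {"alice": {"192.0.2.20"}, "bob": {"192.0.2.21"},
            "carol": {"192.0.2.22"}, "dave": {"198.51.100.7"}}

def parse_log(text):
    # Parse JSON lines into events sorted by timestamp.
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect(events, baseline):
    # Return (rule, subject, ip) alerts, in the order they fire.
    alerts = []
    pushes = defaultdict(list)       # user -> recent push-challenge times
    logins = defaultdict(list)       # ip -> recent (time, user) sign-ins
    for e in events:
        if e["event"] == "mfa.push":
            # Push fatigue: fires when the Nth challenge lands inside the window.
            q = pushes[e["user"]]
            q.append(e["ts"])
            q[:] = [t for t in q if e["ts"] - t <= PUSH_WINDOW]
            if len(q) == PUSH_THRESHOLD:
                alerts.append(("push_fatigue", e["user"], e["ip"]))
        elif e["event"] == "session.start":
            # Unfamiliar source: session from an IP this user has never used.
            if e["ip"] not in baseline.get(e["user"], set()):
                alerts.append(("unfamiliar_source", e["user"], e["ip"]))
            # Shared source: fires when a third distinct user signs in from one IP.
            q = logins[e["ip"]]
            q.append((e["ts"], e["user"]))
            q[:] = [x for x in q if e["ts"] - x[0] <= SHARED_WINDOW]
            users = sorted({u for _, u in q})
            if len(users) == SHARED_USERS:
                alerts.append(("shared_source", ",".join(users), e["ip"]))
    return alerts
```

In practice each alert would feed a conditional access decision (force reauthentication, terminate the session) rather than only a report.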

The central lesson is that attackers do not always look for flaws in the service: they often aim at the weakest link, which is usually a person in a hurry and a convincing call. The combination of training, robust technical controls and policies that limit the impact of compromised access is the most practical defence today. Instituting phishing-resistant authentication, hardening access control and keeping clear procedures for support calls can make the difference between a failed attempt and an intrusion that eventually leaks sensitive information.
If you want to go deeper into the technical side, in addition to Okta's analysis and the media coverage, documents such as NIST's authentication guideline provide the basis for designing safer access architectures: NIST SP 800-63B. And if your company uses SSO, it is advisable to review the conditional access settings and session management in your provider's official documentation.
The phenomenon is not new, but its scale and engineering have evolved: remotely controlled phishing kits and the reuse of data from earlier breaches have made these campaigns more persuasive and harder to detect. Keeping your guard up and applying defense in depth remains the best recipe against an adversary who exploits human trust to open digital doors.