Datadog Uncovers Sophisticated Adversary-in-the-Middle Phishing Targeting Microsoft 365 and Okta Users


Introduction:

As cyber threats evolve, attackers are increasingly exploiting the trust organizations place in single sign-on (SSO) systems. Datadog Security Labs has recently exposed a high-stakes Adversary-in-the-Middle (AiTM) phishing campaign aimed at Microsoft 365 and Okta SSO users. Unlike traditional phishing attacks, this operation bypasses standard multi-factor authentication (MFA), putting employee credentials and corporate accounts at unprecedented risk.

Summary of the Attack:

First detected in early December 2025, the phishing campaign relies on highly convincing lookalike domains to hijack authentication flows. Attackers initiate the operation using familiar lures themed around employee benefits and year-end compensation reviews, sending emails or password-protected PDFs that masquerade as HR or payroll notifications, often referencing trusted services like ADP.

Clicking the links directs victims to first-stage phishing pages with URLs such as employee-hr-portal[.]com, corporate-hr-portal[.]com, and mybenefits-portal[.]com. Hosted on Cloudflare, these pages replicate Microsoft 365 login portals with alarming accuracy. For organizations federated with Okta, the attack dynamically identifies the identity provider and redirects the user to a second-stage phishing site using domains like sso.okta-secure[.]io, sso.okta-cloud[.]com, and okta-access[.]com. These sites proxy requests through the legitimate Okta domain to maintain the authentic look and feel of the login interface.

Technically, attackers inject JavaScript to modify the browser’s fetch function, capturing credentials and Okta session tokens in real time. An additional script, inject.js, exfiltrates session cookies such as idx, JSESSIONID, and sid every second via the /log_cookie endpoint. This allows attackers to impersonate victims and maintain persistent access to organizational accounts.

Datadog’s analysis revealed that Microsoft 365 phishing pages also include obfuscated scripts that intercept responses from login.microsoftonline.com. When federation redirects point to Okta, attackers substitute their malicious links to seamlessly funnel victims into the second-stage phishing flow.

The campaign has been evolving over months, with malicious domains primarily registered through NameSilo and protected with Cloudflare Turnstile challenges to evade automated detection. Organizations using Okta FastPass may notice login declines when origins don’t match expected URLs, such as https://sso.okta-secure.io.

Known malicious domains include benefitsviewportal[.]com, benefitsmemberportal[.]com, okta-secure[.]io, and okta-panel[.]com. Datadog advises deploying phishing-resistant MFA and monitoring SSO activity for anomalies, particularly those originating from non-organizational or Cloudflare IP addresses.
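The monitoring advice above (watch SSO activity originating from non-organizational or Cloudflare IP addresses, and treat FastPass origin-mismatch declines as a signal) can be turned into a small log scan. The script below is an added example written for this article; it is not Datadog's or Okta's tooling. It reads constructed Okta System Log-style JSON lines (the field names follow Okta's documented schema, every value is made up), and the two CIDR lists are placeholders: replace ORG_CIDRS with your own egress ranges and PROXY_CIDRS with the CDN provider's published IP list. The `FASTPASS_DECLINE_MARKER` substring is an assumption about the wording of the decline reason; confirm it against your tenant's actual events.

```python
"""Scan Okta System Log-style events for the anomalies the article recommends
watching: sign-ins from outside the organisation's address space, sign-ins
arriving through a CDN/proxy range, and FastPass declines caused by an origin
mismatch. Example code, not Datadog's or Okta's own tooling."""
import ipaddress
import json

# Constructed sample log (JSON lines). Field names follow Okta's System Log
# schema (eventType, actor.alternateId, client.ipAddress, outcome.result/reason);
# every value is made up for this example.
SAMPLE_LOG = """\
{"published": "2025-12-02T09:14:03Z", "eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS", "reason": null}}
{"published": "2025-12-02T09:20:41Z", "eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.25"}, "outcome": {"result": "SUCCESS", "reason": null}}
{"published": "2025-12-02T09:22:17Z", "eventType": "user.authentication.auth_via_mfa", "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "192.0.2.77"}, "outcome": {"result": "FAILURE", "reason": "FastPass declined phishing attempt"}}
{"published": "2025-12-02T09:30:00Z", "eventType": "user.account.update_password", "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "192.0.2.5"}, "outcome": {"result": "SUCCESS", "reason": null}}
"""

# Placeholders (documentation ranges): replace with your own egress ranges and
# with the CDN provider's published IP list; Cloudflare's real ranges are not
# reproduced here.
ORG_CIDRS = ["203.0.113.0/24"]
PROXY_CIDRS = ["198.51.100.0/24"]

# Only authentication-related events are scored; a password change from a home
# address is not a sign-in anomaly by itself.
AUTH_EVENT_TYPES = {
    "user.session.start",
    "user.authentication.auth_via_mfa",
    "user.authentication.sso",
}

# Assumed substring of the outcome.reason written on a FastPass origin-mismatch
# decline; confirm the exact wording against your own tenant's logs.
FASTPASS_DECLINE_MARKER = "phishing"


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_event(event, org_nets, proxy_nets):
    """Return the list of anomaly tags for one parsed event (empty if clean)."""
    findings = []
    if event.get("eventType") not in AUTH_EVENT_TYPES:
        return findings
    ip = (event.get("client") or {}).get("ipAddress")
    if ip:
        # A CDN/proxy source is the stronger signal, so it wins over "non-org".
        if _in_any(ip, proxy_nets):
            findings.append("login_via_cdn_proxy_range")
        elif not _in_any(ip, org_nets):
            findings.append("login_from_non_org_ip")
    outcome = event.get("outcome") or {}
    reason = (outcome.get("reason") or "").lower()
    if outcome.get("result") == "FAILURE" and FASTPASS_DECLINE_MARKER in reason:
        findings.append("fastpass_origin_mismatch")
    return findings


def scan_log(text, org_cidrs=ORG_CIDRS, proxy_cidrs=PROXY_CIDRS):
    """Parse JSON-lines log text and return one summary dict per flagged event."""
    org_nets, proxy_nets = _networks(org_cidrs), _networks(proxy_cidrs)
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify_event(event, org_nets, proxy_nets)
        if findings:
            flagged.append({
                "published": event.get("published"),
                "user": (event.get("actor") or {}).get("alternateId"),
                "eventType": event.get("eventType"),
                "ip": (event.get("client") or {}).get("ipAddress"),
                "findings": findings,
            })
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['published']} {hit['user']:<20} {hit['eventType']:<38} "
              f"{hit['ip']:<15} {', '.join(hit['findings'])}")
```

Run against the constructed sample, the scan flags Bob's successful sign-in (source address inside the proxy placeholder range) and Carol's failed MFA event (non-organizational source plus a FastPass decline), while Alice's in-office sign-in and Dave's non-authentication event pass clean. Feeding real exports through it only requires swapping in the real CIDR lists; a proxied sign-in that nonetheless succeeded is exactly the pattern the article's cookie-replay description predicts.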

What Undercode Say:

This campaign illustrates the next level of sophistication in phishing attacks, where conventional MFA no longer provides absolute security. The attackers’ method of dynamically detecting identity providers and proxying requests through legitimate domains shows a clear understanding of enterprise authentication flows. By injecting scripts to capture both credentials and session cookies, the attackers bypass the protective layer that MFA offers, effectively turning authentication into a vector for persistent compromise.

The use of Cloudflare-hosted pages and Turnstile challenges demonstrates a deliberate effort to evade automated detection systems, suggesting that the campaign operators are well-funded and technically adept. The targeting of year-end compensation and benefits reviews is psychologically strategic, preying on timely employee anxieties to increase click-through rates.

The campaign also highlights gaps in federated authentication monitoring. Even organizations with Okta FastPass may experience declined logins due to origin mismatches, exposing a subtle but critical point of failure. This calls for tighter scrutiny of login events, origin validation, and session token anomalies.

Obfuscation techniques on the Microsoft 365 side, particularly the interception of federation redirects, underscore that attackers are not merely phishing for passwords—they are actively manipulating the authentication flow to maintain invisibility. This implies that organizations need not only technical defenses but also real-time behavioral monitoring to detect such stealthy intrusions.

Organizations should treat this as a wake-up call: phishing-resistant MFA alone is insufficient. Endpoint detection, SSO event logging, and employee awareness campaigns are essential components of a holistic defense. The campaign’s continued evolution indicates that static defenses will be outpaced without adaptive security measures.

From a broader perspective, this campaign may represent a shift in enterprise-targeted phishing strategies. By combining social engineering, technical proxying, and sophisticated JavaScript exfiltration, attackers are effectively weaponizing trust in corporate SSO systems. Continuous threat intelligence sharing and cross-platform monitoring could be key mitigations.

🔍 Fact Checker Results:

✅ Campaign confirmed by Datadog Security Labs.
✅ Targets Microsoft 365 and Okta SSO users via AiTM phishing.
❌ Not a generic phishing attack—uses advanced session cookie exfiltration.

📊 Prediction:

💻 This AiTM campaign is likely to escalate, targeting other federated SSO platforms beyond Okta.
📈 Organizations that delay implementing phishing-resistant MFA and robust SSO monitoring could face credential theft and persistent account compromise.
⚠️ Expect attackers to refine obfuscation and evade detection with new Cloudflare-protected domains.


References:

Reported By: cyberpress.org