Real-Time phishing kits target Okta, Microsoft, Google<\/title> <meta name=\"description\" content=\"Cybercrime groups, including one that identifies as ShinyHunters, are targeting single sign-on services to gain access to victim networks and steal data.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"A new wave of 'vishing' attacks is breaking into SSO accounts in real time\"> <meta property=\"og:description\" content=\"Cybercrime groups, including one that identifies as ShinyHunters, are targeting single sign-on services to gain access to victim networks and steal data.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-01-26T23:48:55+00:00\"> <meta property=\"article:modified_time\" content=\"2026-01-26T23:51:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg\"> <meta property=\"og:image:width\" content=\"8256\"> <meta property=\"og:image:height\" content=\"5504\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:title\" content=\"A new wave of 'vishing' attacks is breaking into SSO accounts in real time\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1767719924g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87555\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87555\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fshinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fshinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87555 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.258465011287\">\n<div class=\"single-article__header-content\" readability=\"36.224299065421\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Cybercrime groups, including one that identifies as ShinyHunters, are targeting single sign-on services to gain access to victim networks and steal data. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87555\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg 8256w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"79.628605451178\"><body readability=\"162.39285203717\"><\/p>\n<p>Threat hunters and researchers are racing to contain a wave of voice-phishing attacks targeting single sign-on tools, already leading to data theft and extortion attempts. Multiple cybercrime groups are combining voice calls and advanced phishing kits to trick victims into handing over access \u2014 including a group identifying itself as ShinyHunters, which has publicly named alleged targets and posted samples of stolen data.<\/p>\n<p>The attacks share common characteristics with previous campaigns attributed to ShinyHunters, which has abused third-party vendors to gain initial access to multiple company networks, including the attack spree that impacted <a href=\"https:\/\/cyberscoop.com\/salesforce-gainsight-customers-breach\/\">more than 700 Salesforce customer environments<\/a> last fall.<\/p>\n<p>\u201cMandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved voice phishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim multifactor authentication solutions,\u201d Charles Carmakal, chief technology officer at Mandiant Consulting, said in an email to CyberScoop.<\/p>\n<p>\u201cThis is an active and ongoing campaign,\u201d Carmakal added. \u201cAfter gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Cybercriminals are registering custom domains that mimic legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits to call victims while remotely controlling which pages appear in the victim\u2019s browser. This lets the attackers sync their spoken prompts with multifactor-authentication requests in real time, increasing the likelihood the victim approves or enters the needed codes on cue.<\/p>\n<p>Okta, one of the single sign-on providers targeted by this campaign, released <a href=\"https:\/\/www.okta.com\/blog\/threat-intelligence\/phishing-kits-adapt-to-the-script-of-callers\/\">threat intelligence on phishing kits observed in this campaign<\/a> and others Thursday. Attackers appearing to be aligned with ShinyHunters have attempted to extort targeted organizations on behalf of a specific initial access broker that used one of these phishing kits.<\/p>\n<p>Brett Winterford, vice president at Okta Threat Intelligence, said researchers have observed at least two phishing kits that demonstrate the real-time capability to mimic the authentication flows of identity providers. <\/p>\n<p>\u201cThis creates a more compelling pretext for asking the user to share credentials and accept multifactor authentication challenges,\u201d he told CyberScoop.<\/p>\n<p>\u201cOkta Threat Intelligence has observed multiple phishing kits developed for the needs of voice phishing operators, each with dedicated panels for impersonation of Google, Microsoft and Okta sign-in flows, as well as cryptocurrency providers,\u201d Winterford added.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>A spokesperson for Microsoft said the company has nothing to share on the campaign. Meanwhile, a Google spokesperson said: \u201cAt this time, we have no indication that Google itself or its products are affected by this campaign.\u201d<\/p>\n<p>Security experts noted the attacks don\u2019t involve a vulnerability in single sign-on vendors\u2019 products or infrastructure, but rather a persistent weak point in identity and access management. Targeted victims are once again being duped into sharing their credentials with attackers.<\/p>\n<p>These phishing kits allow cybercriminals without deep technical skills to buy the tooling and focus on targeting people and processes, said Cynthia Kaiser, senior vice president of Halcyon\u2019s ransomware research center. <\/p>\n<p>\u201cWhile these campaigns occur often, the difference here is the amount of success in the recent campaign is slightly higher. That\u2019s likely because of the believable content and the use of voice phishing versus just phishing,\u201d she said.<\/p>\n<p>\u201cIf you\u2019re getting a call and it\u2019s personalized and it\u2019s changing in real time \u2014 that feels believable, that\u2019s a different element that people don\u2019t necessarily have their guard up for.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"h-investigation-ongoing-into-scope\">Investigation ongoing into scope<\/h4>\n<p>It\u2019s unclear how many organizations have been impacted by the campaign. A ShinyHunters-branded data leak site, which is currently down, previously listed at least three victims, including two companies that publicly confirmed they were impacted by recent attacks.<\/p>\n<p>SoundCloud said some personally identifiable data on about <a href=\"https:\/\/community.soundcloud.com\/playbook-articles\/protecting-our-users-and-our-service\">20% of its user base<\/a>, roughly 36 million people, was compromised by an attack it first discovered in mid-December. The company insists sensitive data wasn\u2019t exposed and did not name the attackers, but said users, employees and partners have been flooded with threatening emails. <\/p>\n<p>\u201cWe are aware that a threat actor group has published data online allegedly taken from our organization,\u201d Sade Ayodele, senior director of communications at SoundCloud, said in an email. \u201cOur security team \u2014 supported by leading third-party cybersecurity experts \u2014 is actively reviewing the claim and published data.\u201d<\/p>\n<p>Betterment, a financial services company, said an attacker gained access to some of its systems via social engineering on Jan. 9. The company said <a href=\"https:\/\/www.betterment.com\/customer-update\">customer data was stolen<\/a>, but no accounts were accessed and customer credentials weren\u2019t compromised.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The attacker also quickly used access to Betterment\u2019s systems to send a fraudulent cryptocurrency offer to some customers. Betterment did not respond to a request for comment.<\/p>\n<p>Threat intelligence suggests additional victims have been targeted and potentially impacted. Sophos researchers are tracking a cluster of about 150 malicious domains established starting last month, including some used in voice phishing campaigns resulting in data theft and ransom notes demanding a payment, said Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.<\/p>\n<p>\u201cWe can\u2019t confirm that they have all been used but the threat actors are creating target-specific domains, themed to reflect single-sign on services and impersonating authentication providers like Okta,\u201d Pilling said. The fake domains impersonate organizations in the education, real estate, energy, financial services and retail sectors.<\/p>\n<p>While one of the groups behind this campaign identifies itself as ShinyHunters, researchers have yet to confirm that claim or formally attribute the attacks to a specific group or person. <\/p>\n<p>\u201cShinyHunters typically has a mix of real victims and recycled information or exaggerated claims,\u201d Kaiser said. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Moreover, the names adopted or reused by some cybercriminals has lost relevance, said Ian Gray, vice president of intelligence at Flashpoint. <\/p>\n<p>A cybercriminal or group can use any username they choose and apply that to a data-leak site, but that doesn\u2019t prove a direct link. <\/p>\n<p>\u201cWhile ShinyHunters have claimed credibility for the campaign,\u201d Gray said, \u201cit is equally important that we examine the tactics, techniques and procedures being employed and how they relate to previous campaigns.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.258896797153\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/01\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Real-Time phishing kits target Okta, Microsoft, Google Skip to main<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,440,895,323,3911,387,281,684,646,625,614,60,3627,46,2151,2927,288,5855],"tags":[286,86,444,902,327,3915,391,285,689,650,630,619,67,3630,54,2155,2928,294,5856],"class_list":["post-8300","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-data-breaches","category-data-theft","category-extortion","category-flashpoint","category-google","category-hacking","category-halcyon","category-mandiant","category-microsoft","category-okta","category-phishing","category-phishing-kit","category-ransomware","category-shinyhunters","category-sophos","category-threats","category-voice-phishing","tag-cybercrime","tag-cybersecurity","tag-data-breaches","tag-data-theft","tag-extortion","tag-flashpoint","tag-google","tag-hacking","tag-halcyon","tag-mandiant","tag-microsoft","tag-okta","tag-phishing","tag-phishing-kit","tag-ransomware","tag-shinyhunters","tag-sophos","tag-threats","tag-voice-phishing"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-theft\/\" rel=\"category tag\">Data theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/flashpoint\/\" rel=\"category tag\">Flashpoint<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/google\/\" rel=\"category tag\">Google<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/halcyon\/\" rel=\"category tag\">Halcyon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/okta\/\" rel=\"category tag\">okta<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing\/\" rel=\"category tag\">phishing<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/phishing-kit\/\" rel=\"category tag\">phishing kit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shinyhunters\/\" rel=\"category tag\">ShinyHunters<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/sophos\/\" rel=\"category tag\">Sophos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/voice-phishing\/\" rel=\"category tag\">voice phishing<\/a>","tag_info":"voice phishing","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8300"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8300\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8300,"date":"2026-01-26T17:48:55","date_gmt":"2026-01-26T23:48:55","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87555"},"modified":"2026-01-26T17:48:55","modified_gmt":"2026-01-26T23:48:55","slug":"a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/01\/26\/a-new-wave-of-vishing-attacks-is-breaking-into-sso-accounts-in-real-time\/","title":{"rendered":"A new wave of \u2018vishing\u2019 attacks is breaking into SSO accounts in real time"},"content":{"rendered":"