TL;DR: Okta's threat intelligence team revealed on January 22, 2026, that attackers are using custom-built phishing kits designed specifically for voice phishing (vishing) attacks. The kits let an attacker talk to a victim on the phone while simultaneously controlling what the victim sees in their browser, in real time. Push-based MFA, including number matching, gets bypassed because the attacker literally tells the victim which number to tap. At least two kits are available as-a-service. ShinyHunters already claims to have used the technique to breach Crunchbase and Betterment. If your company uses Okta, Google, or Microsoft SSO, switch to phishing-resistant MFA (FIDO2, passkeys) immediately.
What's Happening
On January 22, 2026, Okta published a threat advisory warning that a new generation of phishing kits is being built specifically for voice-based social engineering.[1] These aren't your standard credential-harvesting pages. They're adversary-in-the-middle (AitM) platforms with real-time command-and-control panels that let attackers orchestrate what a victim sees while talking to them on the phone.
The attacker calls a target employee, spoofs the company's IT helpdesk number, and walks them through a "security check" or "password reset." Meanwhile, the phishing kit intercepts their login and session tokens as they type.
The scary part: push-based MFA doesn't stop this. Number matching doesn't stop this. The attacker is on the phone telling the victim exactly which number to select on their push notification, because the kit shows them the challenge in real time.[2]
How the Attack Works, Step by Step
- Reconnaissance: Attackers research the target employee: what apps they use, what their IT support number looks like, their role, their schedule.[1]
- The Call: The attacker phones the victim from a spoofed helpdesk number. "Hi, this is IT support. We're seeing unusual activity on your account and need to verify your identity."
- The Phishing Page: Victim gets directed to a fake login page that looks identical to Okta, Google, or Microsoft SSO. The page is actually a real-time proxy sitting between the victim and the real login server.[2]
- Credential Capture: Victim enters their username and password. The kit forwards it to the real server and captures the session.
- MFA Bypass: When the real server sends a push notification, the attacker's C2 panel displays a matching prompt in the victim's browser. The attacker says on the phone: "You should see a notification asking you to approve. Go ahead and tap the number 47." The victim does it. The attacker is in.[1]
- Session Hijack: The kit captures the authenticated session token. The attacker now has full access to the victim's SSO: every connected app, every piece of data.
Vishing-as-a-Service
At least two custom phishing kits are being sold on an as-a-service basis to multiple threat actor groups.[1] Where older kits offered generic phishing pages for Google, Microsoft, and Okta, this new generation sells bespoke panels for each target service.
And it's not just the kits. Okta researcher Diallo told BleepingComputer that vishing expertise itself is now sold as a service: experienced callers for hire who know how to manipulate employees into compliance.[2]
Think about that for a second. You can now rent a professional social engineer and a custom phishing platform for a targeted attack on any company using SSO. The barrier to entry just collapsed.
Already Being Exploited
This isn't theoretical. As of January 24, 2026, the cyber extortion group ShinyHunters claims to have compromised Crunchbase and Betterment by vishing Okta SSO credentials from employees.[3] Neither company has confirmed the claims, but ShinyHunters has a track record: they were behind the 2024 Ticketmaster breach and the AT&T data theft.
BleepingComputer reported that Okta had privately warned its customers' CISOs earlier in the week before going public.[2] The attacks were already in progress when the advisory dropped.
Why Your MFA Isn't Enough
Push notifications? Bypassed: the attacker tells the victim what to tap. Number matching? Bypassed: the kit shows the attacker the number and they relay it verbally. SMS codes? Bypassed: the kit intercepts them in real time via the proxy. TOTP codes (authenticator apps)? Bypassed: same proxy interception.[1]
The only MFA methods that survive this attack are hardware-bound, phishing-resistant ones:
- FIDO2 security keys (YubiKey, etc.): The key verifies the domain. A fake domain won't trigger authentication.
- Passkeys: Same domain-bound verification, built into your device.
- Okta FastPass: Okta's own phishing-resistant authenticator.
Everything else is vulnerable to a human on the phone walking your employees through the attack.
What To Do Right Now
Deploy Phishing-Resistant MFA
Roll out FIDO2 keys, passkeys, or Okta FastPass. These verify the domain cryptographically: a fake page can't trigger them. This is the single most effective defense.
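To make the "verifies the domain" point concrete (for both the list of surviving MFA methods above and this step), here is an added example that is not from Okta or the advisory: a simplified model of a WebAuthn assertion and the relying-party checks from the spec, showing why an assertion produced on a look-alike domain is rejected. The domain names and challenge are constructed, and an HMAC with a demo key stands in for the credential's private-key signature (the origin and rpIdHash checks are identical for a real signature).

```python
import hashlib
import hmac
import json

# Constructed demo domains (not from the advisory): the real SSO host and a
# look-alike host where an adversary-in-the-middle proxy would be served.
REAL_RP_ID = "sso.example-corp.com"
PHISH_RP_ID = "sso.example-corp-login.com"
# Simplification: an HMAC key stands in for the credential's private key; the
# relying-party checks on origin and rpIdHash are the same for a real signature.
CREDENTIAL_KEY = b"demo-credential-secret"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def browser_assert(page_domain: str, challenge: str) -> dict:
    """Model the browser + authenticator side of navigator.credentials.get().
    The browser, not the page script, fills in origin and rpId, so a page served
    from a phishing domain can only ever yield that domain's values."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": "https://" + page_domain}).encode()
    auth_data = sha256(page_domain.encode()) + b"\x01"   # rpIdHash || flags (UP)
    sig = hmac.new(CREDENTIAL_KEY, auth_data + sha256(client_data), hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(assertion: dict, expected_challenge: str) -> tuple:
    """Relying-party checks (WebAuthn sec. 7.2) that a relayed assertion fails."""
    cd = json.loads(assertion["client_data"])
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != "https://" + REAL_RP_ID:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["auth_data"][:32] != sha256(REAL_RP_ID.encode()):
        return False, "rpIdHash mismatch"
    expect = hmac.new(CREDENTIAL_KEY, assertion["auth_data"] + sha256(assertion["client_data"]),
                      hashlib.sha256).digest()
    if not hmac.compare_digest(expect, assertion["sig"]):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"

def demo() -> dict:
    challenge = "c0ffee-demo-challenge"   # constructed; issued by the real RP
    results = {"legit": rp_verify(browser_assert(REAL_RP_ID, challenge), challenge)}
    # The proxy can relay the real challenge, but the victim's page sits on the
    # phishing domain, so the browser stamps that origin and rpIdHash into it.
    results["relayed"] = rp_verify(browser_assert(PHISH_RP_ID, challenge), challenge)
    return results
```

Because the signature covers both authenticatorData and the hash of clientDataJSON, a proxy that edits the origin or rpIdHash fields afterwards only moves the failure to the signature check.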
Train Employees on Vishing
IT support will never call and ask you to log in via a link they send. Make this policy. Repeat it. If someone calls from "IT," hang up and call the real helpdesk number yourself.
Restrict Network Access
Set network zones or tenant access control lists in Okta that block logins from VPNs, Tor, and anonymizing proxies commonly used by attackers.[1]
Monitor for Anomalies
Watch for logins from unusual IPs, new device or factor enrollments right after a login, or rapid access to multiple apps immediately after authentication; these are classic signs of session hijack.
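The three signals above can be checked against the Okta System Log with a small script. The following is an added example, not Okta's or the advisory's code: it runs over a handful of constructed events in a simplified System Log shape (the field names are real; the user, IPs, apps and timestamps are made up) and flags a session from an IP not in the user's baseline, a factor enrolled minutes after that login, and a burst of distinct app sign-ons right after it. The thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified Okta System Log shape. The field
# names (eventType, actor.alternateId, client.ipAddress, published, target) are
# real System Log fields; every value below is made up for this example.
SAMPLE_LOG = """
{"eventType":"user.session.start","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"203.0.113.10"},"published":"2026-01-23T09:00:00Z","target":[]}
{"eventType":"user.authentication.sso","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"203.0.113.10"},"published":"2026-01-23T09:05:00Z","target":[{"displayName":"Mail"}]}
{"eventType":"user.session.start","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"198.51.100.7"},"published":"2026-01-23T14:00:00Z","target":[]}
{"eventType":"user.mfa.factor.activate","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"198.51.100.7"},"published":"2026-01-23T14:01:00Z","target":[]}
{"eventType":"user.authentication.sso","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"198.51.100.7"},"published":"2026-01-23T14:02:00Z","target":[{"displayName":"HR"}]}
{"eventType":"user.authentication.sso","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"198.51.100.7"},"published":"2026-01-23T14:02:30Z","target":[{"displayName":"Finance"}]}
{"eventType":"user.authentication.sso","actor":{"alternateId":"ana@example.com"},"client":{"ipAddress":"198.51.100.7"},"published":"2026-01-23T14:03:00Z","target":[{"displayName":"Code"}]}
"""
KNOWN_IPS = {"ana@example.com": {"203.0.113.10"}}  # constructed per-user baseline
APP_BURST, BURST_WINDOW = 3, timedelta(minutes=5)   # N distinct apps within window
ENROLL_WINDOW = timedelta(minutes=10)                # new factor this soon after login

def parse(log: str) -> list:
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect(events: list, known_ips=KNOWN_IPS) -> list:
    alerts, last_login, sso_hits = [], {}, defaultdict(list)
    for e in events:
        user, ip, ts = e["actor"]["alternateId"], e["client"]["ipAddress"], e["ts"]
        kind = e["eventType"]
        if kind == "user.session.start":
            last_login[user], sso_hits[user] = (ts, ip), []
            if ip not in known_ips.get(user, set()):
                alerts.append(f"{user}: session from unknown IP {ip}")
        elif kind == "user.mfa.factor.activate":
            t0 = last_login.get(user, (None, None))[0]
            if t0 and ts - t0 <= ENROLL_WINDOW:
                alerts.append(f"{user}: MFA factor enrolled {ts - t0} after login")
        elif kind == "user.authentication.sso":
            sso_hits[user] += [(ts, t["displayName"]) for t in e["target"]]
            recent = {app for t, app in sso_hits[user] if ts - t <= BURST_WINDOW}
            if len(recent) >= APP_BURST:
                alerts.append(f"{user}: {len(recent)} apps in {BURST_WINDOW} from {ip}")
                sso_hits[user] = []   # reset so one burst yields one alert
    return alerts
```

The morning session from the known IP produces nothing; the afternoon session produces all three alerts in order, which is the pattern a hijacked SSO session leaves behind.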
The Bigger Picture
Vishing isn't new. But weaponizing it with real-time phishing kits that can puppet a victim's browser session while an attacker talks them through it? That's a step change.
The 2023 MGM Resorts breach (which cost the company over $100 million) started with a vishing call to an IT helpdesk.[4] Scattered Spider, the group behind that attack, pioneered the technique. Now the tools they used are being productized and sold to anyone willing to pay.
Okta's Diallo said it plainly: "We're only at the beginning of a wave of voice-enabled phishing attacks."[2]
Push notifications were supposed to be the answer to password theft. Then number matching was supposed to be the answer to push fatigue attacks. Now both are defeated by someone who can make a phone call. The only thing that actually works is cryptographic verification of the server you're talking to, and most organizations still haven't deployed it.
What This Means for You Personally
Even if you're not an IT admin, you might be a target. These attacks work on anyone with SSO access to valuable systems: HR, finance, engineering, customer support.
- Never log into anything via a link someone sends you over the phone: type the URL yourself or use a bookmark
- If "IT support" calls you, hang up and call back on the official number from your company directory
- Ask your employer about FIDO2 keys or passkeys: if they're not using them, they're vulnerable
- Enable passkeys on your personal accounts too: Google, Apple, Microsoft, and many others support them
References
- Okta Threat Intelligence - Phishing Kits Adapt to the Script of Callers (January 22, 2026)
- BleepingComputer - Okta SSO Accounts Targeted in Vishing-Based Data Theft Attacks (January 22, 2026)
- Help Net Security - Okta Users Under Attack: Modern Phishing Kits Are Turbocharging Vishing Attacks (January 23, 2026)
- TechRepublic - Okta Uncovers Custom Phishing Kits Built for Vishing Callers (January 2026)