
A sophisticated phishing campaign has emerged that successfully bypasses the multi-factor authentication protecting Microsoft 365 and Okta users, posing a serious threat to organizations that rely on these platforms for identity management.
The campaign, discovered in early December 2025, demonstrates advanced knowledge of authentication flows.
This campaign targets companies across multiple industries through carefully crafted phishing emails disguised as HR and benefits notifications.
Datadog Security Labs security analysts identified this active phishing campaign that specifically targets organizations using Microsoft 365 and Okta for single sign-on services.
The campaign employs modern phishing techniques designed to intercept legitimate SSO workflows, allowing attackers to capture both user credentials and session tokens before MFA can block unauthorized access.
The attackers have registered multiple lookalike domains, including sso.okta-secure.io, sso.okta-cloud.com, and sso.okta-access.com, creating convincing replicas of authentic authentication pages.
The phishing emails, sent from compromised mailboxes linked to Salesforce Marketing Cloud, use compensation-focused lures such as year-end salary reviews and bonus information.
These messages include shortened links that redirect victims to first-stage phishing domains hosted on Cloudflare infrastructure.
Organizations have observed hundreds of users across multiple companies receiving these emails in recent weeks, with the campaign remaining active as of December 2025.
The attack succeeds through a two-stage phishing process that leverages JavaScript-based credential harvesting. In the first stage, attackers proxy legitimate Okta pages while injecting malicious code that captures usernames and monitors for session cookies.
The injected inject.js script continuously monitors a specific set of critical cookies (idx, JSESSIONID, proximity_, DT, and sid) that are essential for maintaining an authenticated session.
Every second, the script checks for new or modified cookies and exfiltrates them to the attacker’s server through a POST request to the /log_cookie endpoint, allowing the attacker to impersonate the victim’s session in their own browser.
Understanding the JavaScript-Based Credential Capture Mechanism
The technical sophistication lies in how the JavaScript interception operates during the authentication process.
The malicious code hooks the window.fetch method, redirecting all legitimate requests from Okta back to the attacker’s phishing domain.
When a victim enters their username, the script captures it through DOM event listeners and stores it in multiple locations including localStorage, sessionStorage, and cookies.
This ensures the credential is captured even if the user navigates between pages or clears browser storage.
For victims using Okta as their identity provider with Microsoft 365, the attack becomes even more dangerous.
When the victim begins Microsoft 365 authentication, a second injected script monitors responses from Microsoft’s authentication endpoint for a field called FederationRedirectUrl.
The script detects when this URL points to an Okta domain and dynamically modifies it to redirect to the attacker’s second-stage Okta phishing page instead.
The attacker’s domain then proxies all traffic to the legitimate Okta tenant, creating a seamless experience that tricks users into completing authentication on the phishing site.
Session cookies captured during this process give attackers immediate access to victim accounts without having to defeat MFA themselves: the victim has already completed the MFA challenge, so the attacker simply replays the stolen, fully authenticated session cookies.
Organizations should monitor their Okta System Log for auth_via_mfa events whose request origin does not match the user's expected network, in particular requests arriving from Cloudflare IP addresses, and should deploy phishing-resistant MFA methods such as FIDO2 security keys, which bind the authentication to the legitimate origin and cannot be proxied in this way.
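The detection described above, as an added example that is not part of the original article or of Datadog's published research: a small Python script that walks exported Okta System Log events and flags user.authentication.auth_via_mfa events whose client IP falls in a Cloudflare range. Because the phishing site proxies the victim's login through Cloudflare, the source IP Okta records belongs to Cloudflare rather than the user's ISP or corporate egress. The Cloudflare ranges embedded here are a small, assumed subset of the list Cloudflare publishes at https://www.cloudflare.com/ips-v4; a production job would fetch the full current list. The sample log events are constructed for the example.

```python
import ipaddress
import json

# Assumed subset of Cloudflare's published IPv4 ranges
# (https://www.cloudflare.com/ips-v4). Constructed for this example;
# in production load the complete, current list instead.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15")
]

# Okta System Log event type emitted when a user completes an MFA challenge.
MFA_EVENT = "user.authentication.auth_via_mfa"


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip parses and sits inside one of the Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_RANGES)


def load_events(jsonl_text: str) -> list:
    """Parse a newline-delimited JSON export of Okta System Log events."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def find_suspicious_mfa_events(events: list) -> list:
    """Return (actor login, client IP, timestamp) for every auth_via_mfa event
    whose client IP is a Cloudflare address, i.e. an MFA completion that was
    relayed through a reverse proxy rather than sent by the user's own device."""
    hits = []
    for ev in events:
        if ev.get("eventType") != MFA_EVENT:
            continue
        ip = ev.get("client", {}).get("ipAddress", "")
        if is_cloudflare_ip(ip):
            hits.append((ev["actor"]["alternateId"], ip, ev["published"]))
    return hits


# Constructed sample events in Okta System Log shape (not real telemetry).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventType": MFA_EVENT, "published": "2025-12-03T10:15:02.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "172.67.1.9"}},          # relayed via Cloudflare: flag
    {"eventType": MFA_EVENT, "published": "2025-12-03T10:16:44.000Z",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.77"}},        # ordinary egress IP: ignore
    {"eventType": "user.session.start", "published": "2025-12-03T10:17:10.000Z",
     "actor": {"alternateId": "carol@example.com"},
     "client": {"ipAddress": "104.18.5.20"}},         # Cloudflare IP but not an MFA event
])


def run_sample() -> list:
    """Run the detection over the constructed sample log."""
    return find_suspicious_mfa_events(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for login, ip, when in run_sample():
        print(f"{when} {login} completed MFA from Cloudflare IP {ip}: investigate session")
```

Only the first event is reported; the third shows why the check is keyed on the MFA event type rather than on any Cloudflare-sourced request, since plenty of legitimate traffic also traverses Cloudflare. A matching hit should trigger session revocation for that user and a review of the lookalike domains named above in proxy and DNS logs.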
