High Impact · ACTION REQUIRED

New Multi-Sector Identity Attack Campaign Bypasses MFA via Vishing and SSO Hijacking — Finance, Technology, Logistics Targeted

Two coordinated threat actor clusters are conducting large-scale campaigns combining voice phishing against IT help desks and adversary-in-the-middle SSO attacks to gain persistent, MFA-bypassing access to enterprise Microsoft 365, Okta, and Entra ID environments. Active campaigns span finance, technology, and logistics sectors. Push-notification and one-time-code MFA does not stop either technique: the help-desk reset replaces the MFA device outright, and only phishing-resistant authentication (FIDO2/passkeys) defeats the SSO interception.


What Happened

Two cybercriminal groups — Cordial Spider and Snarky Spider — are conducting coordinated attacks against enterprise organisations using two techniques that together defeat standard multi-factor authentication: (1) calling IT help desks while impersonating an employee to trick staff into resetting that employee’s MFA device, and (2) sending phishing emails that lead to an adversary-in-the-middle (AiTM) reverse proxy of the organisation’s single sign-on login page, which relays the real login flow and captures the session cookie or token issued after the user has completed MFA verification.

The attacks specifically target single sign-on (SSO) systems — the authentication hub used by most enterprise organisations where one login provides access to all connected applications (email, files, HR systems, finance systems, and more). Compromising the SSO layer gives attackers simultaneous access to all of these systems at once.
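What the proxy actually captures, and why a FIDO2/WebAuthn login gives it nothing reusable, is easiest to see in code. The following is an added illustration, not code from the original briefing or from any identity vendor: it models the relying-party checks the WebAuthn specification requires on an assertion, using constructed origins (`login.example.com` for the real SSO page and a hypothetical `attacker-proxy.test` host for the proxy) and, to avoid third-party libraries, an HMAC standing in for the authenticator’s asymmetric signature. The origin-binding logic is the same either way.

```python
"""Why an AiTM proxy cannot replay a FIDO2/WebAuthn login.

Added example; not code from the briefing or any vendor. Models the
relying-party (RP) checks from the WebAuthn spec on constructed data.
An HMAC stands in for the authenticator's ECDSA/EdDSA signature so the
example runs with the standard library only.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "example.com"                                           # assumed RP id
RP_ORIGIN = "https://login.example.com"                         # assumed real SSO origin
PROXY_ORIGIN = "https://login.example.com.attacker-proxy.test"  # hypothetical AiTM host


def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """First layer: the browser only lets a page use an rpId that equals the
    page's effective domain or is a registrable suffix of it."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not the page script, writes the origin into clientDataJSON."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":"),
    ).encode()


class Authenticator:
    """Stand-in for a security key holding one credential for RP_ID."""

    def __init__(self) -> None:
        self.secret = os.urandom(32)  # stands in for the credential private key

    def sign(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = sha256(rpId) || flags (UP|UV) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
        # The signature covers authenticatorData || sha256(clientDataJSON),
        # which is what binds the browser-recorded origin to the assertion.
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.secret, signed, hashlib.sha256).digest()


def rp_verify(credential_secret: bytes, expected_challenge: str,
              auth_data: bytes, client_data_json: bytes, signature: bytes) -> str:
    """RP-side checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "reject: type"
    if cd.get("challenge") != expected_challenge:
        return "reject: challenge"
    if cd.get("origin") != RP_ORIGIN:
        return "reject: origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    expected_sig = hmac.new(credential_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "reject: signature"
    return "accept"


CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed RP challenge


def scenario_legitimate(key: Authenticator) -> str:
    """User is on the real SSO page."""
    cdj = browser_client_data(RP_ORIGIN, CHALLENGE)
    auth_data, sig = key.sign(RP_ID, cdj)
    return rp_verify(key.secret, CHALLENGE, auth_data, cdj, sig)


def scenario_aitm_forward(key: Authenticator) -> str:
    """Proxy relays the real challenge to the victim on PROXY_ORIGIN and
    forwards the assertion unchanged. A real browser already refuses here
    (browser_allows_rp_id is False); this models a client that skipped that
    check, to show the RP rejects it anyway."""
    cdj = browser_client_data(PROXY_ORIGIN, CHALLENGE)
    auth_data, sig = key.sign(RP_ID, cdj)
    return rp_verify(key.secret, CHALLENGE, auth_data, cdj, sig)


def scenario_aitm_rewrite(key: Authenticator) -> str:
    """Proxy rewrites the origin in clientDataJSON to the real one before
    forwarding; the signature no longer covers the bytes the RP sees."""
    cdj = browser_client_data(PROXY_ORIGIN, CHALLENGE)
    auth_data, sig = key.sign(RP_ID, cdj)
    forged = browser_client_data(RP_ORIGIN, CHALLENGE)
    return rp_verify(key.secret, CHALLENGE, auth_data, forged, sig)


if __name__ == "__main__":
    k = Authenticator()
    print("legitimate :", scenario_legitimate(k))
    print("proxied    :", scenario_aitm_forward(k))
    print("rewritten  :", scenario_aitm_rewrite(k))
```

Contrast this with a one-time code or push approval: the proxy relays whatever the user types or approves, the identity provider has no way to tell which page the user was on, and the resulting session cookie is handed straight to the attacker. With WebAuthn the proxy can neither obtain a valid assertion for the real origin nor alter the one it relays.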

Business Impact

These campaigns result in complete, persistent access to the compromised employee’s full digital environment — every application they can access becomes accessible to the attacker. Confirmed post-compromise activity observed in victim organisations includes:

  • Financial fraud: Business email compromise (BEC) attacks launched from compromised email accounts within hours, redirecting payments or submitting fraudulent invoices
  • Data theft: Systematic download of SharePoint/OneDrive files, particularly contracts, M&A materials, financial forecasts, and HR records
  • Account persistence: consent to attacker-controlled OAuth applications and registration of additional MFA devices, both of which survive a password reset; an IT-initiated password change alone does not remove attacker access unless existing sessions and refresh tokens are also revoked and the rogue app consent and MFA methods are removed

Organisations in finance, technology, and logistics sectors have been confirmed as victims. The financial exposure in BEC-adjacent cases can be material — misdirected payment fraud from a single compromised executive account can reach six or seven figures.

Regulatory Implications

For organisations subject to DORA or NIS2, a confirmed SSO compromise that exposes customer data, financial records, or operational systems would trigger incident reporting obligations. Under DORA Article 19 and its implementing technical standards, the initial notification of a major ICT-related incident is due to the competent authority within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours.

Board-Ready Summary

  • Attackers are bypassing standard employee authentication security (multi-factor authentication) through a combination of calling IT helpdesks and intercepting login sessions — both techniques are active in multi-sector campaigns right now
  • A successful attack gives attackers complete access to everything the compromised employee can access, across all company systems, and the access typically persists even after passwords are changed
  • The board should authorise an emergency review of two specific controls: whether the company’s IT help desk requires video verification for MFA resets, and whether the company has deployed phishing-resistant authentication (hardware security keys or passkeys) for high-risk roles

Recommended Actions

  1. Immediate (today): Brief IT help desk staff on the vishing technique: attackers call while impersonating employees, often with convincing personal details. Require that MFA device resets be verified by video call or co-authorised by the employee’s manager, with no exceptions, and have the help desk call the employee back on a number already on record rather than the inbound caller’s number.

  2. This week: Assess whether phishing-resistant MFA (FIDO2 hardware keys or passkeys) is deployed for privileged accounts, finance roles, and executive accounts; these are the highest-value targets for SSO compromise. Adversary-in-the-middle phishing cannot capture a FIDO2/WebAuthn login: the browser binds the signed assertion to the origin the user is actually on, so an assertion produced on a proxy domain is rejected by the real identity provider, and there is no code for the user to type into the wrong page.

  3. This week: Review SSO and identity provider logs (Entra ID, Okta, Ping) for the past 30 days for the following patterns: new MFA device registrations, new OAuth application consents, email forwarding rule creation within 30 minutes of a login, and sign-ins from unfamiliar countries or devices. In Entra ID the first two appear in the audit log as “User registered security info” and “Consent to application”; inbox rules appear in the Exchange Online audit log as New-InboxRule and Set-InboxRule. Any account matching these patterns should have its sessions and refresh tokens revoked, not just its password reset.

  4. Within two weeks: Restrict user consent to OAuth applications so that any application requesting access to user data needs administrator approval (in Entra ID: disable user consent or limit it to verified publishers and low-risk permissions, and enable the admin consent workflow), and disable users’ ability to register their own applications. This closes the route attackers use to obtain refresh tokens that survive password resets.

  5. Ongoing: Add SSO compromise with AiTM phishing to your tabletop exercise cycle. The scenario — employee receives convincing phishing email, completes “MFA,” attacker has session token — is not captured by traditional phishing simulation platforms that focus on credential entry rather than session token interception.
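The log review in step 3 is a hunt that can be scripted once the events are exported. The following is an added example, not code from the original briefing or from any identity vendor: it runs the four patterns over a simplified, constructed event schema loosely modelled on Entra ID sign-in and audit events plus Exchange inbox-rule audit events. The field names, the user names and every sample event are constructed; the “unfamiliar” test uses the countries and devices each user signed in from before a cut-off date as the baseline.

```python
"""Hunt for the post-compromise patterns listed in step 3 over identity logs.

Added example, not code from the briefing or any identity vendor. The event
schema and all sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. alice: normal logins from DE, then a login from
# an unfamiliar country and device followed within minutes by a forwarding
# rule, an OAuth consent and a new MFA device. bob: benign activity only.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:02:11Z", "user": "alice@example.com", "type": "SignIn",
     "country": "DE", "device": "WIN-ALICE-01"},
    {"ts": "2025-01-10T08:05:40Z", "user": "alice@example.com", "type": "SignIn",
     "country": "DE", "device": "WIN-ALICE-01"},
    {"ts": "2025-01-11T09:00:00Z", "user": "bob@example.com", "type": "SignIn",
     "country": "DE", "device": "WIN-BOB-02"},
    {"ts": "2025-01-11T10:30:00Z", "user": "bob@example.com", "type": "NewInboxRule",
     "detail": "move newsletters to folder"},
    {"ts": "2025-01-12T22:14:03Z", "user": "alice@example.com", "type": "SignIn",
     "country": "NG", "device": "unknown-7f3a"},
    {"ts": "2025-01-12T22:20:55Z", "user": "alice@example.com", "type": "NewInboxRule",
     "detail": "forward all mail to external address"},
    {"ts": "2025-01-12T22:31:17Z", "user": "alice@example.com", "type": "OAuthConsent",
     "detail": "app 'Mail Sync Helper' (hypothetical name)"},
    {"ts": "2025-01-12T22:40:00Z", "user": "alice@example.com", "type": "MfaDeviceRegistered",
     "detail": "Authenticator app added"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample (strptime keeps
    this working on Python versions whose fromisoformat rejects 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events, baseline_until: str):
    """Countries and devices each user signed in from before the cut-off;
    anything outside this set afterwards counts as unfamiliar."""
    cutoff = parse_ts(baseline_until)
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for ev in events:
        if ev["type"] == "SignIn" and parse_ts(ev["ts"]) < cutoff:
            baseline[ev["user"]]["countries"].add(ev["country"])
            baseline[ev["user"]]["devices"].add(ev["device"])
    return baseline


def find_findings(events, baseline_until: str, window=timedelta(minutes=30)):
    """Return findings sorted by time. Rules:
      unfamiliar-signin     : sign-in after the cut-off from a country or
                              device not in the user's baseline
      post-login-inbox-rule : inbox rule created within `window` of a sign-in
      oauth-consent         : any user consent to an application
      mfa-device-registered : any new MFA method registration
    """
    baseline = build_baseline(events, baseline_until)
    cutoff = parse_ts(baseline_until)
    last_signin = {}
    findings = []

    def flag(ev, rule, why):
        findings.append({"ts": ev["ts"], "user": ev["user"], "rule": rule, "why": why})

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["type"] == "SignIn":
            last_signin[user] = ts
            if ts >= cutoff:
                known = baseline[user]  # empty baseline => everything unfamiliar
                if ev["country"] not in known["countries"] or ev["device"] not in known["devices"]:
                    flag(ev, "unfamiliar-signin",
                         f"country={ev['country']} device={ev['device']}")
        elif ev["type"] == "NewInboxRule":
            prev = last_signin.get(user)
            if prev is not None and ts - prev <= window:
                minutes = int((ts - prev).total_seconds() // 60)
                flag(ev, "post-login-inbox-rule", f"{minutes} min after sign-in: {ev['detail']}")
        elif ev["type"] == "OAuthConsent":
            flag(ev, "oauth-consent", ev["detail"])
        elif ev["type"] == "MfaDeviceRegistered":
            flag(ev, "mfa-device-registered", ev["detail"])
    return findings


def users_to_contain(findings, min_rules: int = 2):
    """Users hitting at least `min_rules` distinct rules: candidates for
    immediate session/refresh-token revocation and credential reset."""
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f["user"]].add(f["rule"])
    return sorted(u for u, rules in rules_by_user.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = find_findings(SAMPLE_EVENTS, "2025-01-12T00:00:00Z")
    for f in found:
        print(f"{f['ts']} {f['user']:<20} {f['rule']:<22} {f['why']}")
    print("contain:", users_to_contain(found))
```

Against real exports the same logic applies to Entra ID sign-in logs (country and device fields), the Entra audit log (security-info registration and application consent) and the Exchange Online audit log (New-InboxRule/Set-InboxRule); the 30-minute window and the two-rule containment threshold are tuning choices, not fixed values from the briefing.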