Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Microsoft 365 Okta Phishing Attack: Experts Warn of New Threat

12 December 2025 08:25

A recent study by Datadog Security Labs reveals an ongoing operation targeting organizations using Microsoft 365 and Okta for single sign-on (SSO) authentication. This operation uses sophisticated techniques to bypass security controls and steal session tokens.

As employees prepare for year-end performance reviews, this complex phishing scam has begun to spread, turning what appeared to be a pay raise into a cybersecurity threat.

Since early December 2025, this campaign has been unscrupulously exploiting interest in company benefits. Unsuspecting recipients have received emails disguised as official communications from human resources departments or payroll services such as ADP or Salesforce.

Subject lines are designed to spark immediate urgency and curiosity, using phrases like “Action Required: Review 2026 Salary and Bonus Information” or “Confidential: Compensation Update.”

According to the report, security researchers say that the phishing URLs include a URL parameter that indicates the targeted Okta tenant. The phishing site forwards every request to the organization's original .okta.com domain, so all customizations of the Okta authentication page are preserved and the phishing page appears more legitimate.
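A defender-side check for the tenant-in-URL pattern described above, added here as an example (it is not code from the Datadog report or from Red Hot Cyber): it scans constructed proxy log lines for URLs whose host is not an Okta domain but whose query string carries an Okta tenant reference. The report does not name the parameter, so every query value is inspected; the log format, the sample lines and the set of Okta host suffixes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts where an Okta tenant legitimately lives (assumed set of Okta domains).
OKTA_HOST_RE = re.compile(r"^[a-z0-9-]+\.(okta\.com|okta-emea\.com|oktapreview\.com)$", re.I)
# An Okta tenant reference inside a query-string value, e.g. "acme.okta.com".
TENANT_REF_RE = re.compile(r"\b([a-z0-9-]+)\.okta\.com\b", re.I)

def is_legit_okta_host(host: str) -> bool:
    """True only for a bare <tenant>.<okta-domain> host, not for look-alike subdomains."""
    return bool(OKTA_HOST_RE.match(host))

def suspicious_tenant_reference(url: str):
    """Return (host, tenant) when a non-Okta host names an Okta tenant in its
    query string (the proxying pattern in the campaign), otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host or is_legit_okta_host(host):
        return None
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            match = TENANT_REF_RE.search(value)
            if match:
                return host, match.group(1).lower()
    return None

# Constructed sample proxy log lines (not real indicators): "<timestamp> <user> <url>".
SAMPLE_LOG = """2025-12-12T08:25:01Z alice https://acme.okta.com/login/login.htm
2025-12-12T08:26:14Z bob https://hr-bonus-review.example/review?tenant=acme.okta.com&doc=2026
2025-12-12T08:27:30Z carol https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc
2025-12-12T08:28:05Z dave https://payroll-update.example/o?t=contoso.okta.com
"""

def scan_log(text: str):
    """Return one hit per log line whose URL matches the suspicious pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # malformed line, skip rather than guess
        timestamp, user, url = fields
        found = suspicious_tenant_reference(url)
        if found:
            hits.append({"time": timestamp, "user": user, "host": found[0], "tenant": found[1]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']}: {hit['host']} references Okta tenant '{hit['tenant']}'")
```

A hit means a user was sent to a third-party host that knows their Okta tenant, which is worth correlating with the Okta sign-in log for that user and time window.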

Some attacks use encrypted PDF attachments with the password provided in the email body, a classic tactic for bypassing email security scanners.

The threat becomes even more subtle once the victim reaches the fake Microsoft 365 login page. The malicious code stealthily examines browser traffic, and as soon as it detects that the user authenticates via Okta, identified by a specific JSON field called FederationRedirectUrl, the traffic is intercepted.

Once the user enters their credentials, a client-side script called inject.js runs. It tracks keystrokes to capture usernames and passwords, but its primary goal is session hijacking.

The infrastructure behind these attacks is rapidly evolving.

Threat actors use Cloudflare to hide their malicious sites from security bots and are constantly refining their code.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.