SaaS Super Admins Targeted in Social Engineering Campaign

How to keep your Okta tenant and highly privileged SaaS accounts safe and secure

By John Filitz, Group Product Marketing Manager, AppOmni

In a recent statement, Identity Provider (IdP) Okta warns of well-orchestrated social engineering campaigns targeting IT service desk staff with highly privileged roles within Okta customer organizations.

This latest wave of targeted social engineering attacks on Okta is indicative of a broader, ongoing threat trend. In August and September 2022, the so-called Oktapus spear phishing campaign hit over 130 organizations successfully compromising more than 10,000 credentials and two-factor authentication (2FA) codes.

Attacks aimed at Super Admins highlight the significance of protecting highly privileged SaaS accounts. It also underscores the importance of a layered approach to cyber defense, with continuous SaaS cybersecurity monitoring at the forefront.

Overview: Manipulating Identity Access

Okta reports that threat actors are leveraging impersonation attacks in the form of voice calls, coaxing IT service desk personnel into resetting Multi Factor Authentication (MFA) for highly privileged end-users like Super Admins.

It appears that the threat actors already have login credentials to privileged end-user accounts or are able to manipulate the authentication flow via Active Directory (AD), Okta stated.

According to Okta, the threat actors are also demonstrating “novel methods of lateral movement and defense evasion.”

Additional tactics, techniques, and procedures (TTPs) used by the threat actors as reported by Okta include:

  • Assigning elevated privileges to other end-user accounts once the Super Admin role is compromised. They would also reset enrolled authenticators or remove 2FA and authentication policies altogether.
  • Anonymizing proxy services, as well as an IP and device not associated with the accounts, to access the compromised accounts.
  • Configuring a second IdP, which enables compromised accounts to continue accessing SaaS apps within the compromised organization via an inbound federated approach.

How to Stay Safe Against Social Engineering Attacks

Okta outlines several steps to prevent such attacks from being successful. Some of the threat mitigation steps include:

  • Enforcing phishing resistant authentication with Okta FastPass and FIDO2 WebAuthn.
  • Requiring re-authentication for privileged app access.
  • Using strong authenticators (Okta Verify or Google Authenticator) for self-service recovery.
  • Streamlining Remote Management and Monitoring (RMM) tools and blocking unauthorized ones.
  • Enhancing help desk verification processes by using a combination of visual verification methods, MFA challenges and manager approvals.
  • Utilizing new devices and suspicious activity monitoring.
  • Reviewing and limiting Super Admin roles, implementing privilege access management (PAM) and delegating high risk tasks to custom admin roles.
  • Mandating admin sign-ins from managed devices via phishing resistant MFA and from trusted network zones only.

Any Organization is Vulnerable to Social Engineering Attacks

According to IBM’s Cost of a Data Breach Report (2023), phishing and stolen credentials are the two most common initial attack vectors. Phishing attempts aren’t one-off situations. As organizations adopt more SaaS apps, the access points and side doors for threat actors to gain confidential information grow exponentially. Get to know the most common techniques attackers use to conduct phishing.

The recent Okta targeted attacks along with a spate of recent SaaS cyber breaches, highlight the importance of continuous monitoring and security management of your SaaS estate. Neglecting these measures makes it nearly impossible to maintain a proactive cybersecurity stance.

An SSPM solution like AppOmni enables organizations to develop a baseline for security configuration management for critical SaaS apps and data across their SaaS estate. This includes proactive alerting for any drifts or deviations from the baseline, such as changes to end-user authentication requirements or the provisioning of new end-users accounts with elevated levels of privilege. It also helps to mitigate the cyber risk associated with SaaS-to-SaaS apps, such as the ability to detect and alert on anomalous lateral movement between SaaS apps.

Focus on Defense-in-Depth

Further Reading

Given the pervasiveness of social engineering attacks and the increasing rate of adoption of SaaS, the challenge of securing your SaaS estate will only increase. On a positive note, organizations are becoming acutely aware of this growing attack surface risk. According to the recently released AppOmni SaaS Security Posture Management Report (2023), securing SaaS is identified as a top 3 cybersecurity priority.

The most critical step to securing your SaaS is to establish visibility and control over your SaaS estate, including SaaS-to-SaaS connections. Adopting a SaaS Security Posture Management solution like AppOmni is an important and foundational step in this regard.


SaaS Breach Info Center | AppOmni

SaaS Breach Info Center

As SaaS adoption continues to explode, the risk for breaches that threaten business operations and the security of highly sensitive data escalates. Learn how — and how often — SaaS data breaches occur.


Related Resources