Just as employees begin anticipating their year-end performance reviews, a sophisticated new phishing campaign has emerged, turning the promise of a pay raise into a cybersecurity nightmare. A new report from Datadog Security Labs reveals an active operation targeting organizations relying on Microsoft 365 and Okta for Single Sign-On (SSO), employing advanced techniques to bypass security controls and steal session tokens.
Active since early December 2025, the campaign ruthlessly exploits corporate benefits cycles. Victims receive emails disguised as notifications from HR departments or payroll services like ADP or Salesforce. The subject lines are designed to trigger immediate urgency and curiosity, using hooks such as “Action Required: Review Your 2026 Salary & Bonus Information” or “Confidential: Compensation Update”.
Some attacks utilize encrypted PDF attachments with the password provided in the email body—a classic tactic to bypass email security scanners.
What sets this campaign apart is its technical sophistication in handling identity federation. The attackers have built a “proxy” system that doesn’t just look like a login page—it interacts with the real one.

According to the report, “The phishing URLs include a URL parameter indicating the Okta tenant that’s targeted… It proxies any request to the original <target>.okta.com domain, ensuring that any customizations to the Okta authentication page are preserved, making the phishing page appear more legitimate.”
The attack gets even smarter if the victim starts on a fake Microsoft 365 login page. The malicious script monitors the browser’s background traffic. If it detects a specific JSON field named FederationRedirectUrl—which indicates the user authenticates via Okta—it intercepts the traffic.
“The script hooks xhr.onreadystatechange and watches for any JSON field named FederationRedirectUrl in an HTTP response,” the researchers explain. Once identified, the malware dynamically rewrites the browser’s destination, seamlessly redirecting the victim from the fake Microsoft page to a fake Okta page.
Once the user enters their credentials, a client-side script named inject.js goes to work. It tracks keystrokes to capture usernames and passwords, but its primary goal is session hijacking.
The malware actively monitors for “critical” cookies necessary to impersonate a user’s session, including “idx,” “JSESSIONID,” and “sid”. “The captureCookies function checks if any of the cookies is a ‘critical’ one (session cookie), then exfiltrates it by sending a POST request” to the attacker’s server.
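The two indicators described above (a non-Okta host whose URL carries the targeted Okta tenant, and the “critical” cookies leaving the browser in a POST to that host) can be checked against web-proxy logs. The following is an added defensive example, not code from the Datadog report; the log format, the `tenant=` parameter name, the `.oktapreview.com` suffix and the hostnames in the sample are assumptions.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Session cookie names the report calls "critical"; any POST carrying them to a
# host outside Okta is treated as possible session-token exfiltration.
CRITICAL_COOKIES = {"idx", "JSESSIONID", "sid"}
OKTA_SUFFIXES = (".okta.com", ".oktapreview.com")  # assumption: legitimate Okta hosts

def is_okta_host(host):
    return host.endswith(OKTA_SUFFIXES)

def tenant_in_query(url):
    """First query value naming an Okta tenant (e.g. 'acme.okta.com') on a
    non-Okta host; None otherwise. The parameter name is not checked because
    the report does not disclose it."""
    parts = urlsplit(url)
    if is_okta_host(parts.hostname or ""):
        return None
    for values in parse_qs(parts.query).values():
        for v in values:
            if re.fullmatch(r"[a-z0-9-]+\.okta(?:preview)?\.com", v, re.I):
                return v
    return None

def exfil_cookies(event):
    """Names of critical cookies found in a POST body sent to a non-Okta host."""
    if event.get("method") != "POST" or is_okta_host(urlsplit(event["url"]).hostname or ""):
        return []
    body = event.get("body", "")
    return sorted(c for c in CRITICAL_COOKIES if re.search(rf"\b{re.escape(c)}\b", body))

def scan(log_lines):
    """Return (line_no, reason) for every event matching either indicator."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        ev = json.loads(line)
        tenant = tenant_in_query(ev["url"])
        if tenant:
            findings.append((n, f"okta tenant {tenant} referenced on non-Okta host"))
        cookies = exfil_cookies(ev)
        if cookies:
            findings.append((n, f"critical cookies {cookies} POSTed off-tenant"))
    return findings

# Constructed sample proxy events (not real traffic); hosts are placeholders.
SAMPLE_LOG = [
    '{"method":"GET","url":"https://acme.okta.com/login/login.htm"}',
    '{"method":"GET","url":"https://hr-benefits-review.example/login?tenant=acme.okta.com"}',
    '{"method":"POST","url":"https://hr-benefits-review.example/c","body":"idx=abc; JSESSIONID=def"}',
    '{"method":"POST","url":"https://acme.okta.com/api/v1/authn","body":"username=jdoe"}',
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Legitimate traffic to the tenant itself (lines 1 and 4 of the sample) is not flagged; only the lookalike host referencing the tenant and the off-tenant POST carrying session cookies are.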
The infrastructure behind these attacks is evolving rapidly. The threat actors are using Cloudflare Turnstile challenges to hide their malicious sites from security bots and are constantly refining their code.