Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
§ Context
Assumed environment: many tenants use Okta-style SSO with push MFA. SMS bypasses email phishing filters. Phishlet captures credentials + relays push approval in real time.
§ Steps
- 01 Cross-app data harvest (Exfiltration): T1041 — Exfiltration Over C2 Channel
- 02 Sweep every SSO-connected SaaS app (Initial Access): T1078 — Valid Accounts
- 03 Buy / scrape employee phone numbers (Reconnaissance): W-RECON-GITHUB-DORK — GitHub / GitLab Dorking
- 04 Capture creds + push approval (Initial Access): PH-AITM-EVILGINX — AITM Phishing — Evilginx / Modlishka
- 05 Stand up phishlet (Okta clone) (Resource Development): T1583 — Acquire Infrastructure
- 06 Mass SMS to victims with phishlet URL (Initial Access): APT-OKTASS-0KTAPUS — 0ktapus SMS-Phish Sweep
§ References
§ Frequently asked
- What is the "Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)" attack path?
- Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Cross-app data harvest (T1041) — an exfiltration primitive. Assumed environment: many tenants use Okta-style SSO with push MFA.
- What is the final impact of this kill-chain?
- The final step lands on Mass SMS to victims with phishlet URL (APT-OKTASS-0KTAPUS), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024) (shared techniques: 3)
  Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- Insider admin panel coercion → mass account takeover (Twitter 2020) (shared techniques: 3)
  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- Hardware wallet supply-chain tamper → pre-seeded seed (shared techniques: 3)
  Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
- Cloudflare account compromise → Worker rewrite → mass cred theft (shared techniques: 2)
  Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.
- Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022) (shared techniques: 2)
  Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- Vesting beneficiary replace → silently drain stream (shared techniques: 2)
  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.