APT-OKTASS-0KTAPUSInitial Access

0ktapus SMS-Phish Sweep

Mass SMS phishing of help-desk / contractor logins across ~130 SaaS tenants — Twilio, MailChimp, DoorDash et al. compromised through one Okta-style phishlet (Group-IB tracked it).

§ Where this technique fits

APT-OKTASS-0KTAPUS is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
step 3 / 6

§ What commonly comes next

01
AITM Phishing — Evilginx / Modlishka
PH-AITM-EVILGINX · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)

§ What commonly comes next