APT-OKTA-SECredential Access

Identity-Provider Helpdesk SE (Scattered Spider)

Vish the helpdesk for MFA factor reset against an admin user of the IdP (Okta / Entra) — register attacker factor, log in, push policy/factor changes.

§ Where this technique fits

APT-OKTA-SE is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
step 3 / 7

§ What commonly comes next

01
Account Manipulation
T1098 · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)

§ What commonly comes next