ShinyHunters Claims Responsibility for SSO Account Hijacking Campaign

The ShinyHunters cybercrime group has publicly claimed responsibility for a wave of voice phishing (vishing) attacks targeting enterprise single sign-on (SSO) accounts, enabling attackers to breach corporate SaaS platforms and extort organizations. This campaign exploits trusted SSO providers like Okta, Microsoft Entra, and Google as entry points into corporate networks.

According to investigations by BleepingComputer, attackers impersonate IT support staff, calling employees and guiding them to phishing sites that mimic legitimate company login portals. During these real-time calls, victims are tricked into entering credentials and multi-factor authentication (MFA) codes.

Once attackers compromise an SSO account, they gain access to all connected enterprise applications listed in the SSO dashboard—including platforms like Salesforce, Microsoft 365, Google Workspace, Dropbox, and Slack. ShinyHunters confirmed to BleepingComputer that Salesforce remains their 'primary interest,' while other compromised platforms become collateral damage.

Okta's Threat Intelligence team recently documented the phishing kits used in these attacks, revealing sophisticated control panels that allow attackers to dynamically update phishing pages during calls. As Okta's report explains: 'Attackers can display new dialog boxes in real time to instruct victims to approve push notifications or enter TOTP codes.'

Key Attack Mechanics

• Social Engineering Precision: ShinyHunters leverages stolen employee data from previous breaches (including phone numbers, job titles, and names) to craft convincing scenarios.
• SSO as Attack Vector: A single compromised SSO account exposes all linked SaaS applications shown in platforms like the Microsoft Entra dashboard.
• Evasion Technique: By capturing MFA codes in real time, attackers bypass traditional security measures.

Protective Measures for Organizations

1. Verification Protocols: Implement strict call-back procedures where IT never asks for credentials over unsolicited calls. Require in-person verification for sensitive requests.
2. Conditional Access Policies: Configure Microsoft Entra Conditional Access or equivalent tools to restrict access based on device compliance and location.
3. Phishing-Resistant MFA: Transition to FIDO2 security keys or certificate-based authentication instead of SMS/TOTP codes vulnerable to real-time interception.
4. SSO Dashboard Auditing: Regularly review connected applications and permissions in SSO portals, removing unused integrations.
5. Employee Training Simulations: Conduct vishing drills mimicking these attack patterns to improve recognition of social engineering tactics.

Microsoft and Google state they have no evidence of platform vulnerabilities being exploited, emphasizing that compromised accounts result from credential theft. ShinyHunters simultaneously relaunched its Tor data leak site, listing breaches at SoundCloud, Betterment, and Crunchbase—underscoring the group's ongoing threat to enterprises.

As SSO becomes ubiquitous in modern workplaces, this attack pattern demonstrates how centralized authentication systems can become high-value targets. Organizations must balance convenience with layered verification controls to prevent single points of failure.