Okta Uncovers Custom Phishing Kits Built for Vishing Callers

Phone scammers have achieved an unwelcome breakthrough, combining traditional phishing websites with real-time voice manipulation in a way that defeats any multi-factor authentication that is not phishing-resistant.
While most people worry about suspicious emails, cybercriminals have spent recent months quietly perfecting a far more personal and convincing approach.
Research released by Okta’s threat intelligence team exposes phishing toolkits specifically engineered for voice-based social engineering attacks, with these custom systems increasingly sold on an as-a-service basis. The kits capture user credentials while simultaneously giving the caller real-time visibility into the victim’s session, which helps the attacker talk the victim into approving multi-factor authentication challenges during the live phone conversation.
“Once you get into the driver’s seat of one of these tools, you can immediately see why we are observing higher volumes of voice-based social engineering,” said Moussa Diallo, threat researcher at Okta Threat Intelligence. “Using these kits, an attacker on the phone to a targeted user can control the authentication flow as that user interacts with credential phishing pages. They can control what pages the target sees in their browser in perfect synchronization with the instructions they are providing on the call. The threat actor can use this synchronization to defeat any form of MFA that is not phishing-resistant.”
The reality of attack
Attacks typically follow a consistent sequence:
- The threat actor conducts reconnaissance on the target, gathering details such as employee names, commonly used applications, and phone numbers associated with IT support calls.
- The threat actor then deploys a customized phishing page and contacts targeted users, spoofing the organization’s phone number or help desk hotline.
- During the call, the threat actor persuades the user to visit the phishing site, framing it as a required IT support or security step.
- The user enters their username and password, which are automatically relayed to the threat actor via a Telegram channel.
- The threat actor uses the stolen credentials to sign in through the legitimate login portal and determines which MFA prompts the account triggers.
- Finally, the threat actor updates the phishing site in real time to match the conversation, prompting the user to provide an OTP, approve a push notification, or complete other MFA challenges.
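Steps five and six of that sequence leave a footprint in the identity provider’s own logs: a password success from an address the user has never signed in from, followed within seconds by a successful verification of a factor the caller can coach the victim through. The following detection logic, an added example rather than anything from Okta’s research or product, runs over a handful of constructed authentication events (the schema, users, IP addresses and timestamps are all invented for this illustration, and the `known_ips` history would in practice come from your own sign-in records). It deliberately ignores FastPass and passkey verifications, because those factors are bound to the device and origin and cannot be relayed from the attacker’s browser, which is the point of the recommendations later in this article.

```python
from datetime import datetime, timezone

# Factors a real-time phishing kit can relay or coach a victim through.
# FastPass and passkeys are origin- and device-bound, so a success with
# those factors from the attacker's browser is not something the kit
# can produce; they are excluded on purpose.
PHISHABLE_FACTORS = {"push", "sms_otp", "totp", "email_otp"}

# Constructed sample events for this example (not Okta System Log data;
# the field names are invented). Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T14:02:05Z", "user": "a.lee@example.com",
     "event": "password_ok", "ip": "203.0.113.45", "factor": None},
    {"ts": "2025-01-10T14:02:31Z", "user": "a.lee@example.com",
     "event": "mfa_ok", "ip": "203.0.113.45", "factor": "push"},
    # Unfamiliar IP, but the factor is phishing-resistant: not flagged.
    {"ts": "2025-01-10T09:15:00Z", "user": "b.kim@example.com",
     "event": "password_ok", "ip": "198.51.100.7", "factor": None},
    {"ts": "2025-01-10T09:15:04Z", "user": "b.kim@example.com",
     "event": "mfa_ok", "ip": "198.51.100.7", "factor": "fastpass"},
    # Phishable factor, but from an IP this user normally uses: not flagged.
    {"ts": "2025-01-10T11:40:00Z", "user": "c.ng@example.com",
     "event": "password_ok", "ip": "198.51.100.9", "factor": None},
    {"ts": "2025-01-10T11:40:20Z", "user": "c.ng@example.com",
     "event": "mfa_ok", "ip": "198.51.100.9", "factor": "totp"},
]

# Addresses each user has previously authenticated from (constructed).
KNOWN_IPS = {
    "a.lee@example.com": {"198.51.100.20"},
    "b.kim@example.com": {"198.51.100.99"},
    "c.ng@example.com": {"198.51.100.9"},
}


def _parse(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_vishing_candidates(events, known_ips, window_s=120):
    """Return one alert per password success from an unfamiliar IP that is
    followed, within window_s seconds and from the same IP, by a successful
    verification of a phishable factor. This is the trace the attacker's
    own sign-in (steps 5 and 6 above) leaves behind."""
    by_user = {}
    for e in sorted(events, key=lambda e: _parse(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, seq in by_user.items():
        familiar = known_ips.get(user, set())
        for i, e in enumerate(seq):
            if e["event"] != "password_ok" or e["ip"] in familiar:
                continue
            t0 = _parse(e["ts"])
            for f in seq[i + 1:]:
                dt = (_parse(f["ts"]) - t0).total_seconds()
                if dt > window_s:
                    break  # events are sorted, nothing later can match
                if (f["event"] == "mfa_ok" and f["ip"] == e["ip"]
                        and f["factor"] in PHISHABLE_FACTORS):
                    alerts.append({"user": user, "ip": e["ip"],
                                   "factor": f["factor"],
                                   "seconds_to_mfa": int(dt)})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_vishing_candidates(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Only the first user is flagged: the push approval 26 seconds after a password success from an address never seen for that account. The rule is a starting point, not a verdict; a new laptop on hotel Wi-Fi produces the same pattern, so pair it with the network-zone context that Okta’s researcher recommends below before acting on it.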
How it’s done
Diallo believes we’re only at the start of a growing wave of voice-driven phishing attacks—now supercharged by tools that enable real-time session orchestration.
“Vishing is becoming such an in-demand area of expertise that, much like access to these kits, that expertise is also sold on an as-a-service basis,” Diallo said.
He added that real-time orchestration capabilities first seen in earlier phishing kits are now being replicated in newer tools built specifically to support callers during live attacks.
In the past, threat actors could pay for access to a single kit with broad, “one-size-fits-all” features aimed at major identity providers like Google, Microsoft Entra, and Okta, as well as cryptocurrency platforms. Now, a new generation of fraudsters is shifting toward selling access to bespoke control panels tailored to specific targeted services.
Recommendations
Fortunately, Diallo says the defensive priorities are clear.
“In a workplace context, there is no substitute for enforcing phishing resistance for access to resources,” he said.
For organizations using Okta for workforce authentication, that means enrolling users in Okta FastPass, passkeys—or ideally both, “for the sake of redundancy.”
Diallo also noted that social engineering campaigns can be disrupted by enforcing network zones or tenant access control lists that block access from anonymizing services commonly used by attackers.
“The key is to know where your legitimate requests come from, and allowlist those networks,” he said.
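What such a network policy looks like when written down: the evaluator below is an added example of the allowlist-plus-anonymizer-block logic Diallo describes, not Okta’s network zone engine or its API. The corporate ranges and the anonymizer range are constructed placeholders (in practice the former come from your own egress addresses and the latter from a maintained proxy or VPN feed), and the decisions it returns are illustrative labels.

```python
import ipaddress

# Constructed corporate egress ranges; the "know where your legitimate
# requests come from" part of the recommendation.
ALLOWED_ZONES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",
    "2001:db8:1::/48",
)]

# Constructed placeholder for an anonymizer (commercial VPN, Tor exit,
# hosting proxy) feed. Real deployments refresh this from a threat feed.
ANONYMIZER_ZONES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",
)]


def evaluate_source(ip_text):
    """Decide whether a sign-in from ip_text may proceed.

    Order matters: a deny list is checked before the allowlist so that an
    anonymizer range can never be accidentally permitted by an overly broad
    corporate CIDR, and anything not explicitly allowed is denied.
    Returns (decision, reason)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ("deny", "unparseable")
    if any(ip in zone for zone in ANONYMIZER_ZONES):
        return ("deny", "anonymizer")
    if any(ip in zone for zone in ALLOWED_ZONES):
        return ("allow", "corporate")
    return ("deny", "outside allowlist")


if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.45", "192.0.2.1", "2001:db8:1::10", "not-an-ip"):
        print(src, evaluate_source(src))
```

The default-deny branch is what actually disrupts the sequence described earlier: the attacker signs in with the stolen password from their own infrastructure, and if that address is not on the allowlist the password never reaches the MFA step, so there is no push or OTP for the caller to talk the victim through. Organizations with a remote workforce will need an allow-with-step-up path rather than a flat deny, but the ordering of the checks should stay the same.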
Some banks and cryptocurrency exchanges are also testing live caller verification tools, which allow users to open a mobile app and confirm whether they’re currently speaking with an authorized representative.
