Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

Datadog analyzed an active phishing campaign that impersonates Microsoft 365 and Okta pages to hijack SSO flows, capture credentials and session cookies, and bypass MFA methods that are not phishing-resistant. The campaign uses lookalike Okta domains, two-stage phishing pages, on-page JavaScript that hooks fetch/XHR to rewrite federation redirects and exfiltrate cookies, and a variety of phishing infrastructure and lures such as benefits-themed emails and PDFs. #Okta #Microsoft365

Keypoints

  • The campaign impersonates Okta and Microsoft 365 login flows using lookalike domains (e.g., sso.oktasecure[.]io, okta-cloud[.]com) to proxy traffic and preserve legitimate page customizations.
  • Attackers inject client-side JavaScript that hooks window.fetch and xhr.onreadystatechange to rewrite URLs, modify FederationRedirectUrl responses, and redirect victims to second-stage Okta phishing pages.
  • Injected scripts capture usernames via DOM events, persist them to storage/cookies, monitor for changes to cookies every second, and exfiltrate “critical” Okta session cookies (e.g., idx, JSESSIONID) to the attacker.
  • Phishing delivery includes malicious links and password-protected PDFs, use of compromised mailboxes (Salesforce/ExactTarget evidence) and Amazon SES for sending, plus link shorteners and Cloudflare-hosted pages with turnstiles for evasion.
  • Datadog provides detection guidance for Okta and Microsoft 365 logs (e.g., FastPass auth events, policy.evaluate_sign_on challenges, Cloudflare-sourced activity, and mail access queries for observed subject lines).
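The detection guidance summarized above, worked through as an added example that is not part of the Datadog write-up: a small triage script over Okta System Log events (JSON lines) that flags three signals an AitM proxy tends to leave behind. It assumes field names from Okta's System Log schema (eventType, outcome.result, actor.alternateId, client.ipAddress, securityContext.asNumber/asOrg, debugContext.debugData.factor), that 13335 is Cloudflare's ASN, and that Okta reports FastPass as factor "SIGNED_NONCE"; the log lines, user names, IPs and the non-Cloudflare ASNs are constructed.

```python
"""Triage Okta System Log events for adversary-in-the-middle signals (added example).

Assumptions, not taken from the write-up: Okta System Log field names as listed
in the lead-in, Cloudflare ASN 13335, FastPass reported as factor SIGNED_NONCE.
All sample events below are constructed; 192.0.2.x / 198.51.100.x / 203.0.113.x
are documentation ranges and the ASNs 64500/64501 are private-use.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CLOUDFLARE_ASN = 13335                      # Cloudflare's ASN (proxy-hosted phish pages)
FASTPASS_FACTOR = "SIGNED_NONCE"            # factor value Okta uses for FastPass (assumption)
AUTH_EVENT_PREFIXES = ("user.session.start", "policy.evaluate_sign_on", "user.authentication.")
REPLAY_WINDOW = timedelta(minutes=30)       # how soon a second session start counts as suspicious

# Constructed sample: alice and bob both normally use FastPass; bob's afternoon
# login comes through Cloudflare with a push factor, then a second session starts
# for bob from an unrelated IP a few minutes later (cookie replay pattern).
SAMPLE_LOG = """\
{"published":"2026-01-15T08:30:00.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.8"},"securityContext":{"asNumber":64500,"asOrg":"example corp"},"debugContext":{"debugData":{"factor":"SIGNED_NONCE"}}}
{"published":"2026-01-15T09:00:00.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"asNumber":64500,"asOrg":"example corp"},"debugContext":{"debugData":{"factor":"SIGNED_NONCE"}}}
{"published":"2026-01-15T09:00:02.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"asNumber":64500,"asOrg":"example corp"},"debugContext":{"debugData":{}}}
{"published":"2026-01-15T13:10:00.000Z","eventType":"policy.evaluate_sign_on","outcome":{"result":"CHALLENGE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.25"},"securityContext":{"asNumber":13335,"asOrg":"cloudflare"},"debugContext":{"debugData":{}}}
{"published":"2026-01-15T13:10:20.000Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.25"},"securityContext":{"asNumber":13335,"asOrg":"cloudflare"},"debugContext":{"debugData":{"factor":"OKTA_VERIFY_PUSH"}}}
{"published":"2026-01-15T13:10:21.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.25"},"securityContext":{"asNumber":13335,"asOrg":"cloudflare"},"debugContext":{"debugData":{}}}
{"published":"2026-01-15T13:25:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.99"},"securityContext":{"asNumber":64501,"asOrg":"vps host"},"debugContext":{"debugData":{}}}
"""


def parse_events(text):
    """Parse JSON-lines System Log export into dicts sorted by publish time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def is_auth_event(ev):
    return ev["eventType"].startswith(AUTH_EVENT_PREFIXES)


def is_cloudflare_sourced(ev):
    """True when Okta saw the request arrive from Cloudflare's network."""
    sc = ev.get("securityContext") or {}
    return sc.get("asNumber") == CLOUDFLARE_ASN or "cloudflare" in str(sc.get("asOrg", "")).lower()


def mfa_factor(ev):
    return ((ev.get("debugContext") or {}).get("debugData") or {}).get("factor")


def cloudflare_auth_events(events):
    """Signal 1: sign-on / MFA / session events whose client IP belongs to Cloudflare."""
    return [ev for ev in events if is_auth_event(ev) and is_cloudflare_sourced(ev)]


def mfa_downgrades(events):
    """Signal 2: users seen with FastPass elsewhere in the log who then satisfied
    MFA with a non-FastPass factor (the phishing-resistant factor was bypassed)."""
    fastpass_users = {ev["actor"]["alternateId"] for ev in events
                      if ev["eventType"] == "user.authentication.auth_via_mfa"
                      and mfa_factor(ev) == FASTPASS_FACTOR}
    return [ev for ev in events
            if ev["eventType"] == "user.authentication.auth_via_mfa"
            and ev["outcome"]["result"] == "SUCCESS"
            and mfa_factor(ev) != FASTPASS_FACTOR
            and ev["actor"]["alternateId"] in fastpass_users]


def possible_session_replays(events, window=REPLAY_WINDOW):
    """Signal 3: a successful session start via Cloudflare followed within `window`
    by another successful session start for the same user from a different IP."""
    starts = defaultdict(list)
    for ev in events:
        if ev["eventType"] == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            starts[ev["actor"]["alternateId"]].append(ev)
    hits = []
    for user, evs in starts.items():
        for i, first in enumerate(evs):
            if not is_cloudflare_sourced(first):
                continue
            for later in evs[i + 1:]:
                if (later["_ts"] - first["_ts"] <= window
                        and later["client"]["ipAddress"] != first["client"]["ipAddress"]):
                    hits.append((user, first["client"]["ipAddress"], later["client"]["ipAddress"]))
    return hits


def triage(text):
    """Run all three rules over a JSON-lines export and return the hits per rule."""
    events = parse_events(text)
    return {
        "cloudflare_sourced_auth": [(e["actor"]["alternateId"], e["eventType"])
                                    for e in cloudflare_auth_events(events)],
        "mfa_downgrade": [(e["actor"]["alternateId"], mfa_factor(e)) for e in mfa_downgrades(events)],
        "possible_replay": possible_session_replays(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(rule, hits)
```

On the sample, only bob trips the rules: three auth events sourced from Cloudflare, one push-based MFA where FastPass was expected, and a second session from a different IP fifteen minutes later. In a real deployment the Cloudflare check should use the provider's published IP ranges rather than ASN alone, and the "expected factor" baseline should come from a longer history than one export.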

MITRE Techniques

  • [T1566] Phishing – Campaign uses targeted phishing emails linking to credential-harvesting pages: ‘We identified a phishing campaign targeting organizations that use Microsoft 365 and Okta…’
  • [T1566.002] Spearphishing Link – Malicious emails contain links (often hidden via shorteners) that redirect to first-stage phishing domains: ‘Link shortener services were used to hide the domains like lnk[.]ie.’
  • [T1566.001] Spearphishing Attachment – Some phishing messages include password-protected PDFs that contain links to phishing pages: ‘phishing emails where the link to the phishing page is stored in a PDF file, encrypted with a password that’s shared in the phishing email.’
  • [T1056] Input Capture – Client-side script captures typed usernames via DOM events and stores them in cookies/localStorage: ‘the script tracks when the victim types in their username using the change and submit DOM events… document.cookie = 'okta_captured_username=' + encodeURIComponent(e.target.value) …’
  • [T1539] Steal Web Session Cookie – The injected JavaScript enumerates and exfiltrates Okta session cookies deemed “critical” for session impersonation: ‘const CRITICAL_COOKIES = ["idx", "JSESSIONID", "proximity_", "DT", "sid"];’ and it posts them to ‘/log_cookie’.
  • [T1078] Valid Accounts – Attackers use stolen session cookies and compromised mailboxes to impersonate users and send phishing: ‘the compromised mailboxes appear to be associated with Salesforce Marketing Cloud’ and stolen cookies are stored server-side for reuse by the attacker.

Indicators of Compromise

  • [Domain] First-stage phishing landing pages – employee-hr-portal[.]com, secure-hr-portal[.]com, and 24 more domains (e.g., mybenefits-portal[.]com, benefitsviewportal[.]com, office365mailsecurity[.]com).
  • [Domain] Second-stage Okta lookalike domains used to proxy Okta tenants – okta-secure[.]io, okta-access[.]com, and 6 more domains (e.g., okta-cloud[.]com, oktasecure[.]io).
  • [Email Subject] Observed phishing email subjects used as lures – “Action Required: Review Your 2026 Salary & Bonus Information”, “Thank You, : Your 2026 Compensation Package”, and 1 more subject.
  • [Email Address] Malicious senders or display names observed – [email protected], mocked [email protected] (spoofed display name) as seen in campaign emails.
  • [Hosting/Infrastructure] Cloud services used to host and send phishing content – Cloudflare hosted phishing pages (turnstiles used) and Amazon SES for sending malicious emails.
  • [Redirector] Shortener/redirect domains used to hide final landing pages – lnk[.]ie (example) used to obfuscate the phishing URL.
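The domain indicators above are only the ones the write-up published; the campaign reportedly used dozens more, so a defender wants a check that also catches unlisted lookalikes. The script below is an added example, not Datadog's code: it classifies hostnames from a DNS or proxy log as a known IoC, the known shortener, a legitimate Okta/Microsoft domain, or a brand lookalike (a host carrying an Okta/Microsoft brand token outside the vendors' real domains). The IoC and shortener lists are the defanged values quoted on this page; the legitimate-suffix lists, the brand tokens, the naive "last two labels" registered-domain helper and the sample hostnames are assumptions for illustration.

```python
"""Classify hostnames against this page's IoCs and Okta/M365 brand lookalikes (added example)."""

# Indicators quoted from the write-up, defanged as published on the page.
FIRST_STAGE_IOCS = {
    "employee-hr-portal[.]com", "secure-hr-portal[.]com", "mybenefits-portal[.]com",
    "benefitsviewportal[.]com", "office365mailsecurity[.]com",
}
SECOND_STAGE_IOCS = {"okta-secure[.]io", "okta-access[.]com", "okta-cloud[.]com", "oktasecure[.]io"}
SHORTENERS = {"lnk[.]ie"}

# Assumed legitimate vendor suffixes (not from the write-up); extend for your tenant.
LEGIT_OKTA = ("okta.com", "oktapreview.com", "okta-emea.com", "oktacdn.com")
LEGIT_M365 = ("microsoft.com", "microsoftonline.com", "office.com", "office365.com", "live.com", "windows.net")
BRAND_TOKENS = ("okta", "office365", "o365", "microsoft")   # assumed brand strings worth flagging


def refang(domain):
    """Turn a defanged indicator like okta-cloud[.]com back into okta-cloud.com."""
    return domain.replace("[.]", ".").lower().strip(".")


IOC_SET = {refang(d) for d in FIRST_STAGE_IOCS | SECOND_STAGE_IOCS}
SHORTENER_SET = {refang(d) for d in SHORTENERS}


def registered_domain(host):
    """Naive registrable domain: last two labels. Good enough for the sample; a real
    deployment should use the public suffix list (co.uk-style suffixes break this)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(host):
    """Return one of: known_ioc, link_shortener, legitimate, brand_lookalike, unclassified."""
    host = host.lower().strip(".")
    reg = registered_domain(host)
    if host in IOC_SET or reg in IOC_SET:
        return "known_ioc"
    if host in SHORTENER_SET or reg in SHORTENER_SET:
        return "link_shortener"
    if is_under(host, LEGIT_OKTA + LEGIT_M365):
        return "legitimate"
    # Brand token anywhere in the host (covers okta.com.evil.example as well as
    # oktasecure.io) but outside the vendors' own domains.
    if any(token in host for token in BRAND_TOKENS):
        return "brand_lookalike"
    return "unclassified"


def scan_hosts(hosts):
    """Map every non-legitimate, non-unclassified host to its verdict (for a SIEM alert)."""
    verdicts = {}
    for host in hosts:
        verdict = classify(host)
        if verdict not in ("legitimate", "unclassified"):
            verdicts[host] = verdict
    return verdicts


# Constructed sample hostnames, e.g. from a DNS resolver log.
SAMPLE_HOSTS = [
    "example.okta.com",
    "sso.oktasecure.io",            # page IoC: sso.oktasecure[.]io
    "okta-cloud.com",
    "login.microsoftonline.com",
    "portal.okta-login-verify.net", # constructed, not on the page
    "okta.com.evil.example",        # constructed, brand in a subdomain
    "lnk.ie",
    "www.example.org",
]

if __name__ == "__main__":
    for host, verdict in scan_hosts(SAMPLE_HOSTS).items():
        print(f"{verdict:16} {host}")
```

Because the lookalike rule keys on brand tokens rather than on the IoC list, it keeps working when the campaign rotates to a domain that was never published. The cost is false positives on legitimate third parties that mention a vendor in their name, so treat brand_lookalike hits as review-worthy rather than auto-block, and add such domains to the legitimate suffix list as they are vetted.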


Read more: https://securitylabs.datadoghq.com/articles/investigating-an-aitm-phishing-campaign-m365-okta/