
Okta/SSO hit by vishing: how FIDO2 blocks MFA bypass

In January 2026, Okta/Entra accounts were breached via vishing and AiTM proxies capturing OTP/push in real time. Phishing-resistant FIDO2/WebAuthn meets GDPR Article 32 requirements.

Confirmed incident (January 2026): Okta/Microsoft SSO accounts were compromised via a vishing + AiTM proxy campaign capturing credentials and MFA codes in real time. Public IOC: inclusivity-team[.]onrender.com. Phishing‑resistant MFA (FIDO2/WebAuthn) aligns with GDPR Article 32 security duties.

What happened

On January 22, 2026, BleepingComputer reported an active vishing campaign targeting enterprises to steal SSO credentials (Okta, Microsoft Entra, Google). Attackers impersonated IT, steered victims to an adversary‑in‑the‑middle phishing site, intercepted the authentication and relayed MFA challenges live. Infrastructure included a Socket.IO server hosted at inclusivity-team[.]onrender.com (public IOC). Phishing domains mimicked company names, often with “internal” or “my”, to capture the SSO login and then exfiltrate data (e.g., from CRMs) for extortion. Okta explicitly recommends phishing‑resistant MFA (FIDO2/WebAuthn passkeys, FastPass) against these adaptive kits. Source: BleepingComputer, 22/01/2026.

In the following weeks, Microsoft also warned of a large‑scale phishing wave (35,000 users in three days, sophisticated QR flows and “enterprise” pages) that bypasses traditional MFA to seize sessions. This confirms the 2026 trend: AiTM, device code phishing, and malicious QR codes are eroding OTP/push effectiveness. See TechRadar summary, 05/2026 and BleepingComputer, 19/02/2026.

IOCs to watch (public excerpts)

  • inclusivity-team[.]onrender.com (Socket.IO C2) — source
  • Typosquatted domains like <company>internal[.]com, my<company>[.]com (observed patterns) — source

Applicable legal framework

  • GDPR — Article 32: obligation to implement “appropriate” technical and organizational measures proportional to risk, including authentication and resilience, with evidence of ongoing effectiveness. Official text: EUR‑Lex. CNPD guidance: CNPD — Chapter IV. For local compliance context, see our material on GDPR and CNPD requirements.
  • Regulatory expectations: authentication proportionate to risk (administrators, SSO, sensitive data), resilience to known threats (phishing/AiTM), and demonstrable “state of the art” (FIDO2/WebAuthn recognized as phishing‑resistant). ENISA’s NIS2 implementation guidance: ENISA, 26/06/2025.

Legal conclusion: failing to deploy phishing‑resistant authentication on high‑impact access — with active AiTM threats — risks non‑compliance with Article 32.

The technical solution to deploy

Phishing‑resistant MFA (FIDO2/WebAuthn/passkeys):

  • Principle: public‑key authentication with origin binding. The browser writes the origin it is actually on into the signed client data, and the credential is scoped to the IdP's domain, so an assertion obtained on a look‑alike site cannot be replayed to the real IdP. No shared secret, no interceptable OTP, no phone‑coached push approvals.
  • In practice: enable FIDO2/WebAuthn at the IdP (Okta, Entra ID, etc.), issue domain‑bound passkeys, and require a phishing‑resistant “authentication strength” for:
    • privileged accounts (IT admin, security),
    • exposed SSO portals/mail/SaaS,
    • sensitive actions (policy changes, bulk export).
  • Associated controls:
    • Token binding/anti‑hijacking, shorter session lifetimes, rapid revocations,
    • Conditional access enforcing “phishing‑resistant”,
    • Block weak methods (SMS/OTP/push) for critical accounts,
    • AiTM detection (network/browser fingerprinting, anomalous IP/TLS).
  • References: ISO/IEC 27001:2022 (A.5.17, A.8.2), NIST SP 800‑63B (AAL2/AAL3), CIS v8 (Safeguard 6).
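To make the origin-binding principle concrete, here is an added walkthrough in Go of one WebAuthn assertion ceremony. It is illustrative code written for this article, not code from the original page, from Luxgap or from any IdP vendor. The hostnames sso.example.com and sso.myexample-internal.com are constructed, the authenticator data is reduced to rpIdHash, flags and a fixed counter, and the "browser" and "authenticator" are simulated in-process. It goes one step beyond the bullet above by also showing the challenge and signature checks that stop replay and tampering.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed hosts (not from the article): the real IdP and an AiTM look-alike.
const (
	rpID       = "sso.example.com"
	rpOrigin   = "https://sso.example.com"
	aitmOrigin = "https://sso.myexample-internal.com"
)
var rpIDHash = sha256.Sum256([]byte(rpID))

// clientData: the CollectedClientData fields that matter here. The browser, not
// the page, fills Origin with the origin it is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the IdP (relying party) gets back from the browser.
type assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// newCredential simulates the FIDO2 key's per-site private key made at enrolment.
func newCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand
	return base64.RawURLEncoding.EncodeToString(b)
}

// browserAllows is the browser's gate in navigator.credentials.get(): the RP ID
// must equal, or be a registrable suffix of, the page's host.
func browserAllows(origin string) bool {
	u, err := url.Parse(origin)
	return err == nil && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// sign produces the assertion for a challenge as seen from a page at origin.
func sign(key *ecdsa.PrivateKey, origin, challenge string) (*assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP) || counter
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	return &assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// verifyAssertion is the IdP side: right ceremony, the challenge we issued, the
// origin we serve, our RP ID hash, and a valid signature under the enrolled key.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch (replay of an old assertion)")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rpOrigin)
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpIDHash[:]):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("invalid signature")
	}
	return nil
}

// attemptLogin runs one ceremony from a page at origin: the IdP issues a
// challenge, the browser asks the key to sign it, the IdP verifies the result.
func attemptLogin(key *ecdsa.PrivateKey, origin string) error {
	if !browserAllows(origin) {
		return fmt.Errorf("browser refused: RP ID %q is not valid for origin %q", rpID, origin)
	}
	ch := newChallenge()
	as, err := sign(key, origin, ch)
	if err != nil {
		return err
	}
	return verifyAssertion(&key.PublicKey, ch, as)
}
```

Calling attemptLogin with rpOrigin returns nil; calling it with aitmOrigin fails at the browser gate, and an assertion signed on the look-alike origin and relayed straight to verifyAssertion fails the origin check. There is nothing for the proxy to capture and replay: the OTP that the vishing kit depends on simply does not exist in this flow.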

How Luxgap delivers this

  • ISO 27001 governance: risk‑based scoping, Authentication Policy, GDPR Art. 32 evidence (effectiveness reviews, adoption metrics, test reports). For an outsourced lead, our fractional CISO service secures the roadmap.
  • 24/7 managed SOC: IdP log ingestion (Entra/Okta), AiTM signals (anomalous device code, proxy TLS signatures, SSO from suspect ASNs), alerting and IOC blocking (incl. inclusivity-team[.]onrender.com). Explore our managed SOC incident detection.
  • E‑learning platform: targeted “anti‑vishing/QR” modules with simulations and certificates to reinforce the technical standard. See our security awareness programs.

Real‑world case in Luxembourg or the EU

A regulated financial services firm (EU) using Okta faced vishing attempts against finance staff. In six weeks:

  • migrated admins and “payments” accounts to FIDO2/passkeys with “phishing‑resistant only” policies;
  • blocked OTP/push for those roles and shortened sessions;
  • added SIEM rules for AiTM patterns (inconsistent User‑Agent/TLS, out‑of‑scope device code sign‑ins) and IOC blocking (incl. inclusivity-team[.]onrender.com);
  • delivered a 12‑minute “anti‑vishing/QR” micro‑training.

Outcome: two later attempts failed (non‑FIDO2 auth denied); SOC correlated alerts in under five minutes with automatic blocking. For local support, see our resources on cybersecurity in Luxembourg.

First concrete steps

  • Hunt for traces: in Entra/Okta logs, filter “device code” events and sign‑ins from new ASNs; immediately block traffic to inclusivity-team[.]onrender.com and look for access to “<company>internal[.]com”/“my<company>[.]com”.
  • Fix the scope: decide which roles/apps require “phishing‑resistant only” (admins, SSO, mail, finance).
  • Enable FIDO2/WebAuthn at the IdP: pilot with 20 key users (IT/security/finance), provide hardware keys if needed, document recovery.
  • Harden policies: shorten sessions, disable SMS/OTP/push for critical accounts, enforce phishing‑resistant “authentication strength”.
  • Train teams: a micro‑module on vishing and QR codes, plus a clear rule “never approve a phone‑coached push”.
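The "hunt for traces" step above and the SIEM rules from the case study (device code sign-ins, new ASNs, IOC and look-alike domain matching) can be expressed as a small hunting routine. The following Go program is an added example written for this article, not Luxgap's or any vendor's detection content. The sign-in record schema is a simplified, constructed one whose field names only loosely follow IdP sign-in logs; the tenant brand "examplecorp", the baseline ASNs 64512/64513, the critical user "bob" and every log line are constructed. The only value taken from the article is the public IOC inclusivity-team[.]onrender.com, with its defanging brackets removed so it can be matched.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// signIn is a simplified IdP sign-in record. Field names are loosely modelled
// on Entra/Okta sign-in logs; the schema and every record in this example are
// constructed, not taken from a real tenant.
type signIn struct {
	User     string `json:"user"`
	Protocol string `json:"authenticationProtocol"`
	ASN      int    `json:"asn"`
	Method   string `json:"authenticationMethod"`
	Result   string `json:"result"`
}

// finding is one alert-worthy observation.
type finding struct{ Subject, Reason string }

// Constructed tenant context: the brand to watch for in look-alike domains,
// the ASNs the tenant normally signs in from, the roles restricted to
// phishing-resistant factors, and the public IOC quoted in the article.
const companyName = "examplecorp"

var (
	baselineASNs  = map[int]bool{64512: true, 64513: true}
	criticalUsers = map[string]bool{"bob": true}
	iocHosts      = map[string]bool{"inclusivity-team.onrender.com": true}
)

func isPhishingResistant(method string) bool {
	switch strings.ToLower(method) {
	case "fido2", "passkey", "webauthn":
		return true
	}
	return false
}

// huntSignIns applies the sign-in checks from the "hunt for traces" step:
// device code flows, sign-ins from ASNs outside the baseline, and critical
// accounts still succeeding with an interceptable factor (OTP/push/SMS).
func huntSignIns(lines []string) ([]finding, error) {
	var out []finding
	for _, ln := range lines {
		var s signIn
		if err := json.Unmarshal([]byte(ln), &s); err != nil {
			return nil, fmt.Errorf("unparseable record %q: %w", ln, err)
		}
		if s.Protocol == "deviceCode" {
			out = append(out, finding{s.User, "device code sign-in"})
		}
		if !baselineASNs[s.ASN] {
			out = append(out, finding{s.User, fmt.Sprintf("sign-in from new ASN %d", s.ASN)})
		}
		if s.Result == "success" && criticalUsers[s.User] && !isPhishingResistant(s.Method) {
			out = append(out, finding{s.User, "critical account authenticated with " + s.Method})
		}
	}
	return out, nil
}

// suspiciousHost says why a contacted hostname matters: an exact IOC match, or
// a "<company>internal" / "my<company>" label as in the patterns the article reports.
func suspiciousHost(host string) (string, bool) {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	if iocHosts[h] {
		return "known C2 IOC", true
	}
	for _, label := range strings.Split(h, ".") {
		if label == companyName+"internal" || label == "my"+companyName {
			return "look-alike of " + companyName, true
		}
	}
	return "", false
}

// huntHosts scans destination hostnames from DNS or proxy logs.
func huntHosts(hosts []string) []finding {
	var out []finding
	for _, h := range hosts {
		if why, ok := suspiciousHost(h); ok {
			out = append(out, finding{h, why})
		}
	}
	return out
}

func main() {
	// Constructed sample input.
	signIns := []string{
		`{"user":"alice","authenticationProtocol":"oAuth2","asn":64512,"authenticationMethod":"fido2","result":"success"}`,
		`{"user":"bob","authenticationProtocol":"deviceCode","asn":64512,"authenticationMethod":"push","result":"success"}`,
		`{"user":"carol","authenticationProtocol":"oAuth2","asn":65001,"authenticationMethod":"otp","result":"failure"}`,
	}
	hosts := []string{"sso.examplecorp.com", "inclusivity-team.onrender.com", "examplecorpinternal.com", "login.myexamplecorp.net"}
	findings, err := huntSignIns(signIns)
	if err != nil {
		panic(err)
	}
	for _, f := range append(findings, huntHosts(hosts)...) {
		fmt.Printf("%-32s %s\n", f.Subject, f.Reason)
	}
}
```

On the sample above the routine raises five findings: bob's device code sign-in, bob's push-based success on a critical account, carol's sign-in from an unknown ASN, the C2 IOC, and two look-alike hosts. The "my<company>" pattern will also hit domains the organisation legitimately owns, so pair it with an allowlist of registered brand domains before turning it into an alert.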

Official sources

In short: what just happened (vishing + AiTM with a public IOC) is exactly what FIDO2/WebAuthn prevents by design. Under GDPR Article 32, deploying phishing‑resistant MFA on high‑impact accounts and systems is no longer optional: it’s an appropriate, auditable control.

Get in touch to plan a FIDO2 passkeys pilot and IdP hardening.
