0ktapus Phishing Attacks Compromised 130 Firms, Bypassed MFA
A coordinated phishing operation attributed to the threat group 0ktapus has ensnared more than 130 organizations across multiple industries, according to researchers at Threatpost. The campaign relied on convincing emails that impersonated a widely used multi-factor authentication (MFA) provider, directing victims to fraudulent login pages designed to harvest credentials.
The attackers crafted spear-phishing messages that mimicked routine MFA notifications, prompting users to verify their identity by entering their username, password, and a one-time passcode. The fake portals replicated the branding and UI of the legitimate service, making it difficult for end users to recognize the deception. By intercepting the submitted OTP and using it before it expired, the actors gained immediate access to corporate accounts, enabling further lateral movement within the targeted networks.
Researchers linked the infrastructure used in the campaign to previously identified activity associated with the 0ktapus group, suggesting a financially motivated or state-sponsored agenda. While the exact scale of data exfiltration remains under investigation, preliminary forensic analysis indicates that credentials from dozens of high-value targets have already been compromised, potentially exposing sensitive business data and intellectual property.
Security teams are urged to reinforce defenses by deploying phishing-resistant MFA mechanisms such as FIDO2/WebAuthn tokens or hardware security keys, which bind each authentication to the legitimate site's origin and so are not vulnerable to OTP interception or relay through a lookalike page. Additionally, organizations should enforce rigorous email filtering, conduct regular user awareness training, and monitor for anomalous login patterns indicative of credential misuse. Prompt revocation of compromised credentials and implementation of least-privilege access controls can further mitigate the risk posed by such campaigns.
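The following Python example, added here and not part of the original report, shows why the recommendation above holds: a relayed one-time passcode is accepted by the real service because the code carries no information about where it was typed, whereas a WebAuthn assertion produced on a lookalike page fails the relying party's origin check. The relying party (`login.example-corp.test`), the lookalike domain, and the HMAC stand-in for the security key's signature are all constructed assumptions for the example; a real FIDO2 key signs with a per-site private key, but the property demonstrated is the same, since the browser, not the user, writes the page origin into `clientDataJSON` and the signature covers it.

```python
"""Constructed example: OTP relay vs. WebAuthn origin binding (stdlib only)."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed relying party (RP) and the lookalike domain a phishing kit would use.
RP_ID = "login.example-corp.test"
RP_ORIGIN = "https://login.example-corp.test"
PHISH_ORIGIN = "https://login.example-corp-sso.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- One-time passcode: nothing in the code says which page collected it ----

def otp_for(user_secret: bytes, counter: int) -> str:
    """Simplified HOTP-style code (assumption: not RFC 4226, just a keyed digest)."""
    digest = hmac.new(user_secret, counter.to_bytes(8, "big"), "sha256").hexdigest()
    return digest[:6]


def verify_otp(user_secret: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(code, otp_for(user_secret, counter))


def relayed_otp_login() -> bool:
    """Victim types the code into the lookalike page; the kit forwards it to the RP."""
    user_secret = secrets.token_bytes(20)
    code_typed_on_phish_page = otp_for(user_secret, 1)   # victim reads it from their app
    return verify_otp(user_secret, 1, code_typed_on_phish_page)  # RP accepts: True


# ---- WebAuthn: the browser binds the assertion to the page origin ----

class Authenticator:
    """Stand-in for a FIDO2 security key; HMAC replaces the real private-key signature."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)   # shared with the RP at registration (stand-in)

    def get_assertion(self, page_origin: str, challenge: bytes):
        # The browser, not the page script, fills in "origin" from the actual URL.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
            sort_keys=True,
        ).encode()
        # authenticatorData begins with SHA-256 of the rpId derived from the page's host.
        rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # flags: UP set; counter 0
        sig = hmac.new(self.secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, auth_data, sig


def verify_assertion(secret: bytes, expected_challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes):
    """Abridged RP-side checks in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(key: Authenticator):
    challenge = secrets.token_bytes(32)
    cd, ad, sig = key.get_assertion(RP_ORIGIN, challenge)
    return verify_assertion(key.secret, challenge, cd, ad, sig)


def relayed_webauthn_login(key: Authenticator):
    """Kit fetches a real challenge, shows it on the lookalike page, forwards the result."""
    challenge = secrets.token_bytes(32)                        # issued by the RP to the kit's session
    cd, ad, sig = key.get_assertion(PHISH_ORIGIN, challenge)   # victim's browser on the lookalike page
    return verify_assertion(key.secret, challenge, cd, ad, sig)  # RP rejects: origin mismatch


def stale_challenge_login(key: Authenticator):
    """Replaying an old assertion against a fresh challenge also fails."""
    old, new = secrets.token_bytes(32), secrets.token_bytes(32)
    cd, ad, sig = key.get_assertion(RP_ORIGIN, old)
    return verify_assertion(key.secret, new, cd, ad, sig)


if __name__ == "__main__":
    key = Authenticator()
    print("relayed OTP accepted:", relayed_otp_login())
    print("legitimate WebAuthn:", legitimate_login(key))
    print("relayed WebAuthn:", relayed_webauthn_login(key))
```

In a real browser the relay would fail even earlier, because a page on the lookalike host may not invoke a credential scoped to `login.example-corp.test` at all; the example lets the forged request reach the relying party to show that the origin and rpId checks on the server side provide a second, independent rejection. The same origin field in `clientDataJSON` is also what a defender's login telemetry should surface: an assertion failing with an origin mismatch is a strong signal that a relay kit is active against your users.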