A new wave of attacks combines vishing (voice phishing) with SSO abuse to extort SaaS platforms. Cybercriminals call employees, impersonate technical support, and obtain one-time MFA codes in seconds. With a valid SSO session, they escalate privileges and move laterally across connected applications, leaving companies with little time to react.
How social engineering works on federated SSO 🛡️
The attack exploits the trust that federated authentication places in a completed login. Vishing tricks the user into revealing their password and the current code from their MFA app; with both, the attacker authenticates to the SSO provider and receives a valid session token. That login looks legitimate to the identity provider (correct password, correct second factor, a real user), so on its own it does not trigger suspicious-login alerts. From there the attacker uses the internal APIs of SaaS applications such as Slack or Salesforce to create administrator accounts. One-time codes from an authenticator app, SMS or a push prompt can be read out or approved over the phone; phishing-resistant factors such as FIDO2/WebAuthn security keys have no code to hand over, which is why they stop this step.
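Because the SSO login itself is valid, the place to catch this chain is the correlation between the login and what follows it. The script below is an added example, not code from the original page or from any vendor: it parses constructed JSON audit lines in an invented generic schema (the `source`, `actor`, `action`, `ip` and `detail` fields are assumptions, not a real IdP or SaaS format), keeps a hypothetical baseline of IPs previously seen per user, and flags an SSO login that used a phishable factor from a never-seen IP when it is followed within 30 minutes by account creation or an admin role grant in a connected SaaS app.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit lines in an invented schema (not a real vendor format).
# alice: normal OTP login from her usual IP, then a phished OTP login from a new IP
# followed by admin-account creation in Salesforce and an admin grant in Slack.
# bob: admin grant from a new IP, but his login used a phishing-resistant factor.
SAMPLE_LOG = """\
{"ts":"2024-05-06T09:02:11Z","source":"idp","actor":"alice","action":"sso.login","ip":"203.0.113.10","detail":"otp"}
{"ts":"2024-05-06T09:05:40Z","source":"slack","actor":"alice","action":"channel.join","ip":"203.0.113.10","detail":"#eng"}
{"ts":"2024-05-06T14:31:05Z","source":"idp","actor":"alice","action":"sso.login","ip":"198.51.100.77","detail":"otp"}
{"ts":"2024-05-06T14:33:52Z","source":"salesforce","actor":"alice","action":"user.create","ip":"198.51.100.77","detail":"profile=System Administrator"}
{"ts":"2024-05-06T14:40:19Z","source":"slack","actor":"alice","action":"role.grant","ip":"198.51.100.77","detail":"target=svc-backup role=admin"}
{"ts":"2024-05-06T15:10:00Z","source":"idp","actor":"bob","action":"sso.login","ip":"192.0.2.5","detail":"webauthn"}
{"ts":"2024-05-06T15:12:00Z","source":"slack","actor":"bob","action":"role.grant","ip":"192.0.2.5","detail":"target=carol role=admin"}
"""

# Hypothetical baseline: IPs each user has been seen from before today.
KNOWN_IPS = {"alice": {"203.0.113.10"}}

# Second factors an attacker can obtain or get approved over the phone.
PHISHABLE_FACTORS = {"otp", "sms", "push"}
# SaaS actions that create or elevate a privileged identity (assumed names).
PRIVILEGED_ACTIONS = {"user.create", "role.grant"}
WINDOW = timedelta(minutes=30)


@dataclass
class Event:
    ts: datetime
    source: str   # "idp" for the SSO provider, otherwise the SaaS app name
    actor: str
    action: str
    ip: str
    detail: str


def parse_log(text):
    """Parse newline-delimited JSON audit records into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, r["source"], r["actor"], r["action"], r["ip"], r.get("detail", "")))
    return sorted(events, key=lambda e: e.ts)


def detect_vishing_sso_abuse(events, known_ips=KNOWN_IPS, window=WINDOW):
    """Correlate a risky SSO login with privileged SaaS actions that follow it.

    A login is risky when it used a phishable factor AND came from an IP the
    user has never been seen from. On its own that is only a weak signal (the
    IdP accepted a valid password and MFA), so an alert is raised only when the
    same actor creates a user or grants a role in a SaaS app within `window`.
    """
    alerts = []
    for i, login in enumerate(events):
        if login.source != "idp" or login.action != "sso.login":
            continue
        new_ip = login.ip not in known_ips.get(login.actor, set())
        phishable = login.detail in PHISHABLE_FACTORS
        if not (new_ip and phishable):
            continue
        follow_ons = []
        for ev in events[i + 1:]:
            if ev.ts - login.ts > window:
                break  # events are sorted, nothing later can be in the window
            if ev.actor == login.actor and ev.source != "idp" and ev.action in PRIVILEGED_ACTIONS:
                follow_ons.append((ev.source, ev.action, ev.detail))
        if follow_ons:
            alerts.append({
                "actor": login.actor,
                "login_ts": login.ts,
                "ip": login.ip,
                "factor": login.detail,
                "actions": follow_ons,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_vishing_sso_abuse(parse_log(SAMPLE_LOG)):
        print(f"[ALERT] {a['actor']} logged in via {a['factor']} from new IP {a['ip']} at {a['login_ts']:%H:%M}")
        for source, action, detail in a["actions"]:
            print(f"         -> {source}: {action} ({detail})")
```

On the sample data only alice's afternoon session is flagged: her morning OTP login came from a known IP, and bob's admin grant, although from a new IP, followed a WebAuthn login that a phone call cannot obtain. In production the IP baseline would come from the IdP's own history and the window should be tuned to how quickly legitimate admins act after signing in.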
Employee of the year: the one who gives away their MFA over the phone 📞
The funny thing is that companies spend fortunes on firewalls, and then an employee hands over their two-factor code because the person on the phone claiming to be from security sounded very professional. The attacker only needs a script and patience. Meanwhile, the CISO reviews logs thinking it's a technical glitch. The best firewall would have been not picking up calls from unknown numbers.