0ktapus phishing campaign: How attackers abuse Okta SSO to bypass MFA
ID: fd0b8d1f-4ac3-5076-a140-458351ccbe6f
STIX ID: report--fd0b8d1f-4ac3-5076-a140-458351ccbe6f
Feed Name: ThreatLocker Blog
0ktapus is a large-scale phishing campaign that targets Okta Single Sign-On users with highly convincing lookalike IdP pages and real-time interception of credentials and MFA codes; captured data is replayed against legitimate Okta tenants to establish valid sessions and access connected SaaS ecosystems. The report attributes the campaign to Scattered Spider (UNC3944), notes impacts across 130+ organizations, describes TTPs (phishing, smishing, MFA fatigue, SSO abuse), and recommends mitigations including phishing-resistant MFA, domain monitoring, conditional access, session revocation, and user training.
