Why Attackers Are Bypassing Phishing Emails and Targeting Identity Instead

This report describes 'Okta vishing', a rising voice-based social engineering technique where attackers call users or help desks to manipulate MFA and SSO settings, gain access to identity providers, and pivot into cloud SaaS (Microsoft 365, SharePoint, OneDrive, Google Workspace, Slack, etc.) for large-scale data exfiltration; it details an attack flow, key DFIR indicators (MFA resets, new device enrollments, abnormal SharePoint/OneDrive downloads, OAuth app consent), and mitigations including phishing-resistant MFA, strict help-desk verification, conditional access, identity logging/monitoring, and SOC/MDR alignment.