Investigating an adversary-in-the-middle phishing campaign targeting Microsoft 365 and Okta users

ID: d181c77b-8971-58f8-853e-0e77322d81c7

STIX ID: report--d181c77b-8971-58f8-853e-0e77322d81c7

Feed Name: Datadog Security Labs

Threat Score: 75/100

Date Published: 2025-12-10

Date Updated: 2026-04-27

### Executive summary

Datadog Security Labs reports an active, sophisticated phishing campaign that hijacks Microsoft 365 and Okta SSO flows by proxying legitimate login pages and injecting JavaScript to steal credentials and session cookies. The attack uses lookalike Okta domains and weaponized Microsoft login pages that redirect victims to second-stage Okta phishing pages, leverages Cloudflare infrastructure and link shorteners, and uses an "employee benefits" lure. The report includes code samples, IOCs (domains, email subjects, senders), and detection queries for Okta and Microsoft 365 logs.