Identity Provider Okta Reports Surge in Phone-Based Scams Targeting Microsoft 365 Users
Criminals are calling Microsoft 365 users and directing them to fake login pages to steal credentials and gain network access.
A Growing Threat Through Your Phone
Identity management company Okta has raised an alarm about a coordinated attack campaign where criminals are using phone calls to trick Microsoft 365 customers into surrendering their login credentials. Unlike traditional phishing emails that arrive in your inbox, these attackers take a more personal approach—they call their targets directly and guide them toward bogus websites designed to look identical to legitimate Microsoft Entra ID login portals. Once victims enter their usernames and passwords on these fake sites, the attackers gain the keys to their corporate networks.
This hybrid attack strategy, blending voice communication with web-based deception, represents an evolution in how cybercriminals operate. It's like receiving a convincing phone call from someone pretending to be your bank, then being directed to a counterfeit website that perfectly mimics the real thing—except in this case, the stakes involve access to your entire organization's data and systems.
Why This Matters Right Now
Microsoft 365 has become the backbone of modern business operations. Thousands of companies rely on it for email, file storage, collaboration, and countless critical workflows. When attackers compromise a user's account, they don't just gain access to that one person's information—they often unlock the entire network. From there, they can steal sensitive documents, deploy malware, or hold systems for ransom.
The phone-based approach is particularly effective because it bypasses many of the technical defenses organizations put in place. Your email security tools might catch suspicious links, but a direct phone call feels personal and urgent, making people more likely to lower their guard. The criminals often use social engineering tactics—creating a false sense of urgency or authority—to pressure victims into acting quickly without thinking.
What This Means for You
If you use Microsoft 365 for work, you've become a potential target. These attackers are likely purchasing contact lists or using publicly available business information to identify their victims. They're betting on the fact that many employees won't verify whether a phone call is legitimate before visiting a website or entering their credentials.
For IT managers and security leaders, this campaign highlights a critical vulnerability: the human element. No firewall or encryption can protect against someone who voluntarily hands over their password to a criminal posing as a helpful support person.
Steps You Should Take Immediately
- Never click links from unsolicited calls. If someone calls claiming to be from Microsoft or your IT department, hang up and contact your IT team directly using a phone number you know is legitimate.
- Verify before you enter credentials. Always type website addresses directly into your browser rather than following links provided during unexpected calls or messages.
- Watch for red flags. Real Microsoft support won't ask for passwords over the phone. Legitimate IT departments will use established channels and won't create artificial urgency.
- Report suspicious calls. If you receive a call attempting this scam, inform your security team immediately so they can alert others.
- Enable multi-factor authentication. If someone does steal your password, this extra security layer can prevent them from accessing your account.
- Get trained. Request security awareness training focused on social engineering and vishing (voice phishing) tactics.
As cyber threats become more sophisticated and personal, staying vigilant about who you're talking to—and what information you're sharing—has become just as important as keeping your software updated.
Want to understand the technology behind this story? ITVedas has beginner-friendly guides on every IT topic.
Explore IT Chapters →