UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign


HackRead, Apr 10, 2026

Why It Matters

By compromising third‑party service providers, UNC6783 bypasses the target's own perimeter defenses, turning the vendor relationship into a supply‑chain vulnerability that can affect any large enterprise that outsources work. The campaign underscores the need for phishing‑resistant authentication and security hygiene across the whole vendor ecosystem, not just inside the corporate network.

Key Takeaways

  • UNC6783 targets BPOs to infiltrate corporate networks via fake Okta pages
  • Attackers use live‑chat social engineering to deliver malicious login links
  • Clipboard hijacking lets hackers enroll devices for persistent access
  • RAT payloads are hidden behind bogus security‑update emails
  • FIDO2 hardware keys and ecosystem monitoring are recommended defenses

Pulse Analysis

Supply‑chain attacks have evolved from a peripheral concern into a primary intrusion vector, and UNC6783 exemplifies this shift. By targeting Business Process Outsourcers (BPOs), the group exploits the trust relationship between a vendor and its clients: one compromised vendor account is a low‑cost foothold that opens access to high‑value data across multiple industries. The approach mirrors earlier campaigns against managed‑service providers, but the extortion‑focused data theft raises the stakes for any organization that outsources critical functions.

The technical playbook employed by UNC6783 blends social engineering with credential theft. Attackers open live‑chat conversations posing as support agents and send URLs that mimic the target's Okta SSO portal. The fake page also hijacks the clipboard, so whatever the victim pastes into it (credentials, a one‑time code) is captured, and the adversary uses that material to enroll a new device and retain persistent access. In parallel, fake security‑update emails deliver Remote Access Trojans, placing compromised endpoints under the attackers' remote command and control. SMS‑based multi‑factor authentication offers little protection against this layered attack, because a one‑time code typed into a phishing page is simply relayed to the real login; only origin‑bound credentials such as FIDO2 hardware keys refuse to authenticate to a lookalike domain.

Mitigation now requires a multi‑pronged strategy that extends beyond the corporate perimeter. FIDO2 security keys remove the dependence on phishable text‑message codes, and the same phishing‑resistance requirement belongs on BPO and other vendor accounts that can reach corporate systems. Continuous monitoring of live‑chat logs can flag anomalous link patterns, such as the Zendesk‑style URLs observed in this campaign: any login or verification link that does not point at the organization's own SSO tenant deserves scrutiny. Regular audits of newly enrolled devices and MFA factors, together with strict zero‑trust policies, further reduce the attack surface. Finally, phishing simulations that include live‑chat scenarios help employees recognize and report suspicious interactions, reinforcing the human element of a resilient security posture.
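The chat‑log monitoring described above can be approximated with a small scanner. The following is an added example, not code from HackRead or from any vendor involved; the tab‑separated transcript format, the trusted hostnames (an assumed `example.okta.com` tenant and `example.zendesk.com` support portal), the lure keyword list and the sample transcript are all constructed assumptions. It extracts every URL a chat participant sends, treats anything not on the trusted list that borrows an SSO or help‑desk keyword (after simple homoglyph normalisation, so `0kta` is caught) as a lookalike, and reports the rest as unknown for a human to review.

```python
"""Flag lookalike SSO and support-portal links in live-chat transcripts.

Added example (not from the article or the affected vendors). The transcript
format, the trusted hostnames and the keyword list are all assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: the organisation's own Okta tenant and its own support portal.
TRUSTED_HOSTS = {"example.okta.com", "example.zendesk.com"}

# Words attackers put in lookalike hostnames to borrow trust from SSO and
# help-desk brands. Matched after homoglyph normalisation (0->o, 1->l, 3->e).
LURE_KEYWORDS = ("okta", "sso", "login", "verify", "zendesk", "support")
_HOMOGLYPHS = str.maketrans("013", "ole")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL hostname."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "trusted"
    normalised = host.translate(_HOMOGLYPHS)
    # Any non-trusted host that borrows an SSO/help-desk keyword is a lookalike,
    # including other tenants under okta.com or zendesk.com: a link pushed in
    # chat should only ever point at *our* tenant.
    if any(k in normalised for k in LURE_KEYWORDS):
        return "lookalike"
    return "unknown"


def scan_transcript(text: str) -> list[dict]:
    """Extract every URL from a tab-separated chat transcript and report
    those not on the trusted list. Lines are: timestamp, sender, message."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        timestamp, sender, message = parts
        for url in URL_RE.findall(message):
            host = urlparse(url).hostname or ""
            verdict = classify_host(host)
            if verdict != "trusted":
                findings.append({"line": lineno, "sender": sender,
                                 "host": host, "url": url, "verdict": verdict})
    return findings


# Constructed sample transcript: a vendor "agent" first sends the real tenant,
# then an "updated" lookalike, then a lure hosted on a third-party help-desk.
SAMPLE_CHAT = """\
2026-04-10T09:12:03Z\tagent\tPlease re-verify here: https://example.okta.com/login/login.htm
2026-04-10T09:12:41Z\tagent\tActually use this updated link: https://example-0kta-verify.com/login
2026-04-10T09:13:10Z\tcustomer\tMy ticket is https://example.zendesk.com/hc/requests/123
2026-04-10T09:13:55Z\tagent\tSecurity needs you to confirm at https://helpdesk-sso-support.zendesk.com/hc/login
2026-04-10T09:14:20Z\tcustomer\tStatus page https://status.example.net/incident/42 says all fine
"""

if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_CHAT):
        print(f"line {f['line']} [{f['sender']}] {f['verdict']:9} {f['url']}")
```

Run against the sample transcript it reports two lookalikes (the `0kta` domain and the third‑party Zendesk subdomain) and one unknown link. The registrable‑domain handling is deliberately naive; a production version would resolve suffixes with a public‑suffix list and feed findings into the SIEM alongside the sender identity so a "support agent" pushing a second, different login link in the same session stands out.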
