Close this search box.

‘0ktapus’ SMS Phishing Campaign Targets 130 Companies mimicking MFA service Okta


An ongoing phishing campaign has spoofed multi-factor authentication systems at over 130 companies.

The phishing campaign compromised 9,931 accounts at over 130 organisations, including Twilio and Cloudflare. The campaigns linking to a targeted abuse of Okta have earned them the name 0ktapus.

“The primary goal of the threat actors was to obtain Okta identity credentials and multi-factor authentication (MFA) codes from users of the targeted organisations,” according to a Group-IB report. “These users received text messages containing links to phishing sites that mimicked the Okta authentication page of their organisation.”

There were 114 US-based firms affected, with additional victims scattered across 68 countries, including Australia and New Zealand. 

According to a senior threat intelligence analyst at Group-IB, it is unknown what the scope of the attacks is. “The 0ktapus campaign has been incredibly successful, and the full scale of it may not be known for some time,” he said.

Geolocation of users that had their credentials compromised during Oktapus phishing campaign
(Source: Group-IB)
Geolocation of headquarters of organisations targeted during Oktapus phishing campaign
(Source: Group-IB)

Goal of the Oktapus hacking campaign

0ktapus attackers began their campaign by targeting telecommunications companies to gain access to phone numbers.  

A theory researchers propose is that 0ktapus attackers started their campaign by targeting telecommunications companies to obtain a list of phone numbers used in MFA-related attacks.  

Next, attackers sent phishing links via text message to targets. The links led to websites mimicking the Okta authentication page used by the target’s employer. In addition to Okta credentials, victims had to supply multi-factor authentication (MFA) codes used by employers to secure their logins.  

An accompanying technical blog explains that the initial compromises of software-as-a-service firms were merely the first phase of a multifaceted attack. The goal of Oktapus was to gain access to company mailing lists or customer-facing systems to facilitate supply-chain attacks.  

DoorDash also revealed in a possibly related incident that it had been the victim of an attack with all the hallmarks of an Oktapus-style attack within hours of Group-IB publishing its report late last week.

More MFA attacks to come

Group-IB reported that the attackers compromised 5,441 MFA codes during their campaign.  

It has become easier for threat actors to bypass supposedly secure multi-factor authentication through MFA attacks. These threats won’t subside anytime soon, either. Globally, phishing attacks rose by 29 per cent in 2021, according to Zscaler, which notes that SMS phishing is increasing faster than other kinds of scams because people have become better at identifying fraudulent emails.  

The more you know about the types of attacks committed against the MFA you use, the better prepared you will be to detect and respond to them safely. 

To mitigate 0ktapus-style campaigns, researchers recommend using FIDO2-compliant security keys for MFA and good URL and password hygiene.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →