August 29, 2022 · Source: Threatpost

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

Tentacles of the '0ktapus' Group Hit 130 Companies

130+ Companies Just Got Phished by '0ktapus'—And It's Worse Than You Think

Over 130 companies. That's the scale of the phishing campaign Threatpost recently reported on, and it's not some theoretical exercise or proof-of-concept attack. This is active, ongoing cybersecurity warfare happening right now.

The threat group behind it? They're calling themselves '0ktapus,' and they've figured out something genuinely clever: spoofing multi-factor authentication systems to harvest credentials at scale. So while you thought MFA was your security blanket, these attackers found a way to make it work against you.

Breaking It Down

Here's what makes this campaign different from the usual phishing noise we deal with. Instead of just creating fake login pages and hoping for the best, 0ktapus went after the authentication layer itself. They're spoofing MFA prompts—the very thing that's supposed to protect users when their password gets compromised.

According to Threatpost's reporting, the attackers use phishing emails to trick users into entering their credentials, then immediately present a fake MFA verification screen. By the time the victim realizes something's wrong, the attacker already has their username and password and—critically—has got them to type a valid second-factor code into a prompt they believed was legitimate.

The scope is staggering. One hundred and thirty companies across multiple industries. And Threatpost notes that many of these organizations have sophisticated security teams. They weren't low-hanging fruit; these are companies that should know better.

The Technical Side

So how does this actually work? The attack chain is deceptively simple, which is probably why it's so effective.

It starts with a phishing email—nothing revolutionary there. The email directs victims to a credential-harvesting page that impersonates the organization's own login portal or that of a service provider the organization uses. Once the user enters their credentials, they get redirected to what appears to be an MFA verification screen.

And here's where it gets mean. That fake MFA prompt doesn't actually validate anything. It just collects whatever the user enters—their authenticator app code, their SMS token, whatever. The attacker now has everything needed for account takeover.

The reason this works? Human psychology. When you see an MFA prompt, your brain switches into a different mode. You're no longer thinking "is this real?"—you're just trying to complete the process. It's the security equivalent of a magic trick: misdirection at the right moment.

Who's Affected

Threatpost didn't disclose all 130 victims, but that's actually the concerning part. We don't know the full damage assessment yet. Some targets have already gone public; others probably haven't noticed the compromise, or they're quietly investigating before disclosure.

The industries hit? Tech companies, financial services, government contractors. Basically, the organizations attackers most want to infiltrate.

What To Do Now

First, stop treating MFA as a magic bullet. It's still essential—don't disable it—but understand that it's one layer, not the whole defense.

Second, check your email logs. Look for suspicious phishing campaigns targeting your organization. If you spot them, investigate whether anyone actually clicked through and entered credentials. This isn't optional—if 0ktapus hit your company, the damage clock is already running.
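One way to act on the "check your email logs" step, as an added example rather than anything from the article: correlate mail-gateway URL-click events with identity-provider sign-ins, and flag any user who clicked a link to a host that is not one of your real login portals and then had a successful sign-in from an IP address they had never used before, within a short window. The log format, field names, host names, IP addresses and timestamps below are constructed for the demo, and the allowlist of legitimate login hosts is an assumption you would replace with your own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Event is one line from either the mail gateway (type "click") or the
// identity provider (type "signin"), normalised to a common JSON shape.
// This shape is an assumption for the demo, not a real product's format.
type Event struct {
	TS     time.Time `json:"ts"`
	Type   string    `json:"type"`
	User   string    `json:"user"`
	IP     string    `json:"ip"`
	URL    string    `json:"url,omitempty"`
	Result string    `json:"result,omitempty"`
}

// Finding records a click on a non-allowlisted login host. FollowUpIP is set
// when a successful sign-in from an IP the user never used before followed
// the click inside the window: the pattern of a relayed credential + code.
type Finding struct {
	User        string
	ClickedHost string
	ClickedAt   time.Time
	FollowUpIP  string
	FollowUpAt  time.Time
}

// KnownLoginHosts is the allowlist of real login portals (constructed).
var KnownLoginHosts = map[string]bool{"sso.example.com": true}

// SampleLog is a constructed log: alice and bob click a lookalike host,
// carol clicks the real one. Only alice's click is followed by a successful
// sign-in from a new address.
var SampleLog = []string{
	`{"ts":"2022-08-29T09:00:10Z","type":"signin","user":"alice","ip":"203.0.113.10","result":"success"}`,
	`{"ts":"2022-08-29T09:14:02Z","type":"click","user":"alice","ip":"203.0.113.10","url":"https://sso-example-corp.com/login"}`,
	`{"ts":"2022-08-29T09:16:40Z","type":"signin","user":"alice","ip":"198.51.100.77","result":"success"}`,
	`{"ts":"2022-08-29T09:20:00Z","type":"click","user":"bob","ip":"203.0.113.11","url":"https://sso-example-corp.com/login"}`,
	`{"ts":"2022-08-29T09:21:00Z","type":"signin","user":"bob","ip":"203.0.113.11","result":"failure"}`,
	`{"ts":"2022-08-29T10:00:00Z","type":"click","user":"carol","ip":"203.0.113.12","url":"https://sso.example.com/login"}`,
	`{"ts":"2022-08-29T10:01:00Z","type":"signin","user":"carol","ip":"203.0.113.12","result":"success"}`,
}

// parseEvents decodes JSON lines and sorts them by timestamp.
func parseEvents(lines []string) ([]Event, error) {
	var evs []Event
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if l == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", l, err)
		}
		evs = append(evs, e)
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].TS.Before(evs[j].TS) })
	return evs, nil
}

// Correlate returns one Finding per click on a host outside knownLoginHosts.
func Correlate(lines []string, knownLoginHosts map[string]bool, window time.Duration) ([]Finding, error) {
	evs, err := parseEvents(lines)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for i, e := range evs {
		if e.Type != "click" {
			continue
		}
		u, err := url.Parse(e.URL)
		if err != nil || knownLoginHosts[u.Hostname()] {
			continue
		}
		f := Finding{User: e.User, ClickedHost: u.Hostname(), ClickedAt: e.TS}
		// The user's "usual" addresses: where they signed in before the click,
		// plus the address they clicked from.
		usual := map[string]bool{e.IP: true}
		for _, p := range evs[:i] {
			if p.Type == "signin" && p.User == e.User && p.Result == "success" {
				usual[p.IP] = true
			}
		}
		for _, n := range evs[i+1:] {
			if n.TS.Sub(e.TS) > window {
				break
			}
			if n.Type == "signin" && n.User == e.User && n.Result == "success" && !usual[n.IP] {
				f.FollowUpIP, f.FollowUpAt = n.IP, n.TS
				break
			}
		}
		findings = append(findings, f)
	}
	return findings, nil
}

func main() {
	fs, err := Correlate(SampleLog, KnownLoginHosts, 30*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		if f.FollowUpIP != "" {
			fmt.Printf("%s clicked %s at %s; successful sign-in from new IP %s at %s: treat credentials and MFA as compromised\n",
				f.User, f.ClickedHost, f.ClickedAt.Format(time.RFC3339), f.FollowUpIP, f.FollowUpAt.Format(time.RFC3339))
		} else {
			fmt.Printf("%s clicked %s at %s; no suspicious sign-in yet: confirm whether credentials were entered\n",
				f.User, f.ClickedHost, f.ClickedAt.Format(time.RFC3339))
		}
	}
}
```

A click with no follow-up sign-in is still worth a conversation with the user, since the page may have collected the password and code without the attacker using them yet; the follow-up from a new address is the signal to start password and MFA resets immediately.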

Third, educate your team on MFA fatigue attacks. Users need to understand that legitimate MFA prompts won't appear after a phishing email. If they got redirected to a login screen from an email, then got an MFA prompt immediately after, that's not how it actually works.

And finally, implement phishing-resistant authentication if you can. FIDO2 security keys, Windows Hello, passkeys—these eliminate the attack vector because the authenticator signs a challenge bound to the legitimate site's origin, so there is no reusable code for a fake prompt to harvest in the first place.
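As an added illustration, not code from the article or from Threatpost's reporting, of the contrast between the fake MFA prompt described under "The Technical Side" and the phishing-resistant factors recommended above: the Go program below shows why a one-time code typed into a fake MFA screen still logs the attacker in when relayed, while a signature bound to the page's origin does not. The TOTP part follows RFC 6238; the second part is a simplified model of a WebAuthn assertion (real WebAuthn signs over a hash of the client data JSON and the authenticator data, and scopes the credential to an RP ID; the message layout, origins, seed value and timestamp here are constructed for the demo).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// --- Factor 1: a TOTP code (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ---

// totpCode derives the code an authenticator app shows at unixTime.
func totpCode(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	trunc := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", trunc%1_000_000)
}

// totpAccepted is what the real login server checks. It cannot check where
// the user typed the code: a code collected by a fake MFA screen and relayed
// inside the 30-second window looks identical to one typed on the real site.
func totpAccepted(secret []byte, submitted string, unixTime int64) bool {
	return hmac.Equal([]byte(submitted), []byte(totpCode(secret, unixTime)))
}

// --- Factor 2: an origin-bound assertion in the style of FIDO2/WebAuthn ---

// Assertion is a simplified stand-in for a WebAuthn assertion: the browser
// fills in the origin of the page that requested it, and the authenticator
// signs over origin and challenge together, so neither can be rewritten.
type Assertion struct {
	Origin    string
	Challenge []byte
	Sig       []byte
}

// signedMessage is the demo's layout for what gets signed (constructed).
func signedMessage(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return d[:]
}

// authenticatorSign models the security key answering a request from a page
// at pageOrigin. The key neither knows nor cares whether the page is real;
// the origin it signs is supplied by the browser, not by the page's HTML.
func authenticatorSign(priv *ecdsa.PrivateKey, pageOrigin string, challenge []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(pageOrigin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: pageOrigin, Challenge: challenge, Sig: sig}, nil
}

// rpAccepted is the relying party's check: the assertion must name the RP's
// own origin, answer the challenge the RP issued, and verify under the
// user's registered public key.
func rpAccepted(pub *ecdsa.PublicKey, rpOrigin string, issued []byte, a Assertion) bool {
	if a.Origin != rpOrigin || !bytes.Equal(a.Challenge, issued) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.Origin, a.Challenge), a.Sig)
}

// Outcome holds the four scenarios side by side.
type Outcome struct {
	TOTPReplayAccepted bool // code typed into the fake prompt, relayed by the attacker
	LegitimateAccepted bool // security key used on the real site
	PhishedAccepted    bool // security key used on the phishing page, assertion relayed
	TamperedAccepted   bool // attacker rewrites the origin field before relaying
}

func RunScenarios() (Outcome, error) {
	var o Outcome
	secret := []byte("constructed-demo-seed") // constructed, not a real seed
	now := int64(1661774400)                  // 2022-08-29 12:00:00 UTC
	harvested := totpCode(secret, now)        // what the fake MFA prompt collected
	o.TOTPReplayAccepted = totpAccepted(secret, harvested, now+5)

	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return o, err
	}
	const rpOrigin = "https://login.example.com"   // constructed
	const phishOrigin = "https://login-example.com" // constructed lookalike
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return o, err
	}
	legit, err := authenticatorSign(priv, rpOrigin, challenge)
	if err != nil {
		return o, err
	}
	o.LegitimateAccepted = rpAccepted(&priv.PublicKey, rpOrigin, challenge, legit)

	// The attacker forwards the RP's real challenge to the victim's browser; the
	// browser still stamps the assertion with the phishing page's origin. (Real
	// WebAuthn would not even offer the credential on the wrong RP ID; this model
	// is deliberately generous to the attacker.)
	phished, err := authenticatorSign(priv, phishOrigin, challenge)
	if err != nil {
		return o, err
	}
	o.PhishedAccepted = rpAccepted(&priv.PublicKey, rpOrigin, challenge, phished)
	phished.Origin = rpOrigin // editing the field breaks the signature instead
	o.TamperedAccepted = rpAccepted(&priv.PublicKey, rpOrigin, challenge, phished)
	return o, nil
}

func main() {
	o, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The asymmetry is the whole point: the server verifying a TOTP code has no information about where the code was typed, whereas the origin-bound assertion carries that information inside the signed data, so a harvested assertion is useless to the attacker and cannot be repaired by editing it.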

The 0ktapus campaign isn't going to stop. As long as MFA-spoofing works, they'll keep using it. Your job? Make sure it doesn't work against your organization.


// FAQ

Is my company on the 0ktapus victim list?

Not all 130+ affected companies have been publicly identified. Check with your security team, review email logs for phishing campaigns, and monitor for unauthorized account access. If you were targeted, you'd likely see suspicious login attempts or evidence of credential compromise.

How do I know if I fell for the 0ktapus phishing attack?

If you entered your password and MFA code into a form after clicking an email link, assume your credentials were compromised. Immediately change your password, notify your IT team, and check your account activity for unauthorized access. Your organization should also reset your MFA tokens.

Does MFA still protect me if attackers can spoof it?

Yes, but only if you use phishing-resistant MFA like FIDO2 security keys, not codes from authenticator apps or SMS. Traditional MFA is still protective if users recognize that legitimate MFA prompts won't appear immediately after an email login attempt.
