Timeline: When the Campaign Unfolded
August 2022. That's when security researchers first caught wind of something big brewing. A coordinated phishing operation had already swept across more than 130 organizations by the time anyone sounded the alarm. But here's what sets this apart from garden-variety phishing: the attackers weren't just harvesting passwords. They were capturing the one-time codes behind multi-factor authentication and using them in real time, turning the second factor itself into the key to the kingdom.
The real question is: how long had this been happening before detection?
The Discovery
Threatpost reported the findings after security researchers identified the campaign and attributed it to the threat group known as 0ktapus (named for Okta, the identity provider whose sign-in pages the attackers imitated). The attackers had been methodical. Calculated. They weren't spraying generic phishing at random addresses; they were running targeted attacks against specific companies, spoofing each target's Okta login page to trick employees into handing over both their password and their second factor.
This wasn't some script kiddie operation.
The group's sophistication showed in their approach: crafting convincing replicas of Okta's authentication interface, timing attacks during business hours when users are more likely to be distracted, and focusing on high-value targets across multiple industries. According to Threatpost, the campaign demonstrated knowledge of victim organizations' internal systems and user patterns.
Technical Analysis
So how does MFA phishing actually work? In the reported campaign the lure was a text message, not an email: employees received SMS messages posing as company notices, with a link to a page that looked nearly identical to their organization's Okta sign-in portal. The page collected their username and password. Then came the clever part.
The fake page then asked for the one-time code, exactly as the real portal would, and the victim read it off their own authenticator app or SMS and typed it in. The attacker's server relayed username, password and code to the genuine login page within seconds, inside the code's short validity window (30 seconds for a standard TOTP), and came away with an authenticated session. Nothing on the phone was intercepted or replayed; the victim supplied the second factor voluntarily, because the prompt arrived exactly when they expected it. This is an adversary-in-the-middle relay, and by the time the user noticed anything was wrong, the attacker already held a valid session that no longer needed the factor at all.
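To make the relay concrete, here is an added simulation (not code from the campaign or from Threatpost's reporting) of the exchange just described: a victim enters a password and a freshly generated TOTP code into a look-alike page, the attacker's server forwards both to the real portal inside the code's validity window, and the login succeeds. The second function runs the same relay against a WebAuthn-style factor, where the signed client data carries the origin the browser actually saw, so the real portal rejects it. The hostnames, account, secrets and the HMAC stand-in for an authenticator's per-site key are all constructed assumptions, not details of any real deployment.

```python
"""Simulated real-time OTP relay (the 0ktapus technique) versus an origin-bound factor.
Added example; hostnames, users and secrets are constructed, not taken from the campaign."""
import hashlib
import hmac
import secrets
import struct
import time

REAL_ORIGIN = "https://login.victim.example"    # constructed: the genuine Okta-style portal
PHISH_ORIGIN = "https://login-victim.example"   # constructed: the attacker's look-alike


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign_client_data(key: bytes, origin: str, challenge: bytes) -> bytes:
    """The authenticator signs client data that includes the origin the *browser* reports.
    Real WebAuthn uses an asymmetric key scoped to the relying party; HMAC stands in here."""
    return hmac.new(key, origin.encode() + challenge, hashlib.sha256).digest()


class IdentityProvider:
    """Stand-in for the real portal. It never sees or knows about the phishing site."""

    def __init__(self):
        self.users = {}       # username -> password, TOTP seed, WebAuthn key
        self.challenges = {}  # username -> outstanding WebAuthn challenge

    def enroll(self, user: str, password: str) -> dict:
        self.users[user] = {"password": password,
                            "totp_seed": secrets.token_bytes(20),
                            "webauthn_key": secrets.token_bytes(32)}
        return self.users[user]

    def login_totp(self, user: str, password: str, code: str, at: int) -> bool:
        u = self.users.get(user)
        if not u or not hmac.compare_digest(u["password"], password):
            return False
        # Accept the current and previous window, as real servers do to tolerate clock skew.
        return any(hmac.compare_digest(totp(u["totp_seed"], at - 30 * k), code) for k in (0, 1))

    def webauthn_challenge(self, user: str) -> bytes:
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]

    def login_webauthn(self, user: str, assertion: dict) -> bool:
        u = self.users.get(user)
        challenge = self.challenges.pop(user, None)
        if not u or challenge is None or assertion["challenge"] != challenge:
            return False
        # The relying party must check the origin embedded in the signed client data.
        if assertion["origin"] != REAL_ORIGIN:
            return False
        expected = sign_client_data(u["webauthn_key"], assertion["origin"], challenge)
        return hmac.compare_digest(expected, assertion["signature"])


def simulate_totp_relay(at=None) -> bool:
    """Victim types password and current app code into the phishing page; the attacker's
    server submits both to the real portal seconds later. True means the attacker got in."""
    at = int(time.time()) if at is None else at
    idp = IdentityProvider()
    victim = idp.enroll("alice", "correct horse")
    # What the victim enters on the look-alike page (the page is just a relay proxy).
    harvested = {"user": "alice", "password": "correct horse",
                 "code": totp(victim["totp_seed"], at)}
    # Five seconds later the code is still inside its window, so the real portal accepts it.
    return idp.login_totp(harvested["user"], harvested["password"], harvested["code"], at + 5)


def simulate_webauthn_relay() -> bool:
    """Same relay against a WebAuthn factor. The attacker forwards the real challenge, but
    the victim's browser tells the authenticator the origin is PHISH_ORIGIN, so the signed
    client data never verifies at REAL_ORIGIN. True would mean the attacker got in."""
    idp = IdentityProvider()
    victim = idp.enroll("alice", "correct horse")
    challenge = idp.webauthn_challenge("alice")   # attacker fetches it from the real site
    assertion = {"challenge": challenge, "origin": PHISH_ORIGIN,
                 "signature": sign_client_data(victim["webauthn_key"], PHISH_ORIGIN, challenge)}
    return idp.login_webauthn("alice", assertion)  # relayed verbatim; rejected on origin


if __name__ == "__main__":
    print("TOTP relay succeeded:", simulate_totp_relay())
    print("WebAuthn relay succeeded:", simulate_webauthn_relay())
```

The asymmetry is the whole point: the TOTP code carries no information about where it was typed, so the portal cannot distinguish the relay from the victim, whereas the WebAuthn assertion is computed over the origin the browser saw and is useless anywhere else. Real authenticators go further and refuse to release a credential for `login.victim.example` to a page on a different domain at all.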
It's particularly nasty because MFA is supposed to be the safety net when passwords fail. When that fails too, you've got a problem.
The campaign targeted organizations across sectors including financial services, technology, and law firms, industries that hold sensitive data and whose access is worth paying for. This wasn't random. It was preparation for theft: the captured credentials were the product, and a foothold inside one company is leverage against its customers and partners.
Damage Assessment
Law firm breach statistics rarely get the attention they deserve, but this campaign should change that conversation. As examples of company-wide cyber attacks go, 0ktapus is exactly the kind of threat that keeps CISOs awake at night: widespread, effective, and hard to detect in real time.
One hundred and thirty companies.
That's not a typo. Threatpost's reporting confirmed that figure, though the full scope of financial damage and data exfiltration remains unclear. Not every organization whose credentials were captured reported a successful breach; some caught the activity before the attackers could use the access. Others may not have discovered the intrusion yet.
What makes this worse? Law firms remain prime targets, and incidents like 0ktapus demonstrate why. Firms hold attorney-client privileged information, financial records, and M&A data worth millions. One successful compromise can expose years of client secrets.
Mitigation
Organizations hit by this campaign faced immediate remediation challenges. Changing passwords wasn't enough: an attacker who has already completed MFA holds a live session and may have enrolled a device or MFA factor of their own, so defenders had to assume full access and treat the situation accordingly. Remediation meant emergency credential resets across all user accounts, invalidating active sessions, auditing MFA enrollments for factors the attacker added, and reviewing access logs for lateral movement.
But here's what actually prevents this from happening again. Push notifications with number matching stop blind approvals, but they don't stop this attack, and neither does TOTP: any factor the user can read on one screen and type into another (SMS codes, authenticator-app codes, push approvals) can be relayed to the real site in real time. The fix is a phishing-resistant factor: FIDO2/WebAuthn hardware security keys or platform passkeys. The authenticator signs a challenge bound to the origin the browser is actually on, so an assertion produced on a look-alike domain is rejected by the real portal; Cloudflare, which was targeted by the same campaign, reported that its hardware keys were what kept the relayed credentials from being usable. Beyond the factor itself, disabling legacy authentication protocols that bypass MFA, enforcing conditional access policies (managed device, expected network), and monitoring for impossible travel, logins from geographic locations that couldn't physically be reached in the time between them, all raise the bar substantially.
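An added example (not from the page's sources) of the impossible-travel check mentioned above, run over a handful of constructed sign-in events in a made-up key=value log format; a real pipeline would take coordinates from a GeoIP lookup of the source address rather than from the log line itself. It flags alice, who "travels" from Seattle to Kyiv in under eight minutes, while bob's New York to Los Angeles hop six hours later stays under the airliner-speed threshold; lowering the threshold flags bob too. Hostnames, IPs, users and thresholds are all assumptions.

```python
"""Impossible-travel detection over constructed identity-provider sign-in events.
Added example; the log format, users, IPs and coordinates are made up for illustration."""
import math
from datetime import datetime, timezone

# Constructed sample: ISO-8601 UTC timestamp followed by key=value fields.
LOG_LINES = [
    "2022-08-04T14:02:11Z user=alice result=SUCCESS ip=203.0.113.10 lat=47.61 lon=-122.33 geo=Seattle",
    "2022-08-04T14:09:45Z user=alice result=SUCCESS ip=198.51.100.7 lat=50.45 lon=30.52 geo=Kyiv",
    "2022-08-04T15:30:00Z user=bob result=SUCCESS ip=203.0.113.22 lat=40.71 lon=-74.01 geo=NewYork",
    "2022-08-04T21:45:00Z user=bob result=SUCCESS ip=203.0.113.23 lat=34.05 lon=-118.24 geo=LosAngeles",
    "2022-08-04T14:20:00Z user=carol result=FAILURE ip=198.51.100.9 lat=50.45 lon=30.52 geo=Kyiv",
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(lines):
    """Turn log lines into dicts with a timezone-aware timestamp and float coordinates."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["lat"], ev["lon"] = float(ev["lat"]), float(ev["lon"])
        events.append(ev)
    return events


def find_impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive successful sign-ins by one user whose implied speed exceeds
    max_speed_kmh (roughly an airliner). min_distance_km suppresses GeoIP jitter
    between nearby addresses, which would otherwise produce absurd speeds."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("result") != "SUCCESS":
            continue   # a failed attempt does not establish where the user is
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else math.inf   # same-second logins far apart
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["geo"], "to": cur["geo"],
                               "distance_km": round(dist, 1), "minutes": round(hours * 60, 1),
                               "speed_kmh": round(speed, 1)})
    return alerts


if __name__ == "__main__":
    for a in find_impossible_travel(parse_events(LOG_LINES)):
        print(f"{a['user']}: {a['from']} -> {a['to']} {a['distance_km']} km "
              f"in {a['minutes']} min ({a['speed_kmh']} km/h)")
```

In practice the noisy part is not the geometry but the inputs: corporate VPN egress, cloud-hosted desktops and mobile carriers all move a user's apparent location without moving the user, so known egress ranges should be allowlisted and the alert treated as a prompt to check the session's device and MFA factor, not as proof of compromise on its own.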
Identity-provider sign-in logs and endpoint detection and response (EDR) telemetry that flag unusual credential use (a new device, a fresh IP range, a newly registered MFA factor, a session token turning up from a second location) can catch compromises during the window when attackers are still establishing persistence. The window is small, but it exists.