Hackers are now combining sophisticated, customizable phishing kits with phone-based social engineering to pull off real-time, MFA-defeating attacks against single sign-on (SSO) systems used by Google, Microsoft, Okta and major cryptocurrency providers. Security teams are seeing the emergence of purpose-built “vishing kits” — phishing-as-a-service (PhaaS) offerings that let an attacker orchestrate the browser UI while speaking to the victim on the phone, dynamically changing the fake authentication flow to match whatever multi-factor prompt the legitimate service produces. The result is a synchronized two-person operation: a caller guiding a user through a fake login while the kit relays credentials and adapts pages on the fly, allowing the attacker to complete a legitimate login and bypass non-phishing-resistant MFA in near real time.
Background / Overview
Vishing — voice phishing — is not new, but the modern variants are. Traditional vishing relied on social engineering scripts and pretexting to extract credentials or convince people to move money. The new wave couples vishing with agile phishing infrastructure: modular phishing kits that are pre-built to clone SSO login flows, collect credentials and session artifacts, and present contextual pages that mirror legitimate MFA prompts (push notifications, one-time passcodes, number-matching screens). Because the attacker is on the line, the kit can be updated or its UI changed at the caller’s direction while the victim is interacting with it.
These kits are distributed as services: a low-skill actor can rent the toolkit, pick templates for a target provider, and combine it with voice spoofing (caller ID impersonation) and reconnaissance to make a convincing call. The operator of the call and the operator of the kit may be the same or different actors collaborating in real time.
Security researchers and identity providers’ threat teams have documented multiple instances of custom kits used to target enterprise SSO, cloud email, and crypto accounts. The observed attack patterns share common telemetry: targeted reconnaissance, use of spoofed support numbers, synchronized phone-and-browser interaction, and exploitation of non-phishing-resistant multifactor mechanisms.
How the new vishing kits work — step-by-step
The attack sequence is deceptively simple to describe, but technically and operationally effective in execution.
- Reconnaissance and profiling
  - The attacker collects public and internal-facing information about the target: applications in use, corporate phone trees, helpdesk numbers, and any leaked user data.
  - The attacker may use compromised accounts, OSINT, and directory harvests to confirm the identity and role of the target.
- Build a tailored landing page and session backend
  - Using a kit or template, the attacker deploys a fake login page customized to the target’s SSO provider (Google, Microsoft, Okta, etc.).
  - The backend can automatically relay credentials to the attacker and mirror the legitimate authentication steps.
- Spoofed call and social engineering
  - The attacker places a phone call that appears to come from an internal helpdesk or trusted support line. Spoofing techniques make the caller ID look authentic.
  - The caller convinces the victim to visit the provided (spoofed) URL or to scan a QR code that redirects to the phishing site.
- Credential capture and live relay
  - When the victim types a username and password, the kit relays those details to an operator or automated backend that immediately attempts a login to the real service.
  - The legitimate service triggers an MFA challenge.
- Real-time MFA interception or deception
  - Because the attacker is already trying to sign in, they can observe which MFA method the service requests (push, SMS/TOTP, number matching).
  - The phishing kit then pushes the matching fake page to the victim’s browser — a push notification approval screen, a TOTP prompt, or number-matching UI — and the caller instructs the victim how to respond.
  - The victim, following the caller’s script, approves the challenge or enters the code, which the attacker uses to complete the login.
- Post-compromise actions
  - Once inside, the attacker may escalate privileges, steal session tokens or cookies, extract OAuth authorizations, exfiltrate data, or move laterally.
  - In some cases, the attacker leaves the victim unaware that access has been granted.
Why these attacks succeed: the technology and human factors
Several intersecting technical and human factors make these campaigns effective.
- Real-time control of the victim’s authentication experience: the attacker doesn’t need to predict the MFA method in advance; they learn it when their own backend attempts the login and then push the corresponding fake UI to the victim. That removes much of the uncertainty that limited earlier phishing attempts.
- Caller-guided legitimacy: a live voice on the line explaining the exact steps gives victims confidence and reduces the chance of scrutiny. Sophisticated social engineers use consecutive prompts and pretexted trouble tickets, which match the victim’s expectations.
- Use of anonymizing and disposable infrastructure: attackers deploy disposable domains, ephemeral hosting, and anonymizing services to evade detection and takedown. These services can be frustrating to block at scale unless tenant access controls are configured.
- Weaknesses in many MFA methods: MFA methods that can be relayed or mimicked — SMS one-time passwords, TOTP codes, and push notifications lacking phishing resistance — can be defeated by real-time interaction and relay.
- Phishing-as-a-Service (PhaaS) economy: ready-made kits let low-skilled users launch targeted campaigns without deep technical expertise. When combined with voice spoofing and social engineering scripts, barriers to entry fall and volumes increase.
What’s new versus classic phishing
Traditional credential-phishing scams used static pages and one-off emails. Modern kits are:
- Adaptive — they change the browser UI in response to what the attacker sees when they attempt the login.
- Caller-driven — an operator on a call synchronizes instruction with browser updates.
- Purpose-built for SSO — templates replicate complex SSO flows, not just single-site logins.
- Sold as services — lowering skill requirements and increasing scale.
- Able to intercept or replicate MFA prompts — not just passwords.
Verified technical claims and what we can confirm
Independent threat intelligence and identity provider research teams have reported the following consistent findings:
- Multiple custom phishing kits exist that are explicitly designed to support voice-based social engineering and to adapt in real time to authentication flows.
- Targets include major SSO providers and cloud services, notably Google, Microsoft, major IdPs, and cryptocurrency platforms.
- The kits allow attacker control of the pages the victim sees, enabling synchronization with caller instructions and facilitating MFA bypass for non-phishing-resistant factors.
- Identity provider mitigation advice consistently points to adopting phishing-resistant authentication — FIDO2/WebAuthn keys or passkey-style mechanisms — as the most reliable defense.
The limitations: what these kits cannot (easily) do
No technology is omnipotent. Current vishing kit techniques have limits:
- True phishing-resistant authentication (hardware-backed FIDO2/WebAuthn passkeys, security keys, or platform-bound TruePass-like flows) cannot be reliably forged or relayed by these kits. These methods are the recommended defense because they provide cryptographic proof tied to the original origin and cannot be trivially proxied.
- Aggressive network and tenant access controls (blocking anonymizing services and limiting access by network zones or IP allow-lists) significantly increase attacker friction and reduce the effectiveness of disposable infrastructure.
- Well-trained users who verify caller identity using out-of-band methods (calling back an official support number verified independently) can thwart the social-engineering portion of the attack.
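Why the "cryptographic proof tied to the original origin" stops the relay, as an added example (not code from the article or from any vendor): a simplified Go model of a WebAuthn assertion and the relying party's verification of it. The RP ID, origins and challenge strings are assumptions; the browser already refuses to invoke a credential from an origin that does not match its RP ID, so the server-side check modelled here is the second of two layers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Simplified WebAuthn assertion: the authenticator signs authData || SHA-256(clientDataJSON).
// clientDataJSON carries the origin of the page that called WebAuthn (filled in by the
// browser, not by the page); authData starts with SHA-256 of the RP ID the key is bound to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ AuthData, ClientData, Sig []byte }
// NewKey stands in for the credential key pair created at registration (constructed here).
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// signedMessage is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientJSON []byte) []byte {
	h := sha256.Sum256(clientJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}
// SignAssertion models browser + authenticator on the user's device.
func SignAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, signature counter 1
	cd, _ := json.Marshal(clientData{challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	return Assertion{authData, cd, sig}
}
// VerifyAssertion is the relying party's check: challenge, origin and RP ID hash, then the
// signature covering all of them. An assertion made on a look-alike origin fails here.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, rpID, origin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil { return err }
	if cd.Challenge != challenge || cd.Origin != origin {
		return fmt.Errorf("clientData mismatch: origin=%q", cd.Origin)
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientData), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
```

A caller can talk a user into approving a push or reading out a code, but cannot change the origin the browser writes into clientDataJSON or the RP ID hash the authenticator signs over, so the assertion is useless anywhere but the genuine site.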
Practical mitigation — a prioritized checklist for organizations
Stopping these attacks requires layered defenses spanning authentication design, network controls, monitoring, and user behavior. The following is a prioritized, actionable checklist.
- Move to phishing-resistant authentication
  - Deploy FIDO2/WebAuthn hardware keys and platform passkeys where possible.
  - Enable phishing-resistant methods across SSO and high-risk applications.
  - Use client-bound, cryptographic methods (Okta FastPass or equivalent) rather than push-only approvals.
- Harden access policies and network zones
  - Implement conditional access policies that require stronger authentication for remote or high-risk logins.
  - Deny access from known anonymizing services or disposable hosting ranges.
  - Use tenant access control lists to restrict which IP ranges can authenticate to critical tenants.
- Reduce attack surface around legacy auth
  - Disable legacy authentication methods that bypass Conditional Access (basic auth, IMAP/POP) where possible.
  - Block or monitor ROPC (resource owner password credentials) and other flows that could be abused.
- Strengthen helpdesk and call verification procedures
  - Train staff and users to verify calls: use verified call-backs to an independently obtained support number.
  - Remove or limit the publication of internal support numbers on public pages.
  - Log and analyze all password-reset and support actions for anomalies.
- Monitor and detect fast, automated login attempts
  - Flag rapid credential relay patterns: same-second credential use from different geolocations or device fingerprints.
  - Look for login attempts followed immediately by successful MFA approval from different IP addresses.
  - Collect telemetry on session issuance, OAuth grants, and token exchange for suspicious patterns.
- Restrict OAuth and API token scopes
  - Enforce least privilege for OAuth grants.
  - Monitor for unusual OAuth consent flows and token exchanges that occur outside normal enterprise patterns.
- Prepare incident response playbooks for voice + phishing attacks
  - Simulate scenarios where a caller and web session are coordinated.
  - Include phone verification and immediate token revocation in response checklists.
- User training with modern test cases
  - Update phishing exercise templates to include voice scenarios and dynamic fake authentication flows.
  - Emphasize not approving unexpected MFA prompts or revealing codes during a call.
Recommendations for end users
- Treat unsolicited calls that ask you to sign in or approve authentication with extreme caution.
- Never approve MFA requests unless you initiated the sign-in. If a caller claims to be support, hang up and call the support number you have independently verified.
- Use passkeys, Windows Hello, or hardware security keys where available for personal and work accounts.
- If told to visit a URL, check the domain carefully and cross-verify any support number you are given. Publicly posted support numbers can be spoofed; always use trusted contact points.
Detection and response: what SOCs need to look for
Security operations centers must tune detections for the choreography that characterizes these attacks:
- Rapid credential use: immediate use of freshly entered credentials from different network origins.
- MFA pattern anomalies: approvals that follow a credential entry faster than human reaction time, or approvals originating from a distinct session.
- Out-of-band correlation: matching a reported phone call to a login event in logs. If a user reports a suspicious call, triage by comparing the time and method of authentication to recorded sessions.
- Scripted UI interactions: repeated identical page flows across multiple victims that indicate a templated kit in use.
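The "rapid credential use" and "MFA approval from a different IP" rules from the monitoring checklist and the SOC list above, as an added Go example (not from the article or any vendor) run over constructed NDJSON sign-in records. The field names, user names, timestamps and IP addresses are assumptions; a real deployment would read the identity provider's own log schema instead of SampleLog.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one identity-provider sign-in record (constructed schema, not a vendor log format).
type AuthEvent struct {
	TS    time.Time `json:"ts"`
	User  string    `json:"user"`
	Event string    `json:"event"` // "password_ok" or "mfa_approved"
	IP    string    `json:"ip"`
}
// Alert pairs a password success with a same-user MFA approval from a different network origin.
type Alert struct{ User, PasswordIP, ApprovalIP string; Gap time.Duration }
// Constructed NDJSON sample, deliberately out of order: alice is the relay pattern, bob approves from the same address, carol is outside a short window.
const SampleLog = `
{"ts":"2024-05-01T10:00:00Z","user":"alice","event":"password_ok","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:03Z","user":"alice","event":"mfa_approved","ip":"198.51.100.7"}
{"ts":"2024-05-01T10:05:00Z","user":"bob","event":"password_ok","ip":"192.0.2.10"}
{"ts":"2024-05-01T10:05:20Z","user":"bob","event":"mfa_approved","ip":"192.0.2.10"}
{"ts":"2024-05-01T09:10:00Z","user":"carol","event":"mfa_approved","ip":"198.51.100.9"}
{"ts":"2024-05-01T09:00:00Z","user":"carol","event":"password_ok","ip":"192.0.2.20"}
`
// ParseEvents decodes NDJSON lines, skips malformed ones, and orders events by time.
func ParseEvents(raw string) []AuthEvent {
	var evs []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e AuthEvent
		if json.Unmarshal([]byte(line), &e) == nil { evs = append(evs, e) }
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].TS.Before(evs[j].TS) })
	return evs
}
// DetectRelay flags an MFA approval that follows the same user's password success within
// maxGap but from a different IP: the choreography of a caller-guided credential relay.
func DetectRelay(evs []AuthEvent, maxGap time.Duration) []Alert {
	lastPw := map[string]AuthEvent{}
	var alerts []Alert
	for _, e := range evs {
		switch e.Event {
		case "password_ok":
			lastPw[e.User] = e
		case "mfa_approved":
			if pw, ok := lastPw[e.User]; ok && e.TS.Sub(pw.TS) <= maxGap && e.IP != pw.IP {
				alerts = append(alerts, Alert{e.User, pw.IP, e.IP, e.TS.Sub(pw.TS)})
			}
		}
	}
	return alerts
}
```

A phone approving a push legitimately arrives from a different address than the laptop that typed the password, so treat this as a signal to enrich with device fingerprint and geolocation rather than a verdict on its own; the window is the main precision knob.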
Business risk analysis
The new vishing kits elevate the business risk profile in several ways:
- Compromise of high-value SSO accounts can provide access to broad swathes of corporate data and downstream services through federated trust.
- OAuth tokens and session cookies stolen during these attacks can bypass credential-based detection. Tokens may allow persistent access beyond password resets if refresh tokens are not properly managed.
- Financial loss and fraud, especially in cryptocurrency-related accounts, can be immediate and irreversible.
- Reputational damage can be severe when attacker calls impersonate internal support and deceive multiple employees.
What vendors and identity providers recommend
Identity vendors consistently advise moving to phishing-resistant authentication and tightening the perimeter around tenant access. Recommended measures include:
- Phishing-resistant MFA: hardware-backed keys, platform passkeys, or enterprise passwordless solutions.
- Network zoning and tenant ACLs: deny access from anonymizing services and enforce IP allow-lists where feasible.
- Logging and system alerts for suspected phishing events and failed-to-successful login sequences.
- Making phishing-resistant methods the default for high-privilege users and administrators.
The strategic view: where defenses should evolve
Short-term, organizations need to accelerate passkey and FIDO2 adoption across the enterprise and prioritize high-risk accounts for immediate transition. Medium-term, identity systems should move beyond single-factor and push-based MFA to adopt standards that are resistant to interception and man-in-the-middle proxying.
Security architectures should also incorporate improved phone verification, stronger denial of anonymous infrastructure, and better automation of incident response for voice-correlated events. Finally, education campaigns must evolve to address synchronized phone-and-browser scams rather than only email-based phishing.
Known unknowns and claims that require caution
Some claims circulating in public reports are precise in their technical description but incomplete in quantitative scope. The presence of custom kits and increased vishing volumes are well-documented in vendor advisories and independent reporting. However:
- Publicly available telemetry on total incidents, effective success rates, and global scale is incomplete. Organizations should assume these attacks are on the rise but recognize that exact prevalence figures are not universally released.
- Not all MFA implementations are equally vulnerable; details matter: the attack surface is largely where authentication methods allow proxied confirmation or code entry that can be relayed. Claims that “MFA is useless” are overstated; rather, some MFA types are vulnerable to sophisticated man-in-the-middle and relay attacks.
Final analysis: defensive posture and the road ahead
The convergence of high-quality phishing kits, commoditized voice spoofing, and live social engineering has created a materially more dangerous class of attack for SSO environments. The underlying truth for defenders is simple: where authentication can be relayed or proxied, attackers will find a way to exploit human trust and technical gaps.
- The strongest, most immediate defense is phishing-resistant authentication — hardware-backed FIDO2/WebAuthn or equivalent passwordless solutions.
- Network controls, tenant-level restrictions, and aggressive telemetry analysis create practical friction for attackers and reduce successful campaigns.
- User verification procedures for phone-based support must be improved and enforced via policy and training.
- Detection and response playbooks need to include phone-assisted attack scenarios and rapid token revocation.
The arms race between attackers and defenders now includes not just better phishing templates, but a human element performed live on the phone. Closing that attack vector requires both better technology and better operational practices — and the urgency to prioritize those changes has arguably never been higher.
Source: TechRadar Custom-made 'vishing' kits are attacking SSO accounts across the world