Phase 1: Typosquatting and Infrastructure Development
The attack chain begins with thorough external reconnaissance. The threat actors purchase lookalike domains designed to mimic corporate Identity Providers (IdP) such as Okta or Microsoft Entra ID. These domains utilize target-specific subdomains and second-level domains to appear legitimate to unsuspecting employees. Alongside these domains, the actors deploy advanced Adversary-in-the-Middle (AiTM) phishing platforms, such as modified versions of the Doko kit, which are designed to act as reverse proxies. These proxies intercept traffic between the victim, the fake landing page, and the genuine authentication portal, allowing real-time harvesting of passwords and active login session cookies.
Phase 2: Vishing and Identity Compromise
With their infrastructure prepared, the attackers execute voice phishing (vishing) campaigns. Utilizing spoofed VoIP lines or manipulated Caller ID Names (CNAM), they call corporate employees, pretending to be IT helpdesk or security technicians. They construct highly believable social engineering scripts, informing the employee of a simulated security alert, a mandatory software update, or an active account issue. The victim is then directed to log into one of the lookalike domains. As the user completes the login sequence, the AiTM phishing kit captures both the password and the multi-factor authentication (MFA) token, instantly establishing an active, validated session for the attacker.
Phase 3: Persistence through Rogue MFA Registration
To avoid repeating the vishing phone call, the threat actor must secure persistent access to the target cloud environment. Using the stolen session token, the attacker logs in and immediately navigates to the user's personal security registration panel. They register a new, attacker-controlled MFA device, such as a rogue FIDO2 hardware key, an authenticator application, or a customized passkey. Because this action occurs from an already-authenticated web session, it is often treated by default policies as a trusted user update. Future access requests by the attacker are authenticated using this newly registered rogue device, completely bypassing the victim's legitimate MFA setup.
Phase 4: Directory Exploitation and Lateral Movement
Once persistent access is established, the threat actor maps the organization's internal structure. They use built-in, legitimate directory tools to harvest enterprise structure maps, targeting senior administrators, executive leadership, or IT support personnel who possess elevated privileges. Rather than using noisy brute-force tools, they escalate privileges via internal phishing, sending highly targeted malicious messages through compromised corporate email accounts or trusted platforms such as Microsoft Teams to compromise administrative accounts.
Phase 5: Automated API Scraping and Exfiltration
Data exfiltration is executed using standard, administrative cloud APIs rather than malware. Threat actors utilize automated Python or PowerShell scripts to interact with Microsoft Graph API, OneDrive, SharePoint, or Salesforce. These scripts search systematically for directories containing sensitive financial records, customer details, or proprietary corporate data. During this programmatic exfiltration process, security teams may notice anomalous user-agent strings, specifically Python-requests/2.28.1, initiating massive read and download requests. The stolen data is then uploaded directly from the corporate cloud to attacker-controlled storage buckets or public hosting platforms, ensuring the exfiltration bypasses standard network firewalls entirely.