Identity services provider Okta warns of social engineering attacks in which threat actors obtain administrator privileges from the company’s Super Administrator accounts.
They then use these privileges to institute users within the compromised organization.
The threat actor also uses the access granted to the Super Administrators to assign higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts, and remove second-factor requirements from authentication policies.
According to the threat actor, this resulted in the creation of a second identity provider that serves as their source IdP for the intended victim.
This second identity provider, also controlled by the attacker, would act as a ‘source’ IdP in an inbound federation relationship (sometimes called ‘Org2Org’) with the target.
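
The behaviours described above can be correlated in Okta System Log data. The following is an added example, not code from Okta or from the original article: it flags any actor who creates an identity provider within a time window of resetting authenticators, granting privileges or changing a policy rule. The event-type mapping, the 24-hour window, the function names and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed mapping of Okta System Log eventType values to the behaviours in
# the article; policy.rule.update covers any rule change, so review the diff.
BEHAVIOURS = {
    "user.account.privilege.grant": "privilege_grant",
    "user.mfa.factor.reset_all": "authenticator_reset",
    "policy.rule.update": "auth_policy_change",
    "system.idp.lifecycle.create": "idp_created",
}
WINDOW = timedelta(hours=24)  # assumed correlation window


def suspicious_actors(events, window=WINDOW):
    """Actors who created an IdP within `window` of another listed behaviour."""
    by_actor = {}
    for ev in events:
        behaviour = BEHAVIOURS.get(ev.get("eventType"))
        if behaviour is None:
            continue  # event type is not one of the tracked behaviours
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        actor = ev.get("actor", {}).get("alternateId", "unknown")
        by_actor.setdefault(actor, []).append((when, behaviour))
    findings = {}
    for actor, seen in by_actor.items():
        for idp_time in (t for t, b in seen if b == "idp_created"):
            nearby = {b for t, b in seen if abs(t - idp_time) <= window}
            if len(nearby) > 1:  # IdP creation plus at least one other behaviour
                findings.setdefault(actor, set()).update(nearby)
    return {actor: sorted(found) for actor, found in findings.items()}


def make_event(ts, event_type, actor):
    return {"published": ts, "eventType": event_type, "actor": {"alternateId": actor}}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    make_event("2023-01-10T09:00:00.000Z", "user.mfa.factor.reset_all", "admin-a@example.com"),
    make_event("2023-01-10T09:20:00.000Z", "policy.rule.update", "admin-a@example.com"),
    make_event("2023-01-10T09:45:00.000Z", "system.idp.lifecycle.create", "admin-a@example.com"),
    make_event("2023-01-02T08:00:00.000Z", "user.account.privilege.grant", "admin-b@example.com"),
    make_event("2023-01-12T08:00:00.000Z", "system.idp.lifecycle.create", "admin-b@example.com"),
    make_event("2023-01-10T10:00:00.000Z", "user.session.start", "user-c@example.com"),
]

if __name__ == "__main__":
    for actor, behaviours in suspicious_actors(SAMPLE_EVENTS).items():
        print(actor, behaviours)
```

An identity provider created on its own is not flagged; widening the window trades fewer misses for more review work.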