Fake Okta / Azure AD / OneLogin SSO identity provider credential phishing — fraudulent email impersonating Okta, Azure Active Directory, Microsoft Entra ID, or OneLogin claiming the recipient's SSO account has been suspended, session has expired requiring re-authentication, or MFA authenticator needs to be re-enrolled — directing them to sign in through a spoofed identity provider portal to harvest their SSO credentials — the "master key" attack that unlocks every enterprise application at once; Okta serves 18,000+ enterprise customers; APWG 2024: IdP phishing grew 340% YoY; a single Okta credential gives attackers access to email, Slack, GitHub, Salesforce, Jira, and every other SSO-connected app simultaneously
fake-okta-sso-identity-provider-credential-phish
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating Okta, Azure Active Directory, Microsoft Entra ID, or OneLogin claiming the recipient's SSO account has been suspended, their session has expired requiring re-authentication, or their MFA authenticator needs to be re-enrolled — directing them to sign in through a spoofed identity provider portal to harvest their enterprise SSO credentials.
Key facts:
(1) Okta serves 18,000+ enterprise customers processing 50+ billion authentications per month; Azure AD / Microsoft Entra ID is the dominant enterprise identity platform with 600M+ users; APWG 2024: identity provider phishing grew 340% year-over-year as organizations consolidated authentication to SSO; a single Okta or Entra ID credential gives attackers simultaneous access to email, Slack, GitHub, Salesforce, Jira, HR systems, and every other SSO-connected application at once — the "master key" attack.
(2) The MFA re-enrollment variant is particularly sophisticated: it mimics a real, common IT workflow (MFA device changes, new device setup, authenticator resets after phone upgrade), conditioning employees who have been through legitimate re-enrollment to treat re-authentication requests as routine IT hygiene; in reality, attackers use the harvested credentials plus any captured MFA codes to establish their own device in Okta before the victim realizes they were phished.
(3) The "session expired" phishing variant exploits the ubiquitous Okta "your session has expired, please sign in again" notification that every SSO user receives legitimately — attackers replicate this exact email format and timing, sending it during morning hours when employees are expecting to authenticate into work apps.
(4) The Twilio/Okta supply chain breach (2022), the Caesars Entertainment Okta breach (2023), and MGM Resorts Okta breach (2023) all began with SMS phishing for Okta credentials — showing this attack chain's real-world impact.
Warning signs: sender domain not okta.com, microsoft.com, or the organization's own domain; generic "company portal" link rather than a domain-specific SSO URL; no reference to specific organization name or application names; urgency about losing access to all apps immediately.
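The warning signs above, turned into a standalone check as an added illustration. This is not Gorganizer's code; the function names, regexes, signal labels, and the acme.example organization are assumptions, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains the warning signs treat as expected; the org's own domain is added per call.
IDP_DOMAINS = {"okta.com", "microsoft.com"}
IDP_BRANDS = re.compile(r"\b(okta|azure ad|azure active directory|entra id|onelogin)\b", re.I)
URGENCY = re.compile(r"\b(suspended|session (has )?expired|re-?enroll|immediately|lose access)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domains(host, domains):
    """Exact match or true subdomain only, so okta.com.evil.example and notokta.com fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def idp_phish_signals(raw, org_domain, org_name):
    """Return the warning signs present in one single-part plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    display, addr = parseaddr(msg.get("From", ""))
    text = " ".join([display, msg.get("Subject", ""), body])
    if not IDP_BRANDS.search(text):
        return []  # not IdP-themed, so none of these checks apply
    trusted = IDP_DOMAINS | {org_domain.lower()}
    signals = ["idp_brand"]
    if not in_domains(addr.rpartition("@")[2], trusted):
        signals.append("sender_domain_mismatch")
    hosts = [urlparse(u).hostname or "" for u in URL.findall(body)]
    if any(not in_domains(h, trusted) for h in hosts):
        signals.append("untrusted_link")  # e.g. a generic "company portal" host
    if org_name.lower() not in text.lower():
        signals.append("no_org_reference")
    if URGENCY.search(text):
        signals.append("urgency")
    return signals

# Constructed samples: a lookalike sender with a generic portal link, and a benign notice.
PHISH = """From: Okta Security <alerts@okta.com.sso-verify.example>
Subject: Your session has expired

Your SSO account will be suspended. Sign in immediately at
https://company-portal.example/login to keep access to all apps.
"""
LEGIT = """From: Okta <noreply@okta.com>
Subject: Acme Corp: new sign-on to Salesforce

A new sign-on to your Acme Corp account was detected.
Review at https://acme.okta.com/enduser/settings
"""
```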
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.