Phishers have found a way to downgrade—not bypass—FIDO MFA

Expel said that PoisonSeed has found a clever sleight of hand to bypass this crucial step. As the user enters the username and password into the fake Okta site, a PoisonSeed team member enters them in real time into a real Okta login page. As Thursday’s post went on to explain:

In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in. The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator

→ Continue reading at Ars Technica
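As an added illustration (not code from Ars Technica or Expel, and not the FIDO, WebAuthn or Okta implementation), the following Python model contrasts a plain phishing relay, which WebAuthn's origin binding defeats, with the cross-device relay described above, in which the attacker's own browser is the genuine WebAuthn client sitting on the real origin, so the assertion the victim's phone produces verifies and the attacker's browser ends up with the session. The RP name `idp.example`, the phishing host, the HMAC stand-in for the authenticator's signing key, and the reduction of the QR code to a session reference are all assumptions of the model; in the real hybrid transport the QR bootstraps an encrypted tunnel to the phone rather than carrying the challenge. The `allow_cross_device` switch is a generic illustration of the practitioner's option to disallow cross-device sign-in for sensitive accounts, not a statement about any particular Okta setting.

```python
"""
Toy adversary-in-the-middle model of FIDO/WebAuthn sign-in (added example, not
project code). HMAC stands in for the authenticator's ECDSA key, and the QR code
is reduced to a session reference. Names and origins are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "idp.example"                                     # hypothetical IdP
REAL_ORIGIN = "https://idp.example"
PHISH_ORIGIN = "https://idp-example.login-portal.test"    # hypothetical phish


class Authenticator:
    """The user's phone or security key; holds one credential scoped to RP_ID."""
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)   # toy stand-in for the private key

    def get_assertion(self, rp_id, client_data):
        if rp_id != self.rp_id:
            raise ValueError("no credential for this RP")
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash only
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {"auth_data": auth_data, "client_data": client_data,
                "sig": hmac.new(self.key, to_sign, "sha256").digest()}


class Browser:
    """A WebAuthn client: fills in clientDataJSON from the page it is showing."""
    def __init__(self, origin):
        self.origin = origin

    def _client_data(self, challenge):
        return json.dumps({"type": "webauthn.get", "challenge": challenge,
                           "origin": self.origin}).encode()

    def same_device_get(self, auth, rp_id, challenge):
        # Browsers refuse unless rp_id is a registrable suffix of the page host,
        # which is what defeats a plain phishing relay of the challenge.
        host = self.origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("rpId does not match page origin")
        return auth.get_assertion(rp_id, self._client_data(challenge))

    def cross_device_get(self, auth, rp_id, challenge):
        # Hybrid transport: the phone signs for THIS browser's origin, whoever is
        # holding the browser. The scanned QR merely connects phone and browser.
        return auth.get_assertion(rp_id, self._client_data(challenge))


class RelyingParty:
    def __init__(self, allow_cross_device=True):
        self.allow_cross_device = allow_cross_device
        self.sessions = {}            # session id -> challenge
        self.user_key = None

    def register(self, auth):
        self.user_key = auth.key      # toy: RP stores the verification key

    def begin_login(self):
        sid, challenge = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = challenge
        return sid, challenge

    def qr_for(self, sid):
        if not self.allow_cross_device:
            raise PermissionError("cross-device sign-in disabled by policy")
        return f"FIDO:/{sid}"         # toy QR payload: a session reference

    def finish_login(self, sid, assertion):
        challenge = self.sessions.pop(sid)
        cd = json.loads(assertion["client_data"])
        if cd["origin"] != REAL_ORIGIN or cd["challenge"] != challenge:
            return False
        if assertion["auth_data"] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.user_key, to_sign, "sha256").digest()
        return hmac.compare_digest(expected, assertion["sig"])


def legitimate_login():
    """Baseline: the user signs in from their own browser on the real origin."""
    rp, auth = RelyingParty(), Authenticator(RP_ID)
    rp.register(auth)
    sid, challenge = rp.begin_login()
    assertion = Browser(REAL_ORIGIN).same_device_get(auth, RP_ID, challenge)
    return "logged in" if rp.finish_login(sid, assertion) else "rejected"


def classic_phishing_relay():
    """Attacker relays the RP's challenge into the victim's browser on the phish page."""
    rp, auth = RelyingParty(), Authenticator(RP_ID)
    rp.register(auth)
    sid, challenge = rp.begin_login()            # started from the attacker's browser
    try:
        assertion = Browser(PHISH_ORIGIN).same_device_get(auth, RP_ID, challenge)
    except ValueError as e:
        return f"blocked: {e}"
    return "attacker logged in" if rp.finish_login(sid, assertion) else "rejected"


def cross_device_relay(allow_cross_device=True):
    """Attacker's browser on the real origin requests a QR and relays it to the victim."""
    rp, auth = RelyingParty(allow_cross_device), Authenticator(RP_ID)
    rp.register(auth)
    attacker_browser = Browser(REAL_ORIGIN)
    sid, challenge = rp.begin_login()
    try:
        qr = rp.qr_for(sid)                      # shown on the phishing page
    except PermissionError as e:
        return f"blocked: {e}"
    sid_from_qr = qr.split("/", 1)[1]            # victim scans; phone links to attacker's browser
    assertion = attacker_browser.cross_device_get(auth, RP_ID, challenge)
    return "attacker logged in" if rp.finish_login(sid_from_qr, assertion) else "rejected"


if __name__ == "__main__":
    print("legitimate:      ", legitimate_login())
    print("classic relay:   ", classic_phishing_relay())
    print("cross-device:    ", cross_device_relay())
    print("policy disabled: ", cross_device_relay(allow_cross_device=False))
```

The point the model makes explicit is that nothing cryptographic is bypassed: the origin check passes because the origin really is the IdP's, the user really did touch their authenticator, and the only thing the attacker changed is which browser the phone was paired with.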
