AI-powered identity abuse moved from novel to normal this week. On September 12, Okta detailed VoidProxy, a phishing-as-a-service kit that bypasses MFA (Multi-Factor Authentication) by stealing sessions in real time. It targets Microsoft and Google accounts. This is packaged, repeatable, and available to non-experts. Also on September 12, the FBI issued a FLASH about two groups, UNC6040 and UNC6395. The advisory describes vishing and OAuth token abuse to access Salesforce data for theft and extortion. Identity trust in connected SaaS is under pressure.
The Ecosystem Risks of AI Identity Attacks
The Salesforce incident shows the potential impact on the overall ecosystem. Google Threat Intelligence traced the mass Salesforce data theft to Drift integration tokens abused in August. Cloudflare said it rotated 104 API tokens after attackers accessed its Salesforce cases. One third-party integration became a cross-tenant problem.
Consumer impact is visible in losses and support load. The FTC reported $12.5 billion in fraud losses in 2024, up 25% year over year. The agency also flagged a 4x jump in reports of impersonation scams targeting older adults. More deepfakes and token abuse mean more account recoveries, more complaint volume, and faster churn when recovery fails. In February 2024, Arup lost about $25 million after staff were fooled by a deepfaked video call. This September, UK consumer advocate Martin Lewis called for fines worth “tens of billions” for platforms that fail to curb deepfake scam ads. Public pressure and litigation risk are rising.
Platforms are reacting, but incrementally. Microsoft Teams added malicious-link warnings in private chats. This helps with basic phishing, yet adversary-in-the-middle kits still capture sessions unless authentication is phishing-resistant. Link scanning is a useful layer, not a substitute for passkeys or hardware-backed WebAuthn.
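Why an AitM proxy can relay a password and an OTP but not a passkey: the browser, not the user, writes the page origin into the WebAuthn client data and derives the RP ID from it, and the relying party checks both. The simulation below is an added example, not code from the newsletter or from any vendor named in it; the RP ID, origins, and the proxy hostname are constructed, and the public-key signature check that follows these binding checks in a real verifier is omitted.

```python
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"              # assumed relying-party ID (constructed)
RP_ORIGIN = "https://login.example.com"  # the only origin the RP accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_assertion(browser_origin: str, challenge: bytes) -> dict:
    """Simulate what navigator.credentials.get() hands back. The browser fills
    in origin and rpId from the page it is really on, so a victim typing into
    a proxy page gets proxy-bound data even though the challenge was relayed."""
    rp_id = browser_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": browser_origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP bit set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party binding checks (WebAuthn assertion verification steps);
    returns (accepted, reason). Signature verification would follow on success."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale)"
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user-present flag not set"
    return True, "ok"

def demo() -> dict:
    challenge = os.urandom(32)  # RP-issued per-ceremony nonce, relayed by the proxy
    legit = build_assertion(RP_ORIGIN, challenge)
    proxied = build_assertion("https://evil-proxy.test", challenge)  # constructed
    return {"legit": verify_assertion(legit, challenge),
            "proxied": verify_assertion(proxied, challenge)}
```

Contrast this with an SMS/OTP flow, where nothing the victim submits is tied to the page they submitted it on, so the proxy can forward it unchanged.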
Market expectations are shifting. Consumer services will be judged on three basics: phishing-resistant sign-in, safer app connections, and visible authenticity. Passkeys and hardware-backed WebAuthn should become the default. OAuth scopes must be minimized and lifetimes shortened, with revocation after third-party incidents. Voice and video interactions will need liveness checks or provenance signals in sensitive contexts. Vendors that lag will see higher complaint volume, slower recovery, and weaker retention at renewal.
Bottom line: identity is now the control plane. MFA that stops bots but not AitM (Adversary-in-the-Middle) and deepfakes is insufficient. Trust will hinge on phishing-resistant auth, careful token hygiene, and verifiable human presence.
Supporting signals
FBI FLASH on Salesforce targeting
Event: FBI warned that UNC6040/UNC6395 are accessing Salesforce via vishing and OAuth abuse, enabling data theft and extortion.
Why it matters: Token abuse and social engineering are driving multi-tenant data exposure in popular SaaS. Expect more consumer notices, forced re-auth, and scrutiny of third-party connections.
Watch: Monthly count of public OAuth token revocations and forced re-auth events at major SaaS platforms, including Salesforce-connected ecosystems.
VoidProxy MFA-bypass kit disclosed
Event: Okta detailed VoidProxy, which intercepts credentials, codes, and sessions to undermine SMS/OTP MFA on Microsoft and Google accounts.
Why it matters: Packaged AitM lowers attacker skill requirements. Services that still allow SMS/OTP will see higher account takeover rates and support escalations.
Watch: Share of top consumer platforms offering passkeys as default for sign-in and recovery; reported rates of AitM campaigns targeting Microsoft and Google accounts.