TechSignal.news

SLSH Supergroup Breaches 100+ Enterprises by Targeting SSO. MFA Did Not Stop It.

A coordinated cybercrime alliance called SLSH has targeted more than 100 high-value enterprises by attacking Okta SSO with live vishing operations. Confirmed breaches include Atlassian, HubSpot, Moderna, and Panera Bread. Push-based MFA did not help.

TechSignal.news AI | 5 min read

A coordinated cybercrime alliance called SLSH, combining the social engineering of Scattered Spider, the extortion playbook of LAPSUS$, and ShinyHunters' data theft infrastructure, has actively targeted more than 100 high-value enterprises by attacking Okta SSO and other identity providers. Confirmed breaches include Atlassian, HubSpot, Canva, Epic Games, Moderna, Panera Bread, Match.com, Bumble, Halliburton, ZoomInfo, and SoundCloud.

This is not automated credential spraying. This is human-led social engineering at scale.

How the Attack Works

SLSH runs live vishing operations where attackers impersonate IT support staff, call employees directly, and walk them through fake login portals in real time. A live phishing panel positions the attacker within the active login session, intercepting credentials and MFA tokens simultaneously. One compromised SSO session becomes a skeleton key to every app linked to that identity provider. For most enterprises, that means dozens or hundreds of internal and SaaS applications.

The operation is sophisticated enough that victims often first learn of the breach when their brand appears in SLSH's public Telegram channels, where coordinated harassment is designed to humiliate organizations into paying ransoms.

The Scale Is Alarming

Security firm Silent Push detected active phishing infrastructure targeting organizations across financial services including Blackstone, RBC, and State Street. Healthcare targets include Biogen and Moderna. Technology targets include Atlassian, Canva, Epic Games, HubSpot, and Zoom. Real estate targets include Simon Property Group and Zillow. Critical infrastructure targets include AECOM and Halliburton.

The breadth is the point. SLSH does not specialize in one vertical. They specialize in one attack vector: the identity layer.

Why Standard Defenses Fail

Push-based MFA does not stop this. The attackers intercept MFA tokens in real time during live sessions. Conventional security awareness training does not stop this either. SLSH operators are highly persuasive, coordinated, and adapt their approach to each victim's specific login prompts and verification procedures.

The group targets the identity layer specifically because a single compromised SSO account yields access to the entire enterprise SaaS ecosystem. The blast radius of one successful vishing call can span every application connected to that identity provider.

What Enterprise Security Teams Should Do Now

This is a board-level conversation for any organization using Okta or any centralized SSO provider. The defensive playbook needs to shift immediately.

Deploy phishing-resistant MFA using FIDO2 or WebAuthn hardware keys, not push-based MFA. Implement real-time session anomaly detection that flags impossible travel, unusual device fingerprints, and access patterns that deviate from baseline. Redesign help desk verification procedures so they cannot be socially engineered. Train help desk staff to recognize vishing attempts specifically, not just email phishing.

Audit your SSO blast radius. Know exactly how many applications a single compromised session unlocks. If that number is over 50, your risk exposure from a single successful social engineering call is catastrophic. Reduce it through conditional access policies, session segmentation, and step-up authentication for high-value applications.
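One way to run that blast-radius audit, as an added example rather than code from the article or any vendor: it resolves group and direct app assignments per user, subtracts apps that sit behind step-up authentication, and flags anyone whose single session still unlocks more than 50 apps. The tenant data, names, and data layout are constructed for illustration and do not reflect any identity provider's export format.

```python
"""SSO blast-radius audit over a constructed assignment snapshot."""

THRESHOLD = 50  # the article's cut-off: more than 50 apps behind one session


def blast_radius(user_groups, group_apps, direct_apps, step_up_apps):
    """Map each user to (assigned_apps, apps_one_session_unlocks).

    An app counts as unlocked by a single stolen session unless it sits
    behind step-up authentication.
    """
    report = {}
    for user, groups in user_groups.items():
        apps = set(direct_apps.get(user, ()))
        for group in groups:
            apps |= set(group_apps.get(group, ()))
        report[user] = (len(apps), len(apps - step_up_apps))
    return report


def over_threshold(report, threshold=THRESHOLD):
    """Users whose single-session exposure exceeds the threshold."""
    return sorted(u for u, (_, unlocked) in report.items() if unlocked > threshold)


# Constructed sample tenant (hypothetical names, not an IdP export format).
GROUP_APPS = {
    "everyone": {f"app-{i:03d}" for i in range(40)},
    "engineering": {f"app-{i:03d}" for i in range(30, 60)},
    "finance": {f"fin-{i:02d}" for i in range(15)},
}
USER_GROUPS = {
    "alice": ["everyone", "engineering"],
    "bob": ["everyone", "finance"],
    "carol": ["everyone"],
}
DIRECT_APPS = {"carol": {"payroll-admin"}}
# Apps that require step-up authentication in this sample.
STEP_UP_APPS = (GROUP_APPS["finance"] | {"payroll-admin"}
                | {f"app-{i:03d}" for i in range(55, 60)})

REPORT = blast_radius(USER_GROUPS, GROUP_APPS, DIRECT_APPS, STEP_UP_APPS)

if __name__ == "__main__":
    for user, (total, unlocked) in sorted(REPORT.items()):
        flag = "REDUCE" if unlocked > THRESHOLD else "ok"
        print(f"{user}: {total} assigned, {unlocked} open to one session [{flag}]")
```

In the sample, putting the finance apps behind step-up is what keeps bob under the threshold; alice still needs her engineering assignments trimmed or gated.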

The risk of inaction: SLSH is actively expanding its target list. If you have not been targeted yet, the operational question is when, not if.
