Cross-Tenant Impersonation: Unmasking the Invisible Threat and Fortifying Defenses


Published on Sep 2, 2023   —   2 min read

Members Only

One of the most insidious forms of attack is cross-tenant impersonation. A recent article by Okta Security sheds light on this sophisticated attack vector, detailing how threat actors exploit social engineering and identity federation features to impersonate highly privileged users within an organization. This blog post aims to dissect the mechanics of such attacks and offer actionable insights for prevention and detection.

The Anatomy of Cross-Tenant Impersonation Attacks

In a typical scenario, attackers use social engineering techniques to manipulate IT service desk personnel into resetting Multi-factor Authentication (MFA) factors for highly privileged users. Once this is achieved, they gain access to Okta Super Administrator accounts, which are then used to abuse identity federation features. This enables them to impersonate users within the compromised organization.

Tactics, Techniques, and Procedures (TTPs)

  • Credential Manipulation: Attackers either have passwords to privileged user accounts or manipulate the delegated authentication flow via Active Directory.
  • Anonymization: The threat actor accesses the compromised account using anonymizing proxy services, making detection more challenging.
  • Privilege Escalation: Compromised Super Administrator accounts are used to assign higher privileges to other accounts or reset enrolled authenticators in existing administrator accounts.

This post is for subscribers only

Subscribe now and have access to all our stories, enjoy exclusive content and stay up to date with constant updates.


Already have an account? Sign in

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.