Customers of cloudy identification vendor Okta are reporting social engineering attacks targeting their IT service desks in attempts to compromise user accounts with administrator permissions.

“Multiple US-based Okta customers” have reported these phishing attempts, “in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users,” according to a security alert published on Thursday.

“The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization,” the alert continued.

According to Okta chief security officer David Bradbury, the company spotted the campaign beginning July 29, and it continued until August 19.

“We don’t have visibility into which customers were targeted, but we know that four customers were affected within the three-week period since we’ve begun tracking these activities,” he told The Register.

When asked if Okta attributed the attacks to a particular group, Bradbury said “other cyber security companies have linked this behavior to threat actors known as Scattered Spider.”

Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, has bee