What we are seeing.
At approximately 06:14 ET, the Security Operations Center began observing a coordinated phishing wave impersonating Northgate IT Helpdesk. The lure claims that the recipient's Okta session has expired and requires "immediate re-authentication" to avoid account lockout in 24 hours.
The messages are convincingly branded, use our internal ticket numbering scheme, and reference the actual name of the employee's direct manager — suggesting reconnaissance via LinkedIn or a prior data exposure. Early telemetry shows 11 users have clicked the link; we are working individually with those accounts.
If you entered credentials into a site called northgate-okta-verify.com in the last 24 hours — stop reading, call x4911 now, and disconnect your laptop from the network.
What the email looks like.
A redacted sample of the phishing message, as it appears in Outlook. Hover-preview of any link reveals the true destination.
Our security scanner flagged unusual sign-in activity on your Northgate account from an unrecognized device in Warsaw, PL. As a precaution, your Okta session will be terminated in 24 hours unless you re-verify your credentials.
Your manager, [Manager Name], has been notified. Please re-authenticate using the secure link below:
— Northgate IT Helpdesk · Ticket #NG-884217
IOCs — block, report, and watch for.
These indicators are shared for your personal vigilance; our email gateway and EDR have been updated. If you see any of these artifacts outside of corporate-managed tooling, report them immediately.
| Type | Indicator | First Seen |
|---|---|---|
| DOMAIN | northgate-okta-verify.com | 2025-11-14 06:07 |
| DOMAIN | mail-verify-9921.cc | 2025-11-14 06:11 |
| URL | hxxps://northgate-okta-verify[.]com/sso/login?u= | 2025-11-14 06:14 |
| IP | 185.244.192.47 (sender) · AS202425, NL | 2025-11-14 06:14 |
| IP | 103.77.88.214 (credential drop) | 2025-11-14 06:28 |
| SHA-256 | a1f4c9…e73b2d (attached "Okta_Verify.html") | 2025-11-14 07:02 |
| SHA-256 | 9c2d88…41ae70 (second-stage payload) | 2025-11-14 07:49 |
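
For teams that review their own proxy or mail logs, the following added example (not part of the original advisory) refangs log text and checks it against the domain and IP indicators in the table above. The log format, sample lines, and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators from the advisory table. The two SHA-256 values are truncated
# in the advisory, so they are left out rather than guessed.
IOC_DOMAINS = {"northgate-okta-verify.com", "mail-verify-9921.cc"}
IOC_IPS = {"185.244.192.47", "103.77.88.214"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def refang(text):
    """Undo common defanging (hxxp, [.], (.), [:]) so URLs parse normally."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"[\[(]([.:])[\])]", r"\1", text)

def ioc_domain(host):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    Matching is label-aligned, so look-alike suffixes do not count."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

def match_line(line):
    """Return the sorted advisory indicators present in one log line."""
    line = refang(line)
    hits = {ip for ip in IP_RE.findall(line) if ip in IOC_IPS}
    for url in URL_RE.findall(line):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed URL in the log; skip it
            continue
        if ioc_domain(host):
            hits.add(ioc_domain(host))
    return sorted(hits)

# Constructed sample lines in an assumed "key=value" proxy log format.
SAMPLE_LOG = [
    "2025-11-14T06:31:02 user=u1001 dst=103.77.88.214 url=https://northgate-okta-verify.com/sso/login?u=EXAMPLE",
    "2025-11-14T06:40:10 user=u1002 dst=10.0.0.5 url=https://okta.northgate.internal/login",
    "2025-11-14T06:41:55 user=u1003 dst=198.51.100.7 url=hxxps://login.mail-verify-9921[.]cc/x",
    "2025-11-14T06:42:03 user=u1004 dst=198.51.100.9 url=https://northgate-okta-verify.com.example.net/",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        found = match_line(entry)
        if found:
            print(found, "<-", entry)
```

The last sample line is a deliberate near-miss: the indicator appears only as a prefix of another hostname, so it is not reported.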
What you must do today.
Reset your password
All Northgate employees must reset their SSO password via okta.northgate.internal. Passphrases of 16+ characters are required.
DUE BY FRI · 17:00 ET
Re-enroll MFA
After password reset, re-register your authenticator. Remove any device you do not personally recognize in the Okta dashboard.
DUE BY FRI · 17:00 ET
Report & delete the email
Use the "Report Phish" button in Outlook. Do not forward to colleagues. After reporting, delete from Inbox and Deleted Items.
Complete the 8-min refresher
A short KnowBe4 module titled "Spotting Okta Impersonation" has been assigned to your learning queue.
DUE BY MON · 18 NOV
One click is all it takes — and also all it takes to stop it.
These attackers did their homework. They used real names, real ticket formats, and real urgency. Reporting fast is how we contain them, not shame — if you clicked, tell us. We will help, not punish.
Thank you for taking this seriously. A follow-up advisory with remediation metrics will be circulated Monday morning.
Classification: TLP:AMBER
Supersedes: none