In early March 2026, Okta Threat Intelligence released a comprehensive threat advisory titled SMS Pumping | Threat Advisory | Okta Threat Intelligence. The report details a coordinated, high‑volume campaign that exploits disposable email infrastructure and commodity proxy services to trigger SMS delivery on identity platforms, driving up telephony costs for victims. This article translates the advisory into a practical threat report that security analysts can apply immediately.
Executive Summary
The campaign—internally classified as O‑UNC‑036—leverages a revolving pool of shared disposable email domains and anonymized IP sources (VPNs, residential botnets, anonymizing proxies) to create thousands of fake accounts. Attackers then register these accounts on Okta, Auth0, or other login portals, add a personal phone number, and flood the system with SMS verification requests. The goal is to generate exorbitant international or premium‑rate SMS charges, costing targeted organizations hundreds of thousands of dollars.
Threat Actor Profile
While the report does not name a specific group, the operation exhibits traits of a financially motivated, opportunistic threat actor: persistent, automated, and indifferent to the target’s identity. The use of disposable email domains and high‑cost phone country codes indicates a well‑resourced, adaptive operation with a clear revenue model.
Tactics, Techniques & Procedures (TTPs)
- Reconnaissance & Enumeration: Identify MFA or registration endpoints that trigger SMS.
- Infrastructure Setup: Deploy commodity proxy services to distribute source IPs, bypassing IP‑based rate limits.
- High‑Volume Requests: Automate account creation with disposable email addresses and SMS‑enabled phone numbers in high‑cost regions.
- Cluster Activity: Use the O‑UNC‑036 disposable domain pool to cycle accounts, evading tenant‑level velocity checks.
Detection
Okta and Auth0 provide distinct event types that signal abuse. Look for spikes in the following categories:
- Okta:
system.sms.send_okta_push_verify_messageandsystem.sms.send_factor_verify_messagewithreason=Toll Fraud Suspected. - Okta:
system.email.new_device_notification.sent_messageassociated with suspicious ASNs. - Auth0: Guardian events such as
gd_enrollment_completeandgd_send_sms, as well asMFA bypassevents in Security Center. - Both platforms: High volumes of SMS sent to countries outside the organization’s normal operating regions.
Additionally, any account registered with an email from the indicator list is automatically suspect. Administrators should audit logs for the past 12 months to assess past impact.
Indicators of Compromise (IOCs)
| Domain |
|---|
| 2mails1box.com |
| 300bucks.net |
| blueink.top |
| desumail.com |
| e-boss.xyz |
| e-mail.lol |
| echat.rest |
| electroletter.space |
| emailclub.net |
| energymail.org |
| gogomail.ink |
| gopostal.top |
| guesswho.click |
| homingpigeon.org |
| kakdela.net |
| letters.monster |
| lostspaceship.net |
| message.rest |
| myhyperspace.org |
| mypost.lol |
| postalbro.com |
| protonbox.pro |
| rocketpost.org |
| sendme.digital |
| shroudedhills.com |
| specialmail.online |
| ultramail.pro |
| whyusoserious.org |
| wirelicker.com |
| writeme.live |
| writemeplz.net |
| ASN |
|---|
| 212238 |
| 16276 |
| 44477 |
| 26548 |
| 200373 |
| 137409 |
| 214483 |
| 13213 |
| 397368 |
Protective Controls & Response
Okta and Auth0 recommend a layered approach that removes SMS as a primary authentication factor and hardens registration paths:
- Adopt FIDO2/WebAuthn passkeys to replace SMS/voice factors. This eliminates the attack vector entirely.
- Block disposable email domains. Use the indicator list to deny account creation from those addresses.
- Restrict IP sources. Implement edge‑level blocking for ASNs and TLS client fingerprints that appear in the IOC list.
- Limit SMS destinations. Configure your telephony provider to reject messages to untrusted or high‑cost countries.
- Lower rate limits. Reduce the number of accounts that can be created per IP per minute to slow automated scripts.
- Enable bot detection & CAPTCHA. Use Auth0’s Tenant Access Control List or Okta’s Identity Defense workflows to challenge suspicious sign‑ups.
- Actively deactivate suspect accounts. Use the Okta API or Auth0’s bulk user management to disable accounts tied to IOC domains or ASNs.
- Monitor for toll‑fraud events. Set up alerts for
reason=Toll Fraud Suspectedand high‑volume SMS spikes. - Engage support. Contact Okta or Auth0 support for tailored rate‑limit adjustments and to share IOC lists.
These controls have proven effective. The report notes that when attackers encounter friction—such as mandatory passkeys or blocked IP ranges—they abandon the target, halting the attack before significant financial damage occurs.
Conclusion
The SMS pumping campaign demonstrates how identity platforms can be weaponised to create costly telephony fraud. By applying the detection rules, blocking indicators, and migrating to passkey‑based authentication, organizations can neutralise this threat. Continuous monitoring, log review, and timely response remain essential to mitigate emerging variants of this campaign.

