ShinyHunters Exploit Advanced Vishing to Breach SaaS Platforms for Extortion

ShinyHunters’ Sophisticated Vishing Attacks Compromise SaaS Platforms

In a recent development, cybersecurity firm Mandiant has identified a surge in cyberattacks that mirror the tactics of the notorious hacking group ShinyHunters. These attacks employ advanced voice phishing (vishing) techniques and counterfeit credential harvesting websites designed to impersonate targeted organizations. The primary objective is to illicitly obtain Single Sign-On (SSO) credentials and Multi-Factor Authentication (MFA) codes, thereby gaining unauthorized access to victims’ environments.

The ultimate aim of these cybercriminals is to infiltrate cloud-based Software-as-a-Service (SaaS) applications, exfiltrate sensitive data, and leverage this information for extortion purposes. Mandiant’s threat intelligence team is monitoring this activity under several clusters, including UNC6661, UNC6671, and UNC6240 (also known as ShinyHunters). This classification accounts for the possibility that these groups are either evolving their methods or emulating previously observed tactics.

Mandiant’s analysis reveals that these threat actors are expanding their focus to a broader range of cloud platforms in their quest for sensitive data to exploit. Notably, there has been an escalation in extortion tactics, with recent incidents involving the harassment of victim organization personnel, among other aggressive strategies.

Detailed Breakdown of the Vishing and Credential Theft Activities:

– UNC6661: This group has been observed impersonating IT staff in calls to employees of targeted organizations. They direct these employees to fraudulent credential harvesting sites under the pretense of updating their MFA settings. This activity was particularly prevalent between early and mid-January 2026. Once the attackers obtain the credentials, they register their own devices for MFA, enabling lateral movement across the network to exfiltrate data from SaaS platforms. In at least one instance, the threat actors used compromised email accounts to send phishing emails to contacts at cryptocurrency-focused companies, subsequently deleting these emails to cover their tracks. Following this, extortion activities were conducted by UNC6240.

– UNC6671: Similar to UNC6661, this group impersonates IT staff to deceive victims into providing their credentials and MFA codes on counterfeit credential harvesting sites. Since early January 2026, they have gained access to Okta customer accounts and utilized PowerShell to download sensitive data from SharePoint and OneDrive. Differences between UNC6661 and UNC6671 include the use of different domain registrars for registering the fraudulent domains and variations in the extortion emails sent post-compromise. These distinctions suggest that different individuals may be involved, highlighting the fluid nature of these cybercrime groups. The targeting of cryptocurrency firms indicates that the attackers are exploring additional avenues for financial gain.

Recommendations to Mitigate Threats to SaaS Platforms:

To counteract the threats posed to SaaS platforms, Google has provided a comprehensive list of hardening, logging, and detection recommendations:

1. Enhance Help Desk Processes: Implement procedures that require personnel to verify their identity through live video calls.

2. Restrict Access: Limit access to trusted egress points and physical locations; enforce strong passwords; and eliminate SMS, phone call, and email as authentication methods.

3. Control Management-Plane Access: Restrict access to management interfaces, audit for exposed secrets, and enforce device access controls.

4. Implement Comprehensive Logging: Increase visibility into identity actions, authorizations, and SaaS export behaviors.

5. Monitor for Anomalies: Detect MFA device enrollment and lifecycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall; and monitor for identity events occurring outside normal business hours.
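As an added illustration of recommendation 5 (example code written for this page, not from Mandiant, Google, or the original article), the following Python flags MFA factor lifecycle changes, a factor enrolment from a different client IP than the actor's preceding session, and identity events outside business hours, over a handful of constructed sample events. The event type strings follow Okta's system log naming; the record shape, field names and the business-hours window are assumptions.

```python
"""Detection logic for recommendation 5, run over constructed identity-log
events. Records use a simplified, Okta-style shape (eventType, published,
actor, client_ip); shape, field names and hours window are assumptions."""
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 UTC working window
MFA_LIFECYCLE = {"user.mfa.factor.activate", "user.mfa.factor.deactivate",
                 "user.mfa.factor.reset_all"}
SESSION_EVENTS = {"user.session.start", "user.authentication.sso"}

SAMPLE_EVENTS = [  # constructed records, not real log data
    {"eventType": "user.session.start", "published": "2026-01-12T09:15:00Z",
     "actor": "alice@example.test", "client_ip": "203.0.113.10"},
    # Factor enrolled minutes later from a different address: the step where
    # the article says the attackers register their own MFA device.
    {"eventType": "user.mfa.factor.activate", "published": "2026-01-12T09:17:30Z",
     "actor": "alice@example.test", "client_ip": "198.51.100.7"},
    {"eventType": "user.authentication.sso", "published": "2026-01-12T23:40:00Z",
     "actor": "alice@example.test", "client_ip": "198.51.100.7"},
    {"eventType": "user.session.start", "published": "2026-01-13T10:02:00Z",
     "actor": "bob@example.test", "client_ip": "203.0.113.11"},
]

def parse_ts(value):
    # fromisoformat() on Python < 3.11 does not accept a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def detect(events, window=timedelta(minutes=30)):
    """Return (rule, actor, eventType, published) tuples for every MFA factor
    lifecycle change, every factor activation whose client IP differs from the
    actor's last session start within `window`, and every event outside
    BUSINESS_HOURS. Events are processed in timestamp order."""
    findings, last_session = [], {}  # last_session: actor -> (ts, client_ip)
    for ev in sorted(events, key=lambda e: e["published"]):
        ts, actor, kind = parse_ts(ev["published"]), ev["actor"], ev["eventType"]
        if kind in SESSION_EVENTS:
            last_session[actor] = (ts, ev["client_ip"])
        if kind in MFA_LIFECYCLE:
            findings.append(("mfa_lifecycle_change", actor, kind, ev["published"]))
            prev = last_session.get(actor)
            if (kind == "user.mfa.factor.activate" and prev
                    and ts - prev[0] <= window and prev[1] != ev["client_ip"]):
                findings.append(("enrolment_ip_mismatch", actor, kind, ev["published"]))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_identity_event", actor, kind, ev["published"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

In production the same three rules would be fed from the identity provider's log export rather than an inline list, and the hours window would come from each tenant's actual working pattern.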

Google emphasizes that this activity is not due to vulnerabilities in vendors’ products or infrastructure. Instead, it underscores the effectiveness of social engineering and highlights the importance of organizations adopting phishing-resistant MFA. Methods such as FIDO2 security keys or passkeys withstand social engineering in ways that push-based or SMS authentication methods do not.