Mandiant Reports ShinyHunters Extortion Tactics, Vishing, and SSO Compromise Target Cloud Environments 

Published
Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Social Engineering: Threat actors are leveraging vishing and victim-branded credential harvesting sites to compromise SSO credentials and MFA codes.
  • Targeted Escalation: They exfiltrate sensitive data from cloud-based SaaS applications, with extortion tactics escalating to include the direct harassment of victim personnel.
  • Defensive Measures: These breaches exploit human factors rather than software flaws, necessitating the adoption of phishing-resistant MFA.

Mandiant has identified a significant expansion in threat activity using tactics, techniques, and procedures (TTPs) consistent with ShinyHunters-branded operations. These actors gain initial access to corporate networks through a combination of voice phishing (vishing) and victim-branded credential-harvesting sites, then apply the extortion tactics associated with ShinyHunters.

By deceiving employees, attackers successfully capture single sign-on (SSO) credentials and multi-factor authentication (MFA) codes, allowing them to bypass perimeter defenses and infiltrate critical systems by registering their own device for MFA.

Tracking Activity Across Threat Clusters

Google Threat Intelligence Group (GTIG) is currently tracking these maneuvers under distinct threat clusters: UNC6661, UNC6671, and UNC6240. This granular tracking is essential for distinguishing between evolving partnerships and potential impersonation activities within the cybercrime ecosystem. 

Attack path diagram | Source: Google’s Mandiant

Once inside the network, the threat actors pivot to target high-value cloud-based software-as-a-service (SaaS) applications. The objective is to exfiltrate sensitive internal communications and proprietary data to fuel subsequent extortion demands. 

Ransom note extract | Source: Google’s Mandiant

UNC6671 showed some TTP similarities with UNC6661. The group gained access to Okta customer accounts and stole sensitive data from SharePoint and OneDrive. Notably, these operations are escalating in aggression, with threat actors now resorting to the harassment of victim employees to increase pressure on organizations.

Mitigating Risks with Phishing-Resistant MFA

Mandiant emphasizes that this surge in activity is not the result of zero-day vulnerabilities in vendor products or infrastructure. Rather, it underscores the persistent effectiveness of social engineering, which reports say is currently among the top ransomware attack vectors.

To combat vishing and credential harvesting, organizations must prioritize cloud platform security by migrating to phishing-resistant MFA.
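As an added example (not from Mandiant's report or this article), a small Python check for the attack path described above: an SSO login from a source IP the user has never used, followed shortly by enrollment of a new MFA factor. The event names, IP addresses and per-user baseline are constructed, Okta-style placeholders, not values from the report.

```python
from datetime import datetime, timedelta

# Constructed SSO audit events (Okta-style names are an assumption); ISO 8601 UTC.
EVENTS = [
    {"ts": "2025-03-03T09:05:00", "user": "alice", "event": "user.session.start", "ip": "203.0.113.7"},
    {"ts": "2025-03-03T09:08:00", "user": "alice", "event": "user.mfa.factor.activate", "ip": "203.0.113.7"},
    {"ts": "2025-03-03T10:00:00", "user": "bob", "event": "user.session.start", "ip": "198.51.100.20"},
    {"ts": "2025-03-03T10:02:00", "user": "bob", "event": "user.mfa.factor.activate", "ip": "198.51.100.20"},
    {"ts": "2025-03-03T11:00:00", "user": "carol", "event": "user.session.start", "ip": "203.0.113.9"},
    {"ts": "2025-03-03T11:45:00", "user": "carol", "event": "user.mfa.factor.activate", "ip": "203.0.113.9"},
]

# Constructed baseline: source IPs each user has logged in from historically.
# A user missing from the baseline is treated as having no familiar IPs.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}}

LOGIN = "user.session.start"
ENROLL = "user.mfa.factor.activate"


def find_suspicious_enrollments(events, known_ips, window=timedelta(minutes=30)):
    """Return one finding per MFA factor enrollment that follows, within `window`,
    a login by the same user from an IP absent from that user's baseline."""
    open_windows = {}  # user -> (login time, ip) of the latest unfamiliar login
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == LOGIN:
            if ip not in known_ips.get(user, set()):  # unfamiliar source: open a window
                open_windows[user] = (ts, ip)
            continue
        if ev["event"] == ENROLL and user in open_windows:
            login_ts, login_ip = open_windows.pop(user)  # each window is judged once
            if ts - login_ts <= window:
                findings.append({"user": user, "ip": login_ip,
                                 "login_ts": login_ts.isoformat(),
                                 "enroll_ts": ts.isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print(f"ALERT: {f['user']} enrolled a factor at {f['enroll_ts']} "
              f"after an unfamiliar login from {f['ip']} at {f['login_ts']}")
```

With the default 30-minute window only alice is flagged; carol's enrollment 45 minutes after her unfamiliar login is not, which shows why the window length is a tuning decision rather than a fixed rule.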

In January, Okta warned of active social engineering campaigns targeting users of its SSO services via phishing attacks that rely on custom-built kits designed for vishing. ShinyHunters claimed these attacks, alleging they published stolen records from Crunchbase (2 million), SoundCloud (30 million), and Betterment (20 million), with more to follow.

In June 2025, GTIG discovered that the ShinyHunters-linked UNC6040 threat actor targeted Salesforce via sophisticated vishing campaigns. In September, the FBI warned of active Salesforce exploitation campaigns by UNC6040, focused on vishing to impersonate IT desks, and UNC6395, which exploited compromised Salesloft Drift OAuth tokens.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: