ShinyHunters Vishing Attacks Bypass MFA to Breach Okta, Microsoft 365, and Google Workspace SaaS Platforms
- Rescana
- 53 minutes ago

Executive Summary
Mandiant, a leading threat intelligence provider under Google Cloud, has uncovered a sophisticated campaign leveraging ShinyHunters-style vishing attacks to compromise multi-factor authentication (MFA) and breach major SaaS platforms. This campaign, attributed to the financially motivated ShinyHunters group and related clusters (UNC6661, UNC6671, and UNC6240), employs advanced social engineering, real-time credential harvesting, and MFA bypass techniques. The attackers target organizations across technology, cryptocurrency, biotech, and other SaaS-heavy sectors, aiming for data theft, extortion, and operational disruption. The campaign’s technical sophistication, rapid evolution, and broad targeting underscore the urgent need for organizations to adopt phishing-resistant MFA, reinforce help desk protocols, and enhance monitoring of identity-based anomalies.
Threat Actor Profile
The ShinyHunters group, active since at least 2020, is a financially motivated cybercrime syndicate known for high-profile data breaches, credential theft, and extortion. Recent activity has been attributed to three clusters: UNC6661, UNC6671, and UNC6240. These clusters share TTPs (tactics, techniques, and procedures) but may operate semi-independently or collaborate opportunistically. UNC6661 and UNC6671 are notable for their use of specific domain registrars (NICENIC and Tucows, respectively) to establish phishing infrastructure, while UNC6240 (the canonical ShinyHunters) specializes in extortion and harassment post-breach. The group’s operations are characterized by rapid adaptation, use of commercial VPN/proxy services for operational security, and a focus on exploiting human factors in authentication workflows.
Technical Analysis of Malware/TTPs
The attack chain begins with vishing, where adversaries impersonate IT or help desk staff and contact employees by phone. Using pretexts such as urgent MFA updates or account security checks, attackers direct targets to highly convincing, company-branded phishing sites. These sites, often registered via NICENIC or Tucows, employ HTTPS and mimic legitimate SSO portals for platforms like Okta, Microsoft 365, Google Workspace, and others.
Once on the phishing site, victims are prompted to enter their SSO credentials and, crucially, their MFA codes. The attackers operate in real time, relaying these credentials to the legitimate SaaS login pages to trigger MFA challenges, which are then harvested from the victim. With both credentials and MFA tokens, attackers register their own devices for MFA, effectively bypassing the victim’s security and establishing persistent access.
Post-compromise, attackers move laterally within the SaaS environment. They leverage OAuth abuse, PowerShell scripts, and native SaaS APIs to access and exfiltrate sensitive data from SharePoint, OneDrive, Salesforce, and other platforms. Compromised email accounts are used to propagate further phishing campaigns, particularly targeting cryptocurrency organizations. The final phase often involves extortion, with attackers threatening to release stolen data and, in some cases, harassing victim personnel to pressure compliance.
Key MITRE ATT&CK techniques observed include T1598.002 (Voice Phishing), T1556.004 (MFA Bypass), T1078 (Valid Accounts), T1566.002 (Spearphishing via Service), T1114 (Email Collection), and T1486 (Data Encrypted for Impact).
Exploitation in the Wild
The campaign has been active since at least early January 2026, with over 100 organizations targeted globally. Sectors most affected include cryptocurrency, technology, biotech, and any enterprise with significant reliance on cloud-based SaaS platforms. Attackers have demonstrated the ability to rapidly adapt their phishing infrastructure, often deleting phishing emails from compromised accounts to evade detection. Use of commercial VPN and proxy services such as Mullvad, Oxylabs, NetNut, and Infatica further complicates attribution and network-based detection.
Real-world incidents have seen attackers exfiltrate large volumes of sensitive data, disrupt business operations, and escalate to extortion and harassment. Notably, the campaign does not exploit software vulnerabilities in SaaS platforms themselves but abuses legitimate authentication and access mechanisms through advanced social engineering.
Victimology and Targeting
The primary targets are organizations with extensive SaaS adoption, particularly those using Okta, Microsoft 365, Google Workspace, Salesforce, Atlassian, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, WeWork, Slack, and DocuSign. The campaign is not limited by geography, with victims identified in North America, Europe, and Asia-Pacific. The attackers prioritize organizations with valuable intellectual property, financial assets, or large user bases, with a particular focus on cryptocurrency exchanges and technology firms.
Victims are typically selected based on their SaaS footprint and the perceived value of their data. The attackers’ use of real-time vishing and credential harvesting allows them to bypass even well-configured MFA deployments, making traditional perimeter defenses insufficient.
Mitigation and Countermeasures
Organizations should immediately review and harden their authentication workflows. Key recommendations include requiring live video verification for all help desk-initiated MFA or password reset requests, removing SMS, phone call, and email as authentication methods, and enforcing phishing-resistant MFA such as FIDO2 security keys or passkeys. SaaS access should be restricted to trusted egress points and physical locations wherever possible.
Comprehensive audit logging must be enabled for all identity actions, authorizations, and SaaS export behaviors. Security teams should monitor for unusual OAuth or app authorization events, anomalous MFA device enrollments, and mailbox manipulation outside normal business hours. Device-based access policies should be enforced for all management planes, and incident response playbooks should be updated to include detection and remediation of identity-based attacks.
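The monitoring points above (MFA enrollment shortly after a sign-in from an unfamiliar or commercial-proxy IP, and OAuth app consent outside business hours) can be expressed as a small hunt over identity logs. The example below is added here and is not Rescana's or Mandiant's code; the event names, field layout, IP ranges and business-hours window are constructed assumptions loosely modeled on an Okta-style system log, not real vendor values.

```python
"""Hunt for the identity anomalies described above in a constructed log sample."""
from datetime import datetime, timedelta
import ipaddress

# Constructed, simplified events; event names and IPs are assumptions, not real log data.
EVENTS = [
    {"ts": "2026-01-12T09:02:11Z", "user": "alice@example.com", "event": "user.session.start", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T09:03:40Z", "user": "alice@example.com", "event": "user.mfa.factor.activate", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T22:15:03Z", "user": "alice@example.com", "event": "app.oauth2.consent.grant", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T10:00:00Z", "user": "bob@example.com", "event": "user.session.start", "ip": "198.51.100.7"},
    {"ts": "2026-01-13T14:30:00Z", "user": "bob@example.com", "event": "user.mfa.factor.activate", "ip": "198.51.100.7"},
]
# Per-user baseline of source IPs seen over a prior window (constructed).
KNOWN_IPS = {"alice@example.com": {"198.51.100.20"}, "bob@example.com": {"198.51.100.7"}}
# Placeholder for commercial VPN/proxy egress ranges taken from your own feed (constructed).
PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
ENROLL_WINDOW = timedelta(minutes=15)   # sign-in followed by enrollment within this window
BUSINESS_HOURS = range(8, 18)           # UTC; assumption for the example


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_proxy(ip):
    return any(ipaddress.ip_address(ip) in net for net in PROXY_RANGES)


def find_anomalies(events, known_ips):
    """Return (user, rule, timestamp) tuples for the two detection rules."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        logins = [e for e in evs if e["event"] == "user.session.start"]
        for e in evs:
            t = parse(e["ts"])
            new_ip = e["ip"] not in known_ips.get(user, set())
            if e["event"] == "user.mfa.factor.activate":
                # New MFA device registered soon after a sign-in from a new or proxy IP
                recent = [l for l in logins if timedelta(0) <= t - parse(l["ts"]) <= ENROLL_WINDOW]
                if recent and (new_ip or is_proxy(e["ip"])):
                    alerts.append((user, "mfa_enroll_after_new_login", e["ts"]))
            elif e["event"] == "app.oauth2.consent.grant" and t.hour not in BUSINESS_HOURS:
                # App authorization granted outside the defined business-hours window
                alerts.append((user, "oauth_consent_off_hours", e["ts"]))
    return alerts
```

In the sample, alice's enrollment 90 seconds after a sign-in from a proxy range and her late-evening app consent both fire, while bob's enrollment a day later from a known IP does not.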
User awareness training should emphasize the risks of vishing and the importance of verifying all IT-related requests through official channels. Regular phishing simulations and red team exercises can help identify gaps in both technical controls and user behavior.
References
Google Cloud Threat Intelligence Blog: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Mandiant/Google Cloud: Proactive Defense Against ShinyHunters-Branded Data Theft
MITRE ATT&CK Techniques: https://attack.mitre.org/
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our platform leverages real-time intelligence, automated workflows, and deep analytics to provide actionable insights and strengthen your organization’s security posture. For questions or to discuss how Rescana can help you address emerging threats, contact us at ops@rescana.com.