Mandiant details how ShinyHunters abuse SSO to steal cloud data

Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.

As first reported by BleepingComputer, threat actors are impersonating corporate IT and helpdesk staff and calling employees directly, claiming that MFA settings must be updated. During the call, the targeted employee is directed to a phishing site that resembles their company's login portal.

According to Okta, these sites use advanced phishing kits that allow threat actors to display interactive dialogs while on the phone with a victim.


While still talking to the targeted employee, the attacker relays the stolen credentials in real time, triggers legitimate MFA challenges, and tells the target how to respond, including approving push notifications or entering one-time passcodes.

This allows attackers to successfully authenticate with the stolen credentials and enroll their own devices in MFA.

Once they gain access to an account, they log in to the company's Okta, Microsoft Entra, or Google SSO dashboard, which acts as a centralized hub listing all SaaS applications the user has permission to access.

Example Microsoft Entra SSO Dashboard

These applications include Salesforce, a primary target of ShinyHunters, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive, and many other internal and third-party platforms.

For threat actors focused on data theft and extortion, the SSO dashboard becomes a springboard to an organization's cloud data, allowing them to access multiple services from a single compromised account.

The ShinyHunters extortion group confirmed to BleepingComputer that they and some of their affiliates are behind these attacks. The extortion group also claims that other threat actors have since carried out similar attacks.

Soon after the details of these attacks became public, the ShinyHunters extortion gang launched a data-leak site, where it began leaking data associated with these attacks.

Today, Google Threat Intelligence Group/Mandiant released a report saying it is tracking this activity across different threat clusters tracked as UNC6661, UNC6671, and UNC6240 (ShinyHunters).

Multiple threat actors are conducting attacks

Mandiant says UNC6661 poses as IT staff when calling targeted employees and directs them to company-branded phishing domains used to capture SSO credentials and MFA codes. After logging in, the attackers registered their own MFA device to retain access.

They used this access to steal data from cloud applications based on whatever permissions were available through the compromised SSO session. Mandiant believes this activity is opportunistic, with the threat actors targeting whatever SaaS applications are available.

However, it should be noted that ShinyHunters has told BleepingComputer in the past that their primary focus is Salesforce data.

Vishing attack phases
Source: Mandiant

Mandiant shared examples of the logs that were generated during the data theft attacks:

  • Microsoft 365 and SharePoint events showing file downloads where the User-Agent identifies PowerShell, indicating that scripts or tools were used to download data.
  • Salesforce login activity originating from IP addresses later identified as used by the threat actors.
  • DocuSign audit logs showing bulk document downloads tied to the same IOCs.

In one breach involving an Okta customer, Mandiant says the attackers enabled a Google Workspace add-on called "ToogleBox Recall," a tool they used to search for and delete emails to hide their activity.

"In at least one incident where the threat actor gained access to an Okta customer account, UNC6661 enabled the ToogleBox Recall add-on for the victim's Google Workspace account, a tool designed to search for and permanently delete emails," explains Mandiant.

"They then deleted a 'Security method enrolled' email from Okta, almost certainly to prevent the employee from knowing that their account was associated with a new MFA device."

Mandiant says that the internet domains used in the UNC6661 attacks were registered through NICENIC and commonly used the format <companyname>sso.com or <companyname>internal.com.

While the initial intrusion and data theft attacks are attributed to UNC6661, Mandiant says the extortion demands were sent by ShinyHunters, aka UNC6240, and included a Tox messenger ID used by them in previous extortion attempts.

Snippet of the ShinyHunters ransom note
Source: Mandiant

Mandiant says another threat cluster tracked as UNC6671 is using similar vishing techniques, but with its phishing domains registered through Tucows instead.

Unlike UNC6661, UNC6671's extortion demands were not sent under the ShinyHunters name, used a different Tox ID for negotiation, and relied on aggressive pressure tactics, including harassing company personnel.

Mandiant says the phishing domains used in these attacks follow common naming patterns designed to impersonate corporate portals:

  • Corporate SSO portals: <companyname>sso[.]com, my<companyname>sso[.]com, and my-<companyname>sso[.]com
  • Internal portals: <companyname>internal[.]com, www.<companyname>internal[.]com, and my<companyname>internal[.]com
  • Support and helpdesk themes: <companyname>support[.]com, ticket-<companyname>[.]support, and support-<companyname>[.]com
  • Identity provider impersonation: <companyname>okta[.]com, <companyname>azure[.]com, and on<companyname>zendesk[.]com
  • Access portals: <companyname>access[.]com, www.<companyname>access[.]com, and my<companyname>acess[.]com

For example, matchinternal[.]com was used in the recent breach at Match Group, which exposed data from the popular Hinge, Tinder, OkCupid, and Match dating sites.
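As an added example (not from Mandiant's report or the article), the Python matcher below turns the naming families above into regular expressions and triages a list of newly observed domains against a set of monitored brand names, for example from a certificate-transparency or new-registration feed. The feed and the "examplecorp" brand are constructed; the last family accepts both "access" and the misspelled "acess" seen in the wild.

```python
import re

# Pattern families reported in the article, with {c} standing for the company
# name. The last family accepts both "access" and the reported "acess" spelling.
FAMILIES = {
    "sso":      r"^(?:my-?)?{c}sso\.com$",
    "internal": r"^(?:www\.|my)?{c}internal\.com$",
    "support":  r"^(?:{c}support\.com|ticket-{c}\.support|support-{c}\.com)$",
    "idp":      r"^(?:{c}okta\.com|{c}azure\.com|on{c}zendesk\.com)$",
    "access":   r"^(?:www\.|my)?{c}ac+ess\.com$",
}

def normalize(domain):
    """Lower-case, re-fang '[.]' and drop a trailing dot so feeds and defanged IOCs compare equal."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def classify(domain, brands):
    """Return (brand, family) if the domain fits an impersonation family for any brand, else None."""
    d = normalize(domain)
    for brand in brands:
        c = re.escape(brand.lower())
        for family, template in FAMILIES.items():
            if re.fullmatch(template.format(c=c), d):
                return (brand, family)
    return None

def triage_feed(domains, brands):
    """Filter newly observed domains down to suspected impersonation domains with their classification."""
    return [(normalize(d), *hit) for d in domains if (hit := classify(d, brands))]

# Constructed sample feed: matchinternal[.]com is named in the article; the
# "examplecorp" entries are made up for illustration.
SAMPLE_FEED = [
    "matchinternal[.]com", "my-examplecorpsso.com", "onexamplecorpzendesk.com",
    "ticket-examplecorp.support", "myexamplecorpacess.com", "examplecorp-news.com",
]

if __name__ == "__main__":
    for row in triage_feed(SAMPLE_FEED, ["match", "examplecorp"]):
        print(row)
```

Matches are exact per family, so a hit is a strong signal for takedown or blocklisting rather than a fuzzy lookalike score.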

Mandiant notes that many IP addresses tied to the campaign belong to commercial VPN services or residential proxy networks, such as Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks.

Mandiant also says that defenders should prioritize the following behavioral detections to identify these types of attacks:

  • SSO account compromise followed by rapid data exfiltration from SaaS platforms.
  • PowerShell User-Agent accessing SharePoint or OneDrive
  • Unexpected Google Workspace OAuth authorization for ToogleBox Recall
  • Deletion of MFA modification notification emails
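As an added example (not part of the article or of Mandiant's published rules), the Python below implements the first two detections over constructed events: a PowerShell User-Agent downloading from SharePoint/OneDrive, and a new MFA method registration followed within a short window by bulk downloads from the same account. Field and operation names are placeholders loosely modelled on Microsoft 365 and Entra audit records, not a real tenant's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field and operation names are placeholders loosely
# modelled on Microsoft 365 / Entra audit records, not a real tenant's schema.
PS_UA = "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.1"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
EVENTS = [
    {"time": "2026-01-10T14:02:11", "user": "a.user@example.com", "workload": "Entra",
     "op": "MfaMethodRegistered", "ua": BROWSER_UA},
    {"time": "2026-01-10T14:09:40", "user": "a.user@example.com", "workload": "SharePoint",
     "op": "FileDownloaded", "ua": PS_UA},
    {"time": "2026-01-10T14:09:41", "user": "a.user@example.com", "workload": "OneDrive",
     "op": "FileDownloaded", "ua": PS_UA},
    {"time": "2026-01-10T14:09:43", "user": "a.user@example.com", "workload": "SharePoint",
     "op": "FileDownloaded", "ua": PS_UA},
    {"time": "2026-01-10T09:30:00", "user": "b.user@example.com", "workload": "SharePoint",
     "op": "FileDownloaded", "ua": BROWSER_UA},
    {"time": "2026-01-10T09:31:00", "user": "c.user@example.com", "workload": "OneDrive",
     "op": "FileDownloaded", "ua": PS_UA},
]

def powershell_downloads(events):
    """Detection: SharePoint/OneDrive file downloads whose User-Agent identifies PowerShell."""
    return [e for e in events
            if e["op"] == "FileDownloaded"
            and e["workload"] in ("SharePoint", "OneDrive")
            and "powershell" in e["ua"].lower()]

def mfa_enrollment_then_exfil(events, window=timedelta(minutes=30), min_downloads=3):
    """Detection: a new MFA method registration followed within `window` by bulk
    downloads from the same account. Returns the sorted list of affected users."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e))
    flagged = set()
    for user, evs in by_user.items():
        for t0, e in evs:
            if e["op"] != "MfaMethodRegistered":
                continue
            downloads = sum(1 for t, x in evs
                            if x["op"] == "FileDownloaded" and t0 <= t <= t0 + window)
            if downloads >= min_downloads:
                flagged.add(user)
    return sorted(flagged)

if __name__ == "__main__":
    print(len(powershell_downloads(EVENTS)), mfa_enrollment_then_exfil(EVENTS))
```

In a real deployment the window and threshold are tuned to the tenant's baseline, and the PowerShell check is scoped to exclude known automation accounts.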

To help organizations defend against these types of attacks, Mandiant has released hardening, logging, and detection recommendations against ShinyHunters vishing attacks.

This guidance is organized around hardening identity workflows and authentication resets, logging the right telemetry, and detections designed to find post-vishing behavior before data theft occurs.

Mandiant has also released rules for Google SecOps to detect ShinyHunters activity.
