Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms - The Hacker News

The Hacker News, archived Jun 19, 2026

Ravie Lakshmanan, Jan 31, 2026. Social Engineering / SaaS Security

Google-owned Mandiant on Friday said it identified an "expansion in threat activity" that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters.

The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. The end goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to siphon sensitive data and internal communications and extort victims.

The tech giant's threat intelligence team said it's tracking the activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), so as to account for the possibility that these groups could be evolving their modus operandi or mimicking previously observed tactics.

"While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion," Mandiant noted. "Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics."

Details of the vishing and credential theft activity are as follows:

- UNC6661 has been observed pretending to be IT staff in calls to employees at targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their MFA settings. The activity was recorded between early and mid-January 2026. The stolen credentials are then used to register an attacker-controlled device for MFA and to move laterally across the network to exfiltrate data from SaaS platforms. In at least one case, the threat actor weaponized access to compromised email accounts to send more phishing emails to contacts at cryptocurrency-focused companies; the emails were subsequently deleted to cover their tracks. This is followed by extortion activity conducted by UNC6240.
- UNC6671 has also been identified as impersonating IT staff to deceive victims as part of efforts to obtain their credentials and MFA authentication codes on victim-branded credential harvesting sites since early January 2026. In at least some instances, the threat actors gained access to Okta customer accounts. UNC6671 has also leveraged PowerShell to download sensitive data from SharePoint and OneDrive.

The differences between UNC6661 and UNC6671 relate to the use of different domain registrars for registering the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), as well as the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators. This indicates that different sets of people may be involved, illustrating the amorphous nature of these cybercrime groups. What's more, the targeting of cryptocurrency firms suggests that the threat actors may also be looking to explore further avenues for financial gain.

It's worth noting that UNC6661 and UNC6671 are far from the only clusters to have engaged in vishing attacks to breach enterprise networks. In June 2025, Google Threat Intelligence Group (GTIG) exposed another threat actor known as UNC6040 that carried out voice phishing campaigns to breach organizations' Salesforce instances for large-scale data theft and extortion attacks.

"We haven't seen any indications that UNC6040 was involved in the extortion activity for this latest campaign," Mandiant told The Hacker News via email. "While we cannot rule out future UNC6040 activity, we attribute the latest extortion activity to UNC6661, which GTIG tracks as a separate actor. To date, we've seen no overlap in activity between UNC6661 and UNC6040."

To counter the threat posed to SaaS platforms, Google has outlined a long list of hardening, logging, and detection recommendations:

- Improve help desk processes, including requiring personnel to conduct a live video call to verify a caller's identity.
- Limit access to trusted egress points and physical locations; enforce strong passwords; and remove SMS, phone call, and email as authentication methods.
- Restrict management-plane access, audit for exposed secrets, and enforce device access controls.
- Implement logging to increase visibility into identity actions, authorizations, and SaaS export behaviors.
- Detect MFA device enrollment and MFA life cycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall, or identity events occurring outside normal business hours.

"This activity is not the result of a security vulnerability in vendors' products or infrastructure," Google said. "Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA where possible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based, or SMS authentication are not."

(The story was updated after publication on February 3, 2026, to include a response from Google Mandiant.)
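The last two recommendations above (log identity actions, then detect MFA enrollment and off-hours identity events) can be turned into a simple rule. The following is an added example, not code from the article or from Google/Mandiant: it flags MFA factor changes that occur outside business hours or within a short window of a sign-in from an IP the user has never used before. The event type names are assumed Okta-like System Log types, and the log records are constructed.

```python
"""Flag suspicious MFA enrollments from identity-provider logs.
Event type names are ASSUMED to mirror Okta System Log types; the
sample events below are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Assumed Okta-like event types that change a user's MFA factors.
MFA_LIFECYCLE_TYPES = {"user.mfa.factor.activate",
                       "user.mfa.factor.deactivate",
                       "user.mfa.factor.reset_all"}

# Constructed baseline of IPs each user has historically signed in from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.5"}}

# Constructed sample events (UTC timestamps, sorted later by the function).
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T09:05:00", "type": "user.session.start",      "user": "alice", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T09:20:00", "type": "user.mfa.factor.activate", "user": "alice", "ip": "203.0.113.10"},
    {"ts": "2026-01-14T14:00:00", "type": "user.session.start",      "user": "bob",   "ip": "198.51.100.7"},
    {"ts": "2026-01-14T14:04:00", "type": "user.mfa.factor.activate", "user": "bob",   "ip": "198.51.100.7"},
    {"ts": "2026-01-15T02:30:00", "type": "user.mfa.factor.activate", "user": "alice", "ip": "203.0.113.10"},
]

def flag_mfa_enrollments(events, known_ips, business_hours=(8, 18),
                         window=timedelta(minutes=30)):
    """Return alerts for MFA life cycle events that are off-hours or that
    follow a recent sign-in from a never-before-seen IP for that user."""
    alerts = []
    last_login = {}  # user -> (time, ip) of the most recent session start
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "user.session.start":
            last_login[ev["user"]] = (ts, ev["ip"])
            continue
        if ev["type"] not in MFA_LIFECYCLE_TYPES:
            continue
        reasons = []
        # Weekend or outside the configured hour range counts as off-hours.
        if ts.weekday() >= 5 or not (business_hours[0] <= ts.hour < business_hours[1]):
            reasons.append("off_hours")
        login = last_login.get(ev["user"])
        if (login and ts - login[0] <= window
                and login[1] not in known_ips.get(ev["user"], set())):
            reasons.append("new_ip_recent_login")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "type": ev["type"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_mfa_enrollments(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed data this raises two alerts: Bob's enrollment four minutes after a sign-in from an unknown IP, and Alice's 02:30 factor activation; Alice's daytime enrollment from her usual IP is not flagged.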