Google Threat Intelligence tracks expanded activity consistent with prior ShinyHunters-branded extortion: voice phishing posing as IT (e.g., false “MFA settings update”), victim-branded phishing domains (<company>sso.com, internal, support, and IdP-themed patterns), and theft of SSO credentials plus MFA codes followed by registration of attacker-controlled MFA devices.
UNC6661 (early–mid January 2026) and UNC6671 (early January 2026) overlap on TTPs; UNC6671 more often used Tucows for registration and PowerShell-based SharePoint/OneDrive download. Post-intrusion collection includes high-volume or programmatic SharePoint file access, keyword searches (e.g., confidential, Salesforce, VPN), Salesforce and DocuSign downloads, and in one case Google Workspace ToogleBox Recall authorization to find and delete email, including an Okta “Security method enrolled” message. Follow-on phishing to cryptocurrency contacts from compromised mailboxes and deletion of sent items is described. Extortion is attributed to UNC6240 (Tox overlap, Limewire samples, SHINYHUNTERS DLS, tutanota/onionmail contacts).
Network IOCs are often commercial VPN or residential-proxy addresses, so Mandiant recommends hunting over broad blocking. The article is not a product-vulnerability story; it stresses phishing-resistant MFA (FIDO2/passkeys).
IOCs (11)
IP addresses (9)
- 24.242.93.122
- 73.135.228.98
- 157.131.172.74
- 67.21.178.234
- 142.127.171.133
- 76.70.74.63
- 104.32.172.247
- 85.238.66.242
- 198.52.166.197
Detections (10)
- MFA Bypass Attempt
- Administrator Role Granted Detected
- Network Zone Tampering
- SharePoint High Volume File Access or Download
- Security Compliance Center eDiscovery Content Search Started
- SharePoint Excessive Search Query Volume by User
- Monitor for unusual access patterns to cloud storage — bulk downloads, new access keys, or cross-account access
- Monitor for mass download or enumeration of SharePoint documents and site collections
- Detect phishing emails delivered with suspicious links
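The following is an added example, not code from Google Threat Intelligence, Mandiant, or any product, showing how three of the behaviours summarised above (victim-branded SSO/IdP-themed domains, MFA device registration shortly after a login, and high-volume SharePoint access or keyword searches) can be expressed as detection logic over sample events. The event field names are simplified assumptions loosely modelled on Okta System Log and Microsoft 365 audit records; the corporate egress range, the user and domain names, and the theme-word list beyond the page's sso/internal/support terms are all constructed for the example.

```python
"""Added example, not vendor code: three small detections for the TTPs described
above, run over constructed sample events (assumed, simplified schemas)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Theme words: the page's sso/internal/support plus common IdP terms (assumption).
THEME_WORDS = {"sso", "internal", "support", "okta", "idp", "login", "vpn", "mfa"}


def is_victim_branded_lookalike(domain, brand, legit_domains):
    """True when some label is the brand glued to an SSO/IdP theme word
    (examplesso.com, example-support.net, sso-example.org). Legitimate domains
    and their subdomains are excluded first so sso.example.com is not flagged."""
    d = domain.lower().strip(".")
    if any(d == ld or d.endswith("." + ld) for ld in legit_domains):
        return False
    labels = d.split(".")
    for label in labels[:-1]:                 # skip the TLD
        if brand in label:
            leftover = label.replace(brand, "", 1).strip("-")
            if leftover in THEME_WORDS:
                return True
    return False


CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed corporate egress


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_mfa_enrollment_after_login(events, window=timedelta(minutes=30)):
    """Flag 'MFA factor activated' events that follow a session start by the same
    user within `window` from an IP outside corporate egress: the shape of
    'steal SSO password + MFA code, then register an attacker-controlled device'."""
    last_login, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "user.session.start":
            last_login[ev["user"]] = ev
        elif ev["event"] == "user.mfa.factor.activate":
            login = last_login.get(ev["user"])
            ip = ipaddress.ip_address(ev["ip"])
            outside = not any(ip in net for net in CORP_EGRESS)
            if login and outside and _ts(ev["ts"]) - _ts(login["ts"]) <= window:
                hits.append((ev["user"], ev["ip"], ev["ts"]))
    return hits


def flag_sharepoint_activity(events, bulk_threshold=50, window=timedelta(minutes=10),
                             keywords=("confidential", "salesforce", "vpn")):
    """Return (bulk, searches): users whose peak file-access count inside any
    sliding `window` reaches `bulk_threshold`, and users whose search queries
    contain the keywords the page lists."""
    per_user, searchers = defaultdict(list), defaultdict(set)
    for ev in events:
        if ev["op"] in ("FileAccessed", "FileDownloaded"):
            per_user[ev["user"]].append(_ts(ev["ts"]))
        elif ev["op"] == "SearchQueryPerformed":
            q = ev["query"].lower()
            searchers[ev["user"]].update(k for k in keywords if k in q)
    bulk = {}
    for user, times in per_user.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= bulk_threshold:
            bulk[user] = best
    return bulk, {u: sorted(k) for u, k in searchers.items() if k}


# Constructed sample events (not real telemetry).
IDENTITY_EVENTS = [
    {"ts": "2026-01-10T09:02:11Z", "user": "alice@example.com", "event": "user.session.start", "ip": "198.51.100.23"},
    {"ts": "2026-01-10T09:04:40Z", "user": "alice@example.com", "event": "user.mfa.factor.activate", "ip": "198.51.100.23"},
    {"ts": "2026-01-10T10:15:00Z", "user": "bob@example.com", "event": "user.session.start", "ip": "203.0.113.5"},
    {"ts": "2026-01-11T11:00:00Z", "user": "bob@example.com", "event": "user.mfa.factor.activate", "ip": "203.0.113.5"},
]
SHAREPOINT_EVENTS = (
    [{"ts": f"2026-01-12T14:{m:02d}:{s:02d}Z", "user": "mallory@example.com", "op": "FileDownloaded"}
     for m in range(5) for s in range(0, 60, 5)]          # 60 downloads in 5 minutes
    + [{"ts": f"2026-01-12T09:{m:02d}:00Z", "user": "alice@example.com", "op": "FileAccessed"}
       for m in range(4)]                                   # normal browsing
    + [{"ts": "2026-01-12T14:06:00Z", "user": "mallory@example.com", "op": "SearchQueryPerformed",
        "query": "Salesforce export VPN"}]
)

if __name__ == "__main__":
    print(is_victim_branded_lookalike("examplesso.com", "example", {"example.com"}))
    print(flag_mfa_enrollment_after_login(IDENTITY_EVENTS))
    print(flag_sharepoint_activity(SHAREPOINT_EVENTS))
```

The thresholds and the 30-minute login-to-enrollment window are starting points to tune against a baseline; the page's own advice (hunt on these patterns rather than block the VPN and residential-proxy ranges) is why the identity check keys on the login-then-enroll sequence rather than on the source IP alone.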