The Vishing Vortex: Mandiant Uncovers Sophisticated Attacks Breaching SaaS and Stealing MFA

In a significant cybersecurity alert, Google-owned Mandiant has revealed a concerning escalation in threat activity, pinpointing sophisticated voice phishing (vishing) campaigns that mirror the tactics of the notorious financially motivated hacking group, ShinyHunters. These advanced attacks are designed to bypass multi-factor authentication (MFA) and infiltrate cloud-based Software-as-a-Service (SaaS) platforms, ultimately leading to data exfiltration and extortion.

The Evolving Threat Landscape

Mandiant’s threat intelligence team is tracking this evolving menace under several clusters, including UNC6661, UNC6671, and UNC6240 (the latter being synonymous with ShinyHunters). This multi-cluster approach accounts for the possibility of these groups adapting their methods or mimicking successful past strategies. The core of these operations involves highly deceptive vishing calls combined with convincing, yet bogus, credential harvesting sites that mimic legitimate company portals.

The primary objective is to steal Single Sign-On (SSO) credentials and MFA codes, granting unauthorized access to victim environments. Once inside, threat actors target SaaS applications to siphon sensitive data, internal communications, and then leverage this stolen information for extortion. Mandiant notes a concerning trend: the breadth of targeted cloud platforms is expanding, and extortion tactics are escalating, even including harassment of victim personnel.

Anatomy of a Vishing Attack: UNC6661 and UNC6671

UNC6661: The Impersonating IT Staff

Observed between early and mid-January 2026, UNC6661 operators impersonate IT staff during calls to employees. They direct victims to credential harvesting links under the guise of updating MFA settings. Once credentials are stolen, the attackers register their own devices for MFA, enabling lateral movement within the network and data exfiltration from SaaS platforms. In a particularly insidious move, they’ve weaponized compromised email accounts to launch further phishing campaigns, specifically targeting contacts at cryptocurrency-focused companies, before deleting the emails to cover their tracks. This activity often precedes extortion efforts by UNC6240.

UNC6671: Credential Theft and Data Exfiltration

Since early January 2026, UNC6671 has also been active, employing similar tactics of IT staff impersonation to trick victims into divulging credentials and MFA codes on fake, victim-branded sites. Notably, this group has successfully gained access to Okta customer accounts in some instances. UNC6671 has also demonstrated the capability to leverage PowerShell for downloading sensitive data from SharePoint and OneDrive.

While similar, Mandiant highlights key differences between UNC6661 and UNC6671, such as the use of distinct domain registrars (NICENIC for UNC6661 and Tucows for UNC6671) for their harvesting domains. Furthermore, extortion emails linked to UNC6671 activity have not overlapped with known UNC6240 indicators, suggesting the involvement of different individuals or splinter groups, underscoring the fluid nature of these cybercrime operations. The targeting of cryptocurrency firms by these actors also points to a broader search for financial gain.

Google’s Recommendations: Fortifying SaaS Defenses

Google emphasizes that these attacks are not due to vulnerabilities in vendor products but rather the effectiveness of social engineering. To counter this evolving threat, Google has provided a comprehensive list of hardening, logging, and detection recommendations:

  • Enhance Help Desk Security: Implement stringent verification processes, such as requiring live video calls for identity verification.

  • Strengthen Access Controls: Limit access to trusted egress points and physical locations, enforce robust password policies, and eliminate less secure authentication methods like SMS, phone calls, and email-based MFA.
  • Restrict Management Plane Access: Audit for exposed secrets and enforce strict device access controls.
  • Improve Logging and Visibility: Implement comprehensive logging to gain deeper insight into identity actions, authorizations, and SaaS export behaviors.
  • Advanced Detection: Monitor for MFA device enrollment and lifecycle changes, and scrutinize OAuth/app authorization events that could indicate mailbox manipulation (e.g., using utilities like ToogleBox Email Recall) or identity events occurring outside normal business hours.
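The detection recommendations above, and the UNC6661/UNC6671 playbook they respond to (a stolen SSO login followed minutes later by the attacker enrolling their own MFA device, then an app authorization that grants mailbox access, or activity at odd hours), translate naturally into a few correlation rules over identity logs. The following is an added example written for this article, not code from Google, Mandiant or any identity vendor. The sample events, the field names (`ts`, `user`, `type`, `ip`, `factor`, `app`, `scopes`), the event type strings, the scope names and the office hours are all constructed assumptions; a real deployment would map them onto the schema of the IdP or SaaS audit log actually in use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample identity events for this example (not real logs).
# Field names and event type strings are assumptions, not a vendor schema.
SAMPLE_EVENTS_JSON = """
[
 {"ts": "2026-01-12T09:05:00Z", "user": "alice", "type": "user.login",
  "ip": "203.0.113.7", "result": "success"},
 {"ts": "2026-01-12T09:11:00Z", "user": "alice", "type": "mfa.factor.enroll",
  "ip": "203.0.113.7", "factor": "push"},
 {"ts": "2026-01-12T09:20:00Z", "user": "alice", "type": "app.oauth.consent",
  "ip": "203.0.113.7", "app": "Mail Recall Tool",
  "scopes": ["mail.readwrite", "mail.send"]},
 {"ts": "2026-01-12T14:30:00Z", "user": "bob", "type": "user.login",
  "ip": "198.51.100.2", "result": "success"},
 {"ts": "2026-01-13T02:45:00Z", "user": "carol", "type": "user.login",
  "ip": "192.0.2.9", "result": "success"}
]
"""

BUSINESS_HOURS = range(8, 18)               # 08:00-17:59, assumed office hours
OFFICE_TZ = timezone(timedelta(hours=0))    # assumed office timezone (UTC here)
MAIL_SCOPES = {"mail.readwrite", "mail.send"}  # assumed mailbox scope names
ENROLL_WINDOW = timedelta(minutes=30)       # login -> MFA enrollment correlation window


def parse_events(raw):
    """Load JSON events and attach a timezone-aware datetime, oldest first."""
    events = json.loads(raw)
    for e in events:
        e["dt"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["dt"])


def is_off_hours(dt):
    """True when the event falls outside the assumed office hours."""
    return dt.astimezone(OFFICE_TZ).hour not in BUSINESS_HOURS


def flag_events(events):
    """Return {user: [reason, ...]} for events matching the detection rules.

    Rules (one pass over time-ordered events):
      1. any new MFA factor enrollment is reported;
      2. an enrollment shortly after a successful login is reported again
         with the login's source IP, since that is the vishing sequence;
      3. an OAuth/app consent granting mailbox scopes is reported;
      4. any identity event outside business hours is reported.
    """
    findings = defaultdict(list)
    last_login = {}  # user -> most recent successful login event
    for e in events:
        user, kind = e["user"], e["type"]
        if kind == "user.login" and e.get("result") == "success":
            last_login[user] = e
        if kind == "mfa.factor.enroll":
            findings[user].append(f"new MFA factor enrolled ({e.get('factor')})")
            prior = last_login.get(user)
            if prior and e["dt"] - prior["dt"] <= ENROLL_WINDOW:
                findings[user].append(
                    f"MFA enrollment within {ENROLL_WINDOW} of login from {prior['ip']}")
        if kind == "app.oauth.consent" and MAIL_SCOPES & set(e.get("scopes", [])):
            findings[user].append(
                f"OAuth consent granting mailbox scopes to '{e.get('app')}'")
        if is_off_hours(e["dt"]):
            findings[user].append(f"{kind} at {e['ts']} outside business hours")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in flag_events(parse_events(SAMPLE_EVENTS_JSON)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed sample, `alice` is reported three times (a push factor enrolled six minutes after her login, the login-to-enrollment correlation, and a consent granting mail scopes to an unfamiliar app), `carol` once for a 02:45 login, and `bob` not at all. The login-to-enrollment correlation is the rule worth tuning first: a genuine device refresh also produces it, so in practice it is paired with the help-desk verification record and the source IP's relation to the trusted egress points the article recommends enforcing.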

Crucially, Google underscores the importance of transitioning to phishing-resistant MFA methods. Technologies like FIDO2 security keys and passkeys offer superior protection against social engineering tactics compared to push-based or SMS authentication, which remain susceptible to sophisticated vishing and phishing schemes.

As cybercriminals continue to innovate, organizations must prioritize robust security measures and educate their personnel to withstand these increasingly cunning social engineering attacks.
