BlackFile Vishing Campaign: UNC6671 Turns SSO Trust Into an Extortion Pipeline

By Ash K

BlackFile is a reminder that the modern breach does not always start with malware, an exploit, or a noisy perimeter alert. Sometimes it starts with a phone call that sounds enough like IT support to move an employee into the attacker’s workflow.

Google Threat Intelligence Group (GTIG) says UNC6671 has been running an expansive extortion campaign built around voice phishing, single sign-on compromise, and fast abuse of cloud identity. The group’s tradecraft is not exotic in the cinematic sense. It is worse: it is practical, repeatable, and aimed directly at the systems companies now rely on to run everything.

What happened

GTIG reported on May 15, 2026 that it has continued tracking UNC6671, a financially motivated threat actor operating under the “BlackFile” brand. Since emerging in early 2026, the group has targeted dozens of organizations across North America, Australia, and the United Kingdom.

The campaign centers on vishing and identity compromise. Callers impersonate internal IT or help desk personnel and contact employees directly, often on personal mobile phones. The pretext typically involves a mandatory passkey migration, an MFA update, or an SSO enrollment process. That social engineering gives the attacker a believable reason to direct the victim to a credential-harvesting site.

UNC6671 has used lookalike domains and subdomains designed to resemble legitimate enterprise authentication workflows, including themes such as passkey enrollment and SSO setup. GTIG observed examples including <organization>.enrollms[.]com, <organization>.passkeyms[.]com, and <organization>.setupsso[.]com.

How the attack works

The vishing call functions as a live adversary-in-the-middle operation. The victim is directed to a fake SSO portal, enters credentials, and the threat actor relays those credentials into the legitimate identity provider in real time.

When the real service issues an MFA challenge, the victim is coached into approving it or providing the code, believing they are completing a legitimate setup process. Once inside, the attacker quickly moves to security settings and attempts to register a new attacker-controlled MFA device. That step is critical because it can convert a short-lived social engineering win into persistent access.

GTIG says the group primarily targets Microsoft 365 and Okta infrastructure, then uses the compromised SSO session to move across SaaS applications. Observed targets include SharePoint, OneDrive, Zendesk, and Salesforce. In several intrusions, the actors searched for terms such as “confidential” and “SSN” to prioritize sensitive material.

The exfiltration layer

BlackFile’s operation becomes especially dangerous after authentication succeeds. GTIG observed UNC6671 moving from manual browsing to scripted data theft, using Python and PowerShell to harvest data from Microsoft 365 environments.

In some cases, the actors used Microsoft Graph, the python-requests library, and PowerShell to issue direct HTTP GET requests against document resource URLs. GTIG also reported that the actors reused valid session cookies, including FedAuth, captured during the initial compromise to stream file content directly to attacker-controlled infrastructure.

This matters for detection. A file streamed this way may appear as a FileAccessed event rather than a FileDownloaded event. Many SOC workflows still prioritize download events and treat access events as lower severity, which gives the attacker room to move through large volumes of data without matching the most obvious exfiltration pattern.

The scale can be significant. GTIG reported one case where a Python script accessed and downloaded more than one million individual files from a victim’s SharePoint and OneDrive environments. In another case, the actor rapidly iterated through tens of thousands of SharePoint file interactions.

Extortion without ransomware

BlackFile is not primarily a ransomware story. It is a data-theft extortion story built on SaaS access, identity abuse, and pressure tactics.

GTIG says UNC6671 begins extortion with unbranded ransom notes sent from programmatically generated consumer email accounts. Once a victim engages over an encrypted communication channel such as Tox or Session, the operators identify themselves under the BlackFile brand.

The demands often begin in the millions of dollars, but GTIG observed the group pivoting to low six-figure demands during active engagement. The group has also escalated pressure through spam campaigns, threatening voicemails to executives, and in severe cases, swatting tactics against company personnel.

The group launched a BlackFile data leak site on February 6, 2026, presenting itself as “security researchers.” GTIG reported that the site went offline in late April 2026, briefly returned on May 11, 2026 with a message saying BlackFile was shutting down “under this name,” and was inaccessible at the time of GTIG’s publication.

Why this stands out

UNC6671’s campaign shows how attackers are adapting to environments where cloud identity is the real perimeter. The group does not need to exploit a vendor vulnerability when it can compromise the authentication flow, enroll its own MFA method, and use legitimate SaaS access paths to steal data.

The campaign also exposes a gap in many defensive models. MFA is often treated as the finish line, but push approvals, SMS codes, and time-based one-time passwords can still be phished or relayed during live adversary-in-the-middle attacks. Phishing-resistant MFA, such as FIDO2 security keys and properly implemented passkeys, changes that equation because authentication is bound to the legitimate origin.

The other problem is telemetry interpretation. A SharePoint FileAccessed event from a normal browser session is one thing. A burst of FileAccessed events from python-requests/2.28.1, Windows PowerShell, an unmanaged device, or a commercial VPN exit node is something else entirely. BlackFile’s success depends on defenders missing that distinction.

Defender actions

Organizations should treat this campaign as an identity and SaaS incident pattern, not just a phishing problem. Help desk workflows need caller verification, escalation paths, and limits on what can be completed during a single phone call. Employees should not be trained merely to “watch for suspicious links”; they need to understand that an attacker may be on the phone guiding them through the compromise in real time.

Identity teams should prioritize phishing-resistant MFA for high-risk users, administrators, executives, finance teams, legal teams, and employees with broad SaaS access. Conditional access should account for unmanaged devices, unfamiliar geography, commercial VPN infrastructure, suspicious MFA enrollment, and impossible or unusual authentication sequences.

SOC teams should review Okta and Microsoft 365 logs for suspicious MFA setup events, abandoned challenges followed by successful authentication, new device enrollment after vishing-like activity, and bulk SharePoint or OneDrive access from scripting user agents. FileAccessed events should be treated as higher severity when the volume exceeds human browsing behavior or when the user agent indicates automation.
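As an added example (not code from the GTIG report or this post), the following Python triage routine applies the two distinctions drawn above and in the telemetry discussion: FileAccessed bursts from scripting user agents, and access volume beyond human browsing. The audit records are constructed, and the field names, user-agent regex, and thresholds are assumptions for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Automation fingerprints the article calls out (python-requests, PowerShell);
# the regex is this example's assumption, not GTIG's detection rule.
AUTOMATION_UA = re.compile(r"python-requests|powershell|curl/|go-http-client", re.I)

# Constructed sample records (not real logs) that loosely mirror Microsoft 365
# unified audit log fields: one scripted burst plus one normal browser user.
SAMPLE_LOG = "\n".join(
    json.dumps({"Operation": "FileAccessed", "UserId": "alice@example.com",
                "UserAgent": "python-requests/2.28.1",
                "CreationTime": f"2026-05-01T10:00:{i:02d}"}) for i in range(40)
) + "\n" + "\n".join(
    json.dumps({"Operation": "FileAccessed", "UserId": "bob@example.com",
                "UserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
                "CreationTime": f"2026-05-01T10:{i:02d}:00"}) for i in range(5)
)

def triage_file_access(log_text, window=timedelta(minutes=5), human_max=25):
    """Return (user, user_agent, peak_count, reason) per suspicious group.

    A group is flagged when its agent looks like automation, or when its
    FileAccessed volume inside `window` exceeds plausible human browsing.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("Operation") != "FileAccessed":
            continue
        key = (rec["UserId"], rec.get("UserAgent", ""))
        buckets[key].append(datetime.fromisoformat(rec["CreationTime"]))
    findings = []
    for (user, ua), times in buckets.items():
        times.sort()
        peak, start = 0, 0  # sliding window: most events within `window`
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if AUTOMATION_UA.search(ua):
            findings.append((user, ua, peak, "scripting user agent"))
        elif peak > human_max:
            findings.append((user, ua, peak, "volume exceeds human browsing"))
    return findings
```

Only the scripted burst is reported; the browser user's five accesses spread over minutes stay below the volume threshold and carry no automation agent.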

NeuraCyb's Assessment

BlackFile’s lesson is blunt: attackers have learned that the fastest path to enterprise data is often through the identity layer, not around it. The phone call, the fake SSO page, the MFA prompt, the session cookie, and the scripted SaaS download are now one continuous intrusion chain. Defenders who still separate phishing, identity, and cloud data monitoring into different mental boxes are giving operations like UNC6671 exactly the seams they need.

References

Google Threat Intelligence Group: Welcome to BlackFile: Inside a Vishing Extortion Operation

Google Cloud: UNC6240 and ShinyHunters-style SaaS Data Theft Extortion

Google Workspace: Passkeys and Phishing-Resistant Authentication

Microsoft Learn: Passwordless and Phishing-Resistant Authentication Methods

Okta Documentation: Okta FastPass and Phishing Resistance

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, products, and security solutions architecture.