Vishing for Access: Mandiant Tracks ShinyHunters-Branded SaaS Data Theft Expanding Across Cloud Platforms
A familiar extortion brand is showing up again, but this time the entry point is not a flashy zero-day. Mandiant says it has tracked a widening set of intrusions consistent with ShinyHunters-branded operations, built around voice phishing and carefully cloned login portals designed to steal single sign-on credentials and multi-factor authentication codes.
Once attackers get a foothold, the playbook shifts quickly to cloud: harvest data from SaaS platforms, pull internal communications, and turn that access into leverage for extortion. The report frames this as a scaling problem, with multiple overlapping threat clusters and an expanding target set of cloud services rather than a single vendor weakness.
Image credit: Google Cloud blog (Mandiant / Google Threat Intelligence)
Not a Software Bug, a Human Workflow Failure
Mandiant is explicit on one point: this activity is not driven by a security vulnerability in SaaS vendors’ products or infrastructure. Instead, the attackers are winning through social engineering, pairing convincing phone calls with victim-branded credential harvesting sites and real-time collection of MFA codes.
The result is a breach that looks, at first glance, like a normal employee login. That’s what makes it dangerous in enterprise environments where identity is the control plane and SaaS is where the crown jewels live.
Three Clusters, One Extortion Story
To keep the picture clean as partnerships shift and impersonation is possible, GTIG says it is tracking the activity across multiple clusters: UNC6661, UNC6671, and UNC6240. The day-to-day intrusion mechanics may look similar, but the separation helps analysts map changes in infrastructure, operators, and extortion behavior.
The key overlap is consistent: voice phishing to capture SSO and MFA, followed by opportunistic access into whatever SaaS applications the compromised session can reach. The report also notes escalating pressure tactics in some cases, including harassment of victim personnel.
UNC6661: “IT Support” Calls and Victim-Branded SSO Portals
In incidents spanning early to mid-January 2026, UNC6661 allegedly called employees while impersonating IT staff and told them the company was updating MFA settings. Victims were directed to lookalike login pages to capture their SSO credentials and MFA codes, after which the attackers registered their own device for MFA.
Mandiant says the credential-harvesting domains often followed patterns that appear plausible to a busy employee, such as variations of <companyname>sso.com or <companyname>internal.com, and were frequently registered through specific registrars.
What Happens After Login: SaaS Data Theft at Speed
After initial access, the campaign shifts into data collection. Mandiant highlights theft from multiple SaaS environments and frames the selection as largely permission-driven: once a user session is compromised, the attackers pivot into whatever tools that user can access.
In some environments, the operators appear to search for high-leverage keywords and sensitive material, including terms like “confidential,” “internal,” “proposal,” “salesforce,” and “vpn,” and they may target personally identifiable information stored in CRM systems.
There are also signs of attempts to cover tracks. In at least one incident involving an Okta customer account, Mandiant observed the enablement of a Google Workspace add-on called “ToogleBox Recall,” described as a tool that can search for and permanently delete emails. The report says a “Security method enrolled” notification was deleted, likely to reduce the chance the victim notices a new MFA device was registered.
UNC6240: Extortion, Proof Packs, and a New Leak Site
GTIG attributes the extortion phase that follows UNC6661 intrusions to UNC6240, citing overlaps such as negotiation tooling, ShinyHunters-branded extortion emails, and the use of external services to host samples as proof of theft.
In mid-January extortion emails, the actors allegedly specified what data they stole, demanded payment, and threatened consequences if the ransom was not paid within 72 hours. Reports also referenced extortion text messages to employees and DDoS targeting of victim websites.
Image credit: Google Cloud blog (Mandiant / Google Threat Intelligence)
Mandiant also notes the emergence of a ShinyHunters-branded data leak site listing alleged victims and contact points associated with prior operations, suggesting renewed coordination around branding and public pressure.
UNC6671: Similar Vishing, Different Extortion Style
A second cluster, UNC6671, began activity in early January with a similar “IT staff” vishing approach and victim-branded credential harvesting domains. Mandiant describes differences in infrastructure and extortion behavior, including the use of unbranded extortion emails and different contact identifiers.
In some cases, Mandiant observed evidence of PowerShell being leveraged to download sensitive data from SharePoint and OneDrive, pointing to a preference for speed and automation once SaaS access is achieved.
IOC Patterns and Hunting Signals Defenders Can Use
Mandiant’s reporting is unusually practical for SOC teams because it outlines repeatable patterns rather than relying solely on one-off indicators. A few that matter in day-to-day detection engineering:
- Phishing domain lures: common formats mimic corporate portals, such as <company>sso[.]com, my-<company>sso[.]com, <company>internal[.]com, or support-themed variations.
- Okta and identity signals: an MFA factor or device enrolled shortly after a login the user did not knowingly initiate, especially one that follows an "MFA update" phone call, and the deletion of the resulting notification (the report cites a deleted "Security method enrolled" notice).
- M365 and SharePoint: PowerShell-driven bulk downloads from SharePoint and OneDrive soon after a compromised SSO session is established.
- Google Workspace: enablement of the "ToogleBox Recall" add-on, described in the report as a tool that can search for and permanently delete email.
Mandiant also cautions that many network indicators in this campaign align with commercial VPN and residential proxy services. Broad blocking can create noise and collateral damage, so the recommendation is to prioritize them for hunting and correlation rather than knee-jerk deny lists.
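The lure formats above are regular enough to turn into a simple screen over newly observed domains from passive DNS, certificate transparency or proxy logs. The following is an added example, not code from the report or from Mandiant: the brand token "acme", the owned-domain allowlist and the sample domains are constructed, and "support" and "helpdesk" are this example's reading of the report's "support-themed variations".

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed example values. An organisation would load its own brand
# tokens and the domains it actually owns; "acme" and acme.com are assumptions.
BRAND_TOKENS = ("acme",)
OWNED_DOMAINS = {"acme.com", "acme.net"}

# Portal words taken from the lure formats in the report (<company>sso,
# my-<company>sso, <company>internal); "support" and "helpdesk" are this
# example's reading of the report's "support-themed variations".
PORTAL_WORDS = ("sso", "internal", "support", "helpdesk")

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(domain: str) -> str:
    """Turn report-style notation like acmesso[.]com back into a real hostname."""
    return DEFANG_RE.sub(".", domain.strip()).lower().rstrip(".")


def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should use the Public
    Suffix List so that e.g. acmesso.co.uk is handled correctly."""
    labels = refang(domain).split(".")
    return ".".join(labels[-2:])


def lure_reason(domain: str) -> Optional[str]:
    """Return why `domain` matches the victim-branded portal pattern, or None.

    The match is deliberately loose: hyphens are removed before matching so
    my-acme-sso, my-acmesso and myacmesso all collapse to the same string.
    """
    reg = registrable(domain)
    if reg in OWNED_DOMAINS:
        return None  # the real corporate domain, never a lure
    second_level = reg.split(".")[0]
    flat = second_level.replace("-", "")
    for brand in BRAND_TOKENS:
        if brand not in flat:
            continue
        for word in PORTAL_WORDS:
            if word in flat:
                reason = f"brand:{brand} word:{word}"
                if flat.startswith("my"):
                    reason += " prefix:my"
                return reason
    return None


def scan(candidates: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply lure_reason to newly observed domains and return the hits."""
    hits = []
    for d in candidates:
        reason = lure_reason(d)
        if reason is not None:
            hits.append((refang(d), reason))
    return hits


# Constructed sample input, not indicators from the report.
SAMPLE_DOMAINS = [
    "acmesso[.]com",
    "my-acmesso.com",
    "acmeinternal.com",
    "acme-helpdesk.net",
    "sso.acme.com",      # legitimate IdP host, must not fire
    "acmeflowers.com",   # brand present but no portal word
    "example.org",
]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_DOMAINS):
        print(f"{domain:22} {reason}")
```

Hits like these are hunting leads, not block decisions: the next step is to check registration date, registrar and hosting against the proxy/VPN caveat below, and to look for the same host in your own users' DNS and proxy traffic.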
Why Phishing-Resistant MFA Is the Real Fix
The uncomfortable truth is that push-based MFA and SMS codes can be defeated when an attacker is on the phone steering a victim through the login flow in real time. Mandiant argues that the long-term control here is phishing-resistant MFA, including FIDO2 security keys or passkeys, which are fundamentally harder to social-engineer in these scenarios.
This is also where identity governance matters. If a single compromised SSO session unlocks broad SaaS access, the blast radius is a permissions and segmentation problem as much as it is a user-awareness problem.
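To see why a FIDO2 or passkey login resists the real-time relay described above, it helps to look at what the relying party actually checks. The following is an added example, not from the report or from any IdP vendor: it simulates the browser and authenticator with a small make_assertion() stand-in and implements the ceremony type, challenge, origin and RP ID checks an RP performs before verifying the signature. The origin https://sso.acme.com, the RP ID acme.com and the lookalike https://acmesso.com are assumed values.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple

# Assumed values for the example: the real IdP origin and the RP ID the
# passkey was registered under. Neither comes from the report.
EXPECTED_ORIGIN = "https://sso.acme.com"
EXPECTED_RP_ID = "acme.com"
CHALLENGE = b"\x11" * 32  # constructed; a real RP draws this at random per login


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(page_origin: str, rp_id: str, challenge: bytes) -> Tuple[str, str]:
    """Constructed stand-in for navigator.credentials.get().

    The browser, not the page's script, writes `origin` from the URL the user
    is really on, and the authenticator scopes the credential to rp_id by
    hashing it into authenticatorData. A cloned portal can change neither;
    a real browser would also refuse an rp_id that is not a suffix of its
    own origin, so the clone cannot even ask for the acme.com credential.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode()
    flags = 0x05  # UP and UV set; AT and ED clear
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))  # rpIdHash | flags | signCount
    return b64url_encode(client_data), b64url_encode(auth_data)


def check_assertion_binding(client_data_b64: str, auth_data_b64: str,
                            expected_challenge: bytes) -> Tuple[bool, str]:
    """The RP-side checks from WebAuthn section 7.2 that defeat a relayed login.
    Signature verification over authData || sha256(clientDataJSON) comes after
    these and is omitted here."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = b64url_decode(auth_data_b64)
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """A legitimate login versus a vishing relay through a lookalike portal."""
    results = {}
    legit = make_assertion("https://sso.acme.com", "acme.com", CHALLENGE)
    results["legit"] = check_assertion_binding(*legit, CHALLENGE)
    # The caller on the phone forwards the real challenge to the victim, who
    # completes the ceremony on the clone. The browser still stamps the
    # clone's origin, so the relayed assertion is rejected.
    relayed = make_assertion("https://acmesso.com", "acmesso.com", CHALLENGE)
    results["relayed"] = check_assertion_binding(*relayed, CHALLENGE)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The contrast with a push approval or an SMS code is the point: a six-digit code carries no record of where it was typed, so the attacker reading it over the phone can replay it on the real portal, whereas an assertion is bound to the origin the victim's browser actually visited and to the RP ID the authenticator was registered under.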
What CISOs and SOC Teams Should Do This Week
1) Treat vishing as an intrusion vector, not a training topic. Implement a helpdesk verification workflow that cannot be bypassed by urgency or “IT maintenance” scripts. Add call-back procedures and internal ticket validation.
2) Move high-risk users to phishing-resistant MFA first. Start with IT admins, finance, security, and executives. If you need a phased rollout, prioritize roles with access to SaaS admin consoles and sensitive datasets.
3) Hunt for SaaS theft patterns, not just malware. Build detections for bulk downloads, PowerShell-driven SharePoint activity, unusual OAuth grants, and “new device enrolled” signals followed by deletion of security notifications.
4) Tighten SaaS session controls. Reduce session lifetime where feasible, enforce device trust, and restrict access by network zones or conditional access rules that make proxy-based logins noisier and easier to spot.
5) Prepare for harassment-style extortion. Update incident playbooks to include employee communications guidance, doxxing risk, and coordination with legal and HR when threats escalate beyond technical containment.
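Action 3 above calls for a detection on "new device enrolled" following a suspicious login. The following is an added example, not from the report: it correlates Okta System Log-style records (the two eventType names are Okta's documented ones; the users, timestamps, IPs and ASN organisation names are constructed) and flags an MFA factor activation that follows, within 15 minutes, a session started from a network the user has never been seen on. Proxy and VPN ASNs are not blocked outright, in line with the report's caveat; they only matter when the enrollment follows.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed Okta System Log-style records. The eventType strings are the
# ones Okta documents (user.session.start, user.mfa.factor.activate); the
# actors, IPs, timestamps and ASN organisations are made up for this example.
EVENTS = [
    {"ts": "2026-01-12T08:00:10Z", "eventType": "user.session.start",
     "actor": "bob", "ip": "198.51.100.20", "asn_org": "ACME Corp"},
    {"ts": "2026-01-12T08:04:55Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob", "ip": "198.51.100.20", "asn_org": "ACME Corp", "factor": "okta_verify"},
    {"ts": "2026-01-12T09:14:02Z", "eventType": "user.session.start",
     "actor": "alice", "ip": "203.0.113.7", "asn_org": "Residential Proxy Co"},
    {"ts": "2026-01-12T09:19:40Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice", "ip": "203.0.113.7", "asn_org": "Residential Proxy Co", "factor": "okta_verify"},
    {"ts": "2026-01-12T10:00:00Z", "eventType": "user.session.start",
     "actor": "carol", "ip": "192.0.2.9", "asn_org": "Commercial VPN Ltd"},
    {"ts": "2026-01-12T11:30:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "carol", "ip": "192.0.2.9", "asn_org": "Commercial VPN Ltd", "factor": "sms"},
]

# Per-user baseline of ASN organisations seen over the past 30 days (constructed).
BASELINE_ASN: Dict[str, Set[str]] = {
    "alice": {"ACME Corp"},
    "bob": {"ACME Corp"},
    "carol": {"ACME Corp"},
}

WINDOW = timedelta(minutes=15)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_vishing_enrollments(events: List[dict], baseline: Dict[str, Set[str]],
                             window: timedelta = WINDOW) -> List[dict]:
    """Flag an MFA factor activation that follows, within `window`, a session
    start from a network the user has never been seen on.

    bob re-enrolls from the corporate network: no alert. carol logs in from an
    unfamiliar VPN but enrolls 90 minutes later: outside the window, no alert.
    alice logs in from a residential proxy and enrolls five minutes later: alert.
    """
    by_user: Dict[str, List[dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 Z sorts lexically
        by_user.setdefault(e["actor"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        unfamiliar_sessions: List[dict] = []
        for e in evs:
            if e["eventType"] == "user.session.start":
                if e["asn_org"] not in baseline.get(user, set()):
                    unfamiliar_sessions.append(e)
            elif e["eventType"] == "user.mfa.factor.activate":
                for s in unfamiliar_sessions:
                    gap = parse_ts(e["ts"]) - parse_ts(s["ts"])
                    if timedelta(0) <= gap <= window:
                        alerts.append({
                            "user": user,
                            "session_ip": s["ip"],
                            "asn_org": s["asn_org"],
                            "factor": e.get("factor"),
                            "minutes_after_login": round(gap.total_seconds() / 60, 1),
                        })
                        break
    return alerts


if __name__ == "__main__":
    for a in find_vishing_enrollments(EVENTS, BASELINE_ASN):
        print(f"ALERT {a['user']}: {a['factor']} enrolled {a['minutes_after_login']} min "
              f"after login from {a['session_ip']} ({a['asn_org']})")
```

In a SIEM the same pairing would be joined against helpdesk tickets (a legitimate "MFA reset" has one) and against the mailbox signals noted earlier, such as a deleted "Security method enrolled" notification or a newly enabled mail-deletion add-on, so that one noisy signal becomes a high-confidence case.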
Mandiant’s broader message is clear: cloud platforms are now the data lake, identity is the front door, and attackers are betting that the quickest path to both is a convincing voice on the phone.