[Figure: attack path diagram]
A new report from Mandiant details how sophisticated voice phishing (vishing) rings are bypassing modern security controls to hold corporate data hostage. The threat activity, which bears the hallmarks of the notorious ShinyHunters extortion group, leverages live phone calls and personalized credential harvesting sites to trick employees into handing over the keys to the kingdom.
Mandiant and Google Threat Intelligence Group (GTIG) are currently tracking this surge in activity under multiple threat clusters—UNC6661, UNC6671, and UNC6240. While the groups operate independently, they share a common playbook: impersonate IT support, steal Single Sign-On (SSO) credentials, and pivot to cloud environments to steal sensitive data.
Unlike attacks that rely on software exploits, these campaigns target the human element directly. The attackers don’t just send an email; they get on the phone.
“These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.” — Mandiant Report
By masquerading as helpful IT staff, the threat actors guide victims to fraudulent websites designed to look exactly like their company’s login portal. Once the victim enters their credentials and MFA codes, the attackers gain immediate entry.
Once inside, the intruders don’t waste time deploying ransomware on endpoints. Instead, they head straight for the cloud. The report notes that these actors target Cloud-based Software-as-a-Service (SaaS) applications to exfiltrate sensitive data and internal communications.
The extortion tactics are aggressive and personal. In campaigns linked to UNC6671, attackers didn’t just demand money; they engaged in the harassment of victim personnel to force payment.
“The threat actors employed aggressive extortion tactics following UNC6671 intrusions, including harassment of victim personnel.” — Mandiant Report
The report distinguishes between the different clusters based on subtle variations in their infrastructure and behavior:
- UNC6661: Uses victim-branded domains to harvest credentials.
- UNC6671: Similar tactics but often registers domains using Tucows and has been observed accessing Okta customer accounts. They also use PowerShell to download data from SharePoint and OneDrive.
“Also beginning in early January 2026, UNC6671 conducted vishing operations masquerading as IT staff and directing victims to enter their credentials and MFA authentication codes on a victim-branded credential harvesting site.” — Mandiant Report
Mandiant emphasizes that these breaches are not due to technical vulnerabilities in cloud products but rather the manipulation of authorized users.
“This activity is not the result of a security vulnerability in vendors’ products or infrastructure.” — Mandiant Report
For organizations, the defense against this threat isn’t a patch—it’s people. Training employees to verify the identity of “IT support” callers and implementing hardware-based MFA keys (which are resistant to phishing) are critical steps in stopping these voice-based intrusions.
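On the detection side, one way to surface the pattern this article describes (a login with a phishable MFA factor from an unfamiliar IP, followed by bulk SharePoint/OneDrive downloads from a PowerShell-style client) is a simple correlation over sign-in and download telemetry. The code below is an added example, not from the Mandiant report or any vendor tool; the event format, user agents, IPs and the "known IP" baseline are all constructed.

```python
from datetime import datetime, timedelta

PHISHING_RESISTANT = {"webauthn", "fido2"}          # hardware-key / passkey factors
NON_BROWSER_UA = ("PowerShell", "python-requests", "curl")
SAAS_SOURCES = {"sharepoint", "onedrive"}

# Constructed sample telemetry (not from the report). Each tuple is
# (timestamp, user, event type, detail); for logins the detail is
# (mfa factor, source ip), for downloads it is (SaaS source, user agent).
EVENTS = [
    ("2026-01-12T09:02:10", "alice", "login", ("totp", "203.0.113.7")),
    ("2026-01-12T09:05:01", "alice", "download", ("sharepoint", "PowerShell/7.2")),
    ("2026-01-12T09:05:40", "alice", "download", ("sharepoint", "PowerShell/7.2")),
    ("2026-01-12T09:06:12", "alice", "download", ("onedrive", "PowerShell/7.2")),
    ("2026-01-12T09:07:03", "alice", "download", ("onedrive", "PowerShell/7.2")),
    ("2026-01-12T10:15:00", "bob", "login", ("webauthn", "203.0.113.9")),
    ("2026-01-12T10:16:00", "bob", "download", ("sharepoint", "PowerShell/7.2")),
    ("2026-01-12T10:17:00", "bob", "download", ("sharepoint", "PowerShell/7.2")),
    ("2026-01-12T10:18:00", "bob", "download", ("sharepoint", "PowerShell/7.2")),
    ("2026-01-12T11:00:00", "carol", "login", ("totp", "198.51.100.20")),
    ("2026-01-12T11:03:00", "carol", "download", ("sharepoint", "Mozilla/5.0")),
]
# Constructed baseline of IPs each user has previously signed in from.
KNOWN_IPS = {"alice": {"198.51.100.20"}, "bob": {"198.51.100.21"}, "carol": {"198.51.100.20"}}

def _ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_sessions(events, known_ips, window_min=30, min_downloads=3):
    """Flag logins that use a phishable MFA factor from an IP the user has not
    used before and are followed within window_min minutes by min_downloads or
    more SharePoint/OneDrive downloads from a non-browser client."""
    events = sorted(events, key=lambda e: e[0])
    hits = []
    for ts, user, _, (factor, ip) in (e for e in events if e[2] == "login"):
        if factor in PHISHING_RESISTANT or ip in known_ips.get(user, set()):
            continue                      # hardware key or familiar IP: not this pattern
        deadline = _ts(ts) + timedelta(minutes=window_min)
        bulk = [e for e in events
                if e[1] == user and e[2] == "download"
                and _ts(ts) <= _ts(e[0]) <= deadline
                and e[3][0] in SAAS_SOURCES
                and any(marker in e[3][1] for marker in NON_BROWSER_UA)]
        if len(bulk) >= min_downloads:
            hits.append({"user": user, "login_ts": ts, "ip": ip,
                         "factor": factor, "downloads": len(bulk)})
    return hits
```

Running `find_suspicious_sessions(EVENTS, KNOWN_IPS)` flags only alice: bob's session used a phishing-resistant factor and carol signed in from a familiar IP with a browser, which is exactly the distinction the hardware-key recommendation above relies on.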