Advisory ID: NCC-CSIRT-2026-004
Summary:
Cybersecurity firm Mandiant, part of Google Cloud threat intelligence, has identified an active and escalating vishing (voice phishing) campaign attributed to threat actors associated with the ShinyHunters criminal syndicate and related clusters (tracked as UNC6661, UNC6671, UNC6240). These actors impersonate internal IT staff via telephone calls and direct employees to victim-branded credential harvesting sites, convincing them to enter single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Attackers then register their own devices, bypass MFA protections, and gain unauthorized access to corporate SaaS platforms, where they harvest sensitive data for extortion and financial gain. This campaign does not exploit software vulnerabilities in SaaS products but relies on advanced social engineering and real-time credential relaying.
Damage/Probability: Critical/High
Product(s):
- Identity Providers and Single Sign-On (SSO) Systems (e.g., Okta, Microsoft Entra/Azure AD, Google Workspace SSO).
- Cloud-based Software-as-a-Service (SaaS) Platforms (email, file storage, CRM, collaboration suites).
- Multi-Factor Authentication (MFA) mechanisms in enterprise environments.
Version(s):
Not product- or version-specific. The campaign affects any enterprise whose SSO and MFA deployment relies on user-supplied one-time codes, push approvals, SMS, or help-desk resets, without a phishing-resistant second factor bound to the legitimate origin.
Platform(s):
- Corporate identity systems
- Workforce SSO dashboards
- Cloud applications (Microsoft 365, Okta, Google Workspace, SharePoint, OneDrive, Salesforce, Slack, etc.).
Description:
Mandiant and related threat intelligence sources report that since early January 2026, sophisticated vishing operations have been targeting enterprise employees across sectors. Adversaries call targets impersonating legitimate IT support or security personnel, claiming an urgent need to update MFA or verify credentials. Victims are guided to company-branded phishing domains that imitate real SSO login portals. While the victim is still on the call, attackers capture the single sign-on credentials and the MFA code and use them immediately on the legitimate SSO portal, because a one-time code or push approval is only valid for a short window. The relayed factor satisfies the MFA check, and the attacker then enrols an attacker-controlled device as an additional factor so that access persists after the call ends and the original code expires.
Once access is achieved, threat actors can traverse the SaaS environment, including email, file shares, collaboration tools and CRM systems, to exfiltrate sensitive data and internal communications. In many cases, attackers export data and later contact organizations with extortion demands or harass personnel to pressure compliance.
This activity is tracked under multiple clusters (UNC6661, UNC6671, UNC6240) and appears to be an evolution of ShinyHunters-brand extortion operations, expanding across SaaS ecosystems and leveraging social engineering tradecraft rather than technical exploits.
Threat Types:
- Vishing: Calls posing as IT/help desk to steal credentials and MFA codes.
- Credential phishing + MFA bypass: Real-time phishing sites capture logins and MFA tokens.
- SSO compromise & Cloud pivoting: Stolen identities used to access SaaS and linked services.
- Data theft & Extortion: Exfiltrated data used for ransom and follow-on phishing.
Impacts:
- Unauthorized access to identity/SSO systems, bypassing MFA.
- Sensitive data stolen from connected cloud apps (email, files, CRM, chat).
- Hijacked accounts used for internal phishing or lateral movement.
- Ransom extortion, staff harassment, and operational disruption.
- Data breaches cause fines, reputational damage, and loss of trust.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Use phishing-resistant MFA (FIDO2 keys/passkeys), not SMS, push, or email codes.
- Run targeted vishing and social-engineering simulation training.
- Require help-desk staff to verify identity out of band before any MFA reset or re-enrolment, and instruct employees who receive unsolicited "IT support" calls to hang up and call back on a known internal number or their supervisor rather than act on the call.
- Review MFA enrollments, remove suspicious devices, and apply conditional access.
- Use SIEM and UEBA to detect the access pattern this campaign produces: an SSO login from an IP address, ASN or geography the user has never used, followed within minutes by enrolment of a new MFA factor, or SSO and downstream SaaS sessions for the same user from locations that cannot be reconciled.
- Apply least-privilege access and segment cloud environments.
- Enable detailed identity audit logs and retain them for forensics.
- If compromised, revoke sessions/devices and reissue credentials with strong MFA.
- Investigate lateral movement and data exfiltration (API/OAuth activity) after compromise.
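The detection suggested above, enrolment of a new MFA factor shortly after a login from infrastructure the user has never used, can be expressed as a simple rule over identity-provider audit logs. The Python below is an added example written for this advisory; it is not NCC-CSIRT, Mandiant or any vendor's code. The log records are constructed for illustration, the event type names (user.session.start, user.mfa.factor.activate) and field layout are assumptions loosely modelled on Okta System Log naming, and the IP addresses are from the documentation ranges. Adapt the field names to whatever your SIEM ingests.

```python
"""
Detect a new MFA factor enrolled minutes after an SSO login from an IP the
user has not used in the baseline period. Added example for this advisory;
event names and record layout are assumptions, not a specific product's schema.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Corporate egress is 203.0.113.10;
# 198.51.100.77 stands in for attacker infrastructure relaying the stolen login.
SAMPLE_LOG = [
    # a.okafor: a week of routine logins from the corporate network.
    {"ts": "2026-01-05T08:02:11Z", "user": "a.okafor", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-06T08:11:40Z", "user": "a.okafor", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-07T07:58:03Z", "user": "a.okafor", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-09T08:05:22Z", "user": "a.okafor", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    # a.okafor: vishing incident. Credentials and MFA code relayed from the
    # attacker's IP during the call, then a new factor enrolled 87 seconds later.
    {"ts": "2026-01-12T10:41:03Z", "user": "a.okafor", "event": "user.session.start", "ip": "198.51.100.77", "result": "SUCCESS"},
    {"ts": "2026-01-12T10:42:30Z", "user": "a.okafor", "event": "user.mfa.factor.activate", "ip": "198.51.100.77", "result": "SUCCESS"},
    # b.eze: legitimate phone replacement from the corporate network.
    {"ts": "2026-01-06T09:00:00Z", "user": "b.eze", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-08T09:03:15Z", "user": "b.eze", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-12T09:15:00Z", "user": "b.eze", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-12T09:20:45Z", "user": "b.eze", "event": "user.mfa.factor.activate", "ip": "203.0.113.10", "result": "SUCCESS"},
    # c.musa: enrolment from a known IP, no login inside the correlation window.
    {"ts": "2026-01-07T08:30:00Z", "user": "c.musa", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-12T08:00:00Z", "user": "c.musa", "event": "user.session.start", "ip": "203.0.113.10", "result": "SUCCESS"},
    {"ts": "2026-01-12T11:00:00Z", "user": "c.musa", "event": "user.mfa.factor.activate", "ip": "203.0.113.10", "result": "SUCCESS"},
]


def parse_ts(value):
    """Parse the Zulu timestamps used in the sample log into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_suspicious_enrolments(log, baseline_days=14, window=timedelta(minutes=30)):
    """Return one alert per factor enrolment whose own IP, or the IP of the most
    recent login inside `window`, is absent from the user's baseline.

    The baseline is the set of source IPs the user succeeded from between
    `baseline_days` and 24 hours before the enrolment. The 24 hour gap keeps an
    attacker's own same-day login from "laundering" their IP into the baseline.
    """
    events = sorted(({**e, "t": parse_ts(e["ts"])} for e in log), key=lambda e: e["t"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "user.mfa.factor.activate" or ev["result"] != "SUCCESS":
            continue
        user = ev["user"]
        earlier = [p for p in events[:i] if p["user"] == user]
        baseline_ips = {
            p["ip"] for p in earlier
            if p["result"] == "SUCCESS"
            and timedelta(days=1) < ev["t"] - p["t"] <= timedelta(days=baseline_days)
        }
        session = next(
            (p for p in reversed(earlier)
             if p["event"] == "user.session.start" and ev["t"] - p["t"] <= window),
            None,
        )
        candidate_ips = {ev["ip"]} | ({session["ip"]} if session else set())
        unseen = sorted(ip for ip in candidate_ips if ip not in baseline_ips)
        if unseen:
            alerts.append({
                "user": user,
                "enrol_ts": ev["ts"],
                "enrol_ip": ev["ip"],
                "session_ip": session["ip"] if session else None,
                "seconds_after_login": int((ev["t"] - session["t"]).total_seconds()) if session else None,
                "unseen_ips": unseen,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_enrolments(SAMPLE_LOG):
        print(alert)
```

Only a.okafor trips the rule: the login and the enrolment both come from an address with no history for that user, and the enrolment follows the login by under two minutes, which is exactly the real-time relay described in this advisory. b.eze's enrolment from the corporate egress and c.musa's enrolment with no nearby login produce nothing. Tune `window` and `baseline_days` to your environment, and treat a hit as a trigger to revoke the user's sessions and remove the new factor before investigating, not after.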
References:
- https://cybernews.com/cybercrime/shinyhunters-link-sso-vishing-attacks-okta-paywall/
- https://www.computerweekly.com/news/366637762/Wave-of-ShinyHunters-vishing-attacks-spreading-fast
- https://www.redsecuretech.co.uk/blog/post/shinyhunters-ramp-up-vishing-attacks-on-saas-platforms/853
- https://kbi.media/press-release/mandiant-warns-of-active-shinyhunters-vishing-campaign-targeting-enterprise-identity-systems/
- https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html