ShinyHunters' Use of Voice Phishing & SSO Abuse Fuels Cloud Data Theft

ShinyHunters and associated threat clusters have significantly refined their tactics for breaching enterprise cloud environments, shifting from opportunistic data theft to highly coordinated campaigns that exploit human trust and centralized identity infrastructure.

Recent threat intelligence from Mandiant and Google Threat Intelligence Group (GTIG) highlights a sustained wave of attacks in which social engineering, especially voice phishing (vishing), plays the central role in compromising single sign-on (SSO) credentials and multifactor authentication (MFA) codes.

The intrusions bypass traditional technical vulnerabilities and instead manipulate legitimate authentication workflows, gaining unauthorized access to corporate identity providers and, from there, a multitude of software-as-a-service (SaaS) platforms and cloud data stores.

The ShinyHunters extortion group and the related clusters that threat analysts track as UNC6661, UNC6671, and UNC6240 have repeatedly demonstrated that social engineering remains one of the most effective paths into today's cloud-centric enterprises.

Attackers impersonate internal IT or helpdesk staff in carefully targeted calls, urging employees to "verify" or "update" their MFA settings under false pretenses. While the victim remains on the phone, they are directed to fake, company-branded login portals that harvest credentials and deliver them to the attackers in real time.

These sophisticated phishing sites often mimic legitimate SSO login prompts from providers such as Okta, Microsoft Entra, and Google Workspace, convincing victims to enter their usernames, passwords, and one-time codes. Once this information is captured, attackers immediately relay it back to the real authentication systems, triggering valid MFA challenges and enabling unauthorized access.

In many cases, once the attackers authenticate successfully, they not only access the victim's cloud applications but also enroll their own MFA devices. This grants persistent access to the victim's identity provider long after the initial contact, allowing the attackers to move laterally into connected SaaS applications.

Because modern SSO dashboards list all services available to a user, including Salesforce, Microsoft 365, SharePoint, Google Drive, DocuSign, Slack, Atlassian, and more, a single compromised account can become a springboard for widespread data theft across an organization's cloud ecosystem. Mandiant's investigations have revealed that these attackers do not always adhere to a single criminal brand or tactic, complicating attribution and response efforts.

While ShinyHunters (UNC6240) has publicly acknowledged responsibility for many extortion attempts and even launched a data-leak site to pressure victims, other clusters, such as UNC6661 and UNC6671, have employed similar vishing and credential-harvesting techniques without direct overlap in negotiation tools or extortion signatures. These groups routinely leverage commercial VPN services, residential proxies, or anonymized networks to obscure their infrastructure and evade detection.

Abuse of SSO and MFA

Identity services like Okta, Microsoft Entra, and Google SSO are designed to streamline authentication across enterprise applications, but that very convenience has made them attractive targets for attackers. By compromising SSO credentials and enrolling unauthorized MFA devices, attackers can impersonate legitimate users and access multiple cloud applications without breaching each service individually.

According to industry analyses, this approach reflects a broader shift in cybercrime tactics: attackers are increasingly focusing on identity systems rather than individual application vulnerabilities because identity compromise enables mass access to high-value data.

Real-time MFA interception is a critical element of the ShinyHunters attack chain. Known as "MFA phishing" or "MFA relay," this technique captures time-sensitive one-time codes or push authentication approvals by prompting victims on fraudulent interfaces while attackers relay those responses back to the legitimate authentication portal.

Because the process leverages the legitimate authentication flow, even well-configured MFA can be bypassed without exploiting any code or cracking credentials. This method has allowed attackers to circumvent protections that many organizations considered robust against remote compromise.

Once inside, attackers exploit native SaaS capabilities to locate, extract, and exfiltrate sensitive data. Mandiant has documented instances in which attackers used scripting tools, such as PowerShell, to download files from SharePoint or OneDrive, and leveraged built-in platform features, such as Google Takeout or Salesforce data export, to harvest large datasets.

In some breaches, attackers installed add-ons such as Email Recall in Google Workspace to search for and delete security notifications and other evidence of compromise, further obscuring their tracks.

The consequences of these breaches extend beyond immediate data exfiltration. Stolen credentials and data enable extortion campaigns that demand payment in exchange for not publicly disclosing the stolen data. ShinyHunters and other extortion gangs use stolen data samples to pressure victims, often listing breached companies on public leak sites to shame and coerce payments. These tactics underscore the convergence of identity theft, cloud misuse, and financially motivated cybercrime at a scale that challenges traditional perimeter-based defenses.

In response to these threats, security teams must rethink how they defend and monitor identity systems. Proactive defense encompasses a broad set of controls that go beyond traditional patching and network segmentation, focusing instead on identity lifecycle management, stronger authentication protocols, and heightened monitoring of anomalous access patterns.

Central to this defensive strategy is the adoption of phishing-resistant MFA technologies. Authentication approaches such as FIDO2 security keys or passkeys offer stronger resistance to social engineering than SMS, push notifications, or time-based one-time codes because they rely on cryptographic assertions bound to the legitimate site's origin rather than on a user relaying an out-of-band factor: a code typed into a lookalike page can simply be forwarded, but an assertion produced for that page is not valid for the real one. Organizations are encouraged to phase out less secure MFA methods and enforce stronger mechanisms for all sensitive access.
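The following is an added illustration, not code from the article or from any identity provider it names. It models, in deliberately simplified form, why the relay technique described above works against a one-time code but not against a FIDO2/WebAuthn assertion. The authenticator's signature is stood in for by an HMAC with a per-credential key (the standard library has no ECDSA), the origins are constructed placeholders, and the browser is modelled as producing an assertion even for a lookalike page, whereas a real browser would already refuse to use a credential whose relying-party ID does not match the page's domain. What the model preserves is the property the text relies on: the browser, not the user, writes the page's origin into the signed client data, and the relying party checks it.

```python
"""Toy comparison: relayed OTP vs. relayed WebAuthn-style assertion.

Added example, not from the article. HMAC stands in for the authenticator's
asymmetric signature; origins below are constructed placeholders.
"""
import hashlib
import hmac
import json
import os
import secrets

REAL_ORIGIN = "https://sso.example.com"              # constructed: legitimate IdP
LOOKALIKE_ORIGIN = "https://sso-example-verify.test"  # constructed: phishing page


class OtpRelyingParty:
    """A correct code is accepted regardless of where the user typed it."""

    def __init__(self):
        self.codes = {}

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[user] = code
        return code

    def verify(self, user, code):
        return hmac.compare_digest(self.codes.get(user, ""), code)


class Fido2RelyingParty:
    """Checks challenge, origin and rpIdHash before checking the signature."""

    def __init__(self, origin):
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.credentials = {}  # user -> credential key (HMAC key in this model)
        self.challenges = {}   # user -> outstanding challenge

    def register(self, user, key):
        self.credentials[user] = key

    def begin_login(self, user):
        challenge = secrets.token_urlsafe(32)
        self.challenges[user] = challenge
        return challenge

    def verify(self, user, client_data_json, auth_data, signature):
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("challenge") != self.challenges.get(user):
            return False
        if client_data.get("origin") != self.origin:
            return False  # origin binding: a relayed assertion fails here
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # rpIdHash must match the RP's own identifier
        signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
        expected = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.challenges.pop(user)  # challenges are single use
        return True


class BrowserAndAuthenticator:
    """User agent plus security key: the browser fills in the calling page's origin."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, page_origin, challenge):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True,
        )
        rp_id = page_origin.split("://", 1)[1]
        # authenticatorData = rpIdHash (32) || flags (1) || signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json.encode()).digest()
        return client_data_json, auth_data, hmac.new(self.key, signed, hashlib.sha256).digest()


def otp_relay_succeeds():
    """The victim reads a code, types it into the lookalike page, the code is forwarded."""
    rp = OtpRelyingParty()
    captured = rp.issue("alice")
    return rp.verify("alice", captured)


def fido2_relay_fails():
    """Returns (relayed assertion accepted?, genuine assertion accepted?)."""
    key = os.urandom(32)
    rp = Fido2RelyingParty(REAL_ORIGIN)
    rp.register("alice", key)
    user = BrowserAndAuthenticator(key)
    challenge = rp.begin_login("alice")
    relayed = user.get_assertion(LOOKALIKE_ORIGIN, challenge)  # bound to the page the user is on
    genuine = user.get_assertion(REAL_ORIGIN, challenge)
    return rp.verify("alice", *relayed), rp.verify("alice", *genuine)


if __name__ == "__main__":
    print("OTP relay accepted:", otp_relay_succeeds())
    print("(relayed FIDO2, genuine FIDO2) accepted:", fido2_relay_fails())
```

The OTP relying party has no way to learn where the six digits were entered, so forwarding them is indistinguishable from the user typing them in directly. The FIDO2 relying party rejects the relayed assertion on both the origin and the rpIdHash checks before it ever looks at the signature.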

Detection and logging also play a vital role. Identity providers and SaaS platforms offer audit trails and event logs that can illuminate unusual activities, such as:

  • Suspicious MFA enrollments or device changes shortly after authentication.
  • Logins from unfamiliar geographies, anonymized networks, or proxy IPs associated with known threat actor infrastructure.
  • SSO session compromises followed by rapid, high-volume data access or export behavior.
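As an added example (not code from the article, Mandiant, or any vendor), the three patterns listed above can each be expressed as a simple rule over normalized identity events. The event schema, the user names, the IP reputation tags, and the log lines are all constructed here; real Okta, Entra, or Google audit logs use different field names and would need an enrichment step to tag IPs as proxy or VPN egress.

```python
"""Toy detections for the three identity-abuse patterns named above.

Added example, not from the article. Event schema, users, IP tags and
sample events are constructed; adapt field names to your own IdP logs.
"""
from datetime import datetime, timedelta

# Constructed IP-reputation tags that an enrichment step would attach to each event.
ANON_TAGS = {"residential_proxy", "commercial_vpn", "tor"}


def _event(ts, user, etype, ip, ip_tag, **extra):
    e = {"ts": datetime.fromisoformat(ts), "user": user, "type": etype, "ip": ip, "ip_tag": ip_tag}
    e.update(extra)
    return e


SAMPLE_EVENTS = [
    # "alice" (constructed): login via a residential proxy, a new MFA factor four
    # minutes later, then 25 file exports from a document store within a quarter hour.
    _event("2025-01-10T09:00:00", "alice", "login", "198.51.100.7", "residential_proxy"),
    _event("2025-01-10T09:04:00", "alice", "mfa_enroll", "198.51.100.7", "residential_proxy", factor="totp"),
    *[
        _event(f"2025-01-10T09:{10 + i // 2:02d}:{(i % 2) * 30:02d}", "alice", "file_export",
               "198.51.100.7", "residential_proxy", app="sharepoint")
        for i in range(25)
    ],
    # "bob" (constructed): corporate IP, two downloads, a factor replaced six hours after login.
    _event("2025-01-10T08:00:00", "bob", "login", "203.0.113.20", "corporate"),
    _event("2025-01-10T08:30:00", "bob", "file_export", "203.0.113.20", "corporate", app="sharepoint"),
    _event("2025-01-10T08:31:00", "bob", "file_export", "203.0.113.20", "corporate", app="sharepoint"),
    _event("2025-01-10T14:00:00", "bob", "mfa_enroll", "203.0.113.20", "corporate", factor="fido2"),
]


def _logins(events):
    return [e for e in events if e["type"] == "login"]


def rapid_mfa_enrollments(events, window=timedelta(minutes=15)):
    """MFA enrollment by the same user within `window` after a login."""
    findings = []
    for login in _logins(events):
        for e in events:
            delay = e["ts"] - login["ts"]
            if e["type"] == "mfa_enroll" and e["user"] == login["user"] and timedelta(0) <= delay <= window:
                findings.append({"rule": "rapid_mfa_enroll", "user": e["user"],
                                 "delay_min": delay.total_seconds() / 60, "factor": e.get("factor")})
    return findings


def anonymized_network_logins(events, anon_tags=ANON_TAGS):
    """Logins whose source IP carries a proxy/VPN/Tor reputation tag."""
    return [{"rule": "anon_network_login", "user": e["user"], "ip": e["ip"], "tag": e["ip_tag"]}
            for e in _logins(events) if e["ip_tag"] in anon_tags]


def bulk_export_after_login(events, window=timedelta(minutes=30), threshold=20):
    """At least `threshold` export events by the user within `window` of a login."""
    findings = []
    for login in _logins(events):
        count = sum(1 for e in events if e["type"] == "file_export" and e["user"] == login["user"]
                    and timedelta(0) <= e["ts"] - login["ts"] <= window)
        if count >= threshold:
            findings.append({"rule": "bulk_export", "user": login["user"], "count": count})
    return findings


def run_all(events):
    """All findings; a user appearing under all three rules is a strong signal."""
    return rapid_mfa_enrollments(events) + anonymized_network_logins(events) + bulk_export_after_login(events)


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are starting points, not tuned values: a 15-minute enrollment window and a 20-export threshold will produce noise in some environments and miss slower actors in others, so the useful signal is the same user tripping more than one rule in a single session rather than any rule alone.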

Beyond purely technical controls, organizations must reinforce their human defense layer. Mandiant's guidance emphasizes rigorous identity verification for helpdesk interactions, including multifactor verification and out-of-band confirmation for sensitive account changes. Training employees to recognize and report vishing and phishing techniques, running internal drills, and maintaining strict protocols for account-related requests can reduce the likelihood that social engineering succeeds.

The ongoing campaigns linked to ShinyHunters and related threat clusters demonstrate that cloud environments face complex risks that blend social engineering, identity abuse, and sophisticated lateral movement across SaaS platforms. The ease with which attackers exploit legitimate authentication flows and human trust highlights the need for a rebalanced defense posture that prioritizes identity security as a first-class security domain.

Stronger, phishing-resistant authentication, comprehensive monitoring, and proactive incident response planning are critical components of a modern corporate defense strategy. As attackers continue to refine their tactics and target identity systems directly, defenders must adapt in parallel, investing in both technology and training to safeguard cloud data in an increasingly hostile threat landscape.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
