ShinyHunters SaaS breaches linked to Vishing and SSO phishing campaign 

Google’s Mandiant says a recent wave of SaaS data-theft incidents linked to the ShinyHunters group is being driven by targeted voice phishing (vishing) attacks combined with company-branded phishing websites designed to steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Mandiant is tracking the activity across multiple threat clusters, including UNC6661, UNC6671, and UNC6240, the latter associated with ShinyHunters.

According to Mandiant, UNC6661 attackers impersonate IT staff in phone calls to targeted employees, directing them to fake corporate login portals that capture SSO credentials and MFA codes. After gaining access, the attackers register their own MFA device to maintain persistence and then steal data from cloud applications based on the permissions available through the compromised SSO session.

Mandiant believes the campaign is opportunistic, with attackers exfiltrating data from whatever SaaS applications are accessible. In one breach involving an Okta customer, attackers enabled a Google Workspace add-on called “ToogleBox Recall” to search for and permanently delete emails, including an Okta notification alerting the user that a new MFA method had been enrolled.
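The persistence and cover-up sequence described above (attacker enrols a new MFA method, then deletes the provider's enrolment notification from the victim's mailbox) is a correlatable pattern. The following is an added detection example, not code from Mandiant or the article; it assumes an SSO audit log and a mailbox audit log normalised into one simplified record type (the `Event` fields and action names are assumptions, not any provider's real schema), and flags an MFA enrolment followed, within a time window, by the same account deleting a message whose subject looks like the enrolment alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime      # event time (UTC)
    actor: str        # account the action was performed as
    source: str       # "sso" (identity provider audit) or "mail" (mailbox audit)
    action: str       # normalised action name (assumed; not a real provider schema)
    detail: str       # free text: factor type, message subject, add-on name, ...


# Keywords identifying the identity provider's "new MFA method enrolled" notification.
# Assumed for this example; align them with the real subject line in your tenant.
NOTIFICATION_KEYWORDS = ("mfa", "authenticator", "factor")


def _looks_like_mfa_notification(subject: str) -> bool:
    s = subject.lower()
    return any(k in s for k in NOTIFICATION_KEYWORDS)


def find_suppressed_mfa_alerts(events: List[Event],
                               window: timedelta = timedelta(hours=2)) -> List[Tuple[Event, Event]]:
    """Pair each MFA enrolment with a later deletion, by the same account and inside
    `window`, of a mail whose subject looks like the enrolment notification."""
    ordered = sorted(events, key=lambda e: e.ts)
    enrolments = [e for e in ordered if e.source == "sso" and e.action == "mfa_factor_enrolled"]
    findings = []
    for enr in enrolments:
        for ev in ordered:
            if ev.actor != enr.actor or ev.source != "mail" or ev.action != "message_deleted":
                continue
            if enr.ts <= ev.ts <= enr.ts + window and _looks_like_mfa_notification(ev.detail):
                findings.append((enr, ev))
    return findings


# Constructed sample timeline (not real log data). "alice" shows the pattern from the
# article: enrolment, a mail add-on enabled, then the notification deleted minutes later.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "alice", "sso", "mfa_factor_enrolled", "TOTP authenticator"),
    Event(T0 + timedelta(minutes=3), "alice", "mail", "addon_enabled", "ToogleBox Recall"),
    Event(T0 + timedelta(minutes=6), "alice", "mail", "message_deleted",
          "A new MFA factor was added to your account"),
    Event(T0 + timedelta(hours=1), "bob", "sso", "mfa_factor_enrolled", "Push authenticator"),
    Event(T0 + timedelta(hours=1, minutes=20), "bob", "mail", "message_deleted", "Team lunch menu"),
]

if __name__ == "__main__":
    for enr, deletion in find_suppressed_mfa_alerts(SAMPLE_EVENTS):
        print(f"{enr.actor}: MFA enrolled {enr.ts:%H:%M}, "
              f"notification deleted {deletion.ts:%H:%M} ({deletion.detail!r})")
```

The add-on enablement event is kept in the sample because it is a useful secondary signal (a newly enabled mail add-on by the same account in the same window), but the rule only fires on the deletion, since that is the step that removes the user's chance to notice the rogue factor. Tune the window to how quickly your provider delivers the notification.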

Mandiant said phishing domains used by UNC6661 were often registered through NICENIC and followed naming patterns such as <companyname>sso.com or <companyname>internal.com.
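The naming pattern above is simple enough to check mechanically against newly registered domains, certificate-transparency feeds or proxy logs. The following is an added example, not code from Mandiant or the article: it takes a list of your organisation's brand names (here the constructed name `ExampleCorp`) and reports any domain whose second-level label is `<companyname>sso` or `<companyname>internal`. It generalises slightly beyond the article by also catching a hyphenated variant (`examplecorp-sso`) and by matching on subdomains such as `login.examplecorpsso.com`; the single-label-TLD simplification is an assumption.

```python
from typing import Iterable, List, Optional, Sequence, Tuple

# Suffixes from the naming pattern Mandiant reported for UNC6661 domains.
SUFFIXES = ("sso", "internal")


def registrable_name(domain: str) -> str:
    """Return the second-level label of a domain.
    Simplification (assumption): treats the last label as the TLD, so
    'examplecorpsso.co.uk' would be mis-split; use a public-suffix list in production."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str, company_names: Sequence[str],
                    suffixes: Sequence[str] = SUFFIXES) -> Optional[Tuple[str, str]]:
    """Return (company, suffix) when the domain's registrable name is
    <company><suffix> or <company>-<suffix>, otherwise None."""
    name = registrable_name(domain)
    for company in company_names:
        c = company.lower()
        for suffix in suffixes:
            if name in (f"{c}{suffix}", f"{c}-{suffix}"):
                return (company, suffix)
    return None


def scan_domains(domains: Iterable[str], company_names: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Run classify_domain over a feed and return (domain, company, suffix) for each hit."""
    hits = []
    for d in domains:
        match = classify_domain(d, company_names)
        if match:
            hits.append((d, match[0], match[1]))
    return hits


# Constructed sample feed (not real registrations).
SAMPLE_DOMAINS = [
    "examplecorpsso.com",            # hit: <company>sso
    "login.examplecorpinternal.com", # hit: <company>internal, on a subdomain
    "examplecorp.com",               # legitimate-looking, no suffix
    "examplecorp-sso.net",           # hit: hyphenated variant
    "unrelatedsso.com",              # different brand, ignored
]

if __name__ == "__main__":
    for domain, company, suffix in scan_domains(SAMPLE_DOMAINS, ["ExampleCorp"]):
        print(f"suspicious: {domain} (brand={company}, suffix={suffix})")
```

In practice the brand list should include product names and common abbreviations, and a hit is a prompt to block the domain at the proxy and mail gateway and to check the SSO audit log for logins referred from it, not proof of compromise on its own.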

While UNC6661 carried out the initial intrusions, extortion demands were attributed to ShinyHunters (UNC6240), using a Tox messenger ID previously linked to the group. A separate cluster, UNC6671, was observed using similar vishing tactics with phishing domains registered through Tucows, but its extortion efforts did not use the ShinyHunters name and instead relied on more aggressive pressure tactics, including harassment of company staff. Many IP addresses associated with the campaign were linked to commercial VPNs and residential proxy services, including Mullvad, Oxylabs, NetNut, and Infatica.
