Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms
Google-owned Mandiant on Friday said it identified an "expansion in threat activity" that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters. The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim
AI Analysis
Technical Summary
Mandiant, a Google-owned cybersecurity firm, has reported an escalation in sophisticated vishing (voice phishing) attacks consistent with tactics used by the financially motivated ShinyHunters hacking group and associated clusters UNC6661, UNC6671, and UNC6240. These threat actors impersonate IT personnel to deceive employees at targeted organizations into visiting fake credential harvesting websites designed to mimic legitimate company portals. Victims are instructed to update their multi-factor authentication (MFA) settings, during which attackers capture single sign-on (SSO) credentials and MFA codes. The attackers then register their own devices for MFA, effectively bypassing the victim’s MFA protections. This access enables lateral movement within the victim’s network and exfiltration of sensitive data from cloud-based SaaS platforms such as Okta, SharePoint, and OneDrive. In some cases, compromised email accounts are weaponized to send additional phishing emails, particularly targeting cryptocurrency firms, followed by deletion of these emails to cover tracks. The threat actors also escalate extortion tactics, including harassment of victim personnel. The campaign exploits social engineering rather than software vulnerabilities, underscoring the limitations of traditional MFA methods like SMS and push notifications. Google recommends adopting phishing-resistant MFA methods such as FIDO2 security keys or passkeys, improving help desk verification processes (e.g., requiring live video calls), restricting management-plane access, auditing for exposed secrets, and enhancing logging and detection of anomalous identity and authorization activities. The attackers’ use of different domain registrars and extortion patterns suggests multiple loosely connected groups or evolving tactics. This threat represents a significant risk to organizations relying on cloud SaaS platforms for critical business operations and sensitive data.
Potential Impact
For European organizations, this threat poses a substantial risk to the confidentiality and integrity of sensitive corporate data and internal communications hosted on SaaS platforms. Successful compromise can lead to unauthorized access to critical cloud services, enabling data theft, business email compromise, and lateral movement within networks. The extortion component can result in financial losses, reputational damage, and operational disruption. Organizations in sectors with high SaaS adoption, such as finance, technology, and cryptocurrency, are particularly vulnerable. The social engineering nature of the attack means even well-secured environments can be compromised if employees are deceived. The harassment and extortion tactics further increase the risk of insider stress and potential operational impact. Given the widespread use of SaaS platforms like Okta, Microsoft 365, and Google Workspace across Europe, the threat could affect a broad range of enterprises, especially those with remote or hybrid workforces where identity verification is more challenging. The attack also highlights the need for stronger identity security practices to prevent lateral movement and data exfiltration.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to counter advanced social engineering and credential theft. Key measures include:
1) Deploy phishing-resistant MFA methods such as FIDO2 security keys or passkeys instead of SMS or push-based MFA to prevent MFA code interception.
2) Enhance help desk and IT support processes by requiring live video verification or other strong identity proofing before making changes to MFA or account settings.
3) Restrict management-plane access to trusted networks and devices, enforce strong password policies, and remove weaker authentication methods like SMS and email-based MFA.
4) Conduct regular audits for exposed secrets, credentials, and unauthorized device registrations in identity providers and SaaS platforms.
5) Implement comprehensive logging and monitoring focused on identity lifecycle events, OAuth/app authorizations, and anomalous access patterns, especially outside normal business hours.
6) Train employees on recognizing vishing and social engineering tactics, emphasizing verification of IT requests.
7) Use endpoint detection tools to identify lateral movement and suspicious PowerShell or scripting activity.
8) Establish incident response plans that include rapid containment and forensic analysis of SaaS platform breaches.
9) Collaborate with SaaS providers to leverage their security features and threat intelligence.
10) Consider segmentation of SaaS access and least privilege principles to limit potential damage from compromised accounts.
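As an added illustration of measures 4 and 5 above (example code written for this page, not from the article or Mandiant's report): a small Python detector run over a constructed identity-provider log that flags an MFA factor enrollment which follows a sign-in from a previously unseen IP within a short window, or which happens outside business hours, the sequence the campaign relies on when attackers register their own device. Event names, field names and the 08:00-18:00 UTC business window are assumptions, not a real vendor schema or policy.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a simplified identity-provider log (JSON lines).
# Event names and field names are assumptions for this example, not a vendor schema.
SAMPLE_LOG = """
{"ts":"2026-01-27T09:00:00Z","type":"session.start","user":"bob@example.com","ip":"203.0.113.22","outcome":"SUCCESS"}
{"ts":"2026-01-28T09:02:10Z","type":"session.start","user":"alice@example.com","ip":"203.0.113.10","outcome":"SUCCESS"}
{"ts":"2026-01-29T09:05:42Z","type":"session.start","user":"alice@example.com","ip":"203.0.113.10","outcome":"SUCCESS"}
{"ts":"2026-01-30T10:00:00Z","type":"session.start","user":"bob@example.com","ip":"203.0.113.22","outcome":"SUCCESS"}
{"ts":"2026-01-30T10:20:00Z","type":"mfa.factor.enroll","user":"bob@example.com","ip":"203.0.113.22","outcome":"SUCCESS"}
{"ts":"2026-01-30T21:14:03Z","type":"session.start","user":"alice@example.com","ip":"198.51.100.77","outcome":"SUCCESS"}
{"ts":"2026-01-30T21:16:55Z","type":"mfa.factor.enroll","user":"alice@example.com","ip":"198.51.100.77","outcome":"SUCCESS"}
"""

def parse_log(text):
    """Parse JSON lines, convert timestamps to aware datetimes, sort chronologically."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])

def off_hours(ts, start_hour=8, end_hour=18):
    """True on weekends or outside the assumed 08:00-18:00 UTC business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def find_suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Flag MFA enrollments that follow a sign-in from a never-before-seen IP
    within `window`, and/or happen off hours. Returns a list of alert dicts."""
    seen_ips = {}        # user -> IPs seen in earlier successful sign-ins (the baseline)
    last_new_ip = {}     # user -> (ts, ip) of the most recent sign-in from an unseen IP
    alerts = []
    for e in events:
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["type"] == "session.start" and e["outcome"] == "SUCCESS":
            known = seen_ips.setdefault(user, set())
            if ip not in known:
                last_new_ip[user] = (ts, ip)
            known.add(ip)
        elif e["type"] == "mfa.factor.enroll" and e["outcome"] == "SUCCESS":
            reasons = []
            recent = last_new_ip.get(user)
            if recent and recent[1] == ip and ts - recent[0] <= window:
                reasons.append("new_ip_login_within_window")
            if off_hours(ts):
                reasons.append("off_hours")
            if reasons:
                alerts.append({"user": user, "ip": ip, "ts": ts.isoformat(), "reasons": reasons})
    return alerts
```

On the constructed log, bob's enrollment from a long-known IP during business hours is not flagged, while alice's enrollment three minutes after an evening sign-in from a new IP is reported with both reasons.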
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Switzerland, Belgium, Ireland
Technical Details
Article source: https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html (fetched 2026-01-31T09:08:48Z, 1248 words)
Threat ID: 697dc6a3ac063202221e55f2
Added to database: 1/31/2026, 9:08:51 AM
Last enriched: 1/31/2026, 9:09:09 AM
Last updated: 2/3/2026, 8:52:24 AM