Google Threat Intelligence Group reports that UNC6671, operating under the BlackFile brand, is using vishing and adversary-in-the-middle tactics to compromise Microsoft 365 and Okta accounts. The group steals large volumes of SaaS data with Python and PowerShell scripts, then uses extortion emails, Session/Tox messaging, and a BlackFile leak site to pressure victims. #UNC6671 #BlackFile #Microsoft365 #Okta #GoogleThreatIntelligenceGroup
Key points
- UNC6671 uses voice phishing to trick employees into handing over credentials and MFA codes.
- The group performs real-time adversary-in-the-middle attacks against SSO portals.
- Microsoft 365, SharePoint, OneDrive, Zendesk, Salesforce, and Okta are key targets.
- Python, PowerShell, and Microsoft Graph are used for automated data exfiltration.
- BlackFile extortion emails, Session chats, and a data leak site are used to pressure victims.
Read More: https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation