The ShinyHunters extortion group says it is conducting vishing campaigns that impersonate IT support to phish SSO credentials and MFA codes for Okta, Microsoft Entra, and Google accounts, enabling attackers to access corporate SaaS platforms. Compromised SSO dashboards let intruders pivot into services like Salesforce, Microsoft 365, Google Workspace and other connected apps to harvest data and issue extortion demands, with ShinyHunters claiming responsibility and posting breaches on its Tor leak site.

#ShinyHunters #Okta #MicrosoftEntra #Google #Salesforce #Crunchbase #SoundCloud #Betterment

Key points
- Attackers use vishing calls impersonating IT support to trick employees into entering credentials and MFA codes on phishing sites.
- Phishing kits include a live control panel that dynamically changes pages to guide victims through login and MFA steps in real time.
- A compromised SSO account exposes an inventory of connected services, providing a gateway to corporate SaaS apps and data.
- ShinyHunters claims responsibility and leverages previously stolen breach data to make social-engineering calls more convincing.
- Targeted organizations have received extortion demands, while vendors like Okta, Microsoft, and Google have issued limited or no public details.