Mandiant details how ShinyHunters abuse SSO to steal cloud data

Mandiant and Google Threat Intelligence report that ShinyHunters and affiliated clusters are running vishing campaigns that use company-branded phishing sites to steal SSO credentials and MFA codes, allowing attackers to enroll their own devices and maintain access. Compromised accounts provide attackers with centralized access to SaaS dashboards (Okta, Microsoft Entra, Google SSO) to exfiltrate data from services like Salesforce and enable extortion. #ShinyHunters #Okta

Key points

  • Attackers use targeted vishing calls and company-branded phishing sites to capture SSO credentials and MFA codes.
  • Phishing kits display interactive dialogs so attackers can guide victims in real time to approve MFA prompts.
  • Compromised accounts let attackers enroll their own MFA devices and access SSO dashboards (Okta, Microsoft Entra, Google SSO).
  • Stolen access is used to exfiltrate cloud data from services like Salesforce, Microsoft 365, SharePoint, and DocuSign for extortion.
  • Mandiant tracks clusters UNC6661, UNC6671, and UNC6240 and recommends identity hardening, logging, and behavior detection to mitigate these attacks.
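A defender-side illustration of the behavior detection the last point recommends, added here and not part of the Mandiant report or the article: it flags an MFA factor enrollment that lands shortly after a login from an IP address the user had never used, which is the "enroll their own device" step in the attack chain above. The log records are constructed in an Okta System Log-like JSON shape (eventType, published, actor.alternateId, client.ipAddress); the event type names and the timestamp format are assumptions, not values taken from the article.

```python
"""Flag an MFA factor enrollment that follows a login from an IP the user
had never used: the enroll-your-own-device step described above.
Assumed Okta System Log-like field names; sample records are CONSTRUCTED."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): alice's routine logins, then a login
# from a new IP followed 6 minutes later by a new factor; bob enrolls a
# factor from an IP he has used before, so he should not be flagged.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2025-01-06T09:00:00Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2025-01-06T09:30:00Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"}}
{"eventType":"user.session.start","published":"2025-01-07T09:02:00Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}
{"eventType":"user.session.start","published":"2025-01-08T14:21:00Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"}}
{"eventType":"user.mfa.factor.activate","published":"2025-01-08T14:27:00Z","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77"}}
{"eventType":"user.session.start","published":"2025-01-08T10:00:00Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"}}
{"eventType":"user.mfa.factor.activate","published":"2025-01-08T10:05:00Z","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.20"}}
"""

def parse_events(raw):
    """Parse newline-delimited JSON records and sort them by time."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Return (user, published, ip) for each factor activation within
    `window` of a login from an IP address that user had not used before.
    The per-user IP baseline is built from the log stream itself."""
    known_ips = defaultdict(set)
    last_new_ip_login = {}  # user -> timestamp of latest login from a new IP
    hits = []
    for e in events:
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        if e["eventType"] == "user.session.start":
            if ip not in known_ips[user]:
                last_new_ip_login[user] = e["ts"]
            known_ips[user].add(ip)
        elif e["eventType"] == "user.mfa.factor.activate":
            ts = last_new_ip_login.get(user)
            if ts is not None and e["ts"] - ts <= window:
                hits.append((user, e["published"], ip))
    return hits
```

In production the known-IP baseline should be seeded from a longer history than the detection window, otherwise every user's first login in the query range looks new.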

Read More: https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/