Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

Google-owned Mandiant reported an expansion in extortion-style attacks tied to ShinyHunters that use vishing and fake credential-harvesting sites to steal SSO credentials and MFA codes. The attackers — tracked as UNC6661, UNC6671, and UNC6240 — are targeting cloud SaaS platforms (including Okta, SharePoint, and OneDrive) to exfiltrate sensitive data and extort victims, prompting guidance to adopt phishing-resistant MFA and stronger help-desk and logging controls. #ShinyHunters #Okta

Key points

  • Attackers use advanced vishing and branded credential-harvesting sites to capture SSO credentials and MFA codes.
  • Activity is tracked across clusters UNC6661, UNC6671, and UNC6240, suggesting multiple actors or evolving tactics.
  • Stolen credentials are used to register attacker devices for MFA, move laterally, and exfiltrate data from SaaS apps like Okta, SharePoint, and OneDrive.
  • Threat actors have escalated tactics to include harassment, targeting cryptocurrency firms, PowerShell-based data theft, and mailbox manipulation.
  • Google recommends phishing-resistant MFA (FIDO2/passkeys), stricter help-desk identity verification, restricted management-plane access, and enhanced logging and detection.
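The third and fifth points above (attacker MFA device registration, and the call for better logging and detection) suggest one concrete check a defender can run over identity-provider logs. The following is an added example, not code from Mandiant or the article: it scans constructed Okta System Log records for an MFA factor activated shortly after a sign-in from an IP address the user had never used before, and deliberately does not flag a user's very first sign-in, since MFA enrollment at onboarding is expected. Field names follow Okta's System Log schema as assumed here; the sample records are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Okta System Log records (not real data). Only the fields
# the rule needs are kept; event-type names follow Okta's System Log vocabulary.
SAMPLE_LOG = [
    {"published": "2026-01-10T08:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2026-01-10T08:05:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2026-01-11T14:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    {"published": "2026-01-11T14:03:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.77"}},
    # bob has no prior history: first sign-in plus enrollment is normal onboarding
    {"published": "2026-01-11T15:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
    {"published": "2026-01-11T15:02:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "203.0.113.20"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def flag_factor_after_new_ip_login(events, window=timedelta(minutes=30)):
    """Return (user, ip, published) for each MFA factor activation that follows,
    within `window`, a session start from an IP the user had not used earlier in
    the log. A user with no earlier sessions at all is treated as onboarding and
    is not flagged. Events are processed in published order."""
    seen_ips = defaultdict(set)   # user -> IPs seen in earlier session starts
    new_ip_login = {}             # user -> (ip, time) of latest sign-in from a new IP
    hits = []
    for ev in sorted(events, key=lambda e: e["published"]):
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        when = _ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if seen_ips[user] and ip not in seen_ips[user]:
                new_ip_login[user] = (ip, when)
            seen_ips[user].add(ip)
        elif ev["eventType"] == "user.mfa.factor.activate":
            login = new_ip_login.get(user)
            if login and timedelta(0) <= when - login[1] <= window:
                hits.append((user, ip, ev["published"]))
    return hits

if __name__ == "__main__":
    for hit in flag_factor_after_new_ip_login(SAMPLE_LOG):
        print("review MFA enrollment:", hit)
```

In practice the baseline of known IPs would come from a longer history (days to weeks) than the single sample list here, and the hit should be tied to a help-desk verification record before the new factor is trusted.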

Read More: https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html