Mandiant describes an expansion of ShinyHunters-branded extortion operations that leverage vishing and victim-branded credential harvesting to compromise single sign‑on (SSO) credentials and enroll unauthorized devices into victim MFA, enabling access to cloud SaaS environments. Immediate containment (revoke sessions, pause MFA registration, restrict password resets) plus long‑term hardening (phishing‑resistant MFA, IdP/SaaS logging and detections) are recommended to stop exfiltration and persistence. #ShinyHunters #Okta
Keypoints
- ShinyHunters‑branded campaigns use evolved voice phishing (vishing) and victim‑branded credential harvesting to bypass identity controls and gain access to cloud SaaS via compromised SSO credentials.
- These intrusions rely on social engineering rather than product vulnerabilities, often enrolling unauthorized devices into MFA or manipulating help‑desk workflows to gain persistence.
- Immediate containment priorities include revoking active sessions/OAuth tokens, pausing MFA registration, restricting public password resets, and limiting remote access and device enrollment.
- Long‑term hardening recommends phishing‑resistant MFA (FIDO2/passkeys/security keys), restricting access to managed/compliant devices, and reducing scope of non‑human accounts and long‑lived keys.
- Comprehensive logging across IdPs (Okta, Microsoft Entra), Google Workspace, Salesforce, Atlassian, DocuSign, and Microsoft 365 is essential to detect MFA lifecycle events, OAuth authorizations, large exports (e.g., Google Takeout), and scripted downloads.
- Mandiant provides detection playbooks (YARA‑L pseudo‑rules) for high‑fidelity signals such as MFA enrollments after login, OAuth app authorizations (ToogleBox/recall), PowerShell user‑agent downloads from SharePoint/OneDrive, and Takeout/export events.
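Two of the high-fidelity signals above (MFA factor enrollment shortly after a login, and PowerShell user-agent downloads from SharePoint/OneDrive) as a small correlation over constructed log events. This is an added illustration, not a Mandiant playbook or rule; the event schema, the Okta-style event names and the `FileDownloaded` operation name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral schema (assumption).
# Action names mimic Okta System Log and Microsoft 365 audit operations.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "action": "user.session.start",
     "ip": "203.0.113.5", "ua": "Mozilla/5.0"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "action": "user.mfa.factor.activate",
     "ip": "203.0.113.5", "ua": "Mozilla/5.0"},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "action": "FileDownloaded",
     "ip": "203.0.113.5", "ua": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "action": "user.session.start",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0"},
    {"ts": "2024-05-02T10:00:00", "user": "bob", "action": "user.mfa.factor.activate",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0"},  # a day later: outside the window
    {"ts": "2024-05-01T11:00:00", "user": "carol", "action": "FileDownloaded",
     "ip": "198.51.100.9", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/123"},
]

ENROLL_WINDOW = timedelta(minutes=30)          # tune to the tenant's normal enrollment lag
SCRIPTED_UA_MARKERS = ("windowspowershell", "powershell")

def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def mfa_enrolled_after_login(events, window=ENROLL_WINDOW):
    """(user, enrollment timestamp) for each MFA factor activated within `window` after a login."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "user.session.start":
            logins[e["user"]].append(_t(e["ts"]))
    hits = []
    for e in events:
        if e["action"] != "user.mfa.factor.activate":
            continue
        when = _t(e["ts"])
        if any(timedelta(0) <= when - login <= window for login in logins[e["user"]]):
            hits.append((e["user"], e["ts"]))
    return hits

def scripted_downloads(events):
    """(user, timestamp) for SharePoint/OneDrive downloads with a PowerShell user agent."""
    return [(e["user"], e["ts"]) for e in events
            if e["action"] == "FileDownloaded"
            and any(m in e["ua"].lower() for m in SCRIPTED_UA_MARKERS)]

if __name__ == "__main__":
    print("MFA enrolled soon after login:", mfa_enrolled_after_login(EVENTS))
    print("Scripted downloads:", scripted_downloads(EVENTS))
```

In a real IdP feed the login side would also carry the new-device or new-IP context, which makes a match far higher fidelity than the time window alone.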
MITRE Techniques
- [T1566] Phishing – Social engineering via voice phishing (vishing) and credential harvesting to trick users and help‑desk staff (‘vishing’ / ‘voice phishing’)
- [T1078] Valid Accounts – Use of legitimately obtained SSO credentials and OAuth tokens to access SaaS and pivot (‘compromise single sign-on (SSO) credentials’)
- [T1556] Modify Authentication Process – Manipulation/enrollment of MFA and unauthorized device registration to bypass or persist despite MFA protections (‘enroll unauthorized devices into victim multi-factor authentication (MFA) solutions’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell to download sensitive data from SharePoint and OneDrive (‘PowerShell to download sensitive data from SharePoint and OneDrive’)
- [T1567] Exfiltration Over Web Service – Large‑scale exports and cloud-native export tools (Google Takeout, bulk SaaS exports) used to exfiltrate data (‘Google Takeout export’ / ‘bulk exports’)
Indicators of Compromise
- [IP / ASN] campaign infrastructure and anonymized networks – SHINYHUNTERS_PROXY_IPS, VPN_TOR_ASNS (reference lists used to detect auth attempts and admin actions from proxy/VPN/Tor networks)
- [OAuth/App Authorizations] suspicious app authorizations enabling mailbox/config changes – example: ToogleBox / “recall” OAuth app authorization, and other unauthorized connected apps
- [User Agent Strings] scripted access signatures – WindowsPowerShell / PowerShell user agent observed during SharePoint/OneDrive downloads
- [Export Job IDs / Takeout] bulk export indicators – Google Takeout export start/complete events and job IDs (used to detect large corporate data exports)
- [API Keys / Service Account Keys] programmatic credential artifacts and misconfigurations – references to service account key creation (e.g., the iam.disableServiceAccountKeyCreation guardrail) and long‑lived access keys
- [Email Subjects / Message Deletion] targeted mailbox cleanup indicators – deletion of security notification emails with subjects like ‘Security method enrolled’ or ‘new sign‑in’ (observed in Gmail/Exchange audit logs)