Welcome to BlackFile: Inside a Vishing Extortion Operation

MITRE Techniques

• [T1566.004] Phishing: Voice Phishing – Used callers to trick victims into sharing credentials and MFA approvals by phone (‘high-volume voice phishing (vishing)’).
• [T1133] External Remote Services – Gained access through SSO portals and identity infrastructure such as Microsoft 365 and Okta (‘targets organizations via … single sign-on (SSO) compromise’).
• [T1557.002] Adversary-in-the-Middle: Rogue Ingress Tool Transfer – Intercepted credentials and MFA in real time during the vishing flow (‘live adversary-in-the-middle (AiTM) attack’).
• [T1078] Valid Accounts – Used stolen username/password pairs and session cookies to authenticate as the victim (‘captures these in real-time and immediately submits them to the legitimate SSO provider’).
• [T1098.005] Additional Cloud Credentials – MFA Device Registration – Registered attacker-controlled MFA devices for persistence (‘register a new, attacker-controlled MFA device’).
• [T1213] Data from Information Repositories – Accessed SharePoint, OneDrive, Salesforce, Zendesk, and other SaaS repositories for theft (‘move laterally across the victim’s SaaS applications’).
• [T1087.004] Account Discovery: Cloud Account – Queried internal search and tenant data to identify valuable information (‘queried internal search functions for string literals such as “confidential” and “SSN”‘).
• [T1041] Exfiltration Over C2 Channel – Streamed file content to attacker infrastructure using scripts and APIs (‘stream” file content directly to attacker-controlled infrastructure’).
• [T1105] Ingress Tool Transfer – Used scripts and libraries to retrieve data from cloud services via direct requests (‘python-requests library and PowerShell to issue direct HTTP GET requests’).
• [T1119] Automated Collection – Automated high-volume harvesting of files and records (‘access and download over a million individual files’).