ShinyHunters Abuses SSO via Vishing for Cloud Data Theft

Executive Summary
Multiple threat clusters, including the notorious extortion group ShinyHunters, are actively exploiting Single Sign-On (SSO) environments through a sophisticated vishing (voice phishing) campaign. Adversaries impersonate corporate IT staff to socially engineer employees, directing them to phishing sites that harvest SSO credentials and Multi-Factor Authentication (MFA) codes in real time. Once initial access is achieved, the threat actors pivot through SSO dashboards to exfiltrate sensitive data from connected cloud and SaaS applications for extortion purposes. Mandiant is tracking this activity across clusters identified as UNC6661, UNC6671, and UNC6240 (ShinyHunters).
Threat Actor Analysis
UNC6661 & UNC6240 (ShinyHunters)
Mandiant attributes the initial intrusion and data theft activity to a threat cluster tracked as UNC6661. This actor executes the vishing calls, manages the phishing infrastructure, and performs the data exfiltration. The subsequent extortion and data leakage operations are handled by ShinyHunters (UNC6240), who use a known Tox messenger ID for communication. This indicates a potential division of labor or affiliate model.
UNC6671
A separate cluster, UNC6671, employs similar vishing TTPs but utilizes different infrastructure and extortion methods. Their phishing domains are registered through Tucows, and their extortion demands are not issued under the ShinyHunters brand. This group has been observed using aggressive pressure tactics, including harassing company personnel.
Attack Vector & Kill Chain
Phase 1: Vishing & Credential Theft
The attack originates with a vishing call in which the adversary, posing as IT or helpdesk personnel, claims the target must update their MFA settings. The employee is directed to a company-branded phishing site. These sites use advanced phishing kits that let the attacker capture credentials and MFA codes in real time while coaching the victim over the phone to approve push notifications or read out one-time passcodes.
Phase 2: SSO Pivot & MFA Enrollment
Upon successful authentication, the adversary immediately enrolls their own device for MFA to establish persistence. They then access the organization's Okta, Microsoft Entra, or Google SSO dashboard. This dashboard serves as a centralized springboard, granting them access to all SaaS applications authorized for the compromised user account.
Phase 3: Data Exfiltration & Defense Evasion
From the SSO dashboard, the threat actors target and exfiltrate data from available SaaS platforms, including Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, and Google Drive. To cover their tracks, actors have been observed using a Google Workspace add-on named ToogleBox Recall to search for and permanently delete security alert emails, such as the "Security method enrolled" notification from Okta.

Technical Details & IOCs
Phishing Domain Patterns
Adversaries register domains designed to impersonate corporate portals. Observed patterns include:
- <companyname>sso[.]com
- <companyname>internal[.]com
- ticket-<companyname>[.]support
- <companyname>okta[.]com
- <companyname>access[.]com
An example provided is matchinternal[.]com, used in the Match Group breach.
Adversary Infrastructure
Threat actors leverage commercial VPN services and residential proxy networks to obfuscate their origin. Services used include Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks.
Observed Tools & Techniques
Data exfiltration from Microsoft 365 and SharePoint has been observed with a PowerShell User-Agent, indicating scripted download activity. Audit logs from platforms like DocuSign have shown bulk document downloads originating from adversary-controlled IP addresses.
Mitigation & Detection
Behavioral Detection Rules
Mandiant recommends prioritizing detections for the following post-vishing behaviors:
- SSO account compromise immediately followed by high-volume data exfiltration from one or more SaaS platforms.
- A PowerShell User-Agent accessing SharePoint or OneDrive for file downloads.
- Unexpected Google Workspace OAuth authorization for the ToogleBox Recall application.
- Deletion of automated security notification emails related to MFA device modifications.
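As an added illustration (not Mandiant's rules or any vendor's detection syntax), the four behaviours listed above expressed as Python checks over constructed, normalised log events; the field names, app labels, sample User-Agent and the two-hour/20-download thresholds are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

PS_UA = re.compile(r"PowerShell", re.I)  # matches "WindowsPowerShell/5.1..." style UAs

def _ev(ts, user, app, action, **extra):
    return {"ts": ts, "user": user, "app": app, "action": action, **extra}

def sample_events():
    """Constructed sample telemetry in a normalised shape; field names are assumptions."""
    ps_ua = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
    ev = [
        _ev("2024-01-01T09:00:00", "jdoe", "okta", "mfa_factor_enrolled"),
        _ev("2024-01-01T09:01:00", "jdoe", "google_workspace", "oauth_authorize", client="ToogleBox Recall"),
        _ev("2024-01-01T09:03:00", "jdoe", "gmail", "email_deleted", subject="Security method enrolled"),
        _ev("2024-01-01T10:00:00", "asmith", "sharepoint", "FileDownloaded", ua="Mozilla/5.0 Chrome/120"),
    ]
    for i in range(25):  # scripted bulk download in the half hour after enrollment
        ev.append(_ev(f"2024-01-01T09:{5 + i:02d}:00", "jdoe", "sharepoint", "FileDownloaded", ua=ps_ua))
    return ev

def powershell_downloads(events):
    """SharePoint/OneDrive downloads carrying a PowerShell User-Agent."""
    return [e for e in events if e["app"] in {"sharepoint", "onedrive"}
            and e["action"] == "FileDownloaded" and PS_UA.search(e.get("ua", ""))]

def toogle_oauth_grants(events):
    """Google Workspace OAuth authorisation for the ToogleBox Recall add-on."""
    return [e for e in events if e["app"] == "google_workspace" and e["action"] == "oauth_authorize"
            and "toogle" in e.get("client", "").lower()]

def alert_mail_deletions(events):
    """Deletion of the IdP's 'Security method enrolled' notification email."""
    return [e for e in events if e["action"] == "email_deleted"
            and "security method enrolled" in e.get("subject", "").lower()]

def exfil_after_enrollment(events, window=timedelta(hours=2), threshold=20):
    """New MFA factor followed within `window` by >= `threshold` downloads by the same user."""
    enrolled = {}
    for e in events:
        if e["action"] == "mfa_factor_enrolled":
            enrolled.setdefault(e["user"], []).append(datetime.fromisoformat(e["ts"]))
    hits = {}  # user -> download count in the window
    for user, starts in enrolled.items():
        for start in starts:
            n = sum(1 for e in events if e["user"] == user and e["action"] == "FileDownloaded"
                    and start <= datetime.fromisoformat(e["ts"]) <= start + window)
            if n >= threshold:
                hits[user] = max(n, hits.get(user, 0))
    return hits
```

Run against the constructed events, the correlation rule fires only for the account whose new MFA factor is followed by the download burst, while the other user's single browser download stays silent.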
Strategic Hardening
Organizations are advised to harden identity workflows and authentication reset processes. This includes enhancing employee awareness training regarding vishing threats and implementing more robust, phishing-resistant MFA methods where possible. Comprehensive logging should be enabled for all SaaS and identity-provider platforms so that the telemetry needed for forensic investigation is retained.