Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms

Google-owned Mandiant on Friday said it identified an “expansion in threat activity” that uses tradecraft consistent with extortion-themed attacks orchestrated by a financially motivated hacking group known as ShinyHunters.

The attacks leverage advanced voice phishing (aka vishing) and bogus credential harvesting sites mimicking targeted companies to gain unauthorized access to victim environments by collecting sign-on (SSO) credentials and multi-factor authentication (MFA) codes.

The end goal of the attacks is to target cloud-based software-as-a-service (SaaS) applications to siphon sensitive data and internal communications and extort victims.

The tech giant’s threat intelligence team said it’s tracking the activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), so as to account for the possibility that these groups could be evolving their modus operandi or mimicking previously observed tactics.

“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” Mandiant noted.

“Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics.”

Details of the vishing and credential theft activity are as follows –

• UNC6661 has been observed pretending to be IT staff in calls to employees at targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their multi-factor authentication (MFA) settings. The activity was recorded between early and mid-January 2026.
• The stolen credentials are then used to register their own device for MFA and then move laterally across the network to exfiltrate data from SaaS platforms. In at least one case, the threat actor weaponized their access to compromised email accounts to send more phishing emails to contacts at cryptocurrency-focused companies. The emails were subsequently deleted to cover up the tracks. This is followed by extortion activity conducted by UNC6240.
• UNC6671 has also been identified as impersonating IT staff to deceive victims as part of efforts to obtain their credentials and MFA authentication codes on victim-branded credential harvesting sites since early January 2026. In at least some instances, the threat actors gained access to Okta customer accounts. UNC6671 has also leveraged PowerShell to download sensitive data from SharePoint and OneDrive.
• The differences between UNC6661 and UNC6671 relate to the use of different domain registrars for registering the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671), as well as the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators.
• This indicates that different sets of people may be involved, illustrating the amorphous nature of these cybercrime groups. What’s more, the targeting of cryptocurrency firms suggests that the threat actors may also be looking to explore further avenues for financial gain.