ShinyHunters Expands SaaS Data Theft and Extortion

Feb 2, 2026

Multi-factor authentication has bred a sense of complacency in many organizations, and a well-organized threat group is now exploiting that gap. Analysis by Mandiant and the Google Threat Intelligence Group (GTIG) documents a significant expansion of attacks by threat actors affiliated with the ShinyHunters collective. The campaign uses social engineering to get past corporate defenses, exfiltrates sensitive data directly from cloud-based Software-as-a-Service (SaaS) applications, and follows up with multi-stage extortion. The findings show growth in the attackers' operational scope, in the range of platforms they target, and in the aggression of their extortion methods. GTIG tracks the activity as several interconnected clusters, UNC6661, UNC6671 and UNC6240, in order to map their partnerships, operational differences and possible impersonations. Critically, the investigation concludes that these incidents do not stem from vulnerabilities in the targeted vendors' products; the campaign succeeds entirely by exploiting human trust through planned social engineering. That makes the case, industry-wide, for moving from phishable MFA methods such as push approvals and one-time codes to phishing-resistant alternatives such as FIDO2 security keys and passkeys.

The Anatomy of an Attack

The campaign exhibits a consistent and well-defined attack lifecycle, which can be broken down into several key stages, each marked by specific tactics, techniques, and procedures. The overarching themes identified are the primacy of social engineering for initial access, the opportunistic yet targeted exfiltration of data from a growing list of SaaS platforms, and a subsequent, highly aggressive extortion phase designed to maximize pressure and compel payment from victim organizations.

Stage 1 Gaining Initial Access

The threat actors' primary method for gaining initial access to a target organization is a combination of voice phishing (vishing) and victim-branded credential harvesting websites. This phase is highly personalized and is designed to get around both technical controls and employee security awareness training. Operatives from the threat clusters, particularly UNC6661 and UNC6671, telephone employees of the targeted organization, posing as members of the company's internal IT or helpdesk staff. They create urgency, often claiming that the company is performing a mandatory update to its multi-factor authentication (MFA) settings or that the employee's account needs immediate attention to avoid a lockout, and steer the employee into compliance. The approach is effective because it sidesteps technical defenses and relies instead on the trust employees place in their internal support teams. The attackers' ability to sound professional, knowledgeable and authoritative is central to their success in this first stage.

During the vishing call, the employee is guided to a fraudulent website built to mimic the organization's single sign-on (SSO) portal. These sites are not generic templates; they incorporate the victim's company branding, logos and familiar user-interface elements. The threat actors register domains that combine the target company's name with sso.com, internal.com, or support.com so that the site looks like a legitimate corporate portal. Analysis found that UNC6661 often used the registrar NICENIC while UNC6671 preferred Tucows, a detail that helps researchers separate the two clusters. On the fake portal, the employee, believing they are following a legitimate IT process, enters their SSO credentials. The actor then prompts the employee to trigger their MFA method, typically a push notification or an SMS code, and either approve the push or read out the one-time code. The actor immediately replays the captured credentials and the live MFA response against the real portal, logs in, and registers their own device as a new, persistent MFA factor, which gives them ongoing access to the compromised account without another call.
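To make concrete why the relay described above defeats push and one-time-code factors but not FIDO2 keys or passkeys, here is an added Python model written for this page. It is not code from GTIG, Mandiant or any vendor mentioned; the domains, keys and the HMAC stand-in for the authenticator's signature are constructed for the illustration. The TOTP half implements the RFC 4226/RFC 6238 algorithm exactly, so the relayed code is accepted; the WebAuthn half is a simplified model in which the browser writes the page's true origin into the signed client data and refuses to use a credential whose RP ID is not the page's own domain, which is what breaks the relay in both ways an attacker can try it.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed names for the illustration (no relation to any real organization).
LEGIT_ORIGIN = "https://sso.example-corp.com"
PHISH_ORIGIN = "https://example-corp-sso.com"   # attacker-registered lookalike
RP_ID = "example-corp.com"


# ---- Phishable factor: TOTP (RFC 4226 truncation over an RFC 6238 time step) ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def portal_verify_totp(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), code)


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """Vishing flow: the victim reads the code into the fake portal and the
    attacker submits it to the real portal inside the same time step."""
    harvested = totp(secret, now)                        # typed into the fake SSO page
    return portal_verify_totp(secret, harvested, now)    # real portal accepts it


# ---- Origin-bound factor: WebAuthn-style assertion (toy model) ----------------
class Authenticator:
    """Stand-in for a FIDO2 key. Real keys sign with a private key; an HMAC key
    the relying party also holds keeps this toy self-contained."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, rp_id: str, client_data_hash: bytes) -> tuple[bytes, bytes]:
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        sig = hmac.new(self.key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(auth: Authenticator, rp_id: str, page_origin: str, challenge: str):
    """The browser only lets a page use credentials scoped to its own registrable
    domain (simplified suffix check) and records the page's real origin."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId does not match the page origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    auth_data, sig = auth.sign(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, origin, challenge, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != LEGIT_ORIGIN:
        return False
    if cd.get("challenge") != challenge:
        return False
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legit_login(auth: Authenticator) -> bool:
    challenge = secrets.token_hex(16)
    cd, ad, sig = browser_get_assertion(auth, RP_ID, LEGIT_ORIGIN, challenge)
    return rp_verify(auth.key, challenge, cd, ad, sig)


def relay_webauthn_attack(auth: Authenticator, attacker_rp_id: str) -> str:
    """Attacker proxies the real portal's challenge to the phishing page and
    forwards whatever the victim's browser produces."""
    challenge = secrets.token_hex(16)                     # fetched from the real portal
    try:
        cd, ad, sig = browser_get_assertion(auth, attacker_rp_id, PHISH_ORIGIN, challenge)
    except PermissionError:
        return "blocked_by_browser"
    return "accepted" if rp_verify(auth.key, challenge, cd, ad, sig) else "rejected_by_rp"


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    print("TOTP relay accepted by real portal:", relay_totp_attack(seed, 1_700_000_000))
    key = Authenticator()
    print("legit FIDO login:", legit_login(key))
    print("phish page requests victim rpId:", relay_webauthn_attack(key, RP_ID))
    print("phish page uses its own rpId:", relay_webauthn_attack(key, "example-corp-sso.com"))
```

The two WebAuthn outcomes are the point: if the phishing page asks for the victim's RP ID the browser refuses outright, and if it asks for its own RP ID the authenticator signs the wrong rpIdHash and the client data carries the phishing origin, so the real portal rejects the assertion. Nothing the attacker can say on the phone changes either check.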

Stage 2 Data Exfiltration and Evasion

Once initial access is secured, the threat actors pivot to their primary objective: locating and exfiltrating valuable data for extortion. Their movement within the victim’s environment appears to be largely opportunistic, dictated by the permissions and application access granted to the compromised user’s SSO session. However, the search for data is deliberate and targeted, aimed at maximizing the value of the haul for subsequent ransom negotiations. The investigation revealed a significant expansion in the types of cloud platforms targeted. While past operations focused heavily on Salesforce, a rich source of customer data, this campaign saw actors exfiltrating data from a much wider array of services. This includes Microsoft 365, where log evidence shows threat actors using PowerShell to systematically download files from SharePoint and OneDrive. They conducted specific searches for documents containing keywords such as “poc,” “confidential,” “internal,” “proposal,” “salesforce,” and “vpn,” indicating a clear intent to find proprietary business information, intellectual property, and sensitive internal communications. The compromise also extended to platforms like DocuSign, where they downloaded archived legal and contractual documents, and even Slack, where they claimed to have exfiltrated sensitive internal conversations.

The threat actors demonstrated a keen awareness of security monitoring and took active steps to cover their tracks and maintain their foothold. In a notable incident involving a compromised Okta customer account, the UNC6661 cluster leveraged their access to the user’s Google Workspace to authorize a third-party add-on called “ToogleBox Recall.” This tool, designed to search for and permanently delete emails, was used to find and erase the automated notification email sent by Okta titled “Security method enrolled.” This was a strategic move to prevent the legitimate employee from discovering that a new, unauthorized MFA device had been added to their account, thus delaying detection and giving the attackers more time to operate. In at least one other case, UNC6661 used a compromised employee’s email account to launch a secondary phishing campaign, specifically targeting contacts at cryptocurrency-focused companies. After sending the malicious emails, they meticulously deleted them from the “Sent Items” folder, further attempting to obfuscate their activities. This suggests a potential expansion of their objectives beyond simple data extortion, possibly to build relationships for future intrusions or to engage in direct cryptocurrency theft.

The Extortion Playbook and Evolving Threat

The final stage of the attack involves leveraging the stolen data to extort a ransom payment from the victim organization. The extortion tactics have become increasingly aggressive and multifaceted, moving beyond simple data leakage threats to a more holistic pressure campaign designed to cripple a victim’s operations and reputation until the ransom is paid.

Stage 3 The Pressure Campaign

GTIG attributes the extortion activity following UNC6661 intrusions to a separate, specialized cluster, UNC6240. This critical link is established through strong operational overlaps, including the use of a common Tox account for negotiations, the consistent branding of extortion emails with the ShinyHunters name, and the use of the Limewire platform to host samples of stolen data as proof of the breach. This specialization suggests a sophisticated cybercrime ecosystem where different groups handle distinct phases of the attack. Victims receive extortion emails that detail the stolen data, specify a ransom amount in Bitcoin (BTC), and provide a wallet address for payment. These demands come with a strict deadline, typically 72 hours, and threaten severe consequences for non-compliance, including the public release of all exfiltrated information. This initial contact is designed to create immediate panic and pressure the victim’s leadership into making a hasty decision. The specificity of the data mentioned in the email serves to validate the attackers’ claims and amplify the perceived severity of the breach.

In a significant escalation, the threat actors have expanded their pressure tactics far beyond the simple threat of data leakage. Recent incidents have involved direct and personal harassment of victim company personnel, including sending threatening text messages to the mobile phones of employees and executives. This tactic blurs the line between a corporate incident and a personal threat, increasing psychological stress on key decision-makers. Furthermore, the attackers have begun launching powerful distributed denial-of-service (DDoS) attacks against the victim’s public-facing websites to disrupt business operations and add another layer of financial and reputational pressure. In late January 2026, a new data leak site (DLS) named “SHINYHUNTERS” emerged, serving as a public shaming mechanism that lists alleged victims of these recent operations. The DLS also includes contact information previously associated with the UNC6240 extortion cluster, further solidifying the link between the initial intrusion and the final extortion phases and completing a “quadruple extortion” model that involves data theft, public data leakage, DDoS attacks, and personal harassment.

Detection and Defense Strategies

The intelligence gathered on this campaign gives security teams concrete data to hunt for the activity in their own environments. A primary focus should be monitoring for newly registered domains that match the naming conventions used for the credential harvesting sites. The actors consistently combine the target company's name with sso.com, internal.com, support.com, or okta.com to lend the site legitimacy. Monitoring certificate transparency logs and domain registrations for these patterns can give early warning of a targeted phishing campaign. A significant portion of the observed malicious activity also originated from IP addresses belonging to commercial VPN services and residential proxy networks, including Mullvad, Oxylabs, NetNut and Infatica. Blocking these services outright may be impractical because of business impact, but they should be prioritized for threat hunting and correlation: legitimate corporate traffic, particularly for administrative functions or SSO logins, rarely comes from anonymizing services, so their appearance is a high-fidelity signal.
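An added Python example, not from the report or this article, of turning the domain-pattern guidance into a monitor: it expands a company name into the lookalike registrable domains the observed patterns would produce and checks a certificate transparency export for them. The feed entries below are constructed, the hyphenated and keyword-first variants and the TLD list are this example's assumptions beyond the four patterns the report names, and the two-label registrable-domain reduction ignores public suffixes such as co.uk.

```python
import itertools
from typing import Iterable

# Terms the report associates with the phishing domains. The separators, the
# keyword-first ordering and the TLD list are this example's assumptions.
KEYWORDS = ("sso", "internal", "support", "okta")
TLDS = ("com", "net")


def lookalike_candidates(company_names: Iterable[str]) -> set[str]:
    """Registrable domains that the observed naming patterns would produce."""
    bases = set()
    for name in company_names:
        name = name.lower().strip()
        bases.add(name.replace(" ", "-"))                   # example-corp
        bases.add(name.replace(" ", "").replace("-", ""))   # examplecorp
    out = set()
    for base, kw, tld in itertools.product(bases, KEYWORDS, TLDS):
        for sep in ("", "-"):
            out.add(f"{base}{sep}{kw}.{tld}")
            out.add(f"{kw}{sep}{base}.{tld}")
    return out


def registrable(dns_name: str) -> str:
    """Reduce a certificate SAN (wildcard or deep subdomain) to its last two
    labels. Sufficient for the generic TLDs above; use a public-suffix list
    before running this against co.uk-style suffixes."""
    labels = dns_name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def scan_ct_entries(company_names, entries):
    """Match certificate-transparency entries against the candidate set."""
    candidates = lookalike_candidates(company_names)
    hits = []
    for entry in entries:
        matched = {registrable(n) for n in entry["names"]} & candidates
        for domain in sorted(matched):
            hits.append({"domain": domain, "issuer": entry["issuer"],
                         "not_before": entry["not_before"], "sans": entry["names"]})
    return hits


# Constructed entries standing in for a CT log export; these are not real certificates.
CT_ENTRIES = [
    {"names": ["sso.example-corp.com"], "issuer": "Example Corp Internal CA", "not_before": "2026-01-10"},
    {"names": ["example-corp-sso.com", "www.example-corp-sso.com"], "issuer": "Public CA A", "not_before": "2026-01-27"},
    {"names": ["*.examplecorpinternal.net"], "issuer": "Public CA B", "not_before": "2026-01-28"},
    {"names": ["support-examplestore.com"], "issuer": "Public CA A", "not_before": "2026-01-28"},
]

if __name__ == "__main__":
    for hit in scan_ct_entries(["Example Corp"], CT_ENTRIES):
        print(f'{hit["not_before"]}  {hit["domain"]:28} issuer={hit["issuer"]}  sans={hit["sans"]}')
```

The legitimate sso.example-corp.com certificate is not flagged because its registrable domain is the company's own; only the two lookalikes match. In production the candidate set would be fed to a CT monitor or checked against daily zone-file or registration feeds rather than a static list.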

Organizations can operationalize this intelligence by creating detailed detection and hunting queries within their security information and event management (SIEM) platforms. For example, security teams can hunt for Okta authentication events that are flagged by Okta’s own threat intelligence as originating from an anonymized IP address, or they can monitor Google Workspace logs for authorization events specifically for the “ToogleBox Recall” application, which was used for defense evasion. Other effective hunting strategies include searching M365 logs for SharePoint file access events where the User-Agent string contains “PowerShell,” indicating programmatic, non-interactive data access characteristic of bulk exfiltration. Similarly, creating alerts for sessions where a single user accesses or downloads an unusually high number of distinct documents from SharePoint within a short time frame can detect bulk data theft in progress. Monitoring SearchQueryPerformed events for sensitive keywords like “confidential” or “vpn,” and hunting for deletion events in Exchange logs where email subjects relate to MFA method enrollment, are also strong indicators of an attacker attempting to find valuable data and hide their persistence mechanisms. This proactive hunting is a critical component of a resilient defense.
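The hunts above as an added Python example; this is not GTIG or Mandiant code. It runs the rules over constructed audit records whose field names are flattened for readability (source, operation, user, user_agent, object, query, subjects, app_name, is_proxy); map them to the real schemas before use, for example the Unified Audit Log's UserAgent, ObjectId and AffectedItems[].Subject, the Workspace token audit's app_name, and Okta's securityContext.isProxy. The bulk-download threshold and window are assumptions to tune against the tenant's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Keywords the report says the actors searched for in SharePoint/OneDrive.
SENSITIVE_TERMS = ("poc", "confidential", "internal", "proposal", "salesforce", "vpn")
# Bulk-download threshold: assumed values, tune to the tenant's baseline.
BULK_FILES, BULK_WINDOW = 50, timedelta(minutes=10)
DELETE_OPS = ("SoftDelete", "HardDelete", "MoveToDeletedItems")


def hunt(records):
    """Return (rule, user, detail) tuples for every hunt that matches."""
    findings = []
    downloads = defaultdict(list)     # user -> [(time, object)]
    powershell = defaultdict(int)     # user -> downloads with a PowerShell user agent
    for r in records:
        src, op, user = r["source"], r["operation"], r["user"]
        if src == "m365" and op == "FileDownloaded":
            downloads[user].append((datetime.fromisoformat(r["time"]), r["object"]))
            if "powershell" in r.get("user_agent", "").lower():
                powershell[user] += 1
        elif src == "m365" and op == "SearchQueryPerformed":
            q = r.get("query", "").lower()
            terms = [t for t in SENSITIVE_TERMS if t in q]
            if terms:
                findings.append(("sensitive_search", user, ",".join(terms)))
        elif src == "exo" and op in DELETE_OPS:
            for subject in r.get("subjects", []):
                if "security method enrolled" in subject.lower():
                    findings.append(("mfa_enrollment_mail_deleted", user, subject))
        elif src == "gws" and op == "authorize" and "toogle" in r.get("app_name", "").lower():
            findings.append(("toogle_recall_authorized", user, r["app_name"]))
        elif src == "okta" and op == "user.session.start" and r.get("is_proxy"):
            findings.append(("okta_login_via_anonymizer", user, r["src_ip"]))

    for user, n in powershell.items():
        findings.append(("sharepoint_powershell_download", user, f"{n} files"))
    for user, events in downloads.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # sliding window over sorted times
            distinct = {obj for t, obj in events[i:] if t - start <= BULK_WINDOW}
            if len(distinct) >= BULK_FILES:
                findings.append(("sharepoint_bulk_download", user,
                                 f"{len(distinct)} distinct files within {BULK_WINDOW}"))
                break
    return findings


def constructed_records():
    """Constructed sample log: one compromised user (alice) and one benign user (bob)."""
    alice, bob = "alice@example-corp.com", "bob@example-corp.com"
    t0 = datetime(2026, 1, 20, 14, 0, 0)
    ps_ua = "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.1"
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0"
    recs = [
        {"source": "okta", "operation": "user.session.start", "user": alice, "src_ip": "198.51.100.23", "is_proxy": True},
        {"source": "okta", "operation": "user.session.start", "user": bob, "src_ip": "192.0.2.10", "is_proxy": False},
        {"source": "gws", "operation": "authorize", "user": alice, "app_name": "ToogleBox Recall"},
        {"source": "exo", "operation": "SoftDelete", "user": alice, "subjects": ["Security method enrolled"]},
        {"source": "m365", "operation": "SearchQueryPerformed", "user": alice, "query": "confidential vpn"},
        {"source": "m365", "operation": "SearchQueryPerformed", "user": bob, "query": "lunch menu"},
    ]
    for i in range(60):   # 60 files in five minutes through PowerShell
        recs.append({"source": "m365", "operation": "FileDownloaded", "user": alice, "user_agent": ps_ua,
                     "time": (t0 + timedelta(seconds=5 * i)).isoformat(),
                     "object": f"https://example-corp.sharepoint.com/sites/sales/proposal_{i}.docx"})
    for i in range(3):    # normal browsing, hours apart
        recs.append({"source": "m365", "operation": "FileDownloaded", "user": bob, "user_agent": browser_ua,
                     "time": (t0 + timedelta(hours=i)).isoformat(),
                     "object": f"https://example-corp.sharepoint.com/sites/hr/handbook_{i}.pdf"})
    return recs


RECORDS = constructed_records()

if __name__ == "__main__":
    for rule, user, detail in hunt(RECORDS):
        print(f"{rule:32} {user:26} {detail}")
```

Each rule on its own produces noise (PowerShell user agents show up in legitimate automation, and "internal" is a common search term); the value is in the correlation, which is why the function keys every finding by user so the six hits on alice can be stitched into one case while bob's ordinary activity produces nothing.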

The Path to Resiliency

The expansion of ShinyHunters-branded extortion operations is a formidable and evolving threat to organizations that rely heavily on cloud-based SaaS platforms. The campaign's success is a stark reminder that even with modern identity solutions such as SSO and MFA, organizations remain vulnerable if they have not adopted phishing-resistant authentication. The threat actors have shown adaptability by widening their target scope and escalating their extortion tactics to put maximum pressure on victims. For defenders, the path forward is a multi-layered strategy that addresses both the technical and the human elements of these attacks. The technical imperative is to deploy phishing-resistant MFA, such as FIDO2 security keys or passkeys, which are bound to the legitimate origin and therefore cannot be relayed through a fake portal the way push approvals and one-time codes can. Alongside that, organizations need continuing user education on social engineering of this kind and proactive threat hunting using the indicators and detection logic described in the intelligence reporting. By understanding the full attack lifecycle, from the initial vishing call to the final extortion demand, organizations can build a defense capable of detecting and disrupting these human-driven attacks.
