ShinyHunters Escalates Cloud Attacks Using Vishing and Stolen MFA Codes, Google Warns

A New Wave of Social Engineering-Fueled Cloud Breaches

Google’s Threat Intelligence Group (GTIG), alongside Mandiant, is sounding the alarm over a sharp increase in cyberattacks linked to the notorious ShinyHunters extortion group. Unlike traditional breach campaigns that exploit software vulnerabilities, these operations rely almost entirely on human manipulation. By combining convincing voice phishing calls with carefully crafted fake login portals, attackers are quietly bypassing modern security controls and walking straight into enterprise cloud environments.

Why These Attacks Are Different

What makes this surge particularly dangerous is not a newly discovered flaw in cloud platforms, but the attackers’ ability to exploit trust. Employees are tricked into handing over single sign-on (SSO) credentials and multi-factor authentication (MFA) codes, effectively neutralizing defenses that many organizations believe are “good enough.” GTIG tracks this activity across several clusters, including UNC6661, UNC6671, and UNC6240, each playing a distinct role in the overall operation.

From Initial Access to Full Cloud Visibility

Once attackers gain access, they move quickly and quietly. Cloud applications such as Microsoft SharePoint, Salesforce, Google Workspace, Slack, and DocuSign become prime targets. Sensitive internal documents, contracts, customer records, and private communications are siphoned off, packaged, and prepared for extortion. Victims are then faced with a brutal choice: pay the ransom or watch their data leak on underground forums.

Summary of the Original Report

Social Engineering as the Primary Weapon

According to Google and Mandiant, the ShinyHunters-linked groups are not exploiting bugs in Okta, Microsoft, or Google platforms. Instead, they rely on vishing—impersonating IT help desk staff and convincing employees that urgent MFA updates are required. These calls are often professional, confident, and timed during business hours to appear legitimate.

Fake Domains Built to Deceive

Victims are directed to malicious websites that closely mimic internal corporate portals. Domains such as sso.com or internal.com are registered through common registrars like NICENIC and Tucows. Once employees enter their credentials and MFA codes, attackers immediately register their own devices, ensuring persistent access.

UNC6661 and Early 2026 Activity

The cluster tracked as UNC6661 became particularly active in early January 2026. Initial access often began with Okta accounts, followed by lateral movement into SaaS platforms. Logs reviewed by researchers show extensive file downloads from SharePoint using PowerShell, suggesting automation and bulk exfiltration.

Evidence Hidden in Plain Sight

Detailed audit logs reveal OAuth-based authentication events, file downloads labeled as routine activity, and access originating from unmanaged devices. Browser strings and user agents were deliberately chosen to blend in with legitimate traffic, reducing the likelihood of immediate detection.

Salesforce and DocuSign in the Crosshairs

Beyond SharePoint, attackers accessed Salesforce from suspicious IP addresses and harvested DocuSign envelopes containing sensitive agreements. These actions indicate a clear focus on data that can increase extortion leverage, particularly customer records and legally binding documents.

Covering Tracks Inside Google Workspace

In at least one incident, attackers enabled ToggleBox Recall in Google Workspace to automatically delete Okta notifications about new MFA device registrations. This tactic allowed them to operate longer without raising alarms, highlighting a deep understanding of enterprise cloud ecosystems.

Multiple Clusters, One Goal

While UNC6661 focused on initial compromise and data theft, UNC6671 used similar vishing techniques with different infrastructure providers. UNC6240 handled the extortion phase, communicating through Tox chats, demanding Bitcoin payments, and even sharing LimeWire samples as proof of stolen data.

Abuse of Stolen Accounts

After gaining access, attackers sent phishing emails from compromised corporate accounts, often targeting cryptocurrency firms. These emails were later deleted to erase evidence, further complicating forensic investigations.

Public Shaming via Leak Sites

A newly observed “SHINYHUNTERS” leak site lists victims alongside contact emails hosted on privacy-focused providers. This public pressure tactic is designed to accelerate ransom payments by increasing reputational risk.

Systematic Data Hunting

Inside cloud environments, attackers searched for keywords such as “confidential,” “vpn,” “poc,” and “salesforce.” Salesforce records containing personally identifiable information (PII) and internal Slack conversations were prioritized.

Aggressive Extortion Tactics

Extortion notes typically include 72-hour deadlines, Bitcoin wallet addresses, and explicit threats. Some clusters escalate further by harassing employees directly or launching DDoS attacks against company websites.

Infrastructure Tied to Anonymization

Investigators traced activity to VPN services and proxy networks, including Mullvad and Oxylabs. Google has since added identified phishing domains to Chrome Safe Browsing, limiting their future effectiveness.

Defensive Recommendations

Google urges organizations to move toward phishing-resistant MFA methods such as FIDO2 security keys or passkeys. Monitoring Okta admin changes, PowerShell-based SharePoint downloads, and anomalous authentication patterns is critical for early detection.

What Undercode Says:

The Return of Human-Centric Hacking

This campaign is a reminder that as technical defenses improve, attackers increasingly target people instead of systems. ShinyHunters is not reinventing malware; it is refining persuasion. The success of these attacks highlights a persistent gap between security policy and everyday employee behavior.

MFA Alone Is No Longer a Silver Bullet

For years, MFA has been marketed as the ultimate safeguard against account compromise. These incidents show that MFA is only as strong as its implementation. If users can be tricked into approving requests or sharing codes, MFA becomes a speed bump rather than a barrier.

Cloud Centralization Raises the Stakes

Modern enterprises concentrate vast amounts of sensitive data inside cloud platforms. Once attackers gain SSO access, the blast radius is enormous. SharePoint, Salesforce, and DocuSign are not just tools—they are repositories of a company’s operational memory.

Attackers Understand Enterprise Workflows

The use of PowerShell for SharePoint downloads and the manipulation of Google Workspace settings suggest attackers who deeply understand how IT teams operate. This is not opportunistic crime; it is informed, deliberate intrusion.

Extortion Is Becoming More Psychological

Beyond data theft, harassment and public leak sites are designed to break organizational resolve. By targeting employees directly and threatening reputational damage, attackers are applying pressure where it hurts most: trust and credibility.

Security Monitoring Must Become Context-Aware

Traditional alerts often flag malware signatures or unusual binaries. These attacks generate “normal-looking” logs—OAuth authentications, file downloads, admin changes. Detecting them requires behavioral baselines and correlation, not just rule-based alerts.
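The "Defensive Recommendations" section and the paragraph above both call for correlating normal-looking events (a new MFA factor, downloads from an unmanaged device, a scripting user agent, a burst of SharePoint downloads) rather than alerting on any one of them. The script below is an added example of that correlation, not code from the Google/Mandiant report or from any vendor SDK. The log records are constructed and use a deliberately simplified schema; the real Okta System Log and Microsoft 365 Unified Audit Log carry different field names and nesting, so the parsing layer would need to be adapted. The thresholds (five downloads in five minutes, a 24-hour look-back for factor enrollment) are assumptions to illustrate the logic, not tuned values.

```python
"""Correlate cloud audit events into the pattern the report describes.

Added example with constructed data; the event schema is simplified and the
thresholds are illustrative assumptions, not vendor-recommended values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real audit data). One dict per event.
EVENTS = [
    # A new MFA factor is enrolled on the account from an unmanaged device.
    {"ts": "2026-01-14T09:02:11Z", "source": "okta", "user": "j.doe@example.com",
     "action": "user.mfa.factor.activate", "managed_device": False, "ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    # Minutes later, a burst of SharePoint downloads with a PowerShell user agent.
    *[{"ts": f"2026-01-14T09:{m:02d}:{s:02d}Z", "source": "sharepoint", "user": "j.doe@example.com",
       "action": "FileDownloaded", "managed_device": False, "ip": "198.51.100.7",
       "user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"}
      for m, s in [(10, 1), (10, 3), (10, 4), (10, 6), (10, 9), (11, 0), (11, 2), (11, 5)]],
    # A normal user: two downloads from a managed laptop, no factor change.
    {"ts": "2026-01-14T10:15:00Z", "source": "sharepoint", "user": "a.smith@example.com",
     "action": "FileDownloaded", "managed_device": True, "ip": "203.0.113.20",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
    {"ts": "2026-01-14T10:16:30Z", "source": "sharepoint", "user": "a.smith@example.com",
     "action": "FileDownloaded", "managed_device": True, "ip": "203.0.113.20",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
]

DOWNLOAD_BURST = 5                 # assumed: downloads per window above an interactive pace
WINDOW = timedelta(minutes=5)      # assumed sliding window for the burst
FACTOR_LOOKBACK = timedelta(hours=24)  # assumed: how recent a factor change counts
SCRIPT_AGENT_MARKERS = ("PowerShell", "python-requests", "curl/")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_script_agent(ua):
    """True if the user agent looks like a scripting client rather than a browser."""
    return any(m.lower() in ua.lower() for m in SCRIPT_AGENT_MARKERS)

def find_download_bursts(events):
    """Return {user: start_of_first_burst} for users with >= DOWNLOAD_BURST downloads in WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "FileDownloaded":
            per_user[e["user"]].append(parse_ts(e["ts"]))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):      # sliding window over sorted timestamps
            while t - times[left] > WINDOW:
                left += 1
            if right - left + 1 >= DOWNLOAD_BURST:
                bursts[user] = times[left]
                break
    return bursts

def correlate(events):
    """Combine the weak signals per user; report users with at least two.

    Signals: download burst, scripting user agent on downloads, downloads from an
    unmanaged device, and an MFA factor enrolled within FACTOR_LOOKBACK before the
    burst. A burst on its own is treated as noise (a user syncing a library).
    """
    findings = {}
    for user, burst_start in find_download_bursts(events).items():
        signals = ["download_burst"]
        user_events = [e for e in events if e["user"] == user]
        downloads = [e for e in user_events if e["action"] == "FileDownloaded"]
        if any(is_script_agent(e["user_agent"]) for e in downloads):
            signals.append("script_user_agent")
        if any(not e["managed_device"] for e in downloads):
            signals.append("unmanaged_device")
        for e in user_events:
            if e["action"] == "user.mfa.factor.activate":
                age = burst_start - parse_ts(e["ts"])
                if timedelta(0) <= age <= FACTOR_LOOKBACK:
                    signals.append("recent_mfa_enrollment")
                    break
        if len(signals) >= 2:
            findings[user] = signals
    return findings

if __name__ == "__main__":
    for user, signals in correlate(EVENTS).items():
        print(f"{user}: {', '.join(signals)}")
```

Run against the constructed events, only `j.doe@example.com` is reported, with all four signals; the second user's two downloads never form a burst. The design point is that each signal is individually benign (administrators enroll factors, scripts download files, people work from personal devices), so the rule fires only on their combination within a time window.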

Passkeys and Hardware Tokens Are the Future

Phishing-resistant MFA methods significantly reduce the effectiveness of vishing. Even if an employee is fooled, a hardware-backed authentication flow cannot be replayed or registered remotely by an attacker.
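To make concrete why a hardware-backed flow cannot be relayed through a look-alike site while a typed code can, here is an added toy model, not code from the report or from any FIDO2/WebAuthn library. HMAC-SHA256 stands in for the asymmetric signature a real security key produces, the client-data construction is simplified from the WebAuthn specification, and the two origins are constructed names. What it shows is the check that matters at the relying party: the authenticator signs the origin the browser was actually on, so an assertion produced on the wrong domain fails verification even though the user cooperated, whereas a time-based code carries no notion of where it was entered.

```python
"""Toy comparison of code-based MFA and origin-bound (WebAuthn-style) MFA.

Added example. HMAC stands in for the authenticator's signature; real
WebAuthn uses public-key signatures over clientDataHash and authenticatorData.
Origins and secrets below are constructed.
"""
import hashlib
import hmac
import os
import struct

LEGIT_ORIGIN = "https://sso.example.com"          # constructed
FAKE_ORIGIN = "https://sso-example-login.com"     # constructed look-alike

# --- Code-based MFA (RFC 6238-style TOTP, minimal) -------------------------
def totp_code(secret, t, step=30):
    """Code derived from the shared secret and the time step only; nothing in it
    identifies the site the user is typing it into."""
    counter = int(t // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def totp_verify(secret, code, t):
    return hmac.compare_digest(totp_code(secret, t), code)

# --- Origin-bound MFA (WebAuthn-style, simplified) --------------------------
def authenticator_sign(key, challenge, origin):
    """The authenticator signs the challenge together with the origin reported by
    the browser. The user never sees or types this value."""
    client_data = f"{origin}|{challenge.hex()}".encode()
    return hmac.new(key, client_data, hashlib.sha256).digest(), origin

def rp_verify(key, challenge, assertion, expected_origin):
    """Relying-party check: origin in the signed data must be the RP's own origin,
    and the signature over (origin, challenge) must verify."""
    sig, origin = assertion
    if origin != expected_origin:
        return False
    client_data = f"{origin}|{challenge.hex()}".encode()
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

# --- The two flows, modelled from the relying party's point of view ---------
def code_entered_on_lookalike(secret, t):
    """A code typed on the look-alike page and forwarded to the real site is
    indistinguishable from one typed on the real site: accepted."""
    typed = totp_code(secret, t)
    return totp_verify(secret, typed, t)

def assertion_made_on_lookalike(key):
    """The real site's challenge is forwarded, the user touches the key while the
    browser is on the look-alike origin, and the assertion is forwarded back.
    The RP rejects it because the signed origin is not its own."""
    challenge = os.urandom(32)
    assertion = authenticator_sign(key, challenge, FAKE_ORIGIN)
    return rp_verify(key, challenge, assertion, LEGIT_ORIGIN)

def assertion_made_on_real_site(key):
    challenge = os.urandom(32)
    assertion = authenticator_sign(key, challenge, LEGIT_ORIGIN)
    return rp_verify(key, challenge, assertion, LEGIT_ORIGIN)

if __name__ == "__main__":
    secret, key = b"constructed-totp-secret", b"constructed-credential-key"
    print("TOTP code via look-alike accepted:", code_entered_on_lookalike(secret, 1_700_000_000))
    print("WebAuthn via look-alike accepted: ", assertion_made_on_lookalike(key))
    print("WebAuthn on real site accepted:   ", assertion_made_on_real_site(key))
```

In a real deployment the origin check is performed by the browser and the relying party together: the browser fills in the origin, the authenticator signs over it, and the server compares it against its configured RP ID, which is why enabling WebAuthn without validating the origin on the server side would lose exactly the property this model demonstrates.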

Training Needs to Match Reality

Annual security awareness videos are not enough. Employees need realistic simulations of vishing attacks, including phone-based social engineering, to recognize pressure tactics in real time.

Incident Response Windows Are Shrinking

With attackers able to exfiltrate data within hours of access, detection delays can be catastrophic. Rapid response, automated containment, and continuous log analysis are no longer optional for cloud-first organizations.

Leak Sites Change Negotiation Dynamics

Public-facing leak portals remove privacy from ransom negotiations. Once a victim is listed, the damage is already underway, reducing incentives to pay and increasing regulatory and legal exposure.

A Blueprint Other Groups Will Copy

ShinyHunters’ success will not go unnoticed. Expect similar tactics from other extortion groups, especially those seeking higher returns without investing in complex exploit development.

Fact Checker Results

Vendor Vulnerability Claims ❌

No evidence suggests these attacks relied on flaws in Okta, Google, or Microsoft software.

Use of Vishing and Fake Domains ✅

Multiple logs and investigations confirm social engineering and domain impersonation as the primary access vector.

Data Exfiltration from Cloud Apps ✅

Verified activity shows large-scale downloads from SharePoint, Salesforce, and DocuSign.

Prediction

Wider Adoption of Passkeys 🔐

Organizations will accelerate the shift toward phishing-resistant authentication after seeing MFA bypassed at scale.

Increased Focus on Phone-Based Threats 📞

Security teams will expand training and monitoring to cover vishing, not just email phishing.

More Public Leak Sites from Extortion Groups ⚠️

As pressure tactics prove effective, more groups will adopt public shaming platforms to force faster payouts.


References:

Reported By: cyberpress.org