Is Your MFA Vulnerable to Vishing Attacks?

Multi-factor authentication was once hailed as a nearly impenetrable shield for digital accounts, but a sophisticated wave of social engineering attacks is proving that even this robust defense mechanism has a critical vulnerability: the human element. Recent intelligence has revealed an alarming expansion in threat activity where cybercriminals use advanced voice phishing, or vishing, to manipulate employees into compromising their own accounts. These attackers, employing tradecraft consistent with the notorious financially motivated group ShinyHunters, orchestrate elaborate schemes involving bogus credential harvesting sites that perfectly mimic a company’s legitimate login portals. Their objective is to bypass MFA by tricking employees into providing not just their passwords but also the one-time codes needed to gain unauthorized access. The ultimate goal is to infiltrate cloud-based software-as-a-service (SaaS) applications, exfiltrate sensitive data, and hold victim organizations for ransom, demonstrating that the weakest link in the security chain remains a person on the other end of a phone call.

1. The Anatomy of a Modern Vishing Campaign

The methodology behind these advanced vishing campaigns is deceptively simple yet highly effective, relying on social engineering rather than technical exploits. Threat actors, operating under clusters such as UNC6661, have been observed initiating contact by pretending to be members of the target company’s IT department. During these calls, they create a sense of urgency or procedural necessity, directing employees to credential harvesting links under the guise of requiring them to update their multi-factor authentication settings. The websites they use are often meticulously crafted to mirror the company’s actual single sign-on (SSO) page, lulling the victim into a false sense of security. Once the employee enters their credentials and MFA code, the attackers capture them in real time. They then immediately use this information to register their own device for MFA, effectively hijacking the account and gaining persistent access. From there, they move laterally across the network, targeting sensitive data stored in SaaS platforms for exfiltration.

The evolution of these tactics reveals a troubling escalation in both scope and aggression, moving beyond simple data theft to more coercive strategies. While the initial compromise relies on sophisticated social engineering, the attackers’ post-access activities show a continuous expansion of their objectives. They are no longer content with just one type of cloud platform; they are actively targeting a broader range of SaaS applications to maximize the amount of sensitive data they can steal for extortion purposes. Furthermore, these threat actors have begun to escalate their extortion tactics, engaging in direct harassment of victim personnel to increase pressure. In at least one documented case, attackers weaponized their access to a compromised email account to send further phishing messages to contacts at cryptocurrency-focused companies, demonstrating a calculated effort to broaden their attack surface. To cover their tracks, they subsequently deleted the sent emails, making the malicious activity harder to detect and trace.

2. Identifying the Threat Actors and Their Nuances

Security researchers are tracking this activity across multiple distinct but related clusters, including UNC6661, UNC6671, and the well-known extortion group UNC6240, also known as ShinyHunters. This multi-cluster tracking approach accounts for the possibility that these groups are either evolving their methods or mimicking each other’s successful tactics. While their core strategy of vishing and credential theft is similar, subtle differences in their operations provide insight into their structure. For example, UNC6671 has also been identified impersonating IT staff to deceive victims into providing credentials and MFA codes on victim-branded harvesting sites. In some instances, they successfully gained access to Okta customer accounts and leveraged PowerShell to download sensitive data from SharePoint and OneDrive. A key distinction between UNC6661 and UNC6671 lies in their infrastructure; they use different domain registrars for their credential harvesting sites—NICENIC for UNC6661 and Tucows for UNC6671—suggesting separate operational cells or supply chains.

The subtle variations between these threat groups highlight the amorphous and decentralized nature of modern cybercrime. The use of different domain registrars and the fact that an extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators suggest that different sets of individuals may be involved. This illustrates that these are not necessarily monolithic organizations but rather a fluid network of attackers who may share tools and tactics or operate under a common brand while maintaining distinct operational teams. The specific targeting of cryptocurrency firms further suggests that these actors are not limited to a single extortion model. They appear to be actively exploring additional avenues for financial gain, potentially looking to steal digital assets directly or leverage compromised communications for insider trading or other schemes. This adaptability makes attribution challenging and defense more complex, as organizations must prepare for a threat that is constantly changing its form and objectives.

3. Proactive Defense and Hardening Strategies

Strengthening defenses against these sophisticated social engineering attacks requires a multi-layered approach that goes beyond technology to include robust internal processes and employee training. It is crucial to improve help desk procedures to prevent impersonation. One effective measure is to require personnel to verify their identity through a live video call before any sensitive actions, such as MFA resets, are performed. On the access control front, organizations should limit network access to trusted egress points and physical locations whenever possible. Enforcing strong, unique passwords remains a foundational security practice, but it is equally important to phase out weaker MFA methods. SMS, phone calls, and email-based authentication are all susceptible to interception or social engineering and should be replaced with more secure alternatives. Additionally, organizations must restrict management-plane access, conduct regular audits for exposed secrets, and enforce strict device access controls to minimize the potential attack surface available to an intruder.

From a technical standpoint, enhanced logging and detection capabilities are essential for identifying and responding to these threats in real time. Organizations must implement comprehensive logging to increase visibility into identity actions, authorizations, and, critically, SaaS export behaviors that could indicate data exfiltration. Proactive monitoring should focus on detecting MFA device enrollment and other life cycle changes, as an unexpected new device registration is a strong indicator of account takeover. Security teams should also look for OAuth or application authorization events that suggest mailbox manipulation activity, which attackers may use to set up forwarding rules or hide their tracks. Monitoring for identity events occurring outside of normal business hours or from unusual geolocations can also provide early warnings of a compromise. It is important to note that this activity is not the result of a security vulnerability in any vendor’s products or infrastructure but rather a testament to the enduring effectiveness of social engineering.
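The detection guidance above (new MFA device enrollment soon after a login, identity events off-hours or from an unusual geolocation, OAuth consent grants and SaaS exports) can be expressed as a small correlation rule. The following is an added example, not code from the original article or from any vendor; the event schema, the per-user country baseline, the business-hours window and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample identity-provider events; field names are generic, not a vendor schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-06T09:12:00Z", "user": "alice", "event": "session.start", "country": "US"},
    {"ts": "2024-05-06T09:40:00Z", "user": "alice", "event": "session.start", "country": "US"},
    {"ts": "2024-05-06T14:00:00Z", "user": "alice", "event": "mfa.factor.enroll", "country": "US"},
    {"ts": "2024-05-06T22:05:00Z", "user": "bob", "event": "session.start", "country": "RO"},
    {"ts": "2024-05-06T22:07:00Z", "user": "bob", "event": "mfa.factor.enroll", "country": "RO"},
    {"ts": "2024-05-06T22:20:00Z", "user": "bob", "event": "oauth.consent.grant", "country": "RO"},
    {"ts": "2024-05-06T23:05:00Z", "user": "bob", "event": "saas.export", "country": "RO"},
]

BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}  # assumed per-user geo baseline
BUSINESS_HOURS = range(8, 18)                          # UTC hours treated as normal
ENROLL_WINDOW = timedelta(minutes=30)                  # enrollment this soon after login is suspicious
SENSITIVE_EVENTS = {"mfa.factor.enroll", "oauth.consent.grant", "saas.export"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, baselines=BASELINE_COUNTRIES):
    """Return findings (dicts with user, ts, event, reasons, severity) in time order."""
    findings, last_login = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user, kind = parse_ts(e["ts"]), e["user"], e["event"]
        reasons = []
        if e["country"] not in baselines.get(user, set()):
            reasons.append("unusual_geo")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if kind == "session.start":
            last_login[user] = ts
        elif kind == "mfa.factor.enroll":
            prev = last_login.get(user)
            if prev is not None and ts - prev <= ENROLL_WINDOW:
                reasons.append("mfa_enroll_after_login")  # the takeover pattern described above
        if kind in SENSITIVE_EVENTS:
            reasons.append("sensitive:" + kind)  # lifecycle changes always get a reviewer's eye
        if reasons:
            sev = "high" if len(reasons) >= 2 else "review"
            findings.append({"user": user, "ts": e["ts"], "event": kind,
                             "reasons": reasons, "severity": sev})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["ts"], f["event"], ",".join(f["reasons"]))
```

In the sample data alice's in-hours enrollment hours after her login is surfaced only for review, while bob's off-hours login from an unknown country followed within minutes by a new MFA factor, an OAuth consent and a SaaS export is rated high on every event.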

A Call for Phishing-Resistant Authentication

The recent surge in vishing-based MFA bypasses is a critical reminder that security is an ever-evolving challenge. It shows that threat actors have successfully adapted their social engineering tactics to overcome one of the most widely adopted security controls. The incidents underscore the importance of moving beyond traditional, push-based authentication methods. Organizations that have begun to address this threat recognize that the path forward involves implementing phishing-resistant MFA, such as FIDO2 security keys or passkeys. These methods, by their design, are resistant to the social engineering techniques that trick users into revealing codes or approving fraudulent requests. This shift represents a significant step in hardening the human element of the security chain, closing a vulnerability that attackers have proven all too willing and able to exploit.
