Google-owned Mandiant has reported a significant rise in threat activity involving sophisticated voice phishing operations designed to compromise cloud-based software-as-a-service platforms. The activity shows strong tradecraft similarities to extortion campaigns historically associated with the financially motivated cybercrime group known as ShinyHunters.
These attacks rely on advanced vishing techniques combined with fake credential harvesting websites that closely mimic legitimate company login portals. The primary objective is to steal single sign-on credentials and multi-factor authentication codes, enabling attackers to bypass identity protections and gain unauthorized access to SaaS environments.
Focus on SaaS Data Theft and Extortion
According to Mandiant, the attackers are focused on infiltrating cloud platforms to extract sensitive business data and internal communications. Once access is achieved, victims are subjected to extortion attempts, often accompanied by increasingly aggressive tactics.
The threat intelligence team is tracking this activity under multiple internal clusters, including UNC6661, UNC6671, and UNC6240, also known as ShinyHunters. This clustering reflects either an evolution in tactics or the possibility that multiple groups are imitating previously observed ShinyHunters methods.
Mandiant noted that while targeting identity providers and SaaS platforms aligns with past ShinyHunters-linked campaigns, the range of affected cloud services continues to grow as attackers seek higher-value data for extortion. Recent incidents also show signs of escalation, including direct harassment of employees at victim organizations.

How the Vishing Operations Work
UNC6661 Activity
UNC6661 has been observed impersonating internal IT staff during phone calls to employees at targeted organizations. Victims are instructed to follow credential harvesting links under the pretense of updating MFA settings. This activity was observed from early to mid-January 2026.
Once credentials are stolen, attackers enroll their own devices for MFA access and move laterally within the environment. They then exfiltrate data from SaaS platforms. In at least one incident, compromised email accounts were used to send additional phishing emails to contacts in cryptocurrency-focused companies, after which the emails were deleted to conceal evidence. Extortion efforts following these intrusions have been linked to UNC6240.
UNC6671 Activity
UNC6671 has also been impersonating IT personnel since early January 2026, directing victims to branded credential harvesting sites to obtain login details and MFA codes. In several cases, this resulted in unauthorized access to Okta customer accounts.
This cluster has additionally used PowerShell scripts to download sensitive data from SharePoint and OneDrive environments.
Key Differences Between the Clusters
Mandiant highlighted several distinctions between UNC6661 and UNC6671. These include the use of different domain registrars for malicious infrastructure, with NICENIC associated with UNC6661 and Tucows linked to UNC6671. Additionally, extortion emails sent after UNC6671 intrusions did not overlap with known UNC6240 indicators.
These variations suggest that different individuals or subgroups may be operating under a loosely connected ecosystem, underscoring the fragmented and adaptive nature of modern cybercrime groups. The consistent targeting of cryptocurrency firms further indicates a strong financial motivation behind the campaigns.
Google’s Security Recommendations for SaaS Protection
To reduce the risk posed by these attacks, Google has issued a comprehensive set of hardening, logging, and detection recommendations for organizations using SaaS platforms:
- Strengthen help desk verification processes, including mandatory live video calls to confirm user identity
- Restrict access to trusted network egress points and physical locations
- Enforce strong password policies and eliminate SMS, phone call, and email-based authentication
- Limit management-plane access, audit exposed secrets, and apply strict device access controls
- Expand logging to improve visibility into identity actions, authorization changes, and SaaS data export activity
- Monitor MFA device enrollment events and MFA lifecycle changes
- Detect suspicious OAuth or application authorization events that may indicate mailbox manipulation
- Watch for identity-related activity occurring outside normal business hours
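The monitoring items above (MFA enrollment, OAuth authorization events, off-hours identity activity, and logins from outside trusted egress points) can be turned into a small correlation rule. The following is an added illustration written for this article, not code from Google, Mandiant, or any IdP vendor. The log lines are constructed, the event-type strings are assumptions loosely modelled on Okta System Log naming, and the trusted egress addresses are placeholder values; map all three to your own identity provider's schema and network before use.

```python
"""Added example: scan identity-provider log lines for the signals called out in
the recommendations (MFA enrollment, OAuth grants, off-hours and untrusted-egress
activity). Not part of the Mandiant/Google report."""
import json
from datetime import datetime, timedelta

# Assumption: trusted network egress addresses (constructed placeholder values).
TRUSTED_EGRESS = {"203.0.113.10", "203.0.113.11"}
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59 local time counts as normal
ENROLL_WINDOW = timedelta(minutes=30)  # MFA enrollment this soon after an untrusted login is suspicious

# Event-type strings are assumptions modelled on Okta System Log naming; adapt to your IdP.
MFA_ENROLLMENT = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}
OAUTH_GRANT = {"app.oauth2.token.grant"}
SESSION_START = {"user.session.start"}

# Constructed sample log (one JSON event per line); not real telemetry.
SAMPLE_LOG = """
{"published":"2026-01-12T09:05:00Z","eventType":"user.session.start","actor":"alice","client_ip":"203.0.113.10","outcome":"SUCCESS"}
{"published":"2026-01-12T22:41:00Z","eventType":"user.session.start","actor":"bob","client_ip":"198.51.100.77","outcome":"SUCCESS"}
{"published":"2026-01-12T22:49:00Z","eventType":"user.mfa.factor.activate","actor":"bob","client_ip":"198.51.100.77","outcome":"SUCCESS"}
{"published":"2026-01-13T10:15:00Z","eventType":"app.oauth2.token.grant","actor":"carol","client_ip":"203.0.113.11","outcome":"SUCCESS"}
{"published":"2026-01-13T11:00:00Z","eventType":"user.mfa.factor.activate","actor":"alice","client_ip":"203.0.113.10","outcome":"SUCCESS"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def outside_business_hours(ts, tz_offset_hours=0):
    """True when the event falls outside weekday business hours in local time."""
    local = ts + timedelta(hours=tz_offset_hours)
    return local.hour not in BUSINESS_HOURS or local.weekday() >= 5


def scan(events, tz_offset_hours=0):
    """Return (severity, actor, reason) alerts; correlates untrusted logins with MFA enrollment."""
    alerts = []
    last_untrusted_login = {}  # actor -> timestamp of most recent login from an untrusted IP
    for e in events:
        etype, actor, ip, ts = e["eventType"], e["actor"], e["client_ip"], e["ts"]
        if etype in SESSION_START and ip not in TRUSTED_EGRESS:
            last_untrusted_login[actor] = ts
            alerts.append(("medium", actor, "login from untrusted egress " + ip))
        if etype in MFA_ENROLLMENT:
            reasons, severity = ["MFA factor enrolled/reset"], "medium"
            prior = last_untrusted_login.get(actor)
            if prior is not None and ts - prior <= ENROLL_WINDOW:
                reasons.append("within %s of untrusted login" % ENROLL_WINDOW)
                severity = "high"
            if outside_business_hours(ts, tz_offset_hours):
                reasons.append("outside business hours")
                severity = "high"
            alerts.append((severity, actor, "; ".join(reasons)))
        if etype in OAUTH_GRANT:
            alerts.append(("low", actor, "OAuth/app authorization granted; review scopes and mailbox rules"))
    return alerts


def scan_text(text, tz_offset_hours=0):
    return scan(parse_events(text), tz_offset_hours)


if __name__ == "__main__":
    for severity, actor, reason in scan_text(SAMPLE_LOG):
        print("[%-6s] %s: %s" % (severity.upper(), actor, reason))
```

Run against the constructed sample, the rule raises a high-severity alert for the user whose MFA factor was activated eight minutes after an off-hours login from an address outside the egress allowlist, a medium alert for a routine enrollment from a trusted address, and a low-priority review item for the OAuth grant. The thresholds and the business-hours window are starting points to tune against your own baseline.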
Google emphasized that these incidents are not the result of software vulnerabilities in vendor products or infrastructure. Instead, they highlight the continued effectiveness of social engineering attacks and the urgent need for phishing-resistant authentication methods.
Technologies such as FIDO2 security keys and passkeys offer stronger protection against social engineering than push-based or SMS authentication, making them a critical component of modern identity security strategies.