Mandiant (owned by Google) has reported a troubling increase in attacks that combine voice phishing (vishing) with fake login pages to steal credentials and MFA codes. The techniques are those used by the financially motivated group ShinyHunters, whose activity appears to have stepped up in early 2026.
These attacks do not exploit a publicized zero-day vulnerability in any software. Instead, they rely on good old social engineering, tricking people into handing over access.
Attackers pose as helpful IT support on phone calls, convince employees to "update" their MFA settings via a bogus company-branded site, and suddenly they've got the keys to the kingdom: single sign-on (SSO) credentials and fresh MFA approvals. From there, they register their own devices, slip into cloud SaaS platforms such as email, SharePoint, or OneDrive, quietly pull sensitive data and internal messages, then pivot to extortion demands.
Mandiant tracks this activity as several overlapping clusters, including UNC6661, UNC6671, and the core UNC6240/ShinyHunters label. The overlap suggests the groups are fluid, perhaps collaborating, borrowing methods from one another and evolving together over time. For example, the UNC6661 variant was first identified in early to mid-January 2026 posing as IT personnel and directing victims to phishing sites.
With the stolen credentials, the attackers then moved laterally, exfiltrated SaaS data, and sent further phishing from the compromised email accounts to reach new victims. Meanwhile, the UNC6671 variant targeted Okta customers and used PowerShell scripts to exfiltrate data from cloud storage. Despite noticeable differences in their choice of domain registrars and extortion techniques, both groups were ultimately after sensitive information (particularly from crypto-related companies) in order to extort payment for it.
What has escalated lately is the pressure after the breach: some victims report harassment of staff alongside the usual ransom notes. It's a reminder that these aren't just data grabs; they're increasingly personal.
The good news? Mandiant stresses this isn't a vendor flaw; it's human-targeted. Their advice focuses on practical defenses:
1. Strengthen identity verification of callers, for example with live video, instead of relying only on a telephone call or a callback check.
2. Move from weaker factors such as SMS or phone-call verification to phishing-resistant ones such as FIDO2 security keys and passkeys.
3. Restrict the devices and locations from which authentication is allowed, enforce stronger passwords, and limit administrative access.
4. Log and review identity-creation events, service-provider data exports, unapproved OAuth application creation, and off-hours activity.
5. Watch closely for new MFA device enrollments and signs of mailbox tampering.
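As an added example of the logging and monitoring items above (not code from the article, from Mandiant or from any vendor), the following Python sweep runs three rules over constructed sign-in events: a new MFA factor activated within a short window of a sign-in from a network the user has never used, MFA enrollment outside business hours, and OAuth client creation by an account not on an approved list. Event type and field names are loosely modeled on Okta System Log records and are an assumption, as are the known-network baselines, the approved-creator list and the sample log lines themselves.

```python
"""Detection sweep for the identity-abuse chain the list above describes.

Added example, not code from the article or from Mandiant. Event and field
names are loosely modeled on Okta System Log records (an assumption); the
baselines and sample events are constructed for illustration.
"""
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample log lines, one JSON event per line. Not real telemetry.
SAMPLE_LOG = """\
{"published":"2026-01-14T09:00:03Z","eventType":"user.session.start","actor":"a.lee@example.com","ip":"198.51.100.5"}
{"published":"2026-01-14T12:00:10Z","eventType":"user.mfa.factor.activate","actor":"a.lee@example.com","ip":"198.51.100.5"}
{"published":"2026-01-14T21:10:44Z","eventType":"user.session.start","actor":"b.kim@example.com","ip":"203.0.113.77"}
{"published":"2026-01-14T21:14:02Z","eventType":"user.mfa.factor.activate","actor":"b.kim@example.com","ip":"203.0.113.77"}
{"published":"2026-01-14T11:30:00Z","eventType":"application.oauth2.client.create","actor":"c.ortiz@example.com","ip":"198.51.100.9"}
{"published":"2026-01-14T11:35:00Z","eventType":"application.oauth2.client.create","actor":"idp-admin@example.com","ip":"198.51.100.9"}
"""

# Hypothetical baselines an IdP admin would maintain: the networks each user
# normally signs in from, and the only accounts allowed to register OAuth clients.
KNOWN_NETWORKS = {
    "a.lee@example.com": ["198.51.100.0/24"],
    "b.kim@example.com": ["198.51.100.0/24"],
    "c.ortiz@example.com": ["198.51.100.0/24"],
}
APPROVED_OAUTH_CREATORS = {"idp-admin@example.com"}
BUSINESS_HOURS_UTC = (7, 19)           # [start, end) hour of day, UTC
ENROLL_WINDOW = timedelta(minutes=30)  # unfamiliar sign-in -> factor enrollment


def parse_log(text):
    """Parse JSON lines into events carrying a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def is_known_network(user, ip):
    """True if the source IP falls inside one of the user's baseline networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in KNOWN_NETWORKS.get(user, []))


def during_business_hours(t):
    start, end = BUSINESS_HOURS_UTC
    return start <= t.hour < end


def detect(events):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    last_unfamiliar_login = {}  # user -> time of latest sign-in from an unknown network
    for e in events:
        user, ip, t, kind = e["actor"], e["ip"], e["time"], e["eventType"]
        if kind == "user.session.start" and not is_known_network(user, ip):
            last_unfamiliar_login[user] = t
        elif kind == "user.mfa.factor.activate":
            # A fresh factor shortly after a sign-in from a new network is the
            # help-desk vishing pattern: the attacker adds their own device.
            prior = last_unfamiliar_login.get(user)
            if prior is not None and t - prior <= ENROLL_WINDOW:
                alerts.append({"user": user, "ip": ip, "at": e["published"],
                               "rule": "mfa_enroll_after_new_network_login"})
            if not during_business_hours(t):
                alerts.append({"user": user, "ip": ip, "at": e["published"],
                               "rule": "mfa_enroll_off_hours"})
        elif kind == "application.oauth2.client.create" and user not in APPROVED_OAUTH_CREATORS:
            alerts.append({"user": user, "ip": ip, "at": e["published"],
                           "rule": "oauth_client_created_by_unapproved_actor"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f'{a["at"]} {a["rule"]:42} {a["user"]} from {a["ip"]}')
```

Run against the constructed log, a.lee's enrollment from a known network during the day produces nothing, while b.kim's evening sign-in from an unfamiliar address followed four minutes later by a new factor trips both MFA rules and c.ortiz's OAuth client creation is flagged for review. In production the baselines would come from historical sign-in data rather than a hard-coded dict, and the window and hours would be tuned per organization.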
In short, while the tactics are clever and persistent, they're beatable with better awareness, stricter processes, and a move away from easily social-engineered authentication. As one Mandiant note dryly put it, this wave proves yet again how effective a convincing phone call can be, even in our hyper-secure cloud era.
Source: The Hacker News
© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067