The call that opens the cloud: the vishing that steals SSO and MFA to take over the SaaS ecosystem


In recent weeks a wave of intrusions has emerged that combines the old craft of telephone deception with very sophisticated phishing tooling, and whose aim is not to take a single account but to open the door to a company's entire cloud ecosystem. Researchers from Mandiant and Google's threat intelligence team have been tracking multiple campaigns that, according to their analysis, use targeted phone calls (the well-known vishing) and branded fake portals to steal single sign-on (SSO) credentials together with multi-factor authentication (MFA) codes or push approvals. The public report describing this activity is available on the Google Cloud blog.

The modus operandi combines two elements: on the one hand, the attacker contacts the victim by posing as IT or support staff; on the other, he directs the victim to a login page that precisely imitates the corporate portal. Identity providers such as Okta have shown how phishing kits have evolved to include interactive operator panels that guide the attacker through the conversation in real time, which makes it easier to capture credentials and manipulate MFA responses while the employee is still on the line.


Once the attacker has access to an SSO account, for example in Okta, Microsoft Entra or Google, the picture changes radically: from that central dashboard he can reach dozens of cloud applications the user has been authorized for. Documents in Salesforce, mailboxes and files in Microsoft 365 and SharePoint, contracts in DocuSign, files in Dropbox or Google Drive, Slack channels and Atlassian spaces are common targets. For groups focused on theft and extortion, that dashboard acts as a launch pad for copying large volumes of data with a single compromised account.

The teams investigating these campaigns have categorized several groups of actors. Mandiant refers to clusters tracked as UNC6661 and UNC6671 and to the extortion group known as ShinyHunters (sometimes referred to as UNC6240). In some incidents, initial access and exfiltration appear to be the work of an opportunistic group, while the subsequent ransom demands are claimed by ShinyHunters or by members who replicate the technique. BleepingComputer was among the first outlets to report details of calls impersonating corporate support; its coverage gives context on how the calls and fake pages unfold.

The researchers have published technical indicators for identifying malicious activity after the intrusion. These include records of mass downloads from SharePoint or OneDrive where the user agent is PowerShell, Salesforce logins from IP addresses linked to the attackers, and mass downloads in DocuSign. In at least one case, the intruders enabled a Google Workspace add-on called TogleBox Recall to search for and delete the emails that would have notified the user that a new MFA method had been registered, a manoeuvre to prevent the victim from receiving the notifications that might have raised the alarm; the function of that add-on is described on the vendor's site.

Fraudulent domains are often registered with names that imitate the company's legitimate portals: variants containing words such as "sso," "internal" or "support," or even combinations that include the name of the identity provider to gain credibility. Mandiant has observed registrations through commercial registrars and the use of commercial residential proxy or VPN networks to hide the origin of the connections, which makes immediate IP blocking less effective.

From a detection standpoint, the experts recommend prioritizing behavioural patterns rather than relying only on block lists. Patterns such as an SSO compromise followed by rapid or mass downloads from several SaaS applications, PowerShell user agents accessing SharePoint and OneDrive, unexpected OAuth authorizations for third-party applications, and the deletion of emails notifying the user of MFA changes are signals that should trigger deeper investigation.
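To make the post-intrusion indicators and the behavioural detections described above concrete, here is an added example (not code from the Mandiant/Google report) that correlates several of them over constructed audit events. It assumes the events from Okta, SharePoint/OneDrive, Salesforce, DocuSign and Google Workspace have already been normalized into one shape; the action names, the user names, the IP addresses and the OAuth allowlist are all hypothetical sample data, not real telemetry.

```python
"""Correlate post-vishing SaaS behaviour over normalized audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical action names; map your real sources (Okta System Log, M365 Unified
# Audit Log, Salesforce EventLogFile, DocuSign, Workspace) onto these when normalizing.
SSO_ACTIONS = {"user.authentication.sso", "user.session.start"}
MFA_ENROLL_ACTIONS = {"user.mfa.factor.activate", "user.mfa.factor.update"}
OAUTH_GRANT_ACTIONS = {"app.oauth2.token.grant", "user.authorize.oauth"}
DOWNLOAD_ACTIONS = {"FileDownloaded", "FileSyncDownloadedFull", "ReportExport", "DocumentDownloaded"}
APPROVED_OAUTH_APPS = {"Corporate Calendar Sync"}  # hypothetical allowlist of sanctioned apps
MFA_NOTICE_WORDS = ("mfa", "sign-in method", "security method", "new device")
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"


def t(hhmmss):
    """Timestamp on a fixed (constructed) day, UTC."""
    return datetime.strptime("2024-05-02T" + hhmmss, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed events: (timestamp, user, source, action, attributes)."""
    ev = [
        # j.doe: vished; attacker logs in via SSO, enrols a factor, deletes the notice, pulls data.
        (t("09:02:11"), "j.doe", "okta", "user.authentication.sso", {"ip": "198.51.100.23", "ua": "Mozilla/5.0"}),
        (t("09:05:40"), "j.doe", "okta", "user.mfa.factor.activate", {"ip": "198.51.100.23", "factor": "push"}),
        (t("09:06:30"), "j.doe", "workspace", "email.delete", {"subject": "A new MFA method was added to your account"}),
        (t("09:31:00"), "j.doe", "salesforce", "Login", {"ip": "198.51.100.23"}),
        (t("09:32:00"), "j.doe", "salesforce", "ReportExport", {"ip": "198.51.100.23", "rows": 120000}),
        (t("09:35:00"), "j.doe", "docusign", "DocumentDownloaded", {"ip": "198.51.100.23", "count": 300}),
        (t("09:40:00"), "j.doe", "okta", "app.oauth2.token.grant", {"app": "Bulk Export Helper"}),
        # a.smith: ordinary day, one browser download and a sanctioned OAuth app.
        (t("08:00:00"), "a.smith", "okta", "user.authentication.sso", {"ip": "203.0.113.5", "ua": "Mozilla/5.0"}),
        (t("08:30:00"), "a.smith", "sharepoint", "FileDownloaded", {"ip": "203.0.113.5", "ua": "Mozilla/5.0"}),
        (t("08:45:00"), "a.smith", "okta", "app.oauth2.token.grant", {"app": "Corporate Calendar Sync"}),
    ]
    # 40 scripted downloads from SharePoint/OneDrive with a PowerShell user agent, 3 s apart.
    for i in range(40):
        src = "onedrive" if i % 2 else "sharepoint"
        ev.append((t("09:10:02") + timedelta(seconds=3 * i), "j.doe", src, "FileDownloaded",
                   {"ip": "198.51.100.23", "ua": PS_UA}))
    return sorted(ev, key=lambda e: e[0])


def detect(events, window=timedelta(hours=2), bulk_threshold=25):
    """Return {user: sorted list of behavioural findings} for users that trip any check."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e[0]):
        by_user[e[1]].append(e)

    findings = {}
    for user, evs in by_user.items():
        hits = set()
        for i, (ts, _, src, action, attrs) in enumerate(evs):
            later = [e for e in evs[i + 1:] if e[0] - ts <= window]  # same user, within window
            # 1. PowerShell user agent pulling files from SharePoint/OneDrive.
            if src in ("sharepoint", "onedrive") and action in DOWNLOAD_ACTIONS \
                    and "powershell" in attrs.get("ua", "").lower():
                hits.add("powershell_user_agent_download")
            # 2/3. SSO sign-in followed by mass downloads, and downloads spanning several apps.
            if action in SSO_ACTIONS:
                downloads = [e for e in later if e[3] in DOWNLOAD_ACTIONS]
                if len(downloads) >= bulk_threshold:
                    hits.add("bulk_download_after_sso")
                if len({e[2] for e in downloads}) >= 3:
                    hits.add("multi_app_download_after_sso")
            # 4. New MFA factor, then the notification email is deleted from the mailbox.
            if action in MFA_ENROLL_ACTIONS:
                for e in later:
                    subject = e[4].get("subject", "").lower()
                    if e[2] == "workspace" and e[3] == "email.delete" \
                            and any(w in subject for w in MFA_NOTICE_WORDS):
                        hits.add("mfa_notification_email_deleted")
            # 5. OAuth grant to an application outside the sanctioned allowlist.
            if action in OAUTH_GRANT_ACTIONS and attrs.get("app") not in APPROVED_OAUTH_APPS:
                hits.add("unexpected_oauth_grant")
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, hits in detect(build_sample_events()).items():
        print(user, "->", ", ".join(hits))
```

Each check on its own produces noise (scripted downloads by an admin, a legitimately enrolled phone); the value is in the co-occurrence within one session window for one identity, which is why the findings are accumulated per user rather than emitted as independent alerts. The thresholds and window are starting points to be tuned against your own baseline.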

Mandiant has published practical recommendations for hardening identity flows, securing authentication reset and recovery processes, and improving telemetry logging so that post-vishing activity can be detected before data theft is completed. It has also made available rules for security operations platforms that help hunt for indicators related to ShinyHunters; a summary of those rules for Google SecOps is published alongside the report.

For companies, the central lesson is that MFA is no longer a panacea on its own: when attackers control the conversation and present convincing interfaces in real time, they can persuade an employee to hand over whatever is needed to register an adversary-controlled device or approve access. For this reason, in addition to keeping MFA in place, it is appropriate to tighten telephone support procedures, require additional verification for changes to authentication methods, and closely monitor OAuth authorization records and new MFA device enrollments.


Operationally, it is appropriate to review SaaS application access policies to limit permissions to what is required, enable alerts on abnormal download patterns, and retain audit logs long enough to reconstruct the activity. Coordination between security teams, identity providers and cloud application owners is essential to shrink the exposure window when an account is compromised.

The campaign that ShinyHunters and associated actors have launched shows how enterprise security must adapt to hybrid attacks that mix social engineering with technical automation. Understanding the path the attacker follows (the vishing call, the spoofed portal, the capture of credentials, the manipulation of MFA and the use of SSO as a lever) helps in designing controls that, taken together, close many of the access routes being exploited today.

For a deeper look at the findings and the specific recommendations for defenders, the report and guidance from Mandiant and Google Cloud are a good starting point; the main research is on the Google Cloud blog, published by Mandiant / Google, and Okta shares its analysis of the evolution of interactive phishing kits on its threat intelligence blog. For a journalistic summary of the first public cases, see the coverage by BleepingComputer.
