Vishing in the cloud that steals MFA codes for extortion in SaaS

Published · 5 min read

In recent weeks, Google and Mandiant threat intelligence teams have detected a wave of targeted attacks that combine voice social engineering (vishing) with spoofed pages imitating legitimate companies in order to steal credentials and authentication codes. The attackers' stated objective is to gain access to SaaS cloud applications, extract sensitive information and then extort the affected organizations.

According to the public analysis, the activity is grouped into several clusters that researchers track separately, which suggests either different teams sharing tactics or a single criminal network diversifying its methods. Some campaigns were observed as early as January 2026, and all start from the same premise: deceive employees by posing as support or IT staff so that they hand over credentials and MFA codes on fraudulent pages that reproduce the victim's brand.

Image generated with AI.

The typical attack begins with a call that appears legitimate, in which the caller claims to be technical support and asks the employee to open a link to "update" their authentication. In many cases the attackers do not stop at the username and password: they enroll their own device as the additional factor, so that MFA no longer blocks their access. With this initial foothold the intruders move laterally through the corporate environment, download data from services such as SharePoint or OneDrive and, in some cases, use compromised mail accounts to send new phishing emails to relevant contacts and then delete the evidence.

There is also evidence that certain actors have abused access to identity platforms such as Okta and downloaded information with PowerShell scripts. The pattern also includes an escalation in extortion techniques: once the information has been taken the demands arrive and, in some reported incidents, staff of the affected organization are harassed to pressure them into paying.

Researchers have observed operational differences between groups: they use different domain registrars to set up the spoofed pages, and the phishing campaigns do not always lead to the same extortion format. That detail suggests that there could be multiple teams behind the "ShinyHunters" label, with varying degrees of coordination, which complicates attribution and response.

These campaigns are particularly dangerous because they target identity accounts and the entry points to cloud applications, where the most valuable information and internal communications are often stored. Persistent access to SaaS services lets an attacker collect data silently and build leverage before demanding a ransom.

In view of this scenario, security teams recommend hardening user-support processes and paying particular attention to monitoring identity-management events. Google Cloud has published guidance with concrete measures, including stronger identity verification in phone and help-desk interactions, restricting access to trusted network egress points and applying device-based access controls, among other actions. It can be consulted on the official Google Cloud blog: expansion of activity linked to ShinyHunters, and in the mitigation article: recommendations to defend SaaS platforms.

These are not technical failures at the vendors; the campaigns succeed because of the effectiveness of social engineering. This is why authorities and experts insist on migrating to phishing-resistant authentication: FIDO2 security keys and passkeys substantially reduce the chance that an attacker gains access even after deceiving a user, because the credential is bound to the legitimate site's origin and cannot be relayed from a look-alike domain the way a typed code can. To go deeper into these standards, see the FIDO Alliance website and NIST's technical guidance on authentication, NIST SP 800-63B.
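To make concrete why a security key or passkey survives the relay that defeats a one-time code, here is an added example in Python; it is not code from the original article, nor from Google, Mandiant or the FIDO Alliance. It models the three parties in a WebAuthn login: a software stand-in for the authenticator, the browser, and the relying party. The relying-party ID `login.victim-brand.example`, the look-alike host `login-victim-brand-support.example` and all keys are constructed for the example, and HMAC stands in for the key's asymmetric signature so the script runs with the standard library alone.

```python
import hashlib
import hmac
import json
import os

# Constructed relying party and look-alike phishing host (assumptions for this example).
RP_ID = "login.victim-brand.example"
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login-victim-brand-support.example"


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SoftAuthenticator:
    """Stand-in for a FIDO2 key. A real key signs authenticatorData || sha256(clientDataJSON)
    with a per-rpId asymmetric key; HMAC over the same fields is used here only so the example
    needs no third-party library. The credential is still scoped to exactly one rpId."""

    def __init__(self):
        self._keys = {}

    def make_credential(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key  # what the relying party stores (in reality, the public key)

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> bytes:
        key = self._keys[rp_id]               # KeyError: no credential for this rpId
        rp_id_hash = _sha256(rp_id.encode())  # first field of authenticatorData
        return hmac.new(key, rp_id_hash + client_data_hash, hashlib.sha256).digest()


def browser_get(authenticator, page_origin: str, rp_id: str, challenge: str):
    """Model of navigator.credentials.get(): the browser rejects an rpId that is not the page's
    host (or a registrable parent of it) and writes the page's own origin into clientDataJSON.
    The page cannot choose either value."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return client_data, authenticator.get_assertion(rp_id, _sha256(client_data))


def rp_verify(stored_key: bytes, challenge: str, client_data: bytes, signature: bytes):
    """Relying-party side: check origin and challenge in clientDataJSON, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    expected = hmac.new(
        stored_key, _sha256(RP_ID.encode()) + _sha256(client_data), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    key = SoftAuthenticator()
    stored = key.make_credential(RP_ID)
    challenge = os.urandom(16).hex()  # issued by the real RP
    client_data, sig = browser_get(key, RP_ORIGIN, RP_ID, challenge)
    return rp_verify(stored, challenge, client_data, sig)


def relayed_login_via_phishing_page():
    """Adversary-in-the-middle: the phishing page relays a real challenge from the RP and asks
    the victim's key to sign it for the real rpId. The browser refuses before the key is used."""
    key = SoftAuthenticator()
    stored = key.make_credential(RP_ID)
    challenge = os.urandom(16).hex()  # relayed by the attacker from the real RP
    try:
        client_data, sig = browser_get(key, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError as exc:
        return False, f"browser refused: {exc}"
    return rp_verify(stored, challenge, client_data, sig)


def phishing_page_with_its_own_rpid():
    """If the phishing page instead requests an rpId matching its own host, the browser allows
    the call, but the key holds no credential for that rpId."""
    key = SoftAuthenticator()
    key.make_credential(RP_ID)
    phish_rp_id = PHISH_ORIGIN.split("://", 1)[1]
    try:
        browser_get(key, PHISH_ORIGIN, phish_rp_id, os.urandom(16).hex())
    except KeyError:
        return False, f"no credential registered for rpId {phish_rp_id!r}"
    return False, "assertion for the wrong rpId; the real RP would reject it"
```

The relayed attempt fails inside the browser, since the rpId the phishing page needs does not match the page's host; if the page asks for an rpId matching its own host instead, the key has no credential for it, and anything it could produce would carry the wrong origin and rpIdHash at `rp_verify`. A typed TOTP code or an approved push prompt carries no such binding, which is why the call described above works against them.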

Beyond adopting phishing-resistant authenticators, organizations must strengthen logging and telemetry: enable audits that detect unusual MFA device enrollments, changes in the authenticator lifecycle and OAuth consents that grant applications access to mailboxes. Visibility into identity actions and SaaS exports is key to detecting exfiltration early. Public security agencies also publish practical anti-phishing guidance that remains relevant for companies and users, for example CISA's guide on phishing.
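As an added example of the telemetry this paragraph calls for (not code from the original article or from Google Cloud), the following Python script runs four detections over a constructed batch of identity and SaaS audit events: a new MFA factor enrolled shortly after a login from an IP the user has never used, an enrollment soon after a help-desk MFA reset, an OAuth consent granting mail scopes, and a bulk export. The JSON-lines schema, event names, usernames, IP addresses, ticket number and IP baseline are all assumptions made for the example; map them to your IdP's actual event types (Okta System Log, Entra ID audit logs, etc.) before reusing the logic.

```python
import json
from datetime import datetime, timedelta

# Constructed identity-log sample in a simplified JSON-lines schema. Event names and fields
# are assumptions for this example, modelled loosely on IdP and SaaS audit logs, not any
# vendor's real event types.
SAMPLE_LOG = """
{"ts":"2026-01-14T08:55:00Z","event":"session.start","actor":"alice","ip":"198.51.100.7"}
{"ts":"2026-01-14T09:01:00Z","event":"mfa.factor.enroll","actor":"alice","ip":"198.51.100.7","factor":"fido2"}
{"ts":"2026-01-14T09:05:00Z","event":"helpdesk.mfa.reset","actor":"helpdesk.ops","ip":"198.51.100.20","target":"bob","ticket":"HD-4121"}
{"ts":"2026-01-14T09:10:00Z","event":"session.start","actor":"bob","ip":"203.0.113.45"}
{"ts":"2026-01-14T09:12:00Z","event":"mfa.factor.enroll","actor":"bob","ip":"203.0.113.45","factor":"push"}
{"ts":"2026-01-14T09:20:00Z","event":"oauth.consent.grant","actor":"bob","ip":"203.0.113.45","app":"Mail Sync Helper","scopes":["Mail.Read","Mail.Send","offline_access"]}
{"ts":"2026-01-14T09:40:00Z","event":"saas.export","actor":"bob","ip":"203.0.113.45","source":"SharePoint","items":4200}
{"ts":"2026-01-14T10:00:00Z","event":"saas.export","actor":"alice","ip":"198.51.100.7","source":"OneDrive","items":12}
"""

# Constructed baseline: IPs each user had logged in from before this log window.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.7"}}

# Scopes that let a third-party app read or send mail (names follow Microsoft Graph /
# Exchange Online conventions; extend for other providers).
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "IMAP.AccessAsUser.All", "SMTP.Send"}


def _parse(line: str) -> dict:
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def detect(lines, known_ips=KNOWN_IPS, enroll_window=timedelta(minutes=30),
           reset_window=timedelta(hours=2), export_threshold=1000):
    """Replay the events in time order and emit one alert dict per matched rule."""
    events = sorted((_parse(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    seen_ips = {user: set(ips) for user, ips in known_ips.items()}  # copy; never mutate input
    unfamiliar_login = {}  # user -> most recent session.start from a never-seen IP
    helpdesk_reset = {}    # user -> most recent help-desk MFA reset targeting that user
    alerts = []

    def alert(rule, e, **extra):
        alerts.append({"rule": rule, "actor": e["actor"], "ts": e["ts"].isoformat(), **extra})

    for e in events:
        user, kind = e["actor"], e["event"]
        if kind == "session.start":
            ips = seen_ips.setdefault(user, set())
            if e["ip"] not in ips:
                unfamiliar_login[user] = e
            ips.add(e["ip"])
        elif kind == "helpdesk.mfa.reset":
            helpdesk_reset[e["target"]] = e
        elif kind == "mfa.factor.enroll":
            # New factor registered right after a login from an IP this user never used:
            # the "enroll the attacker's device" step described in the article.
            login = unfamiliar_login.get(user)
            if login and e["ts"] - login["ts"] <= enroll_window:
                alert("mfa_enroll_after_unfamiliar_login", e, ip=e["ip"], factor=e["factor"])
            # Enrollment shortly after a help-desk reset: verify the call that triggered it.
            reset = helpdesk_reset.get(user)
            if reset and e["ts"] - reset["ts"] <= reset_window:
                alert("mfa_enroll_after_helpdesk_reset", e, ticket=reset.get("ticket"))
        elif kind == "oauth.consent.grant":
            granted = set(e.get("scopes", [])) & MAIL_SCOPES
            if granted:
                alert("mail_oauth_grant", e, app=e["app"], scopes=sorted(granted))
        elif kind == "saas.export":
            if e["items"] >= export_threshold:
                alert("bulk_saas_export", e, source=e["source"], items=e["items"])
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample, alice's FIDO2 enrollment from her usual IP and her 12-item OneDrive export produce nothing, while bob's session trips all four rules in sequence; in production the IP baseline would come from the IdP's own history rather than a dict, and the thresholds should be tuned per tenant.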


Day to day, there are simple but effective measures: distrust unsolicited requests for credentials or codes, verify the caller's identity through a channel other than the incoming call, and avoid relying on SMS or phone calls as the only recovery factor. It is also advisable to limit privileges, audit exposed secrets and block administrative access from untrusted locations.

These events highlight an uncomfortable reality: criminals are moving their methods to the cloud and to extortion, combining technical and psychological techniques to get past traditional security barriers. The response must also be hybrid, mixing technology, stricter internal processes and ongoing staff training to recognize and report deception attempts.

In short, the threat observed in January 2026 is a mix of sophisticated vishing, fraudulent domains that mimic brands and abuse of MFA enrollment to persist in SaaS environments, all aimed at extracting information that is then used for extortion. There is no single solution, but the best practices published by vendors and authorities, together with the adoption of phishing-resistant authentication, significantly reduce the risk and the attackers' window of opportunity.
