ShinyHunters-Linked Hackers Escalate SaaS Data Theft With Vishing Attacks and MFA Bypass Tactics

In early 2026, cybersecurity investigators observed a significant expansion in a series of cloud-focused cybercrime operations linked to the ShinyHunters threat persona. These campaigns mark a shift in tactics: from traditional database breaches and data dumps to highly targeted attacks against enterprise cloud platforms and identity systems.

At the heart of this activity are ShinyHunters-branded crews using advanced social engineering techniques — notably voice phishing (often called vishing) and victim-branded credential harvesting sites — to bypass strong technical protections and gain the keys to cloud environments.


From Social Engineering to Cloud Access

Rather than exploiting software bugs, these operations rely on tricking real people. Attackers pose as legitimate IT staff or trusted internal resources and call employees at target organizations. During these conversations, victims are coerced into visiting phishing sites crafted to look like their company’s own login portals. Once there, users are prompted to enter both single sign-on (SSO) credentials and multi-factor authentication (MFA) codes, giving attackers full access to their authenticated sessions.

This approach lets threat actors register their own devices or sessions as authorized without needing to crack passwords or break cryptography, effectively defeating MFA when it relies on push notifications or SMS codes that a user can be talked into relaying.

Importantly, this is not due to any vulnerability in cloud platforms themselves — Google’s analysis makes clear that the exploited weakness lies in the human element, not in the underlying infrastructure.


Tracking Multiple Threat Clusters

To better understand and respond to this growing threat, Google Threat Intelligence Group (GTIG) is tracking these operations under several clusters, including:

  • UNC6661: Early 2026 activity focused on vishing, credential harvesting, and unauthorized registration of MFA devices.
  • UNC6671: Similar tradecraft with credential theft and MFA bypass, occasionally followed by harassment-based extortion.
  • UNC6240: Historically associated with extortion campaigns, including data theft and ransom demands following access via compromised accounts.

These clusters show that while the specific operators or infrastructure may vary, they share a common playbook: exploit trust, harvest credentials, and exfiltrate sensitive data for extortion purposes.


Inside the Attack Path

Once initial access is gained via stolen SSO credentials, attackers often leverage those sessions to explore the victim’s cloud environment. Logs analyzed from compromised organizations reveal access to platforms such as:

  • Salesforce and its CRM objects
  • Microsoft 365 and SharePoint file repositories
  • Other enterprise SaaS applications where sensitive documents, internal communications, or personally identifiable information (PII) reside.

In some situations, attackers have even used compromised email accounts to launch follow-on phishing campaigns from inside the victim’s own systems — making detection and response more difficult.

Extortion emails sent by these actors include ransomware-style deadlines and proof of stolen data, often backed by samples hosted externally to pressure victims into paying.


Data Loss Isn’t the Only Impact

Beyond theft, the threat actors have also escalated their tactics by engaging in harassment of victim personnel and launching distributed denial-of-service (DDoS) attacks against organizational websites — a blend of psychological pressure and technical disruption intended to coerce compliance.

The emergence of new ShinyHunters-branded data leak sites further indicates a shift toward more public post-compromise pressure campaigns — essentially combining extortion with reputational risk.


Key Technical Indicators

Google’s analysis highlights clear patterns that defenders can use to identify potential compromises:

  • Phishing domains that mimic company SSO portals (e.g., <company>sso.com, my<company>internal.com).
  • OAuth token usage and session authorization anomalies.
  • Suspicious registered applications and MFA enrollments initiated outside normal channels.

These indicators, when combined with log analysis and user behavior monitoring, can help security teams detect malicious activity early.
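The following script is an added illustration of how a security team might operationalize two of the indicator classes above; it is not code from the original article, from GTIG, or from any named product. It assumes a hypothetical organization called "acme", a constructed list of domains seen in proxy or DNS logs, constructed identity-provider events in a simplified JSON-like shape, and constructed corporate IP ranges. The first function flags lookalike domains of the shape quoted above (`<company>sso.com`, `my<company>internal.com`); the second flags MFA factor enrollments that arrive from outside corporate networks or shortly after a user's first login from an address never seen for that account.

```python
"""Triage helpers for lookalike SSO domains and suspicious MFA enrollments.

Added example for illustration; all domains, IP ranges and log events below
are constructed and do not describe any real organization or incident.
"""
import ipaddress
from datetime import datetime, timedelta

# Tokens that commonly appear next to a company name in fake identity portals.
# Starting list only; tune it to the naming used by your own IdP and portals.
IDENTITY_TOKENS = ("sso", "login", "signin", "auth", "okta", "mfa",
                   "vpn", "internal", "portal", "my")

# Constructed corporate egress ranges (RFC 1918 and a documentation prefix).
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of domains observed in outbound DNS/proxy logs.
OBSERVED_DOMAINS = ["acme.com", "sso.acme.com", "acmesso.com",
                    "myacmeinternal.com", "acme-careers.com",
                    "login.microsoftonline.com"]

# Constructed identity-provider events (hypothetical schema).
AUTH_EVENTS = [
    {"ts": "2026-02-03T09:00:00", "user": "alice", "event": "login.success", "ip": "10.1.2.3"},
    {"ts": "2026-02-03T09:05:00", "user": "alice", "event": "mfa.enroll", "ip": "10.1.2.3", "factor": "push"},
    {"ts": "2026-02-03T14:10:00", "user": "bob", "event": "login.success", "ip": "10.1.2.9"},
    {"ts": "2026-02-04T11:32:00", "user": "bob", "event": "login.success", "ip": "198.51.100.77"},
    {"ts": "2026-02-04T11:34:00", "user": "bob", "event": "mfa.enroll", "ip": "198.51.100.77", "factor": "totp"},
]

# Constructed baseline of source IPs each user has previously logged in from.
KNOWN_IPS = {"alice": {"10.1.2.3"}, "bob": {"10.1.2.9"}}


def lookalike_domains(org_token, legit_domains, observed):
    """Return observed domains that embed the organization name beside an
    identity-themed token and are not one of the organization's own domains."""
    org = org_token.lower()
    legit = {d.lower() for d in legit_domains}
    hits = []
    for raw in observed:
        d = raw.lower().rstrip(".")
        # Anything that is, or sits under, a legitimate domain is fine.
        if d in legit or any(d.endswith("." + ld) for ld in legit):
            continue
        # Drop the TLD label and fuse the rest so "my.acme-sso.com" -> "myacme-sso".
        name = "".join(d.split(".")[:-1])
        if org not in name:
            continue
        remainder = name.replace(org, "", 1)
        if any(tok in remainder for tok in IDENTITY_TOKENS):
            hits.append(raw)
    return hits


def enrollment_alerts(events, known_ips, corp_nets=CORP_NETS,
                      window=timedelta(minutes=30)):
    """Flag MFA enrollments from non-corporate IPs or within `window` of the
    user's first login from an address not in their baseline."""
    seen = {user: set(ips) for user, ips in known_ips.items()}
    new_ip_logins = {}  # user -> (timestamp, ip) of latest login from a first-seen IP
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == "login.success":
            if ip not in seen.setdefault(user, set()):
                new_ip_logins[user] = (ts, ip)
                seen[user].add(ip)
        elif ev["event"] == "mfa.enroll":
            reasons = []
            if not any(ipaddress.ip_address(ip) in net for net in corp_nets):
                reasons.append(f"enrolled from non-corporate IP {ip}")
            recent = new_ip_logins.get(user)
            if recent and ts - recent[0] <= window:
                mins = int((ts - recent[0]).total_seconds() // 60)
                reasons.append(f"enrollment {mins} min after first login from new IP {recent[1]}")
            if reasons:
                alerts.append({"user": user, "ts": ev["ts"],
                               "factor": ev.get("factor"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print("lookalike domains:", lookalike_domains("acme", {"acme.com"}, OBSERVED_DOMAINS))
    for alert in enrollment_alerts(AUTH_EVENTS, KNOWN_IPS):
        print("MFA enrollment alert:", alert)
```

Both checks are deliberately conservative: the domain test only fires when the company name and an identity token co-occur outside the organization's own zone, and the enrollment test treats a factor added on a trusted network from a known address as routine. Neither replaces the IdP's own audit trail; they are meant to turn the raw log stream into a short list worth a human look.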


What This Means for Organizations

This expansion of ShinyHunters-branded activity underscores a sobering reality: even well-defended organizations with strong perimeter security can fall victim to attacks that exploit human trust.

To defend against these evolving threats, security professionals increasingly recommend phishing-resistant MFA methods such as FIDO2 security keys or passkeys, which are less susceptible to credential harvesting or real-time interception.

In addition, robust employee awareness training, anomaly detection for authentication behavior, and rapid response procedures are critical components of a resilient defense strategy.