
ShinyHunters Vishing Attacks Target SaaS SSO Credentials and MFA

Mandiant reveals how ShinyHunters uses voice phishing and branded phishing sites to steal SSO credentials and MFA codes from SaaS platforms, and provides detection and hardening guidance.
31 January 2026 by TechStora Editorial Board

Overview of the Campaign

Mandiant reports a wave of data‑theft attacks, attributed to the ShinyHunters extortion group, that rely on targeted voice‑phishing (vishing) calls combined with company‑branded phishing sites.

Tactics Used: Vishing and Interactive Phishing Kits

An attacker phones the victim and steers them to a company‑branded phishing site. The credentials the victim types into that site are relayed to the real SSO portal in real time, which triggers a legitimate MFA challenge that the victim then approves, or reads back to the caller, while still on the phone. Advanced phishing kits display interactive dialogs that walk the user through approving the push notification or entering the one‑time passcode.

Targeted SaaS Applications

  • Salesforce (primary focus)
  • Microsoft 365 and SharePoint
  • DocuSign
  • Slack
  • Atlassian
  • Dropbox
  • Google Drive
  • Other internal and third‑party platforms

Impact and Data Theft

Compromised SSO accounts become a springboard to multiple cloud services, allowing attackers to exfiltrate data and later extort victims. In one case, attackers enabled the Google Workspace add‑on ToogleBox Recall to search for and delete emails, removing the messages that recorded the enrollment of a new MFA device.

Threat Actor Attribution

  • UNC6661 – initial intrusion and data theft.
  • UNC6240 (ShinyHunters) – extortion demands, which included a Tox messenger ID for contact.
  • UNC6671 – the same vishing technique, with phishing domains registered through Tucows.

Detection and Mitigation Recommendations

  • Alert on sign‑ins where the password is accepted and the MFA push is approved (or a one‑time code entered) within seconds from a source the user does not normally use; that is the footprint real‑time credential relay leaves in IdP logs.
  • Log and alert on installation of unknown add‑ons in Google Workspace; the case above used ToogleBox Recall to delete emails.
  • Block phishing domains that mimic corporate portals and watch for newly registered domains that pair the company name with portal terms (sso, login, okta and the like).
  • Identify traffic from commercial VPNs or residential proxies (Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, nsocks) and treat authentication from those sources as high risk.
  • Enforce strict MFA device‑enrollment policies (alert on every new enrollment and confirm it with the user out of band) and require verified push approval such as number matching rather than a plain accept/deny prompt.
  • Deploy Mandiant’s Google SecOps detection rules and follow its hardening guidance.
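The recommendations above can be combined into one correlation: a successful sign‑in from a commercial VPN or residential‑proxy provider, followed within a short window by a new MFA device enrollment, an add‑on installation or mail deletion. The script below is an added example written for this article, not Mandiant’s detection rules or any vendor’s code; it runs over a handful of constructed audit events. The event fields (ts, user, action, asn_org, mfa_result), the 30‑minute window and the portal‑word list are assumptions of the example, and in production the asn_org value would come from an ASN or IP‑reputation lookup rather than being present in the log.

```python
"""Added example (not Mandiant's or Google's code): correlate IdP sign-ins from
VPN/residential-proxy providers with follow-on persistence or anti-forensics
events, and flag lookalike portal domains. Log schema is an assumption."""
from datetime import datetime, timedelta

# Providers named in the article. Matching on an ASN organisation string is an
# assumption of this example; a real pipeline would resolve source IPs first.
ANONYMIZER_PROVIDERS = ("mullvad", "oxylabs", "netnut", "9proxy", "infatica", "nsocks")

# Events that, after a sign-in from an anonymizer, indicate persistence
# (new MFA device, unknown add-on) or evidence removal (mail deletion).
FOLLOW_ON_EVENTS = {"mfa_device_enrolled", "addon_installed", "email_deleted"}

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Terms a branded phishing domain tends to pair with the company name.
PORTAL_WORDS = ("sso", "okta", "login", "signin", "auth", "vpn", "helpdesk", "ticket")


def is_anonymizing_source(asn_org: str) -> bool:
    """True if the ASN organisation string names a known VPN/proxy provider."""
    org = asn_org.lower()
    return any(p in org for p in ANONYMIZER_PROVIDERS)


def find_suspicious_sessions(events: list) -> list:
    """One alert per user whose successful sign-in came from an anonymizing
    provider and was followed within WINDOW by any FOLLOW_ON_EVENTS action.
    ts is ISO 8601 without timezone; sorting the strings orders them in time."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["action"] != "login_success" or not is_anonymizing_source(e.get("asn_org", "")):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            follow = [
                f["action"] for f in evs[i + 1:]
                if f["action"] in FOLLOW_ON_EVENTS
                and datetime.fromisoformat(f["ts"]) - t0 <= WINDOW
            ]
            if follow:
                alerts.append({"user": user, "login_ts": e["ts"], "asn_org": e["asn_org"],
                               "mfa_result": e.get("mfa_result"), "follow_on": follow})
    return alerts


def lookalike_domains(domains: list, org: str, allowlist: set) -> list:
    """Flag domains that combine the organisation's name with a portal word
    and are neither an allowlisted corporate domain nor a subdomain of one."""
    org = org.lower()
    flagged = []
    for d in domains:
        d = d.lower().rstrip(".")
        if any(d == a or d.endswith("." + a) for a in allowlist):
            continue
        if org in d and any(w in d for w in PORTAL_WORDS):
            flagged.append(d)
    return flagged


# Constructed sample events for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2026-01-20T14:02:11", "user": "j.doe", "action": "login_success",
     "asn_org": "Mullvad VPN AB", "mfa_result": "push_approved"},
    {"ts": "2026-01-20T14:05:40", "user": "j.doe", "action": "mfa_device_enrolled"},
    {"ts": "2026-01-20T14:07:02", "user": "j.doe", "action": "addon_installed"},
    {"ts": "2026-01-20T14:09:30", "user": "j.doe", "action": "email_deleted"},
    # Benign: enrollment after an office sign-in is not flagged.
    {"ts": "2026-01-20T09:15:00", "user": "a.smith", "action": "login_success",
     "asn_org": "Example Corp Office", "mfa_result": "push_approved"},
    {"ts": "2026-01-20T09:20:00", "user": "a.smith", "action": "mfa_device_enrolled"},
    # Proxy sign-in with the add-on installed a day later: outside the window.
    {"ts": "2026-01-20T11:00:00", "user": "b.lee", "action": "login_success",
     "asn_org": "Oxylabs Residential", "mfa_result": "push_approved"},
    {"ts": "2026-01-21T11:00:00", "user": "b.lee", "action": "addon_installed"},
]

if __name__ == "__main__":
    for a in find_suspicious_sessions(SAMPLE_EVENTS):
        print("ALERT", a)
    print(lookalike_domains(["example-sso.com", "login.example.com", "sso-example-okta.net"],
                            "example", {"example.com"}))
```

Only j.doe is raised: the sign‑in came from a named VPN provider and was followed inside the window by a new MFA device, an add‑on and mail deletion, the same sequence the article describes. The a.smith enrollment is ignored because the sign‑in source was not an anonymizer, and b.lee's add‑on falls outside the window, so the same logic run over real logs should be tuned on window size and provider list rather than on the event names.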

Conclusion

ShinyHunters’ combination of vishing and sophisticated phishing kits makes SSO credential theft highly effective. Organizations must prioritize behavior‑based detection, strict MFA controls, and thorough logging to mitigate this evolving threat.