Mandiant Finds ShinyHunters Using Vishing to Steal MFA and Breach SaaS Platforms
- Feb 1
Key Findings
Mandiant has identified an "expansion in threat activity" using tactics consistent with extortion-themed attacks orchestrated by the ShinyHunters hacking group
The attacks leverage advanced voice phishing (vishing) and fake credential harvesting sites to gain unauthorized access to victim environments by collecting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes
The end goal is to target cloud-based software-as-a-service (SaaS) applications to steal sensitive data and communications, and extort victims
Background
Mandiant is tracking this activity under multiple clusters, including UNC6661, UNC6671, and UNC6240 (aka ShinyHunters), to account for the possibility that these groups could be evolving their modus operandi or mimicking previously observed tactics
The methodology of targeting identity providers and SaaS platforms is consistent with prior observations of threat activity preceding ShinyHunters-branded extortion
The breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion
UNC6661 Vishing and Credential Theft
UNC6661 has been observed pretending to be IT staff in calls to employees at targeted victim organizations, directing them to credential harvesting links under the guise of instructing them to update their MFA settings
This activity was recorded between early and mid-January 2026
The stolen credentials are then used to register an attacker-controlled device for MFA and move laterally across the network to exfiltrate data from SaaS platforms
In at least one case, the threat actor weaponized their access to compromised email accounts to send further phishing emails to contacts at cryptocurrency-focused companies; those sent emails were subsequently deleted to cover their tracks
UNC6671 Impersonation and Data Exfiltration
Since early January 2026, UNC6671 has also been identified impersonating IT staff to deceive victims into entering their credentials and MFA authentication codes on victim-branded credential harvesting sites
In at least some instances, the threat actors gained access to Okta customer accounts
UNC6671 has also leveraged PowerShell to download sensitive data from SharePoint and OneDrive
Differences Between UNC6661 and UNC6671
The distinction between UNC6661 and UNC6671 lies in the domain registrars used for the credential harvesting domains (NICENIC for UNC6661 and Tucows for UNC6671)
An extortion email sent following UNC6671 activity did not overlap with known UNC6240 indicators, suggesting that different sets of people may be involved and illustrating the amorphous nature of these cybercrime groups
The targeting of cryptocurrency firms suggests that the threat actors may also be looking to explore further avenues for financial gain
Recommendations to Counter the Threat
Improve help desk processes, including requiring help desk personnel to verify a caller's identity over a live video call before making account or MFA changes
Limit access to trusted egress points and physical locations; enforce strong passwords; and remove SMS, phone call, and email as authentication methods
Restrict management-plane access, audit for exposed secrets and enforce device access controls
Implement logging to increase visibility into identity actions, authorizations, and SaaS export behaviors
Detect MFA device enrollment and MFA life cycle changes; look for OAuth/app authorization events that suggest mailbox manipulation activity using utilities like ToogleBox Email Recall
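The last two recommendations describe a detection, so here is an added example of what it can look like in practice; it is not code from Mandiant or from any of the cited sources. It runs a simple rule over a few constructed log lines loosely shaped like an identity provider's system log: an MFA lifecycle event (factor activation, reset, deactivation, update) is flagged when it comes from a network the user has never been seen on, follows a fresh login from such a network within a short window, or wipes existing factors. The event type names, field layout, baseline IPs and time window are all assumptions chosen for the example, not a vendor's schema.

```python
"""
Added example: flag suspicious MFA enrollment / lifecycle changes of the kind
that follow a successful help-desk-impersonation vish.  Event type strings,
field names and the sample data below are assumptions for illustration.
"""
import json
from datetime import datetime, timedelta

# MFA lifecycle event types to watch (assumed names, loosely Okta-like).
MFA_LIFECYCLE = {
    "user.mfa.factor.activate",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.update",
}
SESSION_START = "user.session.start"

# Constructed baseline (not real data): networks each user normally signs in from.
KNOWN_IPS = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.22"},
}

# Constructed sample log (not real data).  Alice enrolls a factor from her usual
# network.  Bob logs in from a never-seen address, and minutes later all of his
# factors are reset and a new one activated, then a fresh session starts.
SAMPLE_LOG = """
{"published":"2026-01-12T09:00:00Z","eventType":"user.session.start","actor":"alice","client_ip":"203.0.113.10","outcome":"SUCCESS"}
{"published":"2026-01-12T09:01:00Z","eventType":"user.mfa.factor.activate","actor":"alice","client_ip":"203.0.113.10","outcome":"SUCCESS"}
{"published":"2026-01-14T14:02:00Z","eventType":"user.session.start","actor":"bob","client_ip":"198.51.100.7","outcome":"SUCCESS"}
{"published":"2026-01-14T14:05:00Z","eventType":"user.mfa.factor.reset_all","actor":"bob","client_ip":"198.51.100.7","outcome":"SUCCESS"}
{"published":"2026-01-14T14:06:00Z","eventType":"user.mfa.factor.activate","actor":"bob","client_ip":"198.51.100.7","outcome":"SUCCESS"}
{"published":"2026-01-14T14:20:00Z","eventType":"user.session.start","actor":"bob","client_ip":"198.51.100.7","outcome":"SUCCESS"}
"""


def parse_events(text):
    """Parse one JSON event per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_lifecycle_anomalies(events, known_ips, window=timedelta(minutes=30)):
    """
    Return one alert per MFA lifecycle event that looks out of place.  Reasons:
      unknown_ip                - the change came from a network not in the user's baseline
      follows_new_network_login - a successful login from an unknown network preceded it within `window`
      factor_reset              - the event wipes existing factors (always worth a look)
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("eventType") not in MFA_LIFECYCLE or ev.get("outcome") != "SUCCESS":
            continue
        user = ev["actor"]
        baseline = known_ips.get(user, set())
        reasons = []
        if ev["client_ip"] not in baseline:
            reasons.append("unknown_ip")
        # Look back through earlier events for a recent login from an unknown network.
        for prior in reversed(events[:i]):
            if ev["ts"] - prior["ts"] > window:
                break
            if (prior.get("actor") == user
                    and prior.get("eventType") == SESSION_START
                    and prior.get("outcome") == "SUCCESS"
                    and prior["client_ip"] not in baseline):
                reasons.append("follows_new_network_login")
                break
        if ev["eventType"] == "user.mfa.factor.reset_all":
            reasons.append("factor_reset")
        if reasons:
            alerts.append({
                "user": user,
                "eventType": ev["eventType"],
                "published": ev["published"],
                "client_ip": ev["client_ip"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_lifecycle_anomalies(parse_events(SAMPLE_LOG), KNOWN_IPS):
        print(json.dumps(alert))
```

On the constructed data Alice produces nothing and Bob produces two alerts, the reset and the activation that follows it. In a real deployment the baseline would be built from weeks of successful sign-ins (per user, per ASN or per managed-device identifier rather than raw IP), and a matching rule over OAuth/app consent events would use the same shape: a new grant shortly after a login from an unfamiliar network.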
Sources
https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html
https://x.com/TheCyberSecHub/status/2017520534624538841
https://www.reddit.com/r/pwnhub/comments/1qs5t2r/mandiant_discovers_shinyhuntersstyle_vishing/
https://radar.offseq.com/threat/mandiant-finds-shinyhunters-style-vishing-attacks--65a0fc7e