Google Threat Intelligence tracks expanded activity consistent with prior ShinyHunters-branded extortion: voice phishing in which the caller poses as IT (e.g., a false “MFA settings update”), victim-branded phishing domains (the <company>sso.com pattern plus internal-, support- and identity-provider-themed variants), and theft of SSO credentials plus MFA codes, followed by registration of attacker-controlled MFA devices.
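The victim-branded domain patterns above (brand token plus an SSO, internal, support or IdP theme) can be hunted for in a newly-registered-domain or certificate-transparency feed. The following is an added example written for this summary, not code from Google Threat Intelligence or Mandiant; the theme keyword list beyond the four themes on the page, the digit-for-letter normalization, the single-label public-suffix assumption and the sample domain list are all my own assumptions.

```python
from dataclasses import dataclass

# Themes the page lists for victim-branded domains (sso, internal, support, IdP),
# extended with common IdP/IT words; the extension is an assumption.
IDP_THEMES = ("sso", "internal", "support", "okta", "idp", "login", "mfa", "vpn", "helpdesk")

# Digit-for-letter swaps used to normalize lookalike labels (assumption, not from the page).
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class Hit:
    domain: str
    brand: str
    themes: tuple
    severity: str


def normalize(label: str) -> str:
    """Drop hyphens and undo digit swaps so 'acm3-ss0' compares as 'acmesso'."""
    return label.replace("-", "").translate(_SUBS)


def split_host(domain: str):
    """Return (normalized labels left of the TLD joined, normalized registrable label).
    Assumes a single-label public suffix (example.com); co.uk-style suffixes are out of scope."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None, None
    return normalize("".join(parts[:-1])), normalize(parts[-2])


def flag_brand_lookalikes(domains, brands, owned):
    """Flag domains whose registrable label contains a brand token, rating them
    'high' when an IdP/IT theme also appears anywhere left of the TLD.
    `owned` lists domains the organization legitimately controls; those and their
    subdomains are skipped."""
    owned_l = {o.lower() for o in owned}
    hits = []
    for d in domains:
        d_l = d.lower()
        if d_l in owned_l or any(d_l.endswith("." + o) for o in owned_l):
            continue
        prefix, label = split_host(d_l)
        if label is None:
            continue
        for brand in brands:
            b = normalize(brand.lower())
            if b not in label:
                continue
            rest = prefix.replace(b, "", 1)          # what remains once the brand is removed
            themes = tuple(t for t in IDP_THEMES if t in rest)
            hits.append(Hit(d_l, brand, themes, "high" if themes else "low"))
            break
    return hits


# Constructed candidate list, as a feed of new registrations might supply (not real IOCs).
SAMPLE_DOMAINS = [
    "acmesso.com",            # <company>sso.com pattern from the page
    "acme-internal.net",      # brand + "internal"
    "okta.acme-support.org",  # IdP name in a subdomain, "support" in the label
    "acme.com",               # owned, skipped
    "login.acme.com",         # owned subdomain, skipped
    "acme-corp.net",          # brand but no theme: low severity
    "example-sso.com",        # theme but no brand: ignored
    "acm3-mfa.com",           # digit swap 3 -> e still matches the brand
]


def demo():
    return flag_brand_lookalikes(SAMPLE_DOMAINS, ["acme"], ["acme.com"])


if __name__ == "__main__":
    for h in demo():
        print(f"{h.severity:<4} {h.domain:<24} brand={h.brand} themes={h.themes}")
```

Low-severity hits (brand token without a theme) are worth keeping as a watch list rather than an alert, since the actor's registrations would typically be flagged high by the theme check while unrelated brand mentions are not.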
UNC6661 (active early to mid January 2026) and UNC6671 (early January 2026) overlap in TTPs; UNC6671 more often registered domains through Tucows and used PowerShell to download from SharePoint and OneDrive. Post-intrusion collection includes high-volume or programmatic SharePoint file access, keyword searches (e.g., confidential, Salesforce, VPN), Salesforce and DocuSign downloads, and in one case authorization of the Google Workspace add-on ToogleBox Recall to find and delete email, including an Okta “Security method enrolled” notification. Follow-on phishing of cryptocurrency contacts from compromised mailboxes, with deletion of the sent items, is also described. Extortion is attributed to UNC6240 (Tox overlap, Limewire samples, the SHINYHUNTERS data leak site, and tutanota/onionmail contact addresses).
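The collection behaviour described above (programmatic, high-volume SharePoint file access and searches for terms such as confidential, Salesforce and VPN) is the kind of activity the SharePoint detections listed further down are meant to catch. The following is an added example, not code from the page or from Google/Mandiant: a sliding-window volume detector plus a sensitive-keyword search check over constructed audit records. The record field names and operation values are my own simplified schema and must be mapped to your actual audit source; the extra search terms beyond the three the page names are an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Record schema and operation names are constructed for this example; map them to
# your own audit source (e.g. the Microsoft 365 audit log) before use.
FILE_OPS = {"FileAccessed", "FileDownloaded"}
SEARCH_OP = "SearchQueryPerformed"

# Keywords the page reports the actor searching for, plus related terms (assumption).
SENSITIVE_TERMS = ("confidential", "salesforce", "vpn", "docusign", "password")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_collection(records, window=timedelta(minutes=10), volume_threshold=50):
    """Two detections over time-ordered audit records:
    - high_volume_file_access: a user reaches `volume_threshold` file ops within any
      sliding `window` (fires once per user);
    - sensitive_keyword_search: a search query contains a term from SENSITIVE_TERMS."""
    records = sorted(records, key=lambda r: parse_ts(r["CreationTime"]))
    recent = defaultdict(deque)   # user -> timestamps of file ops inside the window
    already_flagged = set()
    alerts = []
    for r in records:
        user, ts, op = r["UserId"], parse_ts(r["CreationTime"]), r["Operation"]
        if op in FILE_OPS:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:        # evict ops older than the window
                q.popleft()
            if len(q) >= volume_threshold and user not in already_flagged:
                already_flagged.add(user)
                alerts.append({"type": "high_volume_file_access", "user": user,
                               "count": len(q), "from": q[0].isoformat(), "to": ts.isoformat()})
        elif op == SEARCH_OP:
            query = r.get("SearchQueryText", "")
            terms = [t for t in SENSITIVE_TERMS if t in query.lower()]
            if terms:
                alerts.append({"type": "sensitive_keyword_search", "user": user,
                               "terms": terms, "query": query, "at": ts.isoformat()})
    return alerts


def build_sample_records():
    """Constructed audit records: one account searches for 'confidential salesforce'
    and then downloads 60 files in five minutes; another account behaves normally."""
    base = datetime(2026, 1, 12, 9, 0, tzinfo=timezone.utc)
    recs = [
        {"CreationTime": base.isoformat(), "UserId": "m.user@example.com",
         "Operation": "SearchQueryPerformed", "SearchQueryText": "confidential salesforce"},
        {"CreationTime": (base + timedelta(seconds=30)).isoformat(), "UserId": "a.user@example.com",
         "Operation": "SearchQueryPerformed", "SearchQueryText": "lunch menu"},
    ]
    for i in range(60):   # programmatic cadence: one download every 5 seconds
        recs.append({"CreationTime": (base + timedelta(minutes=1, seconds=5 * i)).isoformat(),
                     "UserId": "m.user@example.com", "Operation": "FileDownloaded",
                     "ObjectId": f"https://example.sharepoint.invalid/sites/finance/doc{i}.xlsx"})
    for i in range(5):    # normal user: a handful of files spread over the morning
        recs.append({"CreationTime": (base + timedelta(minutes=15 * i)).isoformat(),
                     "UserId": "a.user@example.com", "Operation": "FileAccessed",
                     "ObjectId": f"https://example.sharepoint.invalid/sites/hr/page{i}.docx"})
    return recs


if __name__ == "__main__":
    for a in detect_collection(build_sample_records()):
        print(a)
```

The threshold and window are tuning knobs; a regular cadence like the 5-second spacing in the sample is itself a sign of scripted access, so pairing the count with a check on inter-event timing is a natural next refinement.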
Network IOCs are often commercial VPN or residential proxy addresses, so Mandiant recommends hunting over broad blocking. The article is not a product vulnerability story; it stresses phishing-resistant MFA (FIDO2/passkeys).
IOCs (11)

IP addresses (9)
- 24.242.93.122
- 73.135.228.98
- 157.131.172.74
- 67.21.178.234
- 142.127.171.133
- 76.70.74.63
- 104.32.172.247
- 85.238.66.242
- 198.52.166.197

Email addresses (2)
- shinycorp@tutanota.com
- shinygroup@onionmail.com

Detections
- MFA Bypass Attempt
- Administrator Role Granted Detected
- Network Zone Tampering
- SharePoint High Volume File Access or Download
- Suspicious Use of an Okta Session Cookie
- Security Compliance Center eDiscovery Content Search Started
- SharePoint Excessive Search Query Volume by User
- Monitor for unusual access patterns to cloud storage — bulk downloads, new access keys, or cross-account access
- Detect phishing attempts via email link analysis and sender reputation scoring
- Monitor for new MFA device registrations, especially shortly after password resets or from untrusted devices
- Monitor for mass download or enumeration of SharePoint documents and site collections
- Detect cloning or bulk access to internal code repositories from unfamiliar hosts or service accounts
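The "new MFA device registration shortly after a password reset or from an untrusted device" detection above maps directly onto the attack chain in the summary (credentials plus MFA code stolen by phone, then an attacker-controlled factor enrolled). The following is an added example, not code from the page or from Google/Mandiant: a correlation over identity-provider events that flags a factor enrollment when it follows a password reset within a window, or comes from an address first observed for that user only recently. The event type strings follow Okta System Log naming as I know it but are assumptions to verify against your tenant; the flat event schema, windows and sample events (RFC 5737 test addresses) are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event type strings follow Okta System Log naming as I understand it; treat them
# as assumptions and confirm against your tenant's logs before deploying.
RESET_EVENTS = {"user.account.reset_password", "user.account.update_password"}
ENROLL_EVENT = "user.mfa.factor.activate"


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_suspicious_enrollments(events, reset_window=timedelta(hours=24),
                                  new_ip_window=timedelta(days=7)):
    """Flag MFA factor enrollments that (a) follow a password reset within
    `reset_window`, or (b) come from an IP first observed for that user within
    `new_ip_window`. Events are flat dicts: published, eventType, actor, client_ip."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    last_reset = {}                 # user -> time of latest password reset
    first_seen = defaultdict(dict)  # user -> {ip: first time observed}
    alerts = []
    for e in events:
        user, ip, ts, et = e["actor"], e["client_ip"], parse_ts(e["published"]), e["eventType"]
        if et in RESET_EVENTS:
            last_reset[user] = ts
        elif et == ENROLL_EVENT:
            reasons = []
            reset_at = last_reset.get(user)
            if reset_at is not None and ts - reset_at <= reset_window:
                mins = int((ts - reset_at).total_seconds() // 60)
                reasons.append(f"enrolled {mins} min after password reset")
            seen = first_seen[user].get(ip)
            if seen is None or ts - seen <= new_ip_window:
                reasons.append(f"enrollment from {ip}, first seen for this user within {new_ip_window.days} days")
            if reasons:
                alerts.append({"user": user, "at": e["published"], "ip": ip, "reasons": reasons})
        first_seen[user].setdefault(ip, ts)   # baseline is updated only after the check
    return alerts


# Constructed events with RFC 5737 test addresses; these are not IOCs from the page.
SAMPLE_EVENTS = [
    {"published": "2025-12-01T08:00:00Z", "eventType": "user.session.start", "actor": "bob", "client_ip": "203.0.113.20"},
    {"published": "2026-01-05T08:00:00Z", "eventType": "user.session.start", "actor": "alice", "client_ip": "203.0.113.10"},
    {"published": "2026-01-06T09:00:00Z", "eventType": "user.session.start", "actor": "alice", "client_ip": "203.0.113.10"},
    # vishing outcome: a reset, then a new factor minutes later from an unfamiliar address
    {"published": "2026-01-12T14:00:00Z", "eventType": "user.account.reset_password", "actor": "alice", "client_ip": "198.51.100.77"},
    {"published": "2026-01-12T14:09:00Z", "eventType": "user.mfa.factor.activate", "actor": "alice", "client_ip": "198.51.100.77"},
    # routine re-enrollment from a long-used address with no reset: no alert
    {"published": "2026-01-12T15:00:00Z", "eventType": "user.mfa.factor.activate", "actor": "bob", "client_ip": "203.0.113.20"},
    # enrollment from an address first seen ten minutes earlier, no reset: new-IP reason only
    {"published": "2026-01-13T09:50:00Z", "eventType": "user.session.start", "actor": "carol", "client_ip": "192.0.2.5"},
    {"published": "2026-01-13T10:00:00Z", "eventType": "user.mfa.factor.activate", "actor": "carol", "client_ip": "192.0.2.5"},
]


def demo():
    return detect_suspicious_enrollments(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(a["user"], a["at"], a["ip"], "; ".join(a["reasons"]))
```

Because the summary notes the network IOCs are largely VPN and residential proxy addresses, the per-user "first seen" baseline is more useful than a global blocklist: it asks whether this address is new for this person, which is exactly the hunting question the page recommends over broad blocking.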