Hackers Use Vishing to Impersonate IT Staff, Steal MFA Tokens, and Access SaaS Systems

Monday, February 2, 2026

Mandiant has observed an increase in activity from financially motivated cybercriminal groups using tactics similar to those of ShinyHunters. These actors rely on vishing (voice phishing) attacks, calling victims while impersonating IT support staff and convincing employees to visit fake websites to “update” their MFA settings. As a result, attackers are able to steal Single Sign-On (SSO) credentials and MFA authentication codes, with the primary objective of gaining access to cloud-based SaaS platforms to exfiltrate sensitive data and carry out extortion.

Once access is obtained, the attackers register their own devices with the victim’s MFA system to fully take over the account. The group tracked as UNC6671 was observed accessing Okta customer accounts and using PowerShell to download data from SharePoint and OneDrive. Meanwhile, UNC6661 leveraged compromised email accounts to send phishing messages to companies in the cryptocurrency sector, then deleted the messages to cover their tracks. Researchers also noted an escalation in extortion tactics, including direct threats against employees of victim organizations, highlighting the groups’ continued evolution in tactics and pressure methods.

Google emphasized that these attacks stem from social engineering techniques, not product vulnerabilities. Organizations are advised to strengthen help desk identity verification processes, such as requiring video call verification, and to adopt phishing-resistant MFA solutions like FIDO2 security keys or passkeys, instead of SMS, phone-based authentication, or push notifications, which remain susceptible to social engineering attacks.
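One way to detect the device registration step described above: flag an MFA enrollment that follows, within a short window, a sign-in from an IP address the user has not used before. This is an added example, not code from Mandiant, Google or the original article; the event schema, field names, 30-minute window and sample events are constructed assumptions and do not reproduce any real identity provider's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema.
# IP addresses are from the documentation ranges (RFC 5737).
EVENTS = [
    {"ts": "2026-01-19T09:00:00", "user": "alice", "type": "sso_login",  "ip": "192.0.2.10"},
    {"ts": "2026-01-20T09:00:00", "user": "alice", "type": "sso_login",  "ip": "192.0.2.10"},
    {"ts": "2026-01-20T14:02:00", "user": "alice", "type": "sso_login",  "ip": "203.0.113.50"},
    {"ts": "2026-01-20T14:09:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.50"},
    {"ts": "2026-01-19T08:00:00", "user": "bob",   "type": "sso_login",  "ip": "198.51.100.7"},
    {"ts": "2026-01-20T10:00:00", "user": "bob",   "type": "mfa_enroll", "ip": "198.51.100.7"},
    {"ts": "2026-01-18T09:00:00", "user": "carol", "type": "sso_login",  "ip": "192.0.2.30"},
    {"ts": "2026-01-20T11:00:00", "user": "carol", "type": "sso_login",  "ip": "203.0.113.77"},
    {"ts": "2026-01-21T11:00:00", "user": "carol", "type": "mfa_enroll", "ip": "203.0.113.77"},
]

WINDOW = timedelta(minutes=30)  # assumed threshold; tune to your environment


def suspicious_enrollments(events, window=WINDOW):
    """Return (user, login_ip, minutes_after_login) for each MFA enrollment
    that occurs within `window` of a sign-in from a previously unseen IP."""
    seen_ips = {}      # user -> IPs seen in earlier sign-ins (the baseline)
    new_ip_login = {}  # user -> (time, ip) of the latest sign-in from an unseen IP
    findings = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "sso_login":
            known = seen_ips.setdefault(user, set())
            # The first sign-in only builds the baseline; later unseen IPs are noted.
            if known and ev["ip"] not in known:
                new_ip_login[user] = (ts, ev["ip"])
            known.add(ev["ip"])
        elif ev["type"] == "mfa_enroll":
            hit = new_ip_login.get(user)
            if hit and timedelta(0) <= ts - hit[0] <= window:
                minutes = int((ts - hit[0]).total_seconds() // 60)
                findings.append((user, hit[1], minutes))
    return findings


if __name__ == "__main__":
    for user, ip, minutes in suspicious_enrollments(EVENTS):
        print(f"REVIEW: {user} enrolled an MFA device {minutes} min after sign-in from new IP {ip}")
```

A hit is a lead for review rather than proof of compromise, since users legitimately enroll devices while travelling or after replacing a phone.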

Source https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html