Top Highlights
- UNC6671 employs sophisticated voice phishing (vishing) combined with real-time adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication and gain deep access to cloud environments, primarily targeting Microsoft 365 and Okta.
- The group uses automated Python and PowerShell scripting and API abuse to exfiltrate high-value data from SaaS platforms stealthily, mimicking legitimate user activity and reusing session cookies captured during the AiTM phase.
- Indicators of compromise include script-driven access with User-Agent mismatches, access originating from non-standard (hosting-provider) infrastructure, and tailored subdomains with passkey- and enrollment-themed names; together they underline the need for phishing-resistant MFA.
Threat Summary, Attack Techniques, and Targets
Google Threat Intelligence Group (GTIG) tracks a complex extortion campaign by UNC6671, also known as BlackFile. The group mainly targets organizations through voice phishing (vishing) and Single Sign-On (SSO) compromise. They use adversary-in-the-middle (AiTM) techniques to bypass defenses and multi-factor authentication (MFA). These tactics allow UNC6671 to access cloud environments, especially Microsoft 365 and Okta. They employ scripts built with Python and PowerShell to extract sensitive data from corporate cloud services. This campaign has been active since early 2026 and has targeted organizations in North America, Australia, and the UK. The attack process starts with vishing calls, where the attacker pretends to be IT staff. They lure victims into revealing credentials by claiming a need for MFA setup or passkey updates. During the live attack, the attacker redirects victims to lookalike login pages. The attacker then captures credentials in real-time, intercepts MFA challenges, and registers malicious MFA devices to maintain access.
Impact, Security Implications, and Remediation Guidance
A successful intrusion has severe consequences. Once inside, UNC6671 moves laterally across cloud applications, accessing data stored in SharePoint, OneDrive, and other SaaS apps such as Zendesk and Salesforce. They search for high-value information, such as confidential files or social security numbers, and use scripts to exfiltrate it discreetly. Exfiltration goes through APIs such as Microsoft Graph or through direct HTTP requests, so it blends into normal network traffic and is hard to spot. The activity does leave forensic artifacts, however: User-Agent mismatches within a session and access from third-party hosting providers both point to scripted, automated access rather than a user at a browser.
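The artifacts named above (a browser-issued session later driven by a script User-Agent, access from hosting-provider address space, MFA device registration following such access, and passkey/enrollment-themed lookalike hostnames) lend themselves to simple log-based detections. The following is an added example written for this summary; it is not code from GTIG or from the report. Field names, the hosting-provider and script User-Agent lists, the trusted login hostnames, and every sample event are constructed assumptions, so a real deployment would map them onto its own sign-in, audit and DNS/proxy schemas.

```python
"""Detection rules for the UNC6671-style artifacts described in the summary.
All sample data and field names below are constructed for illustration."""

from collections import defaultdict
from dataclasses import dataclass

# Constructed: substrings that mark a scripted client rather than a browser.
SCRIPT_UA_MARKERS = ("python-requests", "python-urllib", "powershell", "curl/")

# Constructed: AS organisations treated as hosting providers, not end-user ISPs.
HOSTING_ASN_ORGS = {"ExampleCloud Hosting", "VPS-Provider-Example"}

# Constructed: the tenant's legitimate identity hostnames (assumed, not from the page).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "example-corp.okta.com"}
LURE_KEYWORDS = ("passkey", "enroll", "mfa", "sso", "verify")


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    user: str
    session_id: str    # empty for events that carry no session (e.g. DNS lookups)
    action: str        # "signin", "graph_request", "mfa_register", "dns_lookup"
    user_agent: str
    asn_org: str       # AS organisation of the source address
    host: str = ""     # hostname contacted, for DNS/proxy-style events


def is_script_ua(ua: str) -> bool:
    ua_l = ua.lower()
    return any(m in ua_l for m in SCRIPT_UA_MARKERS)


def find_ua_mismatch(events):
    """Sessions that signed in from a browser UA but are later driven by a script UA."""
    signin_ua = {e.session_id: e.user_agent for e in events if e.action == "signin"}
    findings = []
    for e in events:
        base = signin_ua.get(e.session_id)
        if base is None or e.action == "signin":
            continue
        if not is_script_ua(base) and is_script_ua(e.user_agent):
            findings.append((e.user, e.session_id, e.user_agent))
    return findings


def find_hosting_origin(events):
    """Any identity or API activity sourced from hosting-provider address space."""
    return [(e.user, e.asn_org, e.action) for e in events if e.asn_org in HOSTING_ASN_ORGS]


def find_mfa_register_after_hosting(events, window_s=3600):
    """MFA device registration by a user within window_s after access from hosting space."""
    hosting_ts = defaultdict(list)
    for e in events:
        if e.asn_org in HOSTING_ASN_ORGS:
            hosting_ts[e.user].append(e.ts)
    return [(e.user, e.ts) for e in events if e.action == "mfa_register"
            and any(0 <= e.ts - t <= window_s for t in hosting_ts[e.user])]


def find_lure_hosts(events):
    """Passkey/enrollment-themed hostnames that are not the tenant's own login hosts."""
    out = []
    for e in events:
        h = e.host.lower()
        if h and h not in TRUSTED_LOGIN_HOSTS and any(k in h for k in LURE_KEYWORDS):
            out.append((e.user, h))
    return out


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"

# Constructed sample events: one benign session and one matching the described pattern.
SAMPLE_EVENTS = [
    Event(1000, "a.ramirez", "s-1", "signin", BROWSER_UA, "Corp-ISP-Example"),
    Event(1060, "a.ramirez", "s-1", "graph_request", BROWSER_UA, "Corp-ISP-Example"),
    Event(1900, "j.okafor", "", "dns_lookup", BROWSER_UA, "Corp-ISP-Example",
          host="passkey-enroll-example.invalid"),
    Event(2000, "j.okafor", "s-2", "signin", BROWSER_UA, "ExampleCloud Hosting"),
    Event(2100, "j.okafor", "s-2", "graph_request", "python-requests/2.31.0", "ExampleCloud Hosting"),
    Event(2400, "j.okafor", "s-2", "mfa_register", "python-requests/2.31.0", "ExampleCloud Hosting"),
]


def run_all(events):
    return {
        "ua_mismatch": find_ua_mismatch(events),
        "hosting_origin": find_hosting_origin(events),
        "mfa_after_hosting": find_mfa_register_after_hosting(events),
        "lure_hosts": find_lure_hosts(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule is weak on its own (scripted Graph access is common for legitimate automation, and hosting providers host legitimate VPNs), which is why `run_all` keeps them separate: the signal the summary describes is the combination, a session that authenticated from a browser, continues under a script User-Agent from hosting space, and then registers a new MFA device, with a lure-themed hostname resolved shortly before.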
Organizations should understand that this campaign does not exploit a vulnerability in any vendor's product; it relies on social engineering. Defending against it requires phishing-resistant MFA. Organizations that detect or suspect an intrusion should consult their security vendors or the relevant authorities for specific remediation steps.
