ShinyHunters’ New MFA Bypass Fuels Data Theft

Summary

– Threat actors, including groups linked to ShinyHunters, are using social engineering to bypass MFA by posing as IT staff and directing victims to fake login pages.
– Major companies like Panera Bread, SoundCloud, and Match Group have been successfully targeted, with attacks prepared against many sectors including tech, finance, and healthcare.
– The attacks combine voice phishing (vishing) with synchronized phishing kits, allowing attackers to bypass push notifications by requesting specific verification codes over the phone.
– Identified groups UNC6661 and UNC6671 steal credentials and MFA codes, access SaaS platforms to exfiltrate sensitive data, and use aggressive extortion tactics like harassment and DDoS attacks.
– Mandiant has published indicators of compromise and guidance for organizations on how to detect, prevent, and minimize the impact of these intrusions.

A sophisticated new social engineering campaign is actively bypassing multi-factor authentication (MFA) protections, turning a key security measure into a tool for data theft. Threat actors associated with the ShinyHunters cyber extortion group are orchestrating synchronized voice and email phishing attacks that have successfully compromised major organizations. Recent victims include Panera Bread, SoundCloud, Match Group (the parent company of Tinder and Hinge), and Crunchbase. Security analysts warn that many more companies across the technology, finance, healthcare, and retail sectors are currently being targeted or have had attack infrastructure prepared against them.

The core of this threat is a synchronized vishing-phishing attack. As detailed in a recent Okta warning, attackers use custom phishing kits that perfectly align a fake login page with a live phone call. A social engineer, pretending to be from the IT department, guides the victim through entering credentials on the fraudulent site. This method is alarmingly effective, even against systems using number-matching push notifications, as the caller can simply ask the user to input a specific code displayed on the phishing page.

Research from Mandiant, Google Cloud’s threat intelligence unit, identifies at least two distinct groups employing this method: UNC6661 and UNC6671. While they operate separately, their tactics are strikingly similar. In early 2026, UNC6661 conducted calls claiming a company was updating its MFA settings. They directed employees to convincing, company-branded phishing sites to steal single sign-on credentials and MFA codes. After gaining access, the attackers registered their own devices for MFA and moved through the victim’s network.

Once inside, these groups hunt for valuable data. They systematically search SaaS platforms like SharePoint and OneDrive for documents containing sensitive keywords such as “confidential,” “internal,” “proposal,” and “PII” (personally identifiable information). In attempts to cover their tracks, they have been observed deleting security notification emails from services like Okta and purging sent items from compromised email accounts used in further phishing attempts.

The related group, UNC6671, follows a nearly identical playbook of IT impersonation to harvest login details. After breaching accounts, they use PowerShell scripts to download troves of sensitive corporate data. During the subsequent extortion phase, these actors employ aggressive tactics, including harassing victim personnel directly and launching distributed denial-of-service (DDoS) attacks against company websites.

Mandiant analysts have connected UNC6661 to the known ShinyHunters operation (also tracked as UNC6040) based on overlapping techniques and infrastructure. This link underscores the professional and persistent nature of this threat. In response to the escalating attacks, security researchers have published detailed indicators of compromise and threat-hunting queries. They strongly advise organizations to enhance employee training on these hybrid social engineering tactics, implement stricter verification processes for IT requests, and monitor for unusual authentication events or data access patterns to detect and contain such intrusions quickly.
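The monitoring advice above can be turned into a concrete hunting rule. The following is an added example, not code from the article, Mandiant or Okta: it scans Okta System Log style events for the chain described earlier, a session starting from an IP address never before seen for that user, followed within a short window by activation of a new MFA factor (the step where the attackers register their own device). The event type names are Okta's; the 30-minute window, the baseline of known IPs and the log records themselves are constructed assumptions.

```python
# Added hunting example (not the article's or Mandiant's code). Flags a
# session start from an IP not in the user's baseline that is followed
# within WINDOW by enrolment of a new MFA factor.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: tune to your environment

# Constructed sample events using a subset of Okta System Log fields.
EVENTS = [
    {"published": "2026-02-03T09:00:00Z", "eventType": "user.session.start",
     "actor": "alice@example.com", "ip": "203.0.113.10"},
    {"published": "2026-02-03T09:07:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "alice@example.com", "ip": "203.0.113.10"},
    {"published": "2026-02-03T10:00:00Z", "eventType": "user.session.start",
     "actor": "bob@example.com", "ip": "198.51.100.5"},
    {"published": "2026-02-03T16:00:00Z", "eventType": "user.mfa.factor.activate",
     "actor": "bob@example.com", "ip": "198.51.100.5"},
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_enrolments(events, known_ips):
    """Return (actor, login_ip, enrol_time) for each MFA factor activation
    that occurs within WINDOW of a session start from an IP absent from
    known_ips[actor]. known_ips is a baseline built from prior trusted logins."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    new_ip_logins = defaultdict(list)  # actor -> [(time, ip)]
    hits = []
    for e in events:
        t, actor, ip = parse_ts(e["published"]), e["actor"], e["ip"]
        if e["eventType"] == "user.session.start" and ip not in known_ips.get(actor, set()):
            new_ip_logins[actor].append((t, ip))
        elif e["eventType"] == "user.mfa.factor.activate":
            for login_t, login_ip in new_ip_logins[actor]:
                if timedelta(0) <= t - login_t <= WINDOW:
                    hits.append((actor, login_ip, e["published"]))
                    break
    return hits

if __name__ == "__main__":
    baseline = {"alice@example.com": {"192.0.2.1"}, "bob@example.com": {"198.51.100.5"}}
    for hit in find_suspicious_enrolments(EVENTS, baseline):
        print("review:", hit)  # alice enrolled a factor 7 min after a new-IP login
```

Bob's enrolment is not flagged because his login came from a baseline IP; a real deployment would also pull the factor type and device details from the event to prioritise review.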

(Source: HelpNet Security)
