The ShinyHunters SSO attack campaign detailed in Mandiant’s latest report highlights a dangerous evolution in financially motivated cybercrime. Single Sign-On (SSO) has revolutionized how organizations manage access to cloud applications—providing convenience, centralized control, and seamless user experiences across tools like Microsoft 365, Salesforce, Google Workspace, Okta-integrated apps, and more. But as Mandiant’s threat intelligence reveals, this same convenience makes SSO a prime target for groups like ShinyHunters.
In a detailed January 31, 2026, report, Mandiant (part of Google Cloud) outlined an expanding campaign by the extortion group ShinyHunters (and affiliated clusters tracked as UNC6661, UNC6671, and UNC6240). These actors are leveraging sophisticated voice phishing (vishing) attacks combined with company-branded phishing sites to steal SSO credentials and bypass multi-factor authentication (MFA) in real time.
How the ShinyHunters SSO Attack Unfolds
The campaign relies on social engineering rather than traditional exploits:
- Attackers impersonate corporate IT or helpdesk personnel via phone calls, claiming urgent issues like MFA resets, security updates, or account verifications.
- Victims are directed to phishing domains cleverly mimicking the company’s legitimate login portals (e.g., <companyname>sso.com, my<companyname>okta.com, or <companyname>azure.com).
- These sites run phishing kits that relay the captured credentials to the real SSO portal in real time, while the call is still in progress. The attacker submits the username and password, which triggers a legitimate MFA prompt (push notification or one-time code), and then coaches the victim into approving the push or reading out the code. Once inside, the attacker registers an attacker-controlled device as a new MFA factor so the access persists after the call ends.
- With authenticated access, attackers log into the organization’s SSO dashboard (Okta, Microsoft Entra ID, Google SSO), which serves as a centralized hub listing all linked SaaS applications the compromised user can access.
From there, the pivot to data theft is straightforward:
- Primary targets include Salesforce (a frequent focus for bulk customer/sales data exfiltration), Microsoft 365/SharePoint/OneDrive (often via PowerShell scripts for downloads), DocuSign (bulk document grabs), Slack, Atlassian tools, Dropbox, and Google Drive.
- In at least one Okta incident, attackers enabled the ToogleBox Recall add-on in Google Workspace to search and permanently delete emails—including MFA notification alerts—to cover their tracks.
- Exfiltration is opportunistic but efficient: because the attacker operates inside the victim's own session and permissions, bulk downloads look like ordinary user activity to per-application controls.
ShinyHunters follows the theft with extortion demands sent via the Tox messenger and leaks samples on its data-leak site when victims do not pay. Activity has hit sectors including dating apps (e.g., the Match Group breach affecting Hinge, Tinder, and others), telecom and finance-adjacent firms, and SaaS-heavy organizations broadly. The campaign remains active and evolving; in some cases attackers have escalated to harassing personnel.
Key Lessons from the ShinyHunters SSO Attack for Modern Organizations
This isn't a vulnerability in the SSO protocols themselves. It is a human-centric attack that exploits trust, urgency, and the interconnected nature of cloud ecosystems. Because the lure arrives by phone and the credential theft happens inside a live, legitimate login flow, email phishing filters never see it, and the push or one-time-code prompt looks exactly as it should to the victim.
Critical risks highlighted:
- Push- and code-based MFA can be defeated in real time by a caller who coaches the victim through the prompt, and the resulting session can be used to enroll an attacker-controlled device as a persistent factor.
- SSO concentrates risk: one compromised identity grants access to every SaaS application that user is entitled to.
- Abuse of native tooling (PowerShell downloads, Workspace add-ons, bulk export features) blends malicious activity with legitimate admin and user behavior.
Mandiant recommends:
- Transition to phishing-resistant MFA (e.g., FIDO2 security keys or passkeys) instead of push or SMS, and remove the weaker factors as fallbacks: an attacker who can talk a user or the helpdesk into an "MFA reset" will simply downgrade to whatever fallback remains.
- Enhance logging/telemetry for anomalous SSO logins, rapid SaaS access, unexpected OAuth grants, or email deletions.
- Implement behavior-based detections for vishing indicators and post-compromise exfiltration patterns.
- Harden identity workflows (especially helpdesk-driven MFA resets and factor enrollment), enforce IP or device restrictions where feasible, and train staff to hang up on unsolicited IT calls and call back through a known internal number.
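As an added illustration (example code written for this post, not Mandiant's or any vendor's detection content), the following Python script applies the telemetry recommendation above to a handful of constructed SSO log lines. It looks for the sequence the attack chain produces: a session started from an IP the user has never used, a new MFA factor activated minutes later, and a burst of SSO launches into several SaaS apps. The event names are loosely modelled on identity-provider audit logs but are assumptions here, as are the IP baseline, the thresholds and the sample events.

```python
"""Toy detector for the coached-login pattern: new IP, then a fresh MFA
factor, then a burst of SSO app launches. Event names, thresholds and the
sample data below are constructed for this example, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events, not real telemetry. 'alice' logs in normally in
# the morning; at 14:02 a session starts from an unfamiliar IP, a new MFA
# factor is activated a minute later, and four SaaS apps are launched in
# quick succession. 'bob' is an ordinary control case.
SAMPLE_LOG = """\
{"ts": "2026-01-15T09:00:00Z", "user": "alice", "event": "user.session.start", "ip": "203.0.113.10"}
{"ts": "2026-01-15T09:00:30Z", "user": "alice", "event": "user.authentication.sso", "ip": "203.0.113.10", "app": "Salesforce"}
{"ts": "2026-01-15T14:02:00Z", "user": "alice", "event": "user.session.start", "ip": "198.51.100.77"}
{"ts": "2026-01-15T14:03:10Z", "user": "alice", "event": "user.mfa.factor.activate", "ip": "198.51.100.77", "factor": "push"}
{"ts": "2026-01-15T14:04:00Z", "user": "alice", "event": "user.authentication.sso", "ip": "198.51.100.77", "app": "Salesforce"}
{"ts": "2026-01-15T14:04:20Z", "user": "alice", "event": "user.authentication.sso", "ip": "198.51.100.77", "app": "SharePoint"}
{"ts": "2026-01-15T14:05:05Z", "user": "alice", "event": "user.authentication.sso", "ip": "198.51.100.77", "app": "DocuSign"}
{"ts": "2026-01-15T14:06:40Z", "user": "alice", "event": "user.authentication.sso", "ip": "198.51.100.77", "app": "Slack"}
{"ts": "2026-01-15T14:07:00Z", "user": "bob", "event": "user.session.start", "ip": "203.0.113.20"}
{"ts": "2026-01-15T14:08:00Z", "user": "bob", "event": "user.authentication.sso", "ip": "203.0.113.20", "app": "Salesforce"}
"""

# Constructed baseline: IPs each user has logged in from over the last 30 days.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

ENROL_WINDOW = timedelta(minutes=15)  # MFA factor activated this soon after login
BURST_WINDOW = timedelta(minutes=10)  # distinct SSO app launches counted in this window
BURST_APPS = 3                        # ...and at least this many of them


def parse(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline):
    """Return one alert per session start where at least two of the signals
    new_ip, mfa_enrol and app_burst fire; all three is rated high."""
    known = {u: set(ips) for u, ips in baseline.items()}  # copy; learned as we go
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            if start["event"] != "user.session.start":
                continue
            signals = []
            if start["ip"] not in known.setdefault(user, set()):
                signals.append("new_ip")
            known[user].add(start["ip"])

            # Walk the events that follow this login; the next session start
            # for the same user closes the window.
            apps = set()
            for e in evs[i + 1:]:
                if e["event"] == "user.session.start":
                    break
                dt = e["ts"] - start["ts"]
                if e["event"] == "user.mfa.factor.activate" and dt <= ENROL_WINDOW:
                    if "mfa_enrol" not in signals:
                        signals.append("mfa_enrol")
                elif e["event"] == "user.authentication.sso" and dt <= BURST_WINDOW:
                    apps.add(e["app"])
            if len(apps) >= BURST_APPS:
                signals.append("app_burst")

            if len(signals) >= 2:
                alerts.append({
                    "user": user,
                    "session_ts": start["ts"].isoformat(),
                    "ip": start["ip"],
                    "signals": signals,
                    "severity": "high" if len(signals) == 3 else "medium",
                })
    return alerts


def run_sample():
    """Run the detector over the constructed sample with the constructed baseline."""
    return detect(parse(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Run directly, the script prints one high-severity alert for alice's afternoon session and nothing for her morning session or for bob. In production the baseline would be built from real login history and the thresholds tuned per tenant; the point is the correlation, since each signal on its own (a new IP, a factor enrollment, a busy user) is common, while all three inside a few minutes of each other is the fingerprint of a coached login.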
At Black Belt Secure, our managed security services include advanced endpoint detection and response (EDR/MDR), identity threat monitoring, SaaS security posture management, and employee awareness training tailored to these exact scenarios. We help clients detect unusual SSO behaviors, enforce phishing-resistant auth, and respond swiftly to vishing-driven compromises before data hits extortion sites.
If your organization relies heavily on SSO for cloud tools like Salesforce or Microsoft 365, now is the time to audit your identity controls and add layers of defense against human-targeted threats like the ShinyHunters SSO attack. Contact us for a no-obligation assessment.
Stay secure, verify every call, and protect your cloud crown jewels.
