
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft


January 30, 2026
Mandiant, Google Threat Intelligence

Introduction

Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands.

Google Threat Intelligence Group (GTIG) is currently tracking this activity under multiple threat clusters (UNC6661, UNC6671, and UNC6240) to enable a more granular understanding of evolving partnerships and to account for potential impersonation activity. While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion. Further, they appear to be escalating their extortion tactics; recent incidents have included harassment of victim personnel, among other tactics.

This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations moving towards phishing-resistant MFA where possible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based or SMS authentication are not.
Mandiant has also published a comprehensive guide with proactive hardening and detection recommendations, and Google published a detailed walkthrough for operationalizing these findings within Google Security Operations.

[Figure 1: Attack path diagram]

UNC6661 Vishing and Credential Theft Activity

In incidents spanning early to mid-January 2026, UNC6661 pretended to be IT staff and called employees at targeted victim organizations, claiming that the company was updating MFA settings. The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA. The credential harvesting domains attributed to UNC6661 commonly, but not exclusively, use the format <companyname>sso.com or <companyname>internal.com and have often been registered with NICENIC.

In at least some cases, the threat actor gained access to accounts belonging to Okta customers. Okta published a report about phishing kits targeting identity providers and cryptocurrency platforms, as well as follow-on vishing attacks. While Okta associates this activity with multiple threat clusters, at least some of the activity appears to overlap with the ShinyHunters-branded operations tracked by GTIG.

After gaining initial access, UNC6661 moved laterally through victim customer environments to exfiltrate data from various SaaS platforms (log examples in Figures 2 through 5). While the targeting of specific organizations and user identities is deliberate, analysis suggests that the subsequent access to these platforms is likely opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session. These compromises did not result from security vulnerabilities in the vendors' products or infrastructure. In some cases, the threat actors have appeared to target specific types of information.
For example, the threat actors have conducted searches in cloud applications for documents containing specific text including "poc," "confidential," "internal," "proposal," "salesforce," and "vpn," or targeted personally identifiable information (PII) stored in Salesforce. Additionally, UNC6661 may have targeted Slack data at some victims' environments, based on a claim made in a ShinyHunters-branded data leak site (DLS) entry.

{
  "AppAccessContext": {
    "AADSessionId": "[REDACTED_GUID]",
    "AuthTime": "1601-01-01T00:00:00",
    "ClientAppId": "[REDACTED_APP_ID]",
    "ClientAppName": "Microsoft Office",
    "CorrelationId": "[REDACTED_GUID]",
    "TokenIssuedAtTime": "1601-01-01T00:02:56",
    "UniqueTokenId": "[REDACTED_ID]"
  },
  "CreationTime": "2026-01-10T13:17:11",
  "Id": "[REDACTED_GUID]",
  "Operation": "FileDownloaded",
  "OrganizationId": "[REDACTED_GUID]",
  "RecordType": 6,
  "UserKey": "[REDACTED_USER_KEY]",
  "UserType": 0,
  "Version": 1,
  "Workload": "SharePoint",
  "ClientIP": "[REDACTED_IP]",
  "UserId": "[REDACTED_EMAIL]",
  "ApplicationId": "[REDACTED_APP_ID]",
  "AuthenticationType": "OAuth",
  "BrowserName": "Mozilla",
  "BrowserVersion": "5.0",
  "CorrelationId": "[REDACTED_GUID]",
  "EventSource": "SharePoint",
  "GeoLocation": "NAM",
  "IsManagedDevice": false,
  "ItemType": "File",
  "ListId": "[REDACTED_GUID]",
  "ListItemUniqueId": "[REDACTED_GUID]",
  "Platform": "WinDesktop",
  "Site": "[REDACTED_GUID]",
  "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294",
  "WebId": "[REDACTED_GUID]",
  "DeviceDisplayName": "[REDACTED_IPV6]",
  "EventSignature": "[REDACTED_SIGNATURE]",
  "FileSizeBytes": 31912,
  "HighPriorityMediaProcessing": false,
  "ListBaseType": 1,
  "ListServerTemplate": 101,
  "SensitivityLabelId": "[REDACTED_GUID]",
  "SiteSensitivityLabelId": "",
  "SensitivityLabelOwnerEmail": "[REDACTED_EMAIL]",
  "SourceRelativeUrl": "[REDACTED_RELATIVE_URL]",
  "SourceFileName": "[REDACTED_FILENAME]",
  "SourceFileExtension": "xlsx",
  "ApplicationDisplayName": "Microsoft Office",
  "SiteUrl": "[REDACTED_URL]",
  "ObjectId": "[REDACTED_URL]/[REDACTED_FILENAME]"
}

Figure 2: SharePoint/M365 log example

"Login","20260120163111.430","SLB:[REDACTED]","[REDACTED]","[REDACTED]","192","25","/index.jsp","","1jVcuDh1VIduqg10","Standard","","167158288","5","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/IP_ADDRESS_REMOVED Safari/537.36","","9998.0","user@[REDACTED_DOMAIN].com","TLSv1.3","TLS_AES_256_GCM_SHA384","","https://[REDACTED_IDP_DOMAIN]/","[REDACTED].my.salesforce.com","CA","","","0LE1Q000000LBVK","2026-01-20T16:31:11.430Z","[REDACTED]","76.64.54[.]159","","LOGIN_NO_ERROR","76.64.54[.]159",""

Figure 3: Salesforce log example

{
  "Timestamp": "2026-01-21T12:5:2-03:00",
  "Timestamp UTC": "[REDACTED]",
  "Event Name": "User downloads documents from an envelope",
  "Event Id": "[REDACTED_EVENT_ID]",
  "User": "[REDACTED]@example.com",
  "User Id": "[REDACTED_USER_ID]",
  "Account": "[REDACTED_ORG_NAME]",
  "Account Id": "[REDACTED_ACCOUNT_ID]",
  "Integrator Key": "[REDACTED_KEY]",
  "IP Address": "73.135.228[.]98",
  "Latitude": "[REDACTED]",
  "Longitude": "[REDACTED]",
  "Country/Region": "United States",
  "State": "Maryland",
  "City": "[REDACTED]",
  "Browser": "Chrome 143",
  "Device": "Apple Mac",
  "Operating System": "Mac OS X 10",
  "Source": "Web",
  "DownloadType": "Archived",
  "EnvelopeId": "[REDACTED_ENVELOPE_ID]"
}

Figure 4: Docusign log example

In at least one incident where the threat actor gained access to an Okta customer account, UNC6661 enabled the ToogleBox Recall add-on for the victim's Google Workspace account, a tool designed to search for and permanently delete emails. They then deleted a "Security method enrolled" email from Okta, almost certainly to prevent the employee from identifying that their account was associated with a new MFA device.
{
  "Date": "2026-01-11T06:3:00Z",
  "App ID": "[REDACTED_ID].apps.googleusercontent.com",
  "App name": "ToogleBox Recall",
  "OAuth event": "Authorize",
  "Description": "User authorized access to ToogleBox Recall for specific Gmail and Apps Script scopes.",
  "User": "user@[REDACTED_DOMAIN].com",
  "Scope": "https://www.googleapis.com/auth/gmail.addons.current.message.readonly, https://www.googleapis.com/auth/gmail.addons.execute, https://www.googleapis.com/auth/script.external_request, https://www.googleapis.com/auth/script.locale, https://www.googleapis.com/auth/userinfo.email",
  "API name": "",
  "Method": "",
  "Number of response bytes": "0",
  "IP address": "149.50.97.144",
  "Product": "Gmail, Apps Script Runtime, Apps Script Api, Identity, Unspecified",
  "Client type": "Web",
  "Network info": "{\n \"Network info\": {\n \"IP ASN\": \"201814\",\n \"Subdivision code\": \"\",\n \"Region code\": \"PL\"\n }\n}"
}

Figure 5: ToogleBox Recall auth log entry example

In at least one case, after conducting the initial data theft, UNC6661 used their newly obtained access to compromised email accounts to send additional phishing emails to contacts at cryptocurrency-focused companies. The threat actor then deleted the outbound emails, likely in an attempt to obfuscate their malicious activity.

GTIG attributes the subsequent extortion activity following UNC6661 intrusions to UNC6240, based on several overlaps, including the use of a common Tox account for negotiations, ShinyHunters-branded extortion emails, and Limewire to host samples of stolen data. In mid-January 2026 extortion emails, UNC6240 outlined what data they allegedly stole, specifying a payment amount and destination BTC address, and threatening consequences if the ransom was not paid within 72 hours, which is consistent with prior extortion emails (Figure 6). They also provided proof of data theft via samples hosted on Limewire.
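As an added illustration of how a defender could triage records shaped like Figure 2 (a SharePoint FileDownloaded event from an unmanaged device with a PowerShell user agent) and Figure 5 (a Google Workspace OAuth authorization granting Gmail scopes to a third-party add-on), the following Python is not code from the Mandiant report. It runs two checks over constructed records that reuse the field names from those figures; every value in them is an invented placeholder, and the allowlist of sanctioned OAuth apps and the list of scripting user-agent markers are assumptions to be replaced with an organization's own.

```python
"""Two triage checks modelled on the Figure 2 and Figure 5 log shapes.
Added example, not code from the Mandiant report; all record values below
are constructed placeholders, and the allowlist/markers are assumptions."""
import json
from collections import Counter

# Constructed M365 unified audit records using the Figure 2 field names.
M365_RECORDS = [
    {"CreationTime": "2026-01-10T13:17:11", "Operation": "FileDownloaded",
     "Workload": "SharePoint", "UserId": "user@example.com",
     "IsManagedDevice": False, "Platform": "WinDesktop",
     "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294",
     "SourceFileExtension": "xlsx", "FileSizeBytes": 31912},
    {"CreationTime": "2026-01-10T13:17:14", "Operation": "FileDownloaded",
     "Workload": "SharePoint", "UserId": "user@example.com",
     "IsManagedDevice": False, "Platform": "WinDesktop",
     "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294",
     "SourceFileExtension": "docx", "FileSizeBytes": 8120},
    {"CreationTime": "2026-01-10T09:02:40", "Operation": "FileDownloaded",
     "Workload": "SharePoint", "UserId": "other@example.com",
     "IsManagedDevice": True, "Platform": "WinDesktop",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/143.0 Safari/537.36",
     "SourceFileExtension": "pdf", "FileSizeBytes": 40210},
    {"CreationTime": "2026-01-10T09:05:12", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "user@example.com",
     "IsManagedDevice": False, "Platform": "WinDesktop",
     "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294",
     "SourceFileExtension": "xlsx", "FileSizeBytes": 1024},
]

# Constructed Google Workspace OAuth token audit events using the Figure 5 field names.
# "Network info" is a JSON document embedded as a string, exactly as in the figure.
GWS_OAUTH_EVENTS = [
    {"Date": "2026-01-11T06:03:00Z", "App name": "ToogleBox Recall", "OAuth event": "Authorize",
     "User": "user@example.com", "IP address": "203.0.113.7",
     "Scope": "https://www.googleapis.com/auth/gmail.addons.current.message.readonly, "
              "https://www.googleapis.com/auth/gmail.addons.execute, "
              "https://www.googleapis.com/auth/script.external_request, "
              "https://www.googleapis.com/auth/script.locale, "
              "https://www.googleapis.com/auth/userinfo.email",
     "Network info": "{\n \"Network info\": {\n \"IP ASN\": \"64496\",\n \"Subdivision code\": \"\",\n \"Region code\": \"PL\"\n }\n}"},
    {"Date": "2026-01-11T08:00:00Z", "App name": "Calendar Helper", "OAuth event": "Authorize",
     "User": "other@example.com", "IP address": "198.51.100.20",
     "Scope": "https://www.googleapis.com/auth/gmail.readonly",
     "Network info": "{\n \"Network info\": {\n \"IP ASN\": \"64500\",\n \"Subdivision code\": \"\",\n \"Region code\": \"US\"\n }\n}"},
    {"Date": "2026-01-11T08:30:00Z", "App name": "Notes Sync", "OAuth event": "Authorize",
     "User": "other@example.com", "IP address": "198.51.100.21",
     "Scope": "https://www.googleapis.com/auth/drive.readonly",
     "Network info": "{\n \"Network info\": {\n \"IP ASN\": \"64500\",\n \"Subdivision code\": \"\",\n \"Region code\": \"US\"\n }\n}"},
]

# Assumptions: user-agent markers of non-browser clients, and the org's sanctioned OAuth apps.
SCRIPTED_AGENT_MARKERS = ("WindowsPowerShell", "python-requests", "curl/")
SANCTIONED_OAUTH_APPS = {"Calendar Helper"}
MAIL_SCOPE_PREFIX = "https://www.googleapis.com/auth/gmail."


def scripted_unmanaged_downloads(records):
    """FileDownloaded events from an unmanaged device whose UserAgent identifies
    a scripting client rather than a browser: the combination seen in Figure 2."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "FileDownloaded" or rec.get("IsManagedDevice", True):
            continue
        if any(marker in rec.get("UserAgent", "") for marker in SCRIPTED_AGENT_MARKERS):
            hits.append(rec)
    return hits


def downloads_per_user(records):
    """Download count per identity, to surface bulk collection from one SSO session."""
    return Counter(r["UserId"] for r in records if r.get("Operation") == "FileDownloaded")


def unsanctioned_mail_grants(events, sanctioned=SANCTIONED_OAUTH_APPS):
    """Authorize events that grant Gmail scopes to an app outside the allowlist.
    The source ASN and region are parsed out of the nested 'Network info' JSON
    string so an analyst can compare them with the user's usual locations."""
    hits = []
    for ev in events:
        if ev.get("OAuth event") != "Authorize" or ev.get("App name") in sanctioned:
            continue
        scopes = [s.strip() for s in ev.get("Scope", "").split(",") if s.strip()]
        mail_scopes = [s for s in scopes if s.startswith(MAIL_SCOPE_PREFIX)]
        if not mail_scopes:
            continue
        net = json.loads(ev.get("Network info") or "{}").get("Network info", {})
        hits.append({"user": ev["User"], "app": ev["App name"], "ip": ev.get("IP address"),
                     "asn": net.get("IP ASN"), "region": net.get("Region code"),
                     "mail_scopes": mail_scopes})
    return hits


if __name__ == "__main__":
    for rec in scripted_unmanaged_downloads(M365_RECORDS):
        print("scripted download:", rec["UserId"], rec["CreationTime"], rec["SourceFileExtension"])
    print("downloads per user:", dict(downloads_per_user(M365_RECORDS)))
    for hit in unsanctioned_mail_grants(GWS_OAUTH_EVENTS):
        print("unsanctioned mail grant:", hit)
```

The first check keys on the two fields that stand out in Figure 2 (IsManagedDevice false and a WindowsPowerShell user agent on a download), and the per-user counter is there because an opportunistic SSO-session collector tends to produce many downloads in a short window from one identity. The OAuth check treats any non-allowlisted app receiving gmail.* scopes as worth a look regardless of region; the ASN and region are surfaced for the analyst rather than used as the trigger, since the report only shows one example of where such a grant came from.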
GTIG also observed extortion text messages sent to employees and received reports of victim websites being targeted with distributed denial-of-service (DDoS) attacks. Notably, in late January 2026 a new ShinyHunters-branded DLS named "SHINYHUNTERS" emerged listing several alleged victims who may have been compromised in these most recent extortion operations. The DLS also lists contact in
