Google warns of UNC6671 vishing campaign

- Google Threat Intelligence Group said on May 15 that UNC6671, operating as BlackFile, has run a high-tempo vishing and SSO-compromise campaign since early 2026.
- Google said UNC6671 targeted “dozens of organizations” across North America, Australia and the UK, focusing on Microsoft 365 and Okta environments.
- Google’s May 15 advisory includes detection and mitigation guidance for identity teams defending Microsoft 365 and Okta tenants.

Google Threat Intelligence Group said on May 15 that UNC6671, a threat cluster operating under the BlackFile name, has been running an extortion campaign built around voice phishing and single sign-on compromise. The campaign has targeted Microsoft 365 and Okta environments since early 2026, according to Google’s advisory. Google said the group has hit dozens of organizations across North America, Australia and the UK. The company said the intrusions were not tied to a software flaw in Microsoft, Okta or other vendors, but to social engineering aimed at identity systems.

### How are the attackers getting in?

Google said UNC6671 relies on high-volume vishing calls, often placed to employees’ personal cellphones, to move targets away from normal support channels. The callers pose as internal IT or help desk staff and tell employees they need to complete a passkey migration or a multi-factor authentication update. That pretext is used to steer the victim to a credential-harvesting site while the attacker stays on the phone. (cloud.google.com)

CrowdStrike said its Cordial Spider cluster, which it maps to UNC6671, has used the same pattern since at least October 2025: a vishing call, an SSO-themed phishing page and rapid access into SaaS applications. Okta said in a December 2024 advisory that legitimate Okta Support will not ask for a password or an MFA token, a warning that matches the tradecraft Google described this week. (cloud.google.com)

### Why do passkey and MFA “upgrades” work as a lure?

Google said the passkey or MFA-migration story gives the caller a plausible reason to explain away security prompts and login checks that appear during the session. In practice, the victim is interacting with an adversary-in-the-middle page that relays credentials and session data to the attackers in real time. Google said that lets UNC6671 bypass traditional perimeter defenses and gain access to cloud environments even when MFA is in place. (crowdstrike.com)

Okta has previously described real-time phishing as a key identity threat and said phishing-resistant methods such as FastPass can give defenders stronger signals when adversary-in-the-middle tooling is in use. Google’s new report similarly says the BlackFile campaign shows why organizations are moving toward phishing-resistant MFA for SaaS and identity platforms. (cloud.google.com)

### What do the attackers do after the first login?

Google said UNC6671’s operators register attacker-controlled MFA devices after harvesting credentials, giving them a way to maintain access later. The group then uses Python and PowerShell scripts to exfiltrate corporate data from compromised cloud environments, according to the advisory. Google said the operation is geared toward subsequent extortion attempts. (sec.okta.com)

CrowdStrike said comparable SaaS-focused crews remove or replace enrolled devices and suppress warning messages by creating inbox rules that delete email alerts tied to unauthorized device registration. That sequence helps explain why identity teams are focusing not only on login protection, but on who can enroll authenticators, reset factors and approve device changes. (cloud.google.com)

### Is BlackFile the same thing as ShinyHunters?

Google said no. The company said UNC6671 previously appeared as a distinct cluster in reporting on SaaS data-theft techniques associated with ShinyHunters, also tracked as UNC6240, but assessed the operations as independent. Google said that assessment was based on separate TOX communication channels, different domain-registration patterns and the launch of a dedicated BlackFile data leak site. Google also said UNC6671 had used the ShinyHunters brand in at least one case to add credibility to threats. (crowdstrike.com)

CyberScoop reported in April that Unit 42 and RH-ISAC linked BlackFile to active extortion in retail and hospitality, with ransom demands typically in the seven figures. BleepingComputer separately reported that Unit 42 had tied the group to attacks since February 2026 in those sectors.

### What is Google telling defenders to do now?

Google said the campaign is a problem of identity verification and device registration controls as much as credential theft. (cloud.google.com)

The company’s advisory says the compromises stem from social engineering rather than a vendor-side vulnerability, and it frames phishing-resistant MFA as a priority control for Microsoft 365 and Okta tenants. (cyberscoop.com)

Okta has published separate guidance on validating support interactions, including phone-and-email verification for authorized representatives and tighter controls around sensitive account operations. Google’s May 15 post includes the latest BlackFile indicators and attack-lifecycle details for defenders reviewing Microsoft 365 and Okta logs now. (sec.okta.com) (cloud.google.com)
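The two post-login behaviours described above, an attacker-enrolled MFA factor shortly after a login from an unfamiliar address and an inbox rule that silently deletes device-registration alerts, can be turned into a simple correlation check over identity and mailbox audit events. The following is an added illustration, not code from Google’s, Okta’s or CrowdStrike’s reporting; the event records are constructed, and the field names (`type`, `ip`, `params`) and the per-user IP baseline are assumptions loosely modeled on Okta System Log and Microsoft 365 audit data rather than either product’s exact schema.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modeled on Okta System Log and
# Microsoft 365 audit records; field names are assumptions for this example.
EVENTS = [
    {"ts": "2026-05-14T09:02:10", "user": "alice", "type": "user.session.start", "ip": "203.0.113.7"},
    {"ts": "2026-05-14T09:05:41", "user": "alice", "type": "user.mfa.factor.activate", "ip": "203.0.113.7"},
    {"ts": "2026-05-14T09:09:03", "user": "alice", "type": "New-InboxRule", "ip": "203.0.113.7",
     "params": {"SubjectContainsWords": ["Security info was added", "New sign-in"], "DeleteMessage": True}},
    {"ts": "2026-05-14T11:30:00", "user": "bob", "type": "user.mfa.factor.activate", "ip": "198.51.100.20"},
]
# IPs previously seen for each user (constructed baseline).
KNOWN_IPS = {"alice": {"198.51.100.4"}, "bob": {"198.51.100.20"}}
# Subject fragments typical of authenticator and sign-in notification mail.
ALERT_WORDS = ("security info", "sign-in", "authenticator", "mfa")
WINDOW = timedelta(minutes=30)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def find_suspicious(events, known_ips=KNOWN_IPS, window=WINDOW):
    """Return (user, reason) findings for post-login persistence behaviour."""
    findings = []
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        baseline = known_ips.get(user, set())
        # Session starts from an address never seen for this user.
        new_logins = [e for e in evs if e["type"] == "user.session.start" and e["ip"] not in baseline]
        for e in evs:
            if e["type"] == "user.mfa.factor.activate" and e["ip"] not in baseline:
                # A factor enrolled soon after a new-IP login from the same address
                # matches the "register your own authenticator" step.
                if any(l["ip"] == e["ip"] and 0 <= (_ts(e) - _ts(l)).total_seconds() <= window.total_seconds()
                       for l in new_logins):
                    findings.append((user, "mfa_enroll_after_new_ip_login"))
            elif e["type"] == "New-InboxRule":
                p = e.get("params", {})
                subjects = [w.lower() for w in p.get("SubjectContainsWords", [])]
                # A rule that deletes alert-like mail hides device-registration notices.
                if p.get("DeleteMessage") and any(a in s for s in subjects for a in ALERT_WORDS):
                    findings.append((user, "inbox_rule_deletes_security_alerts"))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(EVENTS):
        print(f"{user}: {reason}")
```

Bob’s enrollment comes from an address already in his baseline and is left alone; Alice’s new-IP login, follow-on factor enrollment and alert-deleting rule produce two findings that an identity team would review together.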
