A new wave of cloud data theft is being driven by voice phishing attacks that trick employees into handing over login details and security codes. Security researchers say these attacks target single sign-on systems, turning one stolen account into a gateway to multiple business apps.
Investigators report that attackers pose as company IT or helpdesk staff and call employees directly. Victims are told their multi-factor authentication settings must be updated. They are then guided to fake login pages that look like real company portals. These phishing sites can show live, interactive dialogs while the attacker stays on the call.
During the call, the attacker uses stolen credentials in real time, triggers real MFA requests, and tells the victim how to respond, such as approving a push alert or entering a one-time code. This allows the attacker to log in and register their own MFA device.
Once inside, attackers access the victim’s SSO dashboard, which lists all permitted SaaS apps. Targets include Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, and Google Drive. For data theft and extortion, the SSO panel becomes a direct path to large volumes of cloud data.
The ShinyHunters extortion group has confirmed that it and some partners are behind these phishing attacks. Soon after the campaign became public, the group launched a data-leak site and began publishing stolen files.
A new report tracks this activity under threat clusters UNC6661, UNC6671, and UNC6240. UNC6661 impersonates IT staff and uses branded phishing domains to steal SSO and MFA data. It then enrolls attacker devices for continued access. Logs show PowerShell-based downloads from Microsoft services, suspicious Salesforce logins, and bulk DocuSign exports.
In one case involving an identity provider customer, attackers enabled a Google Workspace add-on called “ToogleBox Recall” and deleted a “Security method enrolled” email to hide the new MFA device.
Phishing domains often mimic real portals, using formats like <companyname>sso.com, <companyname>internal.com, and <companyname>support.com. One example, matchinternal.com, was tied to a breach affecting multiple dating platforms.
Some attacks used VPN and proxy services, including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks. Another cluster, UNC6671, used similar methods but different domains and more aggressive extortion tactics.
Defenders are urged to watch for rapid SaaS data downloads after SSO compromise, PowerShell access to SharePoint, unexpected ToogleBox Recall authorization, and deleted MFA alert emails. New security rules and guidance have been released to help detect and stop these attacks.
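The indicators above (bulk SaaS exports shortly after a new MFA enrolment, a PowerShell client reaching SharePoint, a ToogleBox Recall authorization, a deleted MFA notification email) and the lookalike domain formats from the earlier paragraph can be turned into simple detection rules. The following Python is an added example, not code from the report or from any vendor; the event schema, field names, sample events, the two-hour window and the 100 MB threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the article): rule-of-thumb detections for the
indicators the report lists. Log schema and thresholds are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed schema:
# ts, user, source, action, plus a few optional fields per source.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "source": "sso",
     "action": "mfa_enroll", "device": "new-phone"},
    {"ts": "2025-01-10T09:03:00", "user": "alice", "source": "salesforce",
     "action": "download", "bytes": 400_000_000},
    {"ts": "2025-01-10T09:05:00", "user": "alice", "source": "docusign",
     "action": "bulk_export", "bytes": 150_000_000},
    {"ts": "2025-01-10T09:07:00", "user": "alice", "source": "sharepoint",
     "action": "download", "bytes": 5_000_000,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"},
    {"ts": "2025-01-10T09:08:00", "user": "alice", "source": "gworkspace",
     "action": "addon_authorize", "addon": "ToogleBox Recall"},
    {"ts": "2025-01-10T09:09:00", "user": "alice", "source": "mail",
     "action": "delete", "subject": "Security method enrolled"},
    # Benign activity for contrast: ordinary browser download, no enrolment.
    {"ts": "2025-01-10T11:00:00", "user": "bob", "source": "sharepoint",
     "action": "download", "bytes": 2_000_000,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120"},
]

WINDOW = timedelta(hours=2)        # assumed: exports this soon after enrolment are suspicious
BULK_BYTES = 100_000_000           # assumed threshold for a "rapid SaaS data download"
SUSPICIOUS_SUFFIXES = ("sso", "internal", "support")  # domain formats named in the article


def lookalike_domains(company, domains):
    """Return domains shaped like <companyname>sso.com / internal / support.
    Caller should first remove domains the company actually owns."""
    company = company.lower()
    suffixes = "|".join(SUSPICIOUS_SUFFIXES)
    pattern = re.compile(rf"^{re.escape(company)}(?:{suffixes})\.[a-z]+$")
    return [d for d in domains if pattern.match(d.lower())]


def detect(events):
    """Walk events in time order and emit one alert per matched indicator."""
    alerts = []
    enroll_time = {}  # user -> time of most recent MFA device enrolment
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["source"] == "sso" and e["action"] == "mfa_enroll":
            enroll_time[user] = t
        # Bulk SaaS export within WINDOW of a new MFA enrolment
        if e["action"] in ("download", "bulk_export") and e.get("bytes", 0) >= BULK_BYTES:
            if user in enroll_time and t - enroll_time[user] <= WINDOW:
                alerts.append(f"{user}: bulk {e['source']} export shortly after new MFA enrolment")
        # PowerShell user agent against SharePoint
        if e["source"] == "sharepoint" and "powershell" in e.get("user_agent", "").lower():
            alerts.append(f"{user}: PowerShell client accessing SharePoint")
        # Unexpected ToogleBox Recall add-on authorization
        if e["action"] == "addon_authorize" and e.get("addon") == "ToogleBox Recall":
            alerts.append(f"{user}: ToogleBox Recall add-on authorized")
        # Deletion of the MFA enrolment notification email
        if (e["source"] == "mail" and e["action"] == "delete"
                and "security method enrolled" in e.get("subject", "").lower()):
            alerts.append(f"{user}: MFA enrolment notification email deleted")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
    print(lookalike_domains("Match", ["matchinternal.com", "match.com", "matchsupport.net"]))
```

On the constructed events this produces five alerts for alice and none for bob; the domain check flags matchinternal.com and matchsupport.net while leaving match.com alone. In a real deployment the enrolment-to-export correlation is the most useful of the four rules, since the other three are each easy to tune but also easy for a legitimate admin to trip on their own.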