On 4 February 2026, a new Mandiant report details how sophisticated voice phishing rings are bypassing MFA and stealing data from corporate environments. The activity, which bears the hallmarks of the ShinyHunters extortion group, uses live calls and personalised credential harvesting sites to trick employees into handing over SSO credentials and MFA codes.
According to the Mandiant report, these campaigns target cloud-based SaaS applications to exfiltrate sensitive data and internal communications, with clusters UNC6661, UNC6671 and UNC6240 sharing a common playbook of impersonating IT support. The groups are described as abusing the human element rather than exploiting cloud vulnerabilities, and the report notes that victims are directed to victim-branded credential harvesting sites where they enter their credentials and MFA codes.
The attackers then pivot to the cloud for data access, and in campaigns linked to UNC6671 they have been observed registering domains and even accessing Okta customer accounts. Mandiant emphasises that the extortion tactics include harassment of victim personnel.