cloud.google.com 5/15/2026, 5:16:33 PM · external

UNC6671’s BlackFile Uses Vishing and AiTM to Bypass MFA

Threat Actor

The article discusses an extortion campaign led by the threat actor UNC6671, operating under the name "BlackFile", which primarily targets organizations through voice phishing (vishing) and single sign-on (SSO) compromise. Key tactics include sophisticated social engineering techniques, adversary-in-the-middle (AiTM) attacks to bypass multi-factor authentication (MFA), and automated data exfiltration methods using scripts in environments such as Microsoft 365 and Okta.

Following successful breaches, the group conducts aggressive extortion campaigns, initially sending unbranded ransom notes and later escalating pressure with threats if victims do not respond. The article emphasizes the importance of organizations implementing phishing-resistant MFA and robust monitoring strategies to defend against such threats. The group's data leak site has since gone offline, indicating a possible transition phase rather than a complete cessation of their activities.


Article by CyberSIXT
