databreaches.net 5/16/2026, 2:22:51 PM · via preferred

BlackFile vishing attack steals data from Microsoft 365 and Okta


According to Google Threat Intelligence Group (GTIG), UNC6671, operating under the BlackFile brand, has run an extensive vishing extortion campaign that targets organisations via social engineering and single sign-on compromise. The group uses adversary-in-the-middle techniques to bypass MFA and gains deep access to cloud environments, with a focus on Microsoft 365 and Okta infrastructure.

GTIG notes that the operation exfiltrates sensitive corporate data using Python and PowerShell scripts for subsequent extortion attempts. Since emerging in early 2026, UNC6671 has maintained a high operational cadence and targeted dozens of organisations across North America, Australia, and the UK.

The campaign is not traced to a vulnerability in vendor products; it is instead described as a by-product of socially engineered compromises, underscoring the need for phishing-resistant MFA to protect SaaS and identity platforms. GTIG also mentions the creation of a dedicated BlackFile data leak site and notes occasional co-option of the ShinyHunters branding to bolster credibility, though the operations are assessed as independent.


Article by CyberSIXT
