ShinyHunters Expands Scope of SaaS Extortion Attacks
Summary
Security researchers at Mandiant report that ShinyHunters has broadened its extortion campaigns beyond Salesforce to target a wide range of SaaS platforms, including Microsoft 365, SharePoint and Slack. The collective (tracked across clusters UNC6661, UNC6671 and UNC6240) uses vishing and company-branded credential‑harvesting sites to capture SSO credentials and MFA codes, register attacker devices for persistent access, move laterally in cloud environments and exfiltrate sensitive data to leverage in ransom demands. Post-intrusion activity has included phishing to third parties, harassment, and hosting proof on services such as Limewire. Google, Okta and Mandiant have published defensive guidance and added identified phishing domains to protective lists.
Key Points
- ShinyHunters has extended attacks from Salesforce to multiple SaaS platforms (Microsoft 365, SharePoint, Slack, etc.).
- Primary initial-access vector is social engineering: vishing calls impersonating IT and victim-branded credential‑harvesting sites.
- Attackers harvest SSO credentials and MFA codes, then register their own MFA devices to retain access.
- Clusters UNC6661, UNC6671 and UNC6240 use different tactics and different domain registrars for their phishing infrastructure, suggesting multiple operators within the collective.
- Once inside, actors search mailboxes and document stores for high‑value terms (e.g. “confidential”, “proposal”, “vpn”, “salesforce”) to prioritise data for extortion.
- Extortion methods include ShinyHunters‑branded emails, Tox messaging for negotiations, Limewire-hosted proofs and DDoS threats with tight deadlines.
- Some clusters used harassment and deleted evidence of outbound phishing to cover tracks; PowerShell was used to pull data from SharePoint/OneDrive.
- Defensive guidance published: hardening and detection steps from Mandiant, Chrome Safe Browsing additions, and Okta recommendations such as phishing‑resistant auth (passkeys), network zones and tenant ACLs.
Why should I read this?
Short version: attackers are phoning your staff and tricking them into giving up SSO and MFA codes, then nicking cloud data for ransom. If your organisation runs SaaS apps, skim the details now — it’s exactly the sort of scam that can lead to a painful data extortion incident.
Context and Relevance
This activity shows a clear evolution in ShinyHunters’ playbook: moving from high‑profile Salesforce intrusions to a broader, more opportunistic assault on popular cloud services. It underlines two ongoing trends — attackers favouring social‑engineering (vishing) to defeat authentication, and extortion groups monetising stolen SaaS data. For security teams, the report emphasises the importance of phishing domain detection, enforcing phishing‑resistant authentication, monitoring device registrations for MFA, and applying cloud‑centric lateral‑movement detection and data‑exfiltration controls.
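The point above about monitoring MFA device registrations (and the attacker behaviour in the key points: phished SSO session, then a new factor enrolled to keep access) can be turned into a simple hunt. The following is an added example, not code from Mandiant, Okta or the report it summarises. It correlates a sign-in from an address the user has never used and that lies outside assumed corporate ranges with an MFA factor activation shortly afterwards. The log records are constructed for this example; the field names (`eventType`, `actor.alternateId`, `client.ipAddress`, `published`) loosely follow the Okta System Log shape, but the values and the trusted network range are assumptions.

```python
"""Hunt for MFA factor enrolments that follow a sign-in from an unfamiliar,
untrusted network: the 'phish the session, register your own device' pattern.
Added example with constructed log records; field names only loosely mirror
the Okta System Log schema and the trusted IP range is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (values invented for this example).
SAMPLE_EVENTS = [
    {"published": "2025-03-03T08:01:10Z", "eventType": "user.session.start",
     "actor": {"alternateId": "a.lee@example.com"}, "client": {"ipAddress": "10.20.1.15"}},
    {"published": "2025-03-03T08:05:42Z", "eventType": "user.session.start",
     "actor": {"alternateId": "b.khan@example.com"}, "client": {"ipAddress": "10.20.1.77"}},
    # Vished user: sign-in from an address outside the corporate ranges that
    # this user has never used before...
    {"published": "2025-03-03T14:12:05Z", "eventType": "user.session.start",
     "actor": {"alternateId": "b.khan@example.com"}, "client": {"ipAddress": "203.0.113.54"}},
    # ...followed minutes later by enrolment of a new MFA factor.
    {"published": "2025-03-03T14:19:33Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "b.khan@example.com"}, "client": {"ipAddress": "203.0.113.54"}},
    # Benign: helpdesk-assisted re-enrolment from the office network.
    {"published": "2025-03-03T15:02:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "a.lee@example.com"}, "client": {"ipAddress": "10.20.1.15"}},
]

# Assumed corporate address space; replace with your own network zones.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def suspicious_factor_activations(events, window=timedelta(hours=1)):
    """Return (user, login_ip, activation_time) for every MFA factor
    activation that occurs within `window` of a sign-in from an untrusted
    address the same user had never signed in from earlier in the log."""
    events = sorted(events, key=lambda e: _parse_ts(e["published"]))
    seen_ips = defaultdict(set)   # user -> addresses seen in earlier sessions
    recent_unfamiliar = {}        # user -> (ip, time) of latest unfamiliar sign-in
    findings = []
    for ev in events:
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        ts = _parse_ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            if not _trusted(ip) and ip not in seen_ips[user]:
                recent_unfamiliar[user] = (ip, ts)
            seen_ips[user].add(ip)
        elif ev["eventType"] == "user.mfa.factor.activate":
            hit = recent_unfamiliar.get(user)
            if hit and ts - hit[1] <= window:
                findings.append((user, hit[0], ev["published"]))
    return findings


if __name__ == "__main__":
    for user, ip, when in suspicious_factor_activations(SAMPLE_EVENTS):
        print(f"ALERT {when}: {user} enrolled a new MFA factor shortly after "
              f"signing in from unfamiliar address {ip}")
```

Run against the sample, this flags only the b.khan enrolment; the a.lee re-enrolment from a known office address is ignored. In production you would seed the per-user address history from weeks of prior sessions rather than from the same batch of events, and pair the alert with the Okta guidance above (network zones on the factor-enrolment policy, phishing-resistant factors) so that a phished session cannot silently add a second device.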
