Google Warns of New Campaign Targeting BPOs to Steal Corporate Data

SecurityWeek, Apr 9, 2026

Why It Matters

Compromising BPOs gives attackers indirect access to multiple enterprise environments, amplifying breach scope and driving costly extortion. The campaign forces organizations to rethink vendor risk controls and MFA resilience across their supply chain.

Key Takeaways

  • UNC6783 targets BPO help desks to steal high‑value data belonging to the BPOs’ corporate clients
  • A custom phishing kit spoofs Okta login pages and captures clipboard contents to sidestep MFA
  • Fake Zendesk support pages and bogus security‑software updates deliver remote‑access malware
  • The actor enrolls its own devices for persistence, exfiltrates data, then sends ransom notes from ProtonMail addresses
  • Mr. Raccoon claimed theft of 15,000 Adobe employee records and support‑ticket data

Pulse Analysis

The rise of supply‑chain attacks has pushed business process outsourcing providers into the crosshairs of sophisticated threat actors. Google’s Threat Intelligence Group (GTIG) flagged UNC6783, a financially motivated group that exploits the trust relationship between BPOs and their corporate clients. By infiltrating help‑desk and support teams, the actors can harvest credentials that grant them a foothold in a wide array of industries without targeting each company directly. This approach mirrors earlier campaigns that leveraged third‑party vendors to amplify impact while keeping the attackers’ footprint comparatively small.

UNC6783’s playbook blends social engineering with technical subversion. Victims are drawn into live‑chat conversations that redirect them to counterfeit Okta login portals, where a custom phishing kit captures clipboard contents (the channel through which a one‑time code is typically pasted) to sidestep standard multi‑factor authentication. The group also deploys fake Zendesk support pages and bogus security‑software updates to deliver remote‑access trojans. Once inside, the actors enroll their own devices for persistent access and exfiltrate data before sending ransom demands through ProtonMail. Because every stage imitates SaaS interfaces that users already trust, the activity blends into legitimate help‑desk workflows and is hard for traditional security controls to distinguish from normal use.

The campaign underscores the urgent need for zero‑trust architectures and hardened vendor‑risk programs. Enterprises should move to phishing‑resistant MFA (FIDO2/WebAuthn credentials are bound to the legitimate origin, so a counterfeit portal cannot relay them and there is no one‑time code for a kit to lift from the clipboard), monitor their cloud identity providers for anomalous logins and for MFA‑factor or device enrollments that follow a login from an unfamiliar source, and segment BPO access so that a compromised help‑desk account cannot reach beyond the systems it needs. Continuous verification of third‑party security postures, combined with timely threat intelligence such as GTIG’s alerts, can reduce exposure to similar extortion schemes. As the Adobe breach claim illustrates, the financial and reputational stakes of BPO compromise are substantial, prompting regulators and boards to demand stronger supply‑chain safeguards.
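As an added illustration of the monitoring recommended above (this is example code written for this page, not SecurityWeek’s, Google’s or Okta’s), the following Python script replays a handful of constructed Okta‑style System Log events and flags two things: a successful login from an IP address the account has never used, and an MFA‑factor activation from an IP the account only started using within the last day, which is the trace left behind when an intruder enrolls their own device right after a phished login. Field names (eventType, published, actor.alternateId, client.ipAddress, outcome.result) follow the Okta System Log schema; the one‑day threshold, the usernames and the IP addresses are assumptions, and the log lines are constructed.

```python
"""Flag logins and MFA-factor enrollments from unfamiliar source IPs.

Added example for this page; not SecurityWeek's, GTIG's or Okta's code.
Assumptions: field names follow the Okta System Log schema (eventType,
published, actor.alternateId, client.ipAddress, outcome.result); the
sample events below are constructed, and the one-day "established IP"
threshold is an arbitrary tuning choice.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# An IP only counts as "established" for a user once it has been in use this long.
ESTABLISHED_AFTER = timedelta(days=1)

# Constructed JSON-lines sample, deliberately not in chronological order.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2026-04-02T09:05:00.000Z","actor":{"alternateId":"alice@bpo.example"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-04-01T09:00:00.000Z","actor":{"alternateId":"alice@bpo.example"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-04-03T10:00:00.000Z","actor":{"alternateId":"bob@bpo.example"},"client":{"ipAddress":"192.0.2.5"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2026-04-08T14:18:00.000Z","actor":{"alternateId":"alice@bpo.example"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"FAILURE"}}
{"eventType":"user.session.start","published":"2026-04-08T14:20:00.000Z","actor":{"alternateId":"alice@bpo.example"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2026-04-08T14:23:00.000Z","actor":{"alternateId":"alice@bpo.example"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.activate","published":"2026-04-07T11:00:00.000Z","actor":{"alternateId":"bob@bpo.example"},"client":{"ipAddress":"192.0.2.5"},"outcome":{"result":"SUCCESS"}}
"""


def parse_events(log_text):
    """Parse JSON lines and return the events sorted by publish time."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["published"])  # ISO-8601 strings sort chronologically
    return events


def _when(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def find_suspicious(events, established_after=ESTABLISHED_AFTER):
    """Return (user, reason, ip, published) tuples for events worth a look.

    A per-user map of IP -> first successful login time is built while the
    stream is replayed, so each event is judged only against the history
    that preceded it.
    """
    first_seen = defaultdict(dict)
    alerts = []
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts neither build history nor enroll anything
        user = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]
        now = _when(e)
        if e["eventType"] == "user.session.start":
            # A login from an IP this account has never used before.
            if first_seen[user] and ip not in first_seen[user]:
                alerts.append((user, "login_from_new_ip", ip, e["published"]))
            first_seen[user].setdefault(ip, now)
        elif e["eventType"] == "user.mfa.factor.activate":
            # Enrolling a factor from an IP the account only just started using
            # is what an intruder registering their own device looks like.
            since = first_seen[user].get(ip)
            if since is None or now - since < established_after:
                alerts.append((user, "factor_enrolled_from_unestablished_ip", ip, e["published"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(*alert)
```

Run against the sample, only Alice’s two events on 8 April are reported: the login from 198.51.100.77 and the factor activation three minutes later from the same address, while Bob’s enrollment from an IP he has used for four days stays quiet. In production the events would come from the System Log API or a SIEM rather than a string, the first login of a brand‑new account seeds its baseline and so needs a separate onboarding rule, and a patient intruder can wait out the one‑day window, so the check belongs alongside ASN and geolocation comparisons rather than on its own.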
