Google Warns of New Threat Group Targeting BPOs and Helpdesks


Infosecurity Magazine, Apr 9, 2026

Why It Matters

The campaign shows a comparatively new phishing channel, live-chat support sessions, being used to steal corporate credentials, plant remote-access tooling and extort the victim. BPOs and internal helpdesks, whose job is to answer whoever opens a chat, are the natural targets.

Key Takeaways

  • UNC6783 uses live-chat support sessions to deliver links to spoofed Okta login pages
  • The phishing kit also captures clipboard contents (most plausibly pasted one-time codes) to get past MFA verification
  • Attackers register look-alike domains such as *.zendesk-support.com to pass as the support platform
  • Fake security updates pushed during the support session install remote-access malware
  • Recommended defences: phishing-resistant FIDO2 hardware keys and blocking of the look-alike domains

Pulse Analysis

The emergence of UNC6783 shows attackers moving beyond email phishing into real-time channels. Opening a live-chat session with a support desk puts the attacker in a conversation the agent is expected to act on, and from there the agent can be steered to a login portal that mimics a trusted identity provider such as Okta. The kit harvests credentials and also reads the clipboard, which defeats MFA schemes that depend on the user copying and pasting a code; it does not defeat origin-bound authenticators. Security teams should therefore extend monitoring beyond email to chat transcripts and the proxy logs behind them, looking for links that redirect to unexpected hosts and for domain patterns such as *.zendesk-support.com that imitate the support platform.
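As an added example (not code from the original article or from Google's report), the following scanner walks a chat transcript, pulls out every URL and flags hosts that match the *.zendesk-support.com pattern, that carry a brand keyword outside a domain the organisation owns, or that serve an installer from an untrusted domain. The transcript lines, the allowlist and the brand keywords are constructed for the example; a production version would use the public suffix list rather than the two-label registrable-domain shortcut.

```python
import re
from urllib.parse import urlsplit

# Constructed sample transcript (not real data). Format: "<timestamp> <speaker>: <message>".
SAMPLE_CHAT = """\
2026-04-08T14:02:11Z visitor: Hi, I'm from IT, we rolled out a new SSO page, please re-verify at https://login.acme-corp.zendesk-support.com/okta/verify
2026-04-08T14:03:40Z agent: Sure, one sec
2026-04-08T14:05:02Z visitor: also grab the security patch http://update.zendesk-support.com/secure-agent.msi
2026-04-08T14:10:15Z agent: here is the KB https://acme.zendesk.com/hc/en-us/articles/123
2026-04-08T14:11:00Z visitor: thanks, log in at https://acme.okta.com/ to confirm
"""

# Assumed allowlist of registrable domains the organisation actually uses.
TRUSTED_DOMAINS = {"zendesk.com", "okta.com", "acme-corp.example"}
# Brand words that should only ever appear under a trusted registrable domain.
BRAND_KEYWORDS = ("okta", "zendesk")
# Explicit look-alike pattern named in the article.
BLOCKED_PATTERNS = [re.compile(r"(^|\.)zendesk-support\.com$")]
INSTALLER_SUFFIXES = (".msi", ".exe", ".dmg", ".pkg")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    # Crude eTLD+1: the last two labels. Adequate for the .com hosts used here.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty list means clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if any(p.search(host) for p in BLOCKED_PATTERNS):
        reasons.append("blocked-pattern")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        # A brand name inside a hostname we do not own is the classic look-alike.
        if any(k in host for k in BRAND_KEYWORDS):
            reasons.append("brand-lookalike")
        # An installer served from an untrusted domain matches the fake-update lure.
        if parts.path.lower().endswith(INSTALLER_SUFFIXES):
            reasons.append("untrusted-installer")
    return reasons


def scan_transcript(text):
    """Scan each transcript line and collect flagged URLs with who sent them and why."""
    findings = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        speaker, _, msg = rest.partition(": ")
        for url in URL_RE.findall(msg):
            reasons = classify_url(url)
            if reasons:
                findings.append({"time": ts, "speaker": speaker, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_transcript(SAMPLE_CHAT):
        print(f["time"], f["speaker"], f["url"], ",".join(f["reasons"]))
```

Run against the constructed transcript it flags the two visitor-supplied links and leaves the agent's genuine zendesk.com and okta.com links alone; the same classify_url check can be wired into a proxy or chat-platform webhook so the link is blocked before the agent clicks it.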

Beyond credential theft, the same phishing kit serves counterfeit security-software updates during the support interaction. Once run, these install remote-access tooling that gives the attackers a persistent foothold inside the corporate network. Using ProtonMail for the ransom communications adds a layer of anonymity and complicates attribution and response. Organisations with extensive BPO relationships are especially exposed, because third-party staff are often outside the security training and controls applied to internal employees while still holding credentials into the client's systems. Granular access controls and network isolation of BPO environments limit the blast radius when one of those accounts is compromised.

Mitigation focuses on hardening authentication and tightening domain controls. Phishing-resistant MFA, such as FIDO2 hardware security keys, removes the weakness the kit relies on: the authenticator signs a challenge bound to the genuine origin, so a look-alike page receives nothing replayable and there is no one-time code for the clipboard capture to steal. Blocking known malicious domain patterns at the proxy and DNS layers, combined with continuous auditing of newly enrolled MFA factors (an enrollment shortly after a login from an unfamiliar IP or country is a strong post-compromise signal), further reduces the attack surface. Security awareness programmes that include simulated live-chat phishing, rather than email alone, prepare helpdesk staff to recognise and report the lure before it escalates. Addressing both the technical and the human side is what blunts this extortion model.
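The enrollment audit mentioned above, as an added example that is not part of the original article: the function below walks identity-provider events, and for every MFA factor activation compares the login that preceded it against that user's earlier login history. An activation within 30 minutes of a login from an IP or country the user has never used before is flagged, as is any newly enrolled factor that is not phishing-resistant. The events are constructed and use a flattened shape loosely modelled on Okta System Log event types (user.session.start, user.mfa.factor.activate); the field names and factor labels are assumptions for the example, not the real API schema.

```python
from datetime import datetime, timedelta

# Constructed events (not real data). Real Okta System Log records nest these values
# under actor/client/outcome; the flat shape here is an assumption for the example.
EVENTS = [
    {"t": "2026-04-01T09:00:00Z", "type": "user.session.start", "user": "j.doe",
     "ip": "203.0.113.10", "country": "US"},
    {"t": "2026-04-08T14:12:30Z", "type": "user.session.start", "user": "j.doe",
     "ip": "198.51.100.77", "country": "RO"},
    {"t": "2026-04-08T14:14:05Z", "type": "user.mfa.factor.activate", "user": "j.doe",
     "ip": "198.51.100.77", "country": "RO", "factor": "okta_verify_push"},
    {"t": "2026-04-02T10:30:00Z", "type": "user.session.start", "user": "a.lee",
     "ip": "203.0.113.44", "country": "US"},
    {"t": "2026-04-08T15:00:00Z", "type": "user.session.start", "user": "a.lee",
     "ip": "203.0.113.44", "country": "US"},
    {"t": "2026-04-08T15:03:00Z", "type": "user.mfa.factor.activate", "user": "a.lee",
     "ip": "203.0.113.44", "country": "US", "factor": "webauthn"},
]

# Factor labels treated as phishing-resistant (assumed naming).
PHISHING_RESISTANT = {"webauthn", "fido2"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def audit_factor_enrollments(events, window=timedelta(minutes=30)):
    """Return one finding per suspicious MFA factor activation."""
    evs = sorted(events, key=lambda e: parse_ts(e["t"]))
    findings = []
    for e in evs:
        if e["type"] != "user.mfa.factor.activate":
            continue
        t_enrol = parse_ts(e["t"])
        # All of this user's logins up to the enrollment.
        logins = [x for x in evs
                  if x["type"] == "user.session.start"
                  and x["user"] == e["user"]
                  and parse_ts(x["t"]) <= t_enrol]
        # Logins inside the window are the candidate "attacker session";
        # everything older forms the user's baseline.
        recent = [x for x in logins if t_enrol - parse_ts(x["t"]) <= window]
        baseline = [x for x in logins if t_enrol - parse_ts(x["t"]) > window]
        known_ips = {x["ip"] for x in baseline}
        known_countries = {x["country"] for x in baseline}
        minutes = int(window.total_seconds() // 60)

        reasons = []
        for x in recent:
            if x["ip"] not in known_ips:
                reasons.append(f"enrolled within {minutes} min of login from new IP {x['ip']}")
            if x["country"] not in known_countries:
                reasons.append(f"login country {x['country']} not in user's history")
        if e["factor"] not in PHISHING_RESISTANT:
            reasons.append(f"factor {e['factor']} is not phishing-resistant")
        if reasons:
            findings.append({"user": e["user"], "time": e["t"],
                             "factor": e["factor"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_factor_enrollments(EVENTS):
        print(f["user"], f["time"], f["factor"])
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed events j.doe's push-factor enrollment two minutes after a first-ever login from a Romanian address is flagged on all three counts, while a.lee's WebAuthn enrollment from a long-standing IP is not. Fed from a real System Log export the same logic gives the helpdesk a short daily list of enrollments to confirm with the user out of band.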
