
The technique defeats the password-plus-one-time-code defenses most enterprises rely on, exposing critical cloud data and amplifying extortion risk for organizations built on SaaS services. It forces them to accelerate adoption of phishing-resistant authentication.
The rise of vishing-driven credential theft marks a shift from classic phishing to real-time social engineering. By talking employees into reading out one-time MFA codes during a phone call, threat actors sidestep the protective layer that multi-factor authentication was meant to add. This approach is especially potent against cloud-first organizations, where a single compromised identity can unlock a suite of SaaS tools, from the identity provider itself to collaboration platforms. The combination of voice-based deception and credential-harvesting sites creates a low-cost, high-impact attack vector that traditional email filters never see, because the lure arrives by phone rather than in the mailbox.
For security teams, the immediate challenge is visibility. Centrally collecting identity-provider logs and detecting MFA enrollment anomalies (a new factor registered shortly after a help-desk password reset), unusual OAuth authorizations, and identity changes at off-hours can surface the early stages of an intrusion. Enforcing strict help-desk verification, such as a live video call before any credential or factor reset, and retiring push-based and SMS MFA in favor of factors that cannot be read out over the phone reduce the attack surface. Segmenting access to management planes and applying device-based access controls limit lateral movement once a credential is compromised. These controls, combined with continuous monitoring for credential-harvesting domains that imitate the organization's login pages, help defenders keep pace with the fluid tactics employed by groups like UNC6661 and UNC6671.
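The three detection signals named above, run over a small constructed identity-provider log, as an added example that is not part of the original article and not code from any vendor. The event schema, event type names (helpdesk.password_reset, mfa.factor.enrolled, oauth.consent.granted), business hours, the 24-hour reset-to-enrollment window and the approved-app list are all assumptions for this example; a real deployment maps them onto the IdP's own log fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is a constructed, vendor-neutral identity-provider log record used
// only for this example; it is not any real IdP's schema.
type Event struct {
	Time   time.Time `json:"time"`
	User   string    `json:"user"`
	Type   string    `json:"type"`
	Detail string    `json:"detail"` // factor type or "<app> <scopes>" for consents
	IP     string    `json:"ip"`
}

// Finding is one triggered detection rule for one event.
type Finding struct {
	User string
	Rule string
	At   time.Time
}

// Constructed sample log (not a real capture): bob is walked through a
// "help-desk" password reset late in the evening, then a new push factor and
// an unknown OAuth app appear on the account within minutes.
const sampleLog = `[
 {"time":"2024-05-14T09:12:00Z","user":"alice","type":"user.login","detail":"password+push","ip":"10.0.0.5"},
 {"time":"2024-05-14T22:41:00Z","user":"bob","type":"helpdesk.password_reset","detail":"ticket opened by phone","ip":"203.0.113.9"},
 {"time":"2024-05-14T22:44:00Z","user":"bob","type":"user.login","detail":"password+sms","ip":"203.0.113.9"},
 {"time":"2024-05-14T22:47:00Z","user":"bob","type":"mfa.factor.enrolled","detail":"push","ip":"203.0.113.9"},
 {"time":"2024-05-14T22:55:00Z","user":"bob","type":"oauth.consent.granted","detail":"unknown-app offline_access mail.read","ip":"203.0.113.9"},
 {"time":"2024-05-15T10:03:00Z","user":"carol","type":"mfa.factor.enrolled","detail":"fido2","ip":"10.0.0.7"}
]`

// Assumed policy values for this example.
const resetToEnrollWindow = 24 * time.Hour
const workStartUTC, workEndUTC = 8, 18

var approvedApps = map[string]bool{"corp-mail": true, "corp-chat": true}

// identityChanges are the event types worth flagging when they happen off-hours.
var identityChanges = map[string]bool{
	"helpdesk.password_reset": true,
	"mfa.factor.enrolled":     true,
	"oauth.consent.granted":   true,
}

// ParseEvents decodes the JSON array and orders it by time so the
// reset-then-enroll correlation below can run in a single pass.
func ParseEvents(raw string) ([]Event, error) {
	var evs []Event
	if err := json.Unmarshal([]byte(raw), &evs); err != nil {
		return nil, err
	}
	sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
	return evs, nil
}

func offHours(t time.Time) bool {
	h := t.UTC().Hour()
	return h < workStartUTC || h >= workEndUTC
}

// Analyze applies three rules: a factor enrolled soon after a help-desk
// reset, consent granted to an app outside the allowlist, and any identity
// change outside business hours.
func Analyze(evs []Event) []Finding {
	var out []Finding
	lastReset := map[string]time.Time{} // user -> most recent help-desk reset
	for _, e := range evs {
		switch e.Type {
		case "helpdesk.password_reset":
			lastReset[e.User] = e.Time
		case "mfa.factor.enrolled":
			if r, ok := lastReset[e.User]; ok && e.Time.Sub(r) <= resetToEnrollWindow {
				out = append(out, Finding{e.User, "mfa-enrolled-after-helpdesk-reset", e.Time})
			}
		case "oauth.consent.granted":
			if f := strings.Fields(e.Detail); len(f) == 0 || !approvedApps[f[0]] {
				out = append(out, Finding{e.User, "oauth-consent-unapproved-app", e.Time})
			}
		}
		if identityChanges[e.Type] && offHours(e.Time) {
			out = append(out, Finding{e.User, "identity-change-off-hours", e.Time})
		}
	}
	return out
}

func main() {
	evs, err := ParseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(evs) {
		fmt.Printf("%s  %-6s  %s\n", f.At.Format(time.RFC3339), f.User, f.Rule)
	}
}
```

On the sample, only bob trips any rule: one enrollment-after-reset finding, one unapproved-consent finding and three off-hours findings. carol's daytime FIDO2 enrollment with no preceding reset stays quiet, which is the point of correlating rather than alerting on every enrollment.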
Long-term, the industry must pivot toward phishing-resistant authentication. FIDO2 security keys and passkeys rely on a private key that never leaves the authenticator and on a signed challenge bound to the site's origin, rather than on a shared secret or a code the user can read out, so a caller has nothing to ask for and a look-alike site cannot obtain a usable assertion. As extortion becomes the primary motive, attackers will likely refine their social-engineering scripts and target high-value sectors such as cryptocurrency firms. Enterprises that deploy phishing-resistant MFA, enforce zero-trust principles, and maintain rigorous identity hygiene will be better positioned to protect sensitive data and limit the financial fallout of extortion campaigns.
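Why the vishing relay works against a shared-secret code but not against an origin-bound assertion, as an added example that is not part of the original article. The exchange below is a simplified WebAuthn-style challenge-response written for this example (it is not the full CTAP2/WebAuthn encoding and not any library's code): the origins, the HMAC-based one-time code, the P-256 key and the single-use challenge store are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// otpCode is a simplified TOTP-style code (HMAC over a counter). Whoever
// learns the code, including a caller who talks the user into reading it
// out, can submit it; the server cannot tell who typed it.
func otpCode(secret []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha256.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// clientData is what the browser (not the user) assembles and the
// authenticator signs; the browser fills in the origin it is really connected to.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	Sig            []byte
}

// authenticator holds the private key; it never leaves the device, so there
// is nothing for a caller to ask for.
type authenticator struct{ key *ecdsa.PrivateKey }

func (a *authenticator) sign(challenge, origin string) (assertion, error) {
	cd, err := json.Marshal(clientData{"webauthn.get", challenge, origin})
	if err != nil {
		return assertion{}, err
	}
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, h[:])
	return assertion{cd, sig}, err
}

// relyingParty is the IdP: it issues single-use challenges and only accepts
// assertions whose recorded origin is its own.
type relyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func (rp *relyingParty) newChallenge() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b[:])
	rp.pending[c] = true
	return c, nil
}

func (rp *relyingParty) verify(a assertion) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.origin || !rp.pending[cd.Challenge] {
		return false
	}
	delete(rp.pending, cd.Challenge) // single use: a captured assertion cannot be replayed
	h := sha256.Sum256(a.ClientDataJSON)
	return ecdsa.VerifyASN1(rp.pub, h[:], a.Sig)
}

// Scenarios runs the same relay against both factor types and returns
// (otpRelayAccepted, fidoGenuineAccepted, fidoRelayAccepted).
func Scenarios() (bool, bool, bool, error) {
	const realOrigin = "https://sso.example.com"            // assumed legitimate IdP
	const phishOrigin = "https://sso-example-com.invalid"   // assumed attacker page

	// 1. Shared-secret code: the victim reads it to the "help desk", the attacker types it in.
	secret := []byte("constructed-shared-secret")
	spoken := otpCode(secret, 42)
	otpAccepted := otpCode(secret, 42) == spoken

	// 2. Origin-bound assertion: same relay, but the browser records where the user really is.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	auth := &authenticator{key}
	rp := &relyingParty{realOrigin, &key.PublicKey, map[string]bool{}}

	c1, err := rp.newChallenge()
	if err != nil {
		return false, false, false, err
	}
	genuine, err := auth.sign(c1, realOrigin) // user on the real login page
	if err != nil {
		return false, false, false, err
	}
	c2, err := rp.newChallenge() // attacker fetches a fresh challenge from the real IdP...
	if err != nil {
		return false, false, false, err
	}
	relayed, err := auth.sign(c2, phishOrigin) // ...and has the victim sign it on the phishing page
	if err != nil {
		return false, false, false, err
	}
	return otpAccepted, rp.verify(genuine), rp.verify(relayed), nil
}

func main() {
	o, g, r, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("OTP code relayed over the phone accepted:", o)
	fmt.Println("FIDO2 assertion from the real origin accepted:", g)
	fmt.Println("FIDO2 assertion relayed via phishing origin accepted:", r)
}
```

The relayed assertion fails before the signature is even checked, because the origin the browser wrote into the signed client data is the phishing site's, not the IdP's; and since the private key stays in the authenticator, the attacker cannot produce a fresh assertion for the real origin either.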