Welcome to BlackFile: Inside a Vishing Extortion Operation

Google Cloud Blog – DevOps & SRE
May 15, 2026

Why It Matters

The tactics bypass traditional MFA, exposing massive SaaS data and forcing enterprises to adopt phishing‑resistant authentication and stronger log‑monitoring to protect critical assets.

Key Takeaways

  • BlackFile uses vishing and AiTM to steal MFA credentials in real time
  • Automated scripts exfiltrate SharePoint/OneDrive data, masquerading as FileAccessed events
  • Extortion demands start at millions, often settle at six‑figure sums
  • Phishing‑resistant MFA and credential‑guarding are critical defenses

Pulse Analysis

Vishing, once a niche social‑engineering vector, has surged in sophistication as threat actors like UNC6671 combine voice phishing with real‑time adversary‑in‑the‑middle (AiTM) techniques. By impersonating internal IT staff and directing victims to look‑alike SSO portals, the group captures credentials and MFA codes within seconds. This rapid credential harvest enables attackers to register their own MFA devices, effectively locking legitimate users out and establishing a foothold that traditional perimeter defenses struggle to block. The rise of AiTM underscores a broader shift toward identity‑centric attacks that exploit human trust as much as technical vulnerabilities.

Once inside, BlackFile leverages automated scripts written in Python and PowerShell to pull data from Microsoft 365 services via Microsoft Graph and direct HTTP requests. By reusing valid session cookies, the actors stream files in a way that registers as FileAccessed rather than FileDownloaded, blending into normal user activity and evading many Security Operations Centers that prioritize download alerts. Audit logs reveal tell‑tale user‑agent strings and unusual VPN‑origin IPs, but without refined detection rules, these indicators can be missed. Organizations that rely solely on file‑download thresholds risk blind spots, making it essential to treat scripted file‑access events with the same severity as explicit downloads.

The business impact is stark: compromised data includes confidential contracts, PII, and extensive CRM records, which are then leveraged in high‑pressure extortion notes demanding millions, often settling for six‑figure sums. To counter this, experts recommend deploying phishing‑resistant MFA such as FIDO2 security keys, enabling credential‑guarding tools that flag password entry on unauthorized domains, and tightening log monitoring for anomalous user‑agent activity and rapid, high‑volume file accesses. As threat actors adapt and rebrand, a proactive identity‑security posture—combining technical controls with user education—remains the most effective defense against these evolving extortion campaigns.
