Google's Threat Intelligence Group (GTIG) and Mandiant have observed a sharp rise in intrusions linked to the ShinyHunters extortion group. The attackers obtain employees' single sign-on (SSO) credentials and multi-factor authentication (MFA) codes through voice phishing (vishing) calls paired with fake login pages, then use that access to pull sensitive data from cloud applications such as SharePoint, Salesforce and DocuSign.

The stolen data is then used for ransom demands, with leaks published on dark web sites when victims do not pay. No vendor software defect is exploited; the campaign relies entirely on social engineering. GTIG tracks the activity as the UNC6661, UNC6671 and UNC6240 clusters.

The attacks now reach a wider set of cloud platforms, reflecting ShinyHunters' appetite for richer data to strengthen its extortion leverage. The group has also added pressure tactics, including harassing victims' employees and launching DDoS attacks against company websites.

Techniques for Credential Theft and Vishing

The threat actors pose as IT help desk staff. They call employees, claim that an MFA update is required, and direct them to lookalike login pages on domains patterned on names such as sso[.]com or internal[.]com. These domains are frequently registered through registrars such as Tucows or NICENIC.

Once a victim enters SSO credentials and an MFA code on the fake page, the attackers replay them against the real identity provider and enroll their own MFA device on the account, giving them durable access. UNC6661's activity began in early January 2026: after compromising Okta accounts, the actors pivoted into the SaaS applications federated behind them.

The report includes a redacted Microsoft 365 audit log record from one intrusion. It captures a SharePoint FileDownloaded event performed over OAuth with a WindowsPowerShell user agent from a device the tenant does not manage (the 1601-01-01 timestamps inside AppAccessContext are the Windows FILETIME zero value, i.e. unset, not real authentication times):

```json
{
  "AppAccessContext": {
    "AADSessionId": "[REDACTED_GUID]",
    "AuthTime": "1601-01-01T00:00:00",
    "ClientAppId": "[REDACTED_APP_ID]",
    "ClientAppName": "Microsoft Office",
    "CorrelationId": "[REDACTED_GUID]",
    "TokenIssuedAtTime": "1601-01-01T00:02:56",
    "UniqueTokenId": "[REDACTED_ID]"
  },
  "CreationTime": "2026-01-10T13:17:11",
  "Id": "[REDACTED_GUID]",
  "Operation": "FileDownloaded",
  "OrganizationId": "[REDACTED_GUID]",
  "RecordType": 6,
  "UserKey": "[REDACTED_USER_KEY]",
  "UserType": 0,
  "Version": 1,
  "Workload": "SharePoint",
  "ClientIP": "[REDACTED_IP]",
  "UserId": "[REDACTED_EMAIL]",
  "ApplicationId": "[REDACTED_APP_ID]",
  "AuthenticationType": "OAuth",
  "BrowserName": "Mozilla",
  "BrowserVersion": "5.0",
  "CorrelationId": "[REDACTED_GUID]",
  "EventSource": "SharePoint",
  "GeoLocation": "NAM",
  "IsManagedDevice": false,
  "ItemType": "File",
  "ListId": "[REDACTED_GUID]",
  "ListItemUniqueId": "[REDACTED_GUID]",
  "Platform": "WinDesktop",
  "Site": "[REDACTED_GUID]",
  "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294",
  "WebId": "[REDACTED_GUID]",
  "DeviceDisplayName": "[REDACTED_IPV6]",
  "EventSignature": "[REDACTED_SIGNATURE]",
  "FileSizeBytes": 31912,
  "HighPriorityMediaProcessing": false,
  "ListBaseType": 1,
  "ListServerTemplate": 101,
  "SensitivityLabelId": "[REDACTED_GUID]",
  "SiteSensitivityLabelId": "",
  "SensitivityLabelOwnerEmail": "[REDACTED_EMAIL]",
  "SourceRelativeUrl": "[REDACTED_RELATIVE_URL]",
  "SourceFileName": "[REDACTED_FILENAME]",
  "SourceFileExtension": "xlsx",
  "ApplicationDisplayName": "Microsoft Office",
  "SiteUrl": "[REDACTED_URL]",
  "ObjectId": "[REDACTED_URL]/[REDACTED_FILENAME]"
}
```

Across the intrusions, logs show SharePoint downloads driven from PowerShell, Salesforce logins from suspicious IP addresses, and DocuSign envelopes being pulled.

In one case the attackers covered their tracks by enabling the ToogleBox Recall add-on in Google Workspace and using it to pull back Okta's "new MFA device" notification emails from the victim's mailbox. UNC6671 ran a similar vishing operation but relied on different domain registrars, and likewise used PowerShell to pull data out of SharePoint.

After gaining access, UNC6661 also used the compromised accounts to send phishing emails to cryptocurrency companies, then deleted the sent messages. UNC6240 runs the extortion side: contact over Tox, ransom demands in Bitcoin, and stolen-data samples shared via LimeWire. Extortion emails are sent from addresses such as shinycorp@tutanota.com, and victims are named on a new "SHINYHUNTERS" leak site.

Phishing Domain Patterns

Keyword patterns seen in the lookalike domains (defanged):

Corporate SSO: sso[.]com, mysso[.]com
Internal portals: internal[.]com
Support/helpdesk: support[.]com, support-[.]com
Identity providers: okta[.]com, azure[.]com
Access portals: access[.]com, myaccess[.]com

Data Exfiltration and Extortion Escalation

Once inside, the attackers search cloud applications for keywords such as "poc", "confidential", "salesforce" and "vpn", and target personally identifiable information (PII) held in Salesforce records and Slack conversations.

The extortion notes contain threats, Bitcoin addresses and 72-hour payment deadlines. UNC6671 harasses employees directly and does not use ShinyHunters branding. The attacker IP addresses are linked to VPN and proxy services such as Mullvad and Oxylabs.

Ransom note sample (Source: Google Cloud)

Google has added the identified phishing domains to Chrome Safe Browsing.

Key Network IOCs

IP address (defanged)   ASN    Association
24.242.93[.]122         11427  UNC6661
73.135.228[.]98         33657  UNC6661
76.64.54[.]159          577    UNC6671
142.127.171[.]133       577    UNC6671

Defenders should move to phishing-resistant MFA such as FIDO2 security keys or passkeys; unlike push approvals or SMS codes, these are bound to the legitimate origin and cannot be relayed through a fake login page. Watch for ToogleBox authorizations in Google Workspace, high-volume SharePoint downloads with a PowerShell user agent, and Okta admin role changes originating from anonymized IP addresses.
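The audit record earlier in the article and the hunting advice above point at the same detection: SharePoint FileDownloaded events whose UserAgent is WindowsPowerShell and whose IsManagedDevice flag is false, clustered on one account in a short window. The Python below is an added example written for this page; it is not code from the original article or from Google. It generalizes the single record shown above into a per-user sliding-window threshold. Every record, user, IP, file name and threshold in it is constructed and would need tuning, and a real audit-log export, before use.

```python
"""Hunt for SharePoint bulk downloads driven from PowerShell on unmanaged devices.

Added example (not Google's or the article's code). It reads records shaped like
Microsoft 365 unified audit log entries (RecordType 6, SharePoint file
operations) and raises one alert per user who crosses a download threshold
inside a sliding time window. Every record below is constructed; users, IPs,
file names and thresholds are assumptions to tune for a real tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Edg/120.0.0.0"


def make_record(user, time, user_agent, managed, ip, operation="FileDownloaded", filename="report.xlsx"):
    """Build a minimal audit record carrying only the fields the detection reads."""
    return {
        "CreationTime": time,
        "Operation": operation,
        "RecordType": 6,
        "Workload": "SharePoint",
        "UserId": user,
        "ClientIP": ip,
        "IsManagedDevice": managed,
        "UserAgent": user_agent,
        "SourceFileName": filename,
    }


# Constructed sample log: alice pulls six files from PowerShell on an unmanaged
# host within five minutes (the pattern described in the article), bob browses a
# few files from a managed device, carol does two PowerShell downloads (below
# threshold), and one alice event is a FileAccessed rather than a download.
SAMPLE_RECORDS = (
    [make_record("alice@example.com", f"2026-01-10T13:1{i}:11", PS_UA, False,
                 "203.0.113.5", filename=f"export{i}.xlsx") for i in range(6)]
    + [make_record("bob@example.com", f"2026-01-10T09:0{i}:00", EDGE_UA, True,
                   "198.51.100.7") for i in range(3)]
    + [make_record("carol@example.com", f"2026-01-10T15:3{i}:00", PS_UA, False,
                   "203.0.113.9") for i in range(2)]
    + [make_record("alice@example.com", "2026-01-10T13:12:00", PS_UA, False,
                   "203.0.113.5", operation="FileAccessed")]
)


def load_records(jsonl_text):
    """Parse newline-delimited JSON, one audit record per line (blank lines skipped)."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def is_suspicious_download(rec):
    """SharePoint FileDownloaded with a PowerShell user agent from an unmanaged device."""
    ua = rec.get("UserAgent") or ""
    return (
        rec.get("Workload") == "SharePoint"
        and rec.get("Operation") == "FileDownloaded"
        and "powershell" in ua.lower()
        and not rec.get("IsManagedDevice", False)
    )


def find_bulk_downloads(records, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user with >= threshold suspicious downloads inside any window.

    The window slides over each user's time-sorted events; the alert reports the
    densest window found so the analyst sees the whole burst, not just its first hit.
    """
    per_user = defaultdict(list)
    for rec in records:
        if is_suspicious_download(rec):
            per_user[rec["UserId"]].append((datetime.fromisoformat(rec["CreationTime"]), rec))

    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        times = [t for t, _ in events]
        start, best = 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                burst = [r for _, r in events[start:end + 1]]
                best = {
                    "user": user,
                    "count": count,
                    "first_seen": times[start].isoformat(),
                    "last_seen": times[end].isoformat(),
                    "client_ips": sorted({r["ClientIP"] for r in burst}),
                    "files": [r["SourceFileName"] for r in burst],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    # Round-trip through JSONL to show the parser handles an exported log.
    exported = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)
    for alert in find_bulk_downloads(load_records(exported)):
        print(json.dumps(alert, indent=2))
```

In production the records would come from an Office 365 Management Activity API subscription or a Search-UnifiedAuditLog export rather than the constructed list, and the threshold should be baselined per tenant: automation accounts that legitimately use PnP PowerShell against SharePoint will trip this rule unless they are allow-listed or run from managed hosts. Pairing the alert with the ClientIP enrichment (VPN or proxy ASN, as in the IOC table above) and with Okta's new-MFA-device events for the same user gives a much stronger signal than any one field alone.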

Google Security Operations ships detection rules for this activity, including "Okta Suspicious Actions from Anonymized IP" and rules for high-volume SharePoint queries.