ShinyHunters flip the script on MFA in new data theft attacks


Multi-factor authentication (MFA) is supposed to defend against phishing attacks, but threat actors operating under the ShinyHunters banner are using it as a pretext in ongoing social engineering attacks aimed at bypassing it.

Among those successfully targeted in this latest hacking spree are Panera Bread, SoundCloud, Match Group (owner of online dating services Tinder, Hinge, Match and OkCupid) and Crunchbase.

There will likely be many more victims, as Silent Push researchers detected active targeting or infrastructure preparation directed at domains of a wide variety of organizations in the tech and fintech, financial services, real estate, energy, healthcare, logistics, retail, and many other sectors.

Synchronized vishing-phishing attacks

Ten days ago, Okta warned about a new tool used by threat actors who specialize in voice phishing: custom-made phishing kits that allow them to synchronize the authentication flow on phishing pages with the requests they make over the phone.

“It’s worth noting that these hybrid phishing operations are also capable of bypassing push notifications that use number challenge/number matching as an additional method of verification,” Okta researchers noted.

“A social engineer interacting on the phone with a targeted user can simply request a user to choose or enter a specific number.”

Identifying the attack groups

Mandiant, Google Cloud’s threat intelligence and incident response arm, says there are several seemingly independent groups that are using the same or a similar approach: UNC6661 and UNC6671.

“In incidents spanning early to mid-January 2026, UNC6661 pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings. The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA. In at least some cases, the threat actor gained access to accounts belonging to Okta customers,” the researchers noted.

The attackers moved laterally through victim customer environments to access various SaaS platforms and exfiltrate specific data from them: they searched for documents containing personally identifiable information, but also containing words such as “poc,” “confidential,” “internal,” “proposal,” “salesforce,” and “vpn”.

In at least one incident where these attackers gained access to an Okta customer account, the group tried to minimize the possibility of detection by deleting a “Security method enrolled” email from Okta, and by deleting phishing emails sent from compromised email accounts to contacts working at cryptocurrency-focused companies.
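The tell-tale sequence in the incidents above is a sign-in with harvested credentials followed minutes later by the attacker enrolling their own MFA device. The following is an added detection example written for this article, not code from the article, Mandiant or Okta; it assumes Okta System Log-style events with `user.session.start` and `user.mfa.factor.activate` event types and a `clientIp` field, and uses a constructed per-user baseline of familiar networks.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events in an Okta System Log-like shape (not real data).
# Field names and event types are an assumption about the log layout.
SAMPLE_EVENTS = [
    {"published": "2026-01-14T09:02:11Z", "actor": "alice@example.test",
     "eventType": "user.session.start", "clientIp": "203.0.113.45"},
    {"published": "2026-01-14T09:05:40Z", "actor": "alice@example.test",
     "eventType": "user.mfa.factor.activate", "clientIp": "203.0.113.45"},
    {"published": "2026-01-14T10:15:00Z", "actor": "bob@example.test",
     "eventType": "user.session.start", "clientIp": "198.51.100.7"},
    {"published": "2026-01-14T10:20:00Z", "actor": "bob@example.test",
     "eventType": "user.mfa.factor.activate", "clientIp": "198.51.100.7"},
]

# Constructed per-user baseline: networks each user has signed in from before.
KNOWN_NETWORKS = {
    "alice@example.test": ["198.51.100.0/24"],
    "bob@example.test": ["198.51.100.0/24"],
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _is_known(actor, ip, known_networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in known_networks.get(actor, []))


def find_suspicious_enrollments(events, known_networks, window=timedelta(minutes=30)):
    """Return (actor, enrollment timestamp) pairs where an MFA factor was activated
    within `window` of a sign-in from a network outside the user's baseline.
    Legitimate re-enrollments from a familiar network are deliberately ignored."""
    ordered = sorted(events, key=lambda e: e["published"])
    unfamiliar_login = {}  # actor -> time of latest sign-in from an unknown network
    hits = []
    for ev in ordered:
        ts, actor = _parse(ev["published"]), ev["actor"]
        if ev["eventType"] == "user.session.start":
            if not _is_known(actor, ev["clientIp"], known_networks):
                unfamiliar_login[actor] = ts
        elif ev["eventType"] == "user.mfa.factor.activate":
            login_ts = unfamiliar_login.get(actor)
            if login_ts is not None and ts - login_ts <= window:
                hits.append((actor, ev["published"]))
    return hits


if __name__ == "__main__":
    for actor, when in find_suspicious_enrollments(SAMPLE_EVENTS, KNOWN_NETWORKS):
        print(f"review: {actor} enrolled a new MFA factor at {when} after an unfamiliar sign-in")
```

Because the attackers also deleted the “Security method enrolled” notification, the log-side signal matters more than the email the user would otherwise receive.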

Around the same time, the UNC6671 threat actor impersonated IT staff over the phone and directed victims to enter their credentials and MFA authentication codes into phishing sites that were made to look like they belonged to their employer.

Once they gained access to Okta customer accounts, the group leveraged PowerShell to download sensitive data from SharePoint and OneDrive. And after they made off with the data, during the extortion process, they used aggressive tactics such as harassing the victimized personnel.

Based on details such as phishing domain hosting, Tox Chat accounts used for negotiation and other indicators, Mandiant researchers believe these are two separate groups or individuals.

Based on overlapping tactics, techniques, and procedures used, UNC6661 can be tied to UNC6040, i.e., the ShinyHunters cyber extortion group.

“GTIG also observed extortion text messages sent to employees and received reports of victim websites being targeted with distributed denial-of-service (DDoS) attacks,” the researchers also shared.

The researchers have shared indicators of compromise related to the attacks as well as threat hunting queries. Mandiant has also published thorough guidance for organizations on how to avoid becoming a victim in these attacks, how to detect intrusions, and how to minimize the scope of the compromise if they do become a victim.
