(google.com) BlackFile Unmasked: Anatomy of a Vishing-Driven Extortion Campaign Targeting Cloud Identities
UNC6671 (BlackFile) conducts vishing-driven extortion via AiTM MFA bypass and cloud SaaS compromise, targeting Microsoft 365 and Okta. Active since early 2026, the campaign has affected organizations in North America, Australia, and the UK, using automated data theft and escalating pressure tactics.
In brief - A financially motivated threat actor uses voice phishing and adversary-in-the-middle attacks to bypass MFA, compromise SSO portals, and exfiltrate sensitive cloud data for extortion. The group employs aggressive follow-up tactics and operates a data leak site, though recent shutdowns suggest rebranding.
Technically - UNC6671 initiates attacks via vishing calls that direct victims to AiTM phishing pages (e.g., <org>.passkeyms[.]com), harvesting credentials and MFA tokens in real time. Post-compromise, the actor registers attacker-controlled MFA devices, moves laterally via SSO, and exfiltrates data using Python/PowerShell scripts that issue HTTP GET requests carrying a valid session cookie (e.g., FedAuth). Because the files are fetched with plain GET requests, the activity is logged as FileAccessed events rather than FileDownloaded, so detections keyed on download events miss it. Extortion is conducted over Tox/Session for encrypted communication and escalates to spam or swatting if the victim does not respond.
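One defender-side detection the FileAccessed-only exfiltration pattern suggests, written here as an added example and not taken from the Google report: flag a single user, client IP and scripted user agent that produce a burst of FileAccessed events within a short window. The record fields (Operation, UserId, ClientIP, UserAgent, CreationTime, ObjectId) follow the Unified Audit Log SharePoint layout; the sample events, the user-agent marker list and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Substrings that mark a scripted HTTP client rather than a browser (assumed list, not from the report).
SCRIPT_UA_MARKERS = ("python-requests", "python-urllib", "powershell", "curl/")

def _event(op, user, ip, ua, when, path):
    # Minimal record shaped like a Unified Audit Log SharePoint entry (constructed values).
    return {"CreationTime": when.isoformat(), "Operation": op, "UserId": user,
            "ClientIP": ip, "UserAgent": ua, "ObjectId": path}

def build_sample_events():
    """Constructed sample log: normal browser activity plus one scripted burst."""
    t0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"
    # Benign: a user opening a few files in a browser over an hour.
    events = [_event("FileAccessed", "alice@example.test", "198.51.100.7", browser,
                     t0 + timedelta(minutes=10 * i), f"/sites/hr/doc{i}.docx") for i in range(6)]
    # Suspicious: a replayed session cookie driving GETs for 40 files in 80 seconds.
    events += [_event("FileAccessed", "bob@example.test", "203.0.113.9", "python-requests/2.31.0",
                      t0 + timedelta(seconds=2 * i), f"/sites/finance/f{i}.xlsx") for i in range(40)]
    return events

def is_scripted_ua(ua):
    ua = (ua or "").lower()
    return any(m in ua for m in SCRIPT_UA_MARKERS)

def detect_scripted_access(events, window_minutes=5, threshold=25):
    """Flag (user, ip, user agent) tuples whose FileAccessed events from a scripted client
    reach `threshold` inside any `window_minutes` sliding window. FileDownloaded is not
    required, since GET-with-cookie exfiltration only produces FileAccessed."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Operation") == "FileAccessed" and is_scripted_ua(e.get("UserAgent")):
            key = (e["UserId"], e["ClientIP"], e["UserAgent"])
            groups[key].append((datetime.fromisoformat(e["CreationTime"]), e["ObjectId"]))
    window, findings = timedelta(minutes=window_minutes), []
    for (user, ip, ua), recs in groups.items():
        recs.sort()
        peak = start = 0
        for end in range(len(recs)):  # two-pointer window over sorted timestamps
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"user": user, "ip": ip, "user_agent": ua, "peak_count": peak,
                             "distinct_files": len({p for _, p in recs})})
    return findings
```

Pair this with alerts on new MFA device registrations for the same account, since the report describes that step preceding the scripted access.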
Source: https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/