The Google Threat Intelligence Group (GTIG) has been monitoring an extensive extortion campaign executed by UNC6671, known as the BlackFile group. This threat actor employs advanced voice phishing (vishing) techniques and compromises single sign-on (SSO) systems to infiltrate organizations. By utilizing adversary-in-the-middle (AiTM) strategies to circumvent traditional security measures, including multi-factor authentication (MFA), UNC6671 gains significant access to cloud environments, primarily targeting Microsoft 365 and Okta infrastructures.
Since its emergence in early 2026, UNC6671 has demonstrated a consistent operational pace, reportedly targeting numerous organizations across North America, Australia, and the UK. GTIG previously identified UNC6671 as a distinct entity from other threat groups, despite their occasional use of the ShinyHunters brand to lend credibility to their threats. This distinction is further supported by their unique communication methods and the establishment of a dedicated BlackFile data leak site (DLS).
Initial Access Strategies
UNC6671's initial access methods heavily rely on high-volume vishing operations, characterized by sophisticated social engineering tactics. The attackers often employ hired callers who impersonate IT or help desk personnel, contacting victims on their personal phones to evade security protocols.
- Pretext for Calls: Callers present themselves as internal support staff, cite mandatory updates to passkeys or MFA, and direct victims to credential-harvesting sites.
- Domain Models: Recent campaigns have shifted towards using subdomains that enhance the legitimacy of their pretext, such as subdomains of enrollms[.]com.
Real-Time Credential Interception
During vishing calls, the attackers execute a live adversary-in-the-middle (AiTM) attack:
- Redirection: Victims are led to a fake SSO portal.
- Credential Capture: As victims enter their credentials, attackers capture and submit them to the actual SSO provider.
- MFA Bypass: Victims unknowingly provide MFA codes to the attackers.
- Device Registration: Attackers register a new MFA device to maintain access.
Data Theft Operations
Once authenticated, UNC6671 exploits SSO access to navigate through the victim's SaaS applications, focusing on platforms like Microsoft 365 and Okta. They utilize compromised accounts to access sensitive information stored in SharePoint, OneDrive, and other applications.
Key tactics include:
- Automated scripts for data exfiltration, allowing for rapid access to high-value data.
- Use of APIs and tooling such as the Microsoft Graph API and PowerShell to conduct stealthy data retrieval.
Extortion Tactics
UNC6671 initiates extortion campaigns with unbranded ransom notes sent from consumer email accounts. Once a victim responds, the attackers reveal their identity as BlackFile and negotiate ransom amounts, often starting in the millions before settling for lower figures.
When victims do not engage, the group escalates pressure through aggressive tactics, including:
- Spam campaigns targeting employee inboxes.
- Threatening voicemails to executives.
- In extreme cases, swatting tactics against personnel.
Recommendations for Defense
To mitigate risks associated with these attacks, organizations are advised to:
- Implement Phishing-Resistant MFA: Transition to FIDO2-compliant security keys.
- Monitor Identity Provider Logs: Look for unusual authentication patterns, such as a new MFA device being registered shortly after a sign-in from an unfamiliar location.
- Audit SaaS API Activity: Keep an eye on high-volume file access events.
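The two log-monitoring recommendations above can be turned into concrete detection logic. The following is an added example written for this summary, not code from the GTIG report or from any vendor; the event schema, field names, user names, IP addresses and timestamps are all constructed for illustration, and a real deployment would map them onto the identity provider's and SaaS platform's actual audit formats. It flags two signals from the intrusion pattern described earlier: an MFA device registration that follows a sign-in from an IP outside the user's baseline within a short window, and a burst of file reads or downloads by a single account.

```python
"""Detection heuristics for the vishing/AiTM-to-data-theft pattern described above.

Two checks over constructed sample logs (hypothetical schema, not a real vendor format):
  1. MFA enrollment shortly after a sign-in from an IP not in the user's baseline.
  2. High-volume file access by one user inside a sliding time window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed identity-provider events (schema and values are made up) ---
IDP_EVENTS = [
    {"ts": "2026-03-02T14:01:10Z", "user": "alice", "event": "signin",
     "ip": "198.51.100.7"},
    {"ts": "2026-03-02T14:03:42Z", "user": "alice", "event": "mfa_device_registered",
     "ip": "198.51.100.7", "factor": "authenticator_app"},
    {"ts": "2026-03-02T09:00:00Z", "user": "bob", "event": "signin",
     "ip": "203.0.113.5"},
    {"ts": "2026-03-03T10:00:00Z", "user": "bob", "event": "mfa_device_registered",
     "ip": "203.0.113.5", "factor": "authenticator_app"},
]

# Per-user set of IPs seen during a learning period (constructed baseline).
BASELINE_IPS = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.5"}}

# --- Constructed SaaS file-audit events: alice bulk-downloads 12 files in 44 seconds,
# bob touches three files over an hour (normal interactive use). ---
SAAS_FILE_EVENTS = [
    {"ts": f"2026-03-02T14:05:{i * 4:02d}Z", "user": "alice", "op": "FileDownloaded",
     "path": f"/sites/finance/doc{i}.xlsx"}
    for i in range(12)
] + [
    {"ts": "2026-03-02T09:15:00Z", "user": "bob", "op": "FileAccessed",
     "path": "/personal/bob/notes.docx"},
    {"ts": "2026-03-02T09:40:00Z", "user": "bob", "op": "FileDownloaded",
     "path": "/personal/bob/report.pdf"},
    {"ts": "2026-03-02T10:10:00Z", "user": "bob", "op": "FileAccessed",
     "path": "/sites/hr/policy.pdf"},
]

FILE_READ_OPS = {"FileAccessed", "FileDownloaded"}


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_mfa_enrollments(events, baseline_ips, window=timedelta(minutes=30)):
    """Return enrollments that occur within `window` after a sign-in from a non-baseline IP.

    This is the 'attacker registers a new MFA device to keep access' step: the sign-in
    itself succeeded (the victim relayed valid credentials and a code), so the only
    anomaly is the unfamiliar source followed quickly by a factor change.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        known = baseline_ips.get(user, set())
        new_ip_signins = []  # (time, ip) of sign-ins from IPs outside the baseline
        for e in evs:
            t = parse_ts(e["ts"])
            if e["event"] == "signin" and e["ip"] not in known:
                new_ip_signins.append((t, e["ip"]))
            elif e["event"] == "mfa_device_registered":
                for signin_t, signin_ip in new_ip_signins:
                    if timedelta(0) <= t - signin_t <= window:
                        findings.append({"user": user, "enrolled_at": e["ts"],
                                         "login_ip": signin_ip, "factor": e.get("factor")})
                        break
    return findings


def high_volume_file_access(events, threshold=10, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose file reads in any `window` exceed `threshold`.

    A sliding window (deque) gives the peak rate rather than a daily total, which is
    what distinguishes scripted bulk retrieval from a busy but human day.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["op"] in FILE_READ_OPS:
            by_user[e["user"]].append(parse_ts(e["ts"]))

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for f in suspicious_mfa_enrollments(IDP_EVENTS, BASELINE_IPS):
        print("MFA enrollment after unfamiliar sign-in:", f)
    for user, count in high_volume_file_access(SAAS_FILE_EVENTS).items():
        print(f"High-volume file access: {user} read {count} files within 10 minutes")
```

On the sample data only alice is flagged by both checks: her device registration comes two and a half minutes after a sign-in from an IP that is not in her baseline, and she pulls 12 files in under a minute, while bob's registration comes a day after a sign-in from a known IP and his file activity stays well under the threshold. The baseline and threshold values are the tuning knobs; in practice the baseline would come from the identity provider's own history and the threshold from observed per-role access rates.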
Future Outlook
The recent shutdown of the BlackFile data leak site indicates a potential transition rather than a complete end to their operations. Historically, threat groups often rebrand or disperse after disruptions, suggesting that the techniques used by UNC6671 may persist under a different guise.
Organizations should remain vigilant and review existing security measures to adapt to evolving threats in the cybercrime landscape.