Possible link to Mr. Raccoon's claimed Adobe break-in A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.…
Analysis Summary
# Incident Report: UNC6783 Phishing and Social Engineering Campaign
## Executive Summary
A financially motivated threat actor tracked by Google Threat Intelligence Group as UNC6783 (possibly linked to the "Mr. Raccoon" persona) has targeted several dozen high-value corporations. Rather than attacking those corporations directly, the group phishes and socially engineers staff at Business Process Outsourcers (BPOs) and call centers, then reuses those employees' legitimate credentials to reach the corporate customers the BPO serves. The campaign has produced large-scale data theft and extortion attempts, most notably a claimed breach at Adobe said to involve millions of support tickets.
## Incident Details
- **Discovery Date:** April 2026 (Reported by Google Threat Intelligence)
- **Incident Date:** Ongoing (Active through April 2026)
- **Affected Organization:** Several dozen high-value corporations (including Adobe, per reports)
- **Sector:** Technology, Business Process Outsourcing (BPO), Call Centers
- **Geography:** Global (entities in India and the US are mentioned)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026 and prior.
- **Vector:** Phishing and Social Engineering via Live Chat.
- **Details:** Attackers contact support staff over live chat and direct them to spoofed Okta login pages hosted on lookalike domains (e.g., `[company].zendesk-support[.]com`), or push fake security-software updates that install remote access tools.
### Lateral Movement
- Attackers compromise BPOs/Call Centers first.
- Using stolen legitimate credentials from BPO employees, the group pivots into the IT environments of the BPO’s corporate customers.
- Phishing is escalated up the organizational hierarchy (e.g., a compromised employee account is used to phish that employee's manager).
### Data Exfiltration/Impact
- Large-scale theft of sensitive data, including support tickets, employee records, and internal documentation.
- Extortion notes are delivered via Proton Mail accounts.
### Detection & Response
- **Detection:** Identified by Google Threat Intelligence Group.
- **Response Actions:** Public disclosure of tactics and domain patterns; investigation into reported breaches by security researchers (e.g., vx-underground).
## Attack Methodology
- **Initial Access:** Helpdesk social engineering; malicious live chat links; spoofed login pages.
- **Persistence:** Enrollment of attacker-controlled devices as MFA factors on compromised accounts; remote access tools (RATs) delivered as fake security updates.
- **Privilege Escalation:** Phishing of management-level employees using compromised subordinate accounts.
- **Defense Evasion:** Use of legitimate-looking domain patterns (Zendesk masquerading).
- **Credential Access:** Phishing kits that capture credentials and clipboard contents (which, during a login, can include a password or one-time code pasted from a password manager or authenticator).
- **Discovery:** Identifying BPO-to-Customer relationships to facilitate downstream attacks.
- **Lateral Movement:** Transitioning from BPO provider networks to client corporate networks using stolen credentials.
- **Collection:** Gathering support tickets, PII, and internal documentation.
- **Exfiltration:** Unauthorized transfer of corporate databases and ticket logs.
- **Impact:** Financial extortion; broad data disclosure.
## Impact Assessment
- **Financial:** Extortion demands via encrypted email; potential regulatory fines related to PII.
- **Data Breach:** High volume; approximately 13 million support tickets and 15,000 employee records, as claimed in the Adobe case.
- **Operational:** Disruption to helpdesk operations and BPO trust.
- **Reputational:** Public disclosure of a supply-chain weakness; loss of customer trust due to leaked support interactions.
## Indicators of Compromise
- **Network indicators:**
- `[target-name].zendesk-support[.]com` (defanged; the subdomain is the targeted organization's name)
- Proton Mail accounts used for ransom delivery.
- **Behavioral indicators:**
- Unauthorized MFA device enrollments.
- Helpdesk employees receiving unsolicited live chat links to "Okta" or "Security Updates."
- Clipboard content theft during login sequences.
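The network indicator above is a domain pattern rather than a single host, so it is best hunted as a rule over proxy or DNS logs. The following is an added example, not code from the report or from Google's own tooling: it refangs the indicator, parses a handful of constructed proxy log lines (the log format is hypothetical), and classifies each contacted host as the exact IoC pattern, a legitimate vendor domain, or a more general vendor-brand lookalike. The lookalike check goes beyond the report's single pattern and is an assumption of mine, as is the two-label registrable-domain heuristic (it does not use a public-suffix list).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log lines for illustration (not from the report).
# Hypothetical format: "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = """\
2026-04-14T09:12:03Z jdoe GET https://acme.zendesk.com/agent/tickets/1234 200
2026-04-14T09:13:47Z jdoe GET https://acme.zendesk-support.com/login 200
2026-04-14T09:13:52Z jdoe POST https://acme.zendesk-support.com/okta/auth 302
2026-04-14T09:20:11Z asmith GET https://acme.okta.com/app/UserHome 200
2026-04-14T09:21:30Z asmith GET https://okta-security-update.net/download/OktaVerify.exe 200
2026-04-14T09:25:00Z bjones GET https://www.example.com/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Domains the vendors actually use (assumption: this list is illustrative).
VENDOR_DOMAINS = {"zendesk.com", "okta.com"}
# Brand strings whose presence in a non-vendor domain is suspicious.
VENDOR_BRANDS = {"zendesk", "okta"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'zendesk-support[.]com' into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# The report's pattern: any single label in front of zendesk-support.com.
IOC_PATTERNS = [
    re.compile(r"^[a-z0-9-]+\." + re.escape(refang("zendesk-support[.]com")) + r"$"),
]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public suffixes (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(host: str) -> str:
    """Return 'legitimate', 'ioc', 'lookalike' or 'unknown' for a contacted host."""
    host = host.lower()
    rd = registrable_domain(host)
    if rd in VENDOR_DOMAINS:
        return "legitimate"           # real Zendesk/Okta tenant, never flagged
    if any(p.match(host) for p in IOC_PATTERNS):
        return "ioc"                  # exact match on the report's domain pattern
    if any(brand in rd for brand in VENDOR_BRANDS):
        return "lookalike"            # vendor brand inside a non-vendor domain
    return "unknown"


@dataclass
class Hit:
    ts: str
    user: str
    host: str
    verdict: str


def scan(log_text: str) -> list[Hit]:
    """Parse proxy lines and return every request to an IoC or lookalike host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip malformed lines rather than crash
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        verdict = classify(host)
        if verdict in ("ioc", "lookalike"):
            hits.append(Hit(m["ts"], m["user"], host, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.user:8} {hit.verdict:9} {hit.host}")
```

The brand-substring check will produce false positives on unrelated domains that happen to contain "okta" or "zendesk", so treat "lookalike" hits as triage candidates and "ioc" hits as confirmed matches; a real deployment should swap the two-label heuristic for a public-suffix-aware parser.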
## Response Actions
- **Containment:** Domain take-downs of spoofed Zendesk/Okta pages.
- **Eradication:** Removal of unauthorized MFA devices; termination of compromised BPO access tokens.
- **Recovery:** Re-establishment of verified, out-of-band communication channels between BPOs and corporate clients, with credential rotation for affected BPO accounts before access is restored.
## Lessons Learned
- **BPO Vulnerability:** Attackers are increasingly viewing BPOs and call centers as the "path of least resistance" to reach high-value targets.
- **MFA Bypass:** Push- and code-based MFA is insufficient against phishing kits that capture the credential and second factor and then enroll an attacker-controlled device, after which the attacker no longer needs to phish the victim again.
- **Social Engineering:** Helpdesk/Support staff remain a primary target for sophisticated social engineering due to the nature of their access.
## Recommendations
- **Identity Security:** Deploy phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys); the credential is bound to the legitimate origin, so it cannot be replayed from a lookalike domain such as `[company].zendesk-support[.]com`. Restrict which factor types may be enrolled and require step-up verification before a new factor is added.
- **Supply Chain Management:** Enforce strict conditional access policies for third-party BPO providers (e.g., IP allowlisting, managed-device requirements), and require helpdesk-initiated MFA resets or factor changes for BPO accounts to be verified through a known-good channel.
- **Employee Training:** Conduct specialized social engineering simulations for live chat support and helpdesk staff.
- **Monitoring:** Alert on new MFA factor enrollments, especially those from outside the user's usual geographic location or shortly after a login from a location the user has not used before, and on helpdesk-initiated MFA resets.
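The monitoring recommendation can be implemented as a simple baseline comparison over identity-provider audit events. The following is an added example, not the report's or Google's code: it walks a constructed set of events shaped like the Okta System Log API (`user.session.start` for logins, `user.mfa.factor.activate` for factor enrollment, with `actor.alternateId`, `client.geographicalContext.country` and `published`), builds each user's login-country baseline over a lookback window, and raises an alert when a factor is enrolled from a country outside that baseline. Logins in the few minutes immediately before the enrollment are deliberately excluded from the baseline, since in the flow described above the attacker's own login with stolen credentials precedes the rogue enrollment and would otherwise seed the baseline. The event data, window sizes and severity labels are assumptions of mine.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types as named by the Okta System Log; the events below are constructed for illustration.
LOGIN = "user.session.start"
ENROLL = "user.mfa.factor.activate"

SAMPLE_EVENTS = json.loads("""[
 {"published":"2026-04-01T08:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"198.51.100.10","geographicalContext":{"country":"United States"}}},
 {"published":"2026-04-03T08:05:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"198.51.100.10","geographicalContext":{"country":"United States"}}},
 {"published":"2026-04-10T10:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.77","geographicalContext":{"country":"Netherlands"}}},
 {"published":"2026-04-10T10:02:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.77","geographicalContext":{"country":"Netherlands"}}},
 {"published":"2026-04-05T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"asmith@example.com"},"client":{"ipAddress":"192.0.2.5","geographicalContext":{"country":"India"}}},
 {"published":"2026-04-06T09:30:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"asmith@example.com"},"client":{"ipAddress":"192.0.2.5","geographicalContext":{"country":"India"}}},
 {"published":"2026-04-02T11:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"bjones@example.com"},"client":{"ipAddress":"198.51.100.20","geographicalContext":{"country":"United States"}}},
 {"published":"2026-04-08T16:00:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},
  "actor":{"alternateId":"bjones@example.com"},"client":{"ipAddress":"203.0.113.90","geographicalContext":{"country":"United Kingdom"}}}
]""")


def parse_ts(s: str) -> datetime:
    """Okta timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_anomalous_enrollments(events, lookback_days=30, burst_window=timedelta(minutes=15)):
    """Return alerts for factor enrollments from a country outside the user's login baseline.

    baseline = countries of successful logins in the lookback window, excluding logins inside
    burst_window before the enrollment (those may be the attacker's own session).
    Severity is 'high' when such a recent login from the new country exists, 'medium' otherwise.
    """
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    logins = defaultdict(list)  # user -> [(timestamp, country)] seen so far, in time order
    alerts = []
    for e in events:
        ts = parse_ts(e["published"])
        user = e["actor"]["alternateId"]
        country = e["client"]["geographicalContext"]["country"]
        if e["eventType"] == LOGIN and e["outcome"]["result"] == "SUCCESS":
            logins[user].append((ts, country))
        elif e["eventType"] == ENROLL:
            window_start = ts - timedelta(days=lookback_days)
            history = logins[user]
            baseline = {c for t, c in history if window_start <= t < ts - burst_window}
            if not baseline or country in baseline:
                continue  # no history to compare against (e.g. brand-new account) or expected geo
            preceding = [t for t, c in history if ts - burst_window <= t <= ts and c == country]
            alerts.append({
                "user": user,
                "enrolled_at": e["published"],
                "country": country,
                "ip": e["client"]["ipAddress"],
                "baseline": sorted(baseline),
                "login_from_new_geo_minutes_before": (
                    round((ts - preceding[-1]).total_seconds() / 60) if preceding else None
                ),
                "severity": "high" if preceding else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_enrollments(SAMPLE_EVENTS):
        print(json.dumps(a))
```

Tune `burst_window` to how quickly your attackers move; the report describes device enrollment as the persistence step right after credential theft, so the login-then-enroll sequence within minutes is the high-confidence signal. Users with no baseline (new hires, accounts unused for longer than the lookback) are skipped here and should be covered by a separate onboarding-verification control rather than by this rule.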