Full Report
Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. By leveraging adversary-in-the-middle (AiTM) techniques to bypass traditional perimeter defenses and multi-factor authentication (MFA), UNC6671 gains deep access to cloud environments. The group primarily targets Microsoft 365 and Okta infrastructure, using Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data for subsequent extortion attempts. This post details UNC6671's attack lifecycle and provides defenders with actionable guidance to detect and mitigate these identity-centric threats.

Since emerging in early 2026, UNC6671 has maintained a high operational cadence. GTIG assesses that the group has targeted dozens of organizations across North America, Australia, and the UK.

GTIG previously highlighted UNC6671 as a distinct cluster in a prior report detailing similar SaaS data-theft techniques utilized by ShinyHunters (UNC6240). While UNC6671 has co-opted the ShinyHunters brand in at least one instance to inject artificial credibility into their threats, GTIG assesses that the operations are independent. This distinction is supported by UNC6671's use of separate TOX communication channels, unique domain registration patterns, and the launch of a dedicated "BlackFile" data leak site (DLS).
Analysis Summary
# Threat Actor: UNC6671 (BlackFile)
## Attribution & Identity
* **Name/Alias:** UNC6671, BlackFile.
* **Known Associations:** GTIG identified UNC6671 as a distinct cluster from **ShinyHunters (UNC6240)**. Although UNC6671 has co-opted the ShinyHunters brand for credibility, they are assessed to be independent.
* **Identification Markers:** Use of separate TOX communication channels, unique domain registration patterns, and a dedicated "BlackFile" data leak site (DLS).
## Activity Summary
* **Emergence:** Early 2026.
* **Campaign Nature:** Expansive vishing and extortion campaign targeting cloud environments and single sign-on (SSO) infrastructure.
* **Operational Cadence:** High; the group has targeted dozens of organizations within a short timeframe.
## Tactics, Techniques & Procedures
* **Social Engineering:** High-volume voice phishing (vishing) using "callers" who masquerade as internal IT/Help Desk.
* **Pretexting:** Claims of mandatory passkey migrations or MFA updates to move victims to malicious sites.
* **Adversary-in-the-Middle (AiTM):** Real-time interception of credentials and MFA tokens (Push, SMS, TOTP) to bypass perimeter defenses.
* **Persistence:** Immediate registration of attacker-controlled MFA devices upon successful account access.
* **Data Exfiltration:** Programmatic theft of data from SharePoint, OneDrive, and Zendesk using Python and PowerShell scripts.
* **Extortion:** Use of a dedicated Data Leak Site (DLS) to pressure victims into payment.
* **MITRE ATT&CK IDs (Inferred from TTPs):**
  * T1566.004 (Phishing: Voice)
  * T1557 (Adversary-in-the-Middle)
  * T1098.005 (Account Manipulation: Device Registration)
  * T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
## Targeting
* **Sectors:** Organizations utilizing Microsoft 365, Okta, and major SaaS platforms (e.g., Zendesk).
* **Geography:** North America, Australia, and the United Kingdom.
* **Victims:** Dozens of organizations; specific names were not disclosed in the text.
## Tools & Infrastructure
* **Scripts:** Custom Python and PowerShell scripts for automated data exfiltration.
* **Communication:** TOX channels for negotiations.
* **Phishing Infrastructure:** Subdomain-based model registered predominantly through Tucows.
* **Infrastructure Examples (Defanged):**
  * `.enrollms[.]com`
  * `.passkeyms[.]com`
  * `.setupsso[.]com`
* **Network:** Heavy reliance on commercial VPN nodes to mask source IP addresses.
## Implications
* **Brand Evolution:** The threat actor may retire the "BlackFile" brand to evade scrutiny but is expected to pivot to new brands while maintaining the same identity-centric techniques.
* **Cloud Vulnerability:** The campaign highlights that SaaS data-theft is a highly successful and trending threat model that bypasses traditional network-based security.
## Mitigations
* **Phishing-Resistant MFA:** Implement FIDO2/WebAuthn-based authentication (passkeys/security keys) to negate the effectiveness of AiTM attacks.
* **User Training:** Educate employees that legitimate IT support will not direct them to non-standard subdomains for security updates.
* **Monitoring & Detection:**
  * Audit Okta/O365 logs for sessions originating from known commercial VPNs or anonymized IPs.
  * Enable alerts for "Bulk File Access" or "High Volume Downloads" via PowerShell in SharePoint/OneDrive.
  * Monitor for the registration of new MFA devices by existing users.
* **Technical Hardening:** Utilize Google Safe Browsing and review SaaS app permissions to limit the scope of lateral movement.
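As an added example (not code from the GTIG report), the following Python correlation covers the VPN-session and new-MFA-device monitoring items above: it walks constructed events shaped like Okta System Log entries and flags an MFA factor activation that closely follows a successful sign-in when the enrolment comes from a different IP or from a VPN-like ISP. The field names (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`, `securityContext.isp`, `outcome.result`) follow Okta's System Log schema; the VPN keyword list, the 60-minute window, and the sample events are assumptions.

```python
from datetime import datetime, timedelta

# Assumed keywords for ISP names of commercial VPN/hosting providers; replace with an
# enrichment feed in production. Constructed values, not taken from the report.
VPN_ISP_KEYWORDS = ("vpn", "proxy", "hosting")
WINDOW = timedelta(minutes=60)


def ev(ts, etype, user, ip, isp, result="SUCCESS"):
    """Build a constructed event in the nested shape of an Okta System Log entry."""
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "securityContext": {"isp": isp}}


# Constructed sample log: alice signs in, then a new MFA factor is activated minutes
# later from a VPN address; bob activates a factor a day after sign-in from the same IP.
EVENTS = [
    ev("2026-03-01T09:00:05.000Z", "user.session.start", "alice@example.com", "203.0.113.10", "Example Corp ISP"),
    ev("2026-03-01T09:03:40.000Z", "user.mfa.factor.activate", "alice@example.com", "198.51.100.77", "Acme VPN Services"),
    ev("2026-03-01T13:00:00.000Z", "user.session.start", "bob@example.com", "203.0.113.22", "Example Corp ISP"),
    ev("2026-03-02T08:00:00.000Z", "user.mfa.factor.activate", "bob@example.com", "203.0.113.22", "Example Corp ISP"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def suspicious_enrollments(events, window=WINDOW):
    """Return (user, reasons) for MFA factor activations that closely follow a
    successful sign-in and come from a different IP or a VPN-like ISP."""
    last_login = {}  # user -> most recent successful session start
    findings = []
    for e in sorted(events, key=lambda x: parse_ts(x["published"])):
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        if e["eventType"] == "user.session.start":
            last_login[user] = e
        elif e["eventType"] == "user.mfa.factor.activate":
            login = last_login.get(user)
            if not login or parse_ts(e["published"]) - parse_ts(login["published"]) > window:
                continue  # no fresh sign-in to correlate with; a separate baseline rule covers this
            reasons = []
            if e["client"]["ipAddress"] != login["client"]["ipAddress"]:
                reasons.append("enrolment IP differs from sign-in IP")
            if any(k in e["securityContext"]["isp"].lower() for k in VPN_ISP_KEYWORDS):
                reasons.append("enrolment from VPN-like ISP")
            if reasons:
                findings.append((user, reasons))
    return findings
```

Running `suspicious_enrollments(EVENTS)` flags only alice's enrolment; bob's activation from his usual IP a day later is left to a broader "any new factor" rule, which is noisier and is not implemented here.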