Introduction
The BlackFile extortion campaign, operated by UNC6671, relies on sophisticated voice phishing (vishing) and single sign-on (SSO) compromise to bypass multi-factor authentication (MFA) and gain deep access to cloud environments. Targeting Microsoft 365 and Okta infrastructure, the group uses adversary-in-the-middle (AiTM) techniques to harvest credentials and session tokens, followed by automated data exfiltration using Python and PowerShell scripts. This guide provides actionable steps for defenders to detect, mitigate, and respond to these identity-centric threats. Since early 2026, UNC6671 has targeted dozens of organizations across North America, Australia, and the UK. While the group has borrowed brands like ShinyHunters for credibility, its operations are independent, using separate TOX channels and its own BlackFile data leak site. Note that no product vulnerabilities are exploited—success hinges on social engineering.

What You Need
- Access to Microsoft 365 and Okta administrative consoles
- Identity provider logs (e.g., Azure AD sign-in logs, Okta system logs)
- Email security or secure email gateway (SEG) logs
- Network traffic logs (especially for unusual outbound connections)
- Endpoint detection and response (EDR) or SIEM platform for correlation
- User awareness training materials on vishing
- Knowledge of conditional access policies and session management
- Ability to create custom alert rules for suspicious authentication patterns
Step-by-Step Guide
Step 1: Understand the Attack Lifecycle
UNC6671’s attack begins with high-volume vishing calls to employees’ personal mobile phones. Callers impersonate internal IT or the help desk, using a pretext of a mandatory migration to passkeys or an MFA update. This directs victims to credential-harvesting subdomains (e.g., containing “passkey” or “enrollment”) registered via Tucows. The AiTM proxy captures credentials and session tokens in real time, bypassing MFA. Once inside, the attacker uses PowerShell and Python to exfiltrate sensitive data from M365/Okta and then issues an extortion demand. Recognize that initial access is social—not technical—so defenses must address human factors first.
Step 2: Implement Phishing-Resistant MFA
Standard MFA (like SMS or app-based codes) is vulnerable to AiTM attacks because the victim hands the code to the proxy, which relays it to the real identity provider. Deploy phishing-resistant methods such as FIDO2 security keys or platform passkeys (e.g., Windows Hello, Apple Face ID). Require these for all cloud applications, especially Microsoft 365 and Okta. Enforce through conditional access policies—block authentication attempts that lack phishing-resistant factors. Because these credentials are bound to the legitimate origin, an AiTM proxy on a look-alike domain cannot complete the authentication, so no session token is issued for the attacker to replay even if the password is stolen.
Step 3: Train Users to Recognize Vishing
UNC6671 calls often target personal phones to evade corporate security tooling. Educate employees to verify any unexpected IT request by hanging up and calling the official help desk number. Emphasize that legitimate IT will never ask for passwords or MFA codes, or direct users to external login pages. Simulate vishing attacks during training to build awareness. Encourage employees to report suspicious calls to the security team immediately.
Step 4: Monitor for Suspicious Domain Registrations
UNC6671 uses subdomain-based credential harvesting pages, typically registered with Tucows and referencing “passkey” or “enrollment” in the URL. Set up alerts for newly registered domains containing these keywords, especially if they match your organization’s brand or common misspellings. Integrate threat intelligence feeds that monitor Tucows registrations. When found, block the domains at your proxy/DNS layer and flag for investigation.
Step 5: Enable Advanced Logging and AiTM Detection
Configure verbose logging for all sign-in attempts: record IP addresses, device fingerprints, browser user agents, and session token details. Look for anomalies like authentication from unfamiliar IP ranges (especially those associated with VPN/proxy services) or sudden changes in device profile during a single session. AiTM proxies often reuse tokens that appear legitimate but originate from suspicious infrastructure. Use SIEM rules to correlate failed MFA challenges followed by successful authentication—a hallmark of credential harvesting.
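The two SIEM correlations described in this step, implemented over a handful of constructed sign-in events. This is an added example, not code from the original guide; the event field names (`ts`, `user`, `ip`, `ua`, `result`, `session`) are assumptions standing in for the corresponding Azure AD or Okta sign-in log fields.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data); field names are assumptions.
EVENTS = [
    {"ts": "2026-02-10T09:00:00", "user": "alice", "ip": "203.0.113.7",
     "ua": "Chrome/122 Windows", "result": "mfa_failed", "session": None},
    {"ts": "2026-02-10T09:02:30", "user": "alice", "ip": "198.51.100.44",
     "ua": "Chrome/122 Windows", "result": "success", "session": "s-100"},
    {"ts": "2026-02-10T09:05:00", "user": "alice", "ip": "198.51.100.44",
     "ua": "python-requests/2.31", "result": "success", "session": "s-100"},
    {"ts": "2026-02-10T10:00:00", "user": "bob", "ip": "192.0.2.10",
     "ua": "Safari/17 macOS", "result": "mfa_failed", "session": None},
    {"ts": "2026-02-10T10:00:40", "user": "bob", "ip": "192.0.2.10",
     "ua": "Safari/17 macOS", "result": "success", "session": "s-200"},
]


def failed_mfa_then_success(events, window=timedelta(minutes=10)):
    """Pair each failed MFA challenge with the next successful sign-in by the same
    user inside `window`. `ip_changed` marks a success from a different address
    than the failure, i.e. the login was completed from other infrastructure."""
    by_user, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "mfa_failed":
                continue
            t0 = datetime.fromisoformat(e["ts"])
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break
                if later["result"] == "success":
                    alerts.append({"user": user, "fail_ip": e["ip"],
                                   "success_ip": later["ip"],
                                   "ip_changed": later["ip"] != e["ip"]})
                    break
    return alerts


def session_fingerprint_change(events):
    """Flag sessions whose user agent differs from the one seen at the first
    successful sign-in: a browser-minted token later driven by a script."""
    first_ua, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = e["session"]
        if sid and e["ua"] != first_ua.setdefault(sid, e["ua"]):
            alerts.append({"user": e["user"], "session": sid,
                           "first_ua": first_ua[sid], "new_ua": e["ua"]})
    return alerts
```

On the sample data, alice's failed challenge is followed by a success from a new address and her session later switches to a scripted user agent, while bob's retry from the same phone and browser is paired but not marked as an address change.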

Step 6: Detect Post-Compromise Activity
After gaining access, UNC6671 uses PowerShell and Python scripts to programmatically enumerate and exfiltrate data from Microsoft 365 (Exchange Online, SharePoint) and Okta (user directories, group memberships). Monitor for unusual API calls—e.g., high volumes of Get-Mailbox, Get-AzureADUser, or Okta /api/v1/users requests. Look for automated bulk downloads by service accounts or users with atypical geography. Enable alerts on data exfiltration patterns: large egress traffic to foreign IPs, compression of files before transfer, or use of anonymous file-sharing services.
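A sliding-window detector for the bulk enumeration this step describes, checking for actors that issue an unusual volume of the directory and mailbox enumeration calls named above. This is an added example, not code from the original guide; the audit record shape (`ts`, `actor`, `op`) and the threshold values are assumptions, and the records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations the guide names as enumeration indicators (M365 cmdlets and the Okta users API).
ENUM_OPS = {"Get-Mailbox", "Get-AzureADUser", "GET /api/v1/users"}

# Constructed sample audit records (not real log data); field names are assumptions.
RECORDS = [
    {"ts": "2026-02-11T02:00:%02d" % s, "actor": "svc-sync", "op": "GET /api/v1/users"}
    for s in range(0, 60, 2)  # 30 directory page requests in one minute
] + [
    {"ts": "2026-02-11T02:00:10", "actor": "carol", "op": "Get-Mailbox"},
    {"ts": "2026-02-11T02:00:45", "actor": "carol", "op": "Get-Mailbox"},
    {"ts": "2026-02-11T02:01:00", "actor": "carol", "op": "Set-Mailbox"},
]


def bulk_enumeration(records, threshold=20, window=timedelta(minutes=5)):
    """Return actors who issued more than `threshold` enumeration calls within
    any sliding `window`. One deque per actor keeps only the timestamps still
    inside the window, so the detector stays bounded on a streaming audit feed."""
    recent = defaultdict(deque)
    alerts = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["op"] not in ENUM_OPS:
            continue  # non-enumeration operations do not count toward the burst
        t = datetime.fromisoformat(r["ts"])
        q = recent[r["actor"]]
        q.append(t)
        while t - q[0] > window:
            q.popleft()  # drop timestamps that have aged out of the window
        if len(q) > threshold and r["actor"] not in alerts:
            alerts[r["actor"]] = {"first": q[0].isoformat(), "count": len(q)}
    return alerts
```

The threshold should be tuned per environment: a real directory-sync service account may legitimately page through `/api/v1/users`, so baseline known automation before alerting on it.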
Step 7: Develop an Incident Response Playbook
Upon suspicion of compromise: isolate affected accounts by revoking session tokens and forcing a password reset. Rotate application secrets if any were exposed. Check for unauthorized Okta API tokens or OAuth consent grants. Run a full review of M365 and Okta administrator logs for unexplained changes. Notify your legal and communications teams of any extortion threats (UNC6671 makes contact over TOX channels). Preserve logs for forensic analysis. Coordinate with law enforcement if needed.
Step 8: Strengthen Identity Infrastructure
Enforce conditional access policies that require trusted devices or compliant endpoints for sensitive actions. Set session length restrictions for cloud apps—shorten timeouts to reduce token reuse windows. Restrict administrator roles to individuals who specifically need them. Monitor for changes to authentication policies (especially relaxing MFA). Regularly audit Okta and Azure AD for unused or legacy credentials that could be exploited.
Tips
- Personal phone risk: UNC6671 bypasses corporate defenses by calling personal mobiles. Consider a policy that requires all IT-related communications to go through official channels only.
- Use dedicated threat intelligence: Subscribe to feeds that track BlackFile’s data leak site and TOX channels. New victim announcements can help you spot similar patterns in your environment.
- User reporting incentives: Reward employees who report suspicious vishing calls. Early detection can prevent a full compromise.
- Test your detection regularly: Run tabletop exercises simulating an AiTM vishing attack to validate logging and alert coverage.
- Do not rely solely on brand-based blocking: UNC6671 uses subdomain models and can quickly change domains. Focus on behavior and anomaly detection.
- Monitor for multiple login attempts: After harvesting, attackers often replay several sets of credentials from the same IP, which can resemble a password spray in sign-in logs. Tune your detection accordingly.
- Remember the independence: Although UNC6671 sometimes uses ShinyHunters branding, treat them as a separate threat. Their tactics, infrastructure, and extortion methods are distinct.