
The Anatomy of BlackFile: How UNC6671 Uses Vishing to Breach Cloud Environments

2026-05-17 21:16:36

Introduction: A New Breed of Extortion

In early 2026, cybersecurity researchers at Google Threat Intelligence Group (GTIG) began tracking a highly active extortion campaign orchestrated by a threat actor known as UNC6671, operating under the BlackFile brand. This operation has targeted dozens of organizations across North America, Australia, and the United Kingdom, leveraging sophisticated voice phishing (vishing) and single sign-on (SSO) compromise to bypass traditional security controls. By combining adversary-in-the-middle (AiTM) techniques with social engineering, UNC6671 gains deep access to cloud environments—primarily Microsoft 365 and Okta—then exfiltrates sensitive data for extortion. This article breaks down the attack lifecycle and offers actionable guidance for defenders.

[Figure: The Anatomy of BlackFile: How UNC6671 Uses Vishing to Breach Cloud Environments. Source: www.mandiant.com]

Notably, while UNC6671 has occasionally borrowed the ShinyHunters brand to lend false credibility to their threats, GTIG assesses that the two groups are independent. Evidence includes separate TOX communication channels, distinct domain registration patterns, and UNC6671's dedicated data leak site (DLS) called BlackFile. The campaign does not exploit any vendor product vulnerability; instead, it underscores the power of social engineering and the urgent need for phishing-resistant multi-factor authentication (MFA).

The Vishing Attack Vector

UNC6671's initial access relies on high-volume vishing calls, often placed by hired callers who meticulously social engineer targeted employees. These calls are typically made to the victim's personal mobile phone, bypassing corporate security tools and moving the conversation away from official support channels.

The IT Deployment Pretext

The callers pose as internal IT or help desk personnel, claiming a mandatory migration to passkeys or a required MFA update. This pretext serves a dual purpose: it justifies directing the victim to a credential harvesting site and provides a logical cover for any security alerts generated during the compromise. For example, if the victim receives an unexpected MFA approval request, the caller might claim it's part of the migration process.

By using this approach, UNC6671 can simultaneously harvest credentials and bypass MFA through AiTM techniques, all while the victim believes they are cooperating with a legitimate company initiative.

Credential Harvesting Infrastructure

UNC6671 has evolved its domain strategy. Instead of creating unique, organization-tailored domains for each target, they now use a subdomain-based model. These domains are typically registered through Tucows and frequently include subdomains referencing “passkey” or “enrollment” to appear authentic. For instance, a victim might be directed to enrollment.legitimate-looking-domain.com.
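One way a defender can turn the subdomain-based model described above into a triage rule is to scan outbound proxy or DNS hostnames for identity-themed labels on domains that are not the organisation's real identity providers, and to weight the finding by how recently the registrable domain was created. The script below is an added example and is not GTIG's or Mandiant's code; the keyword list beyond "passkey" and "enrollment", the 30-day window, the allowlist, the sample hostnames and the registration dates are all constructed assumptions, and the registrable-domain split ignores the public-suffix list.

```python
from datetime import date, timedelta

# Assumed keyword set: the report mentions "passkey"- and "enrollment"-themed
# subdomains; "enroll", "mfa" and "sso" are added guesses for illustration.
LURE_KEYWORDS = ("passkey", "enrollment", "enroll", "mfa", "sso")
NEW_DOMAIN_WINDOW = timedelta(days=30)  # assumed "recently registered" window
AS_OF = date(2026, 5, 17)               # assumed analysis date

# Assumed allowlist of registrable domains the organisation really authenticates to.
TRUSTED_REGISTRABLE = {"microsoftonline.com", "okta.com"}

# Constructed sample: hostnames pulled from outbound web-proxy logs.
SAMPLE_HOSTS = [
    "enrollment.legitimate-looking-domain.com",
    "passkey.corp-sso-helpdesk.net",
    "login.microsoftonline.com",
    "example-corp.okta.com",
    "cdn.news-site.org",
]

# Constructed sample: creation dates as a WHOIS/RDAP enrichment feed might return them.
REGISTRATION_DATES = {
    "legitimate-looking-domain.com": date(2026, 4, 20),
    "corp-sso-helpdesk.net": date(2026, 5, 2),
    "news-site.org": date(2015, 3, 9),
}


def registrable_domain(host: str) -> str:
    """Take the last two labels as the registrable domain.
    Simplification: no public-suffix list, so 'example.co.uk' would be mis-split."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def triage_host(host: str, today: date) -> list[str]:
    """Return the reasons a hostname looks like a vishing lure (empty list = no finding)."""
    reasons = []
    reg = registrable_domain(host)
    if reg in TRUSTED_REGISTRABLE:
        return reasons  # the genuine IdP, however "passkey"-like its labels look
    sub_labels = host.lower().split(".")[:-2]
    for keyword in LURE_KEYWORDS:
        if any(keyword in label for label in sub_labels):
            reasons.append(f"identity-themed subdomain label containing '{keyword}'")
            break
    registered = REGISTRATION_DATES.get(reg)
    if registered is not None and today - registered <= NEW_DOMAIN_WINDOW:
        reasons.append(f"registrable domain created {(today - registered).days} days ago")
    return reasons


def triage_hosts(hosts, today: date) -> dict[str, list[str]]:
    """Map each suspicious hostname to its reasons; hosts with no finding are dropped."""
    findings = {}
    for host in hosts:
        reasons = triage_host(host, today)
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage_hosts(SAMPLE_HOSTS, AS_OF).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Two signals together (an identity-themed label and a young domain) are a much stronger hint than either alone; in a real pipeline the allowlist should be generated from the tenant's actual federation metadata rather than typed by hand, and a public-suffix library should replace the two-label split.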

This infrastructure is paired with Python and PowerShell scripts that programmatically access and exfiltrate data from compromised cloud accounts. The scripts are designed to work with Microsoft 365 and Okta environments, extracting large volumes of sensitive information before triggering extortion demands.


Post-Compromise Activities

Once inside, UNC6671 leverages access to SSO platforms to move laterally across the organization's cloud tenant. They use the victim's session tokens to access corporate email, file repositories, and other critical applications. The exfiltrated data is then used as leverage for extortion, often with threats to release it on the BlackFile data leak site.

GTIG notes that UNC6671 maintains a high operational cadence, indicating a well-resourced and organized group. The use of a dedicated DLS sets them apart from other threat actors and signals a long-term commitment to extortion.

Recommendations for Defenders

To protect against such attacks, organizations should prioritize the following measures:

For more technical detection guidance, refer to the initial access section for common indicators of compromise, such as unusual MFA approval requests after a phone call.
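The indicator named above, an MFA approval that the victim was talked into during a call, is hard to spot on its own, but it becomes a usable detection when it is correlated with the post-compromise behaviour described earlier: the approval arrives from a network the user has never signed in from, and bulk file access follows within minutes on the resulting session. The detector below is an added example, not GTIG's or any vendor's detection content; the event schema is a simplified, IdP-neutral stand-in (not real Okta or Microsoft 365 field names), the ASNs come from the documentation range AS64496-AS64511, and the 30-minute window, download threshold and baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; a real deployment would derive them from the tenant's history.
DOWNLOAD_WINDOW = timedelta(minutes=30)
DOWNLOAD_THRESHOLD = 50

# Constructed sample events in a simplified schema: time, user, event type,
# the ASN the request came from, and an item count for download events.
EVENTS = [
    {"ts": "2026-05-12T14:02:11", "user": "j.doe", "type": "mfa.push.approved", "asn": "AS64500", "count": 1},
    {"ts": "2026-05-12T14:03:40", "user": "j.doe", "type": "session.start", "asn": "AS64500", "count": 1},
    {"ts": "2026-05-12T14:10:05", "user": "j.doe", "type": "file.download", "asn": "AS64500", "count": 80},
    {"ts": "2026-05-12T09:15:00", "user": "a.smith", "type": "mfa.push.approved", "asn": "AS64496", "count": 1},
    {"ts": "2026-05-12T09:30:00", "user": "a.smith", "type": "file.download", "asn": "AS64496", "count": 5},
    {"ts": "2026-05-12T11:00:00", "user": "m.lee", "type": "mfa.push.approved", "asn": "AS64501", "count": 1},
    {"ts": "2026-05-12T11:20:00", "user": "m.lee", "type": "file.download", "asn": "AS64501", "count": 3},
]

# Constructed baseline: networks each user signed in from over the previous 30 days.
BASELINE_ASNS = {"j.doe": {"AS64496"}, "a.smith": {"AS64496"}, "m.lee": {"AS64496"}}


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect(events, baseline):
    """Alert on MFA approvals from an unfamiliar network; raise severity to 'high'
    when bulk downloads follow within DOWNLOAD_WINDOW on the same account."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        known_networks = baseline.get(user, set())
        for index, event in enumerate(user_events):
            if event["type"] != "mfa.push.approved" or event["asn"] in known_networks:
                continue  # familiar network: the weak signal alone is not worth an alert
            approved_at = parse_ts(event["ts"])
            downloads = sum(
                later["count"]
                for later in user_events[index + 1:]
                if later["type"] == "file.download"
                and parse_ts(later["ts"]) - approved_at <= DOWNLOAD_WINDOW
            )
            severity = "high" if downloads >= DOWNLOAD_THRESHOLD else "medium"
            alerts.append({
                "user": user,
                "mfa_approved_at": event["ts"],
                "asn": event["asn"],
                "downloads_in_window": downloads,
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE_ASNS):
        print(f"[{alert['severity']}] {alert['user']}: MFA approved from {alert['asn']} "
              f"at {alert['mfa_approved_at']}, {alert['downloads_in_window']} downloads within window")
```

The medium-severity alert is the one worth a quick call-back to the user over a known-good channel, which is also the moment a vishing pretext falls apart; the high-severity alert is an incident-response trigger where the first step is revoking the session tokens that the AiTM relay captured, since a password reset alone does not invalidate them.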

Conclusion

UNC6671's BlackFile campaign is a stark reminder that social engineering remains one of the most effective attack vectors. By combining vishing with AiTM techniques, the group can bypass even robust MFA implementations. Organizations must evolve beyond simply checking the MFA box and instead adopt phishing-resistant methods. With the right training, technology, and monitoring, defenders can significantly reduce the risk of falling victim to such extortion operations.
