Cybercriminals operating under the ShinyHunters brand have launched a sophisticated extortion campaign targeting corporate cloud systems through voice-phishing attacks that bypass multi-factor authentication, according to a joint investigation by Mandiant and Google’s Threat Intelligence Group. The attackers impersonate IT staff to trick employees into entering credentials on fake login pages, then steal sensitive data from platforms like Salesforce and SharePoint for extortion.
The attacks follow a calculated pattern that has already compromised multiple organizations, with victims appearing on a new SHINYHUNTERS data leak site that emerged in late January 2026, according to the Mandiant and Google investigation. The site lists breached companies and features contact information previously associated with the group.
During these attacks, criminals call employees claiming to be from their company’s IT department, citing a need to update multi-factor authentication settings. Victims are then directed to fake login pages that closely mimic legitimate single sign-on portals, often using domains like “companyname-sso.com” or “companyname-internal.com,” registered through services including NICENIC and Tucows.
Once employees enter their credentials and MFA codes on the fake page, the attackers use them immediately, before the one-time code expires, to sign in to the real portal. They then enroll their own devices as valid authentication methods, granting them persistent access to corporate systems that no longer depends on phishing the victim again. To avoid detection, the criminals delete the security notification emails that would alert victims to the new device enrollment, according to the report.
Escalating Extortion Tactics
After gaining access, the attackers target whatever data is available through platforms including Salesforce, SharePoint, Docusign, and Slack. They use PowerShell commands to download files from SharePoint and OneDrive, specifically searching for documents containing keywords like “confidential,” “internal,” and “salesforce,” investigators found.
The extortion phase begins with ShinyHunters-branded emails demanding Bitcoin payment within 72 hours. Attackers provide samples of stolen data hosted on services like Limewire as proof of the breach. When victims don’t comply, the group escalates with harassing text messages to employees and distributed denial-of-service attacks against company websites.
Security researchers have linked these operations to the group known as Scattered Spider (also tracked as UNC3944), which is assessed to be either affiliated with ShinyHunters or the same set of operators. The campaign shows that organizations relying on push- or code-based MFA remain vulnerable to this kind of social engineering: a one-time code typed into an attacker's page is captured just as readily as a password.
To defend against these threats, security experts recommend migrating to phishing-resistant MFA methods such as FIDO2 security keys or passkeys. Organizations should also require high-assurance verification for password resets, including live video calls where users present government-issued identification. Detection teams should monitor for suspicious patterns, including MFA device enrollments immediately following logins from new locations and the use of PowerShell for bulk downloads from cloud storage platforms.
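The two detection patterns named above can be expressed as simple correlation logic. The following is an added example, not code from the Mandiant or Google report: it runs over a handful of constructed log records whose field names (ts, user, country, method, user_agent, workload, op) are a simplified, hypothetical stand-in for Entra ID sign-in/audit logs and the Microsoft 365 unified audit log. The PowerShell user-agent match is a heuristic; the exact string depends on the module or cmdlet the attacker uses. The first check flags an MFA method registration that follows, within 15 minutes, a sign-in from a country the user has never been seen in; the second flags any user whose PowerShell-driven downloads from SharePoint or OneDrive reach a threshold inside a sliding 10-minute window.

```python
"""Correlation checks for the vishing campaign patterns (added example).

Log schemas here are constructed assumptions, not real Microsoft field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2026-02-03T14:01:10Z."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


# --- Constructed sample data (not real logs) ---------------------------------
# Countries each user has signed in from over a prior baseline period.
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US"}}

SIGNINS = [
    {"ts": "2026-02-03T14:01:10Z", "user": "alice@example.com", "ip": "203.0.113.45", "country": "NL"},
    {"ts": "2026-02-03T14:03:20Z", "user": "bob@example.com", "ip": "198.51.100.7", "country": "US"},
]

# MFA method registrations (Entra logs these as "User registered security info").
MFA_ENROLLMENTS = [
    {"ts": "2026-02-03T14:04:55Z", "user": "alice@example.com", "method": "Microsoft Authenticator"},
    {"ts": "2026-02-03T16:30:00Z", "user": "bob@example.com", "method": "FIDO2 security key"},
]


def _sample_file_events():
    """25 PowerShell downloads by alice in under 3 minutes; 5 browser downloads by bob."""
    base = parse_ts("2026-02-03T14:10:00Z")
    events = []
    for i in range(25):
        events.append({
            "ts": (base + timedelta(seconds=7 * i)).strftime(TS_FMT),
            "user": "alice@example.com",
            "op": "FileDownloaded",
            "workload": "SharePoint",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) PowerShell/7.4.1",
            "path": f"Shared Documents/confidential-{i}.docx",
        })
    for i in range(5):
        events.append({
            "ts": (base + timedelta(minutes=i)).strftime(TS_FMT),
            "user": "bob@example.com",
            "op": "FileDownloaded",
            "workload": "OneDrive",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0",
            "path": f"Documents/report-{i}.xlsx",
        })
    return events


FILE_EVENTS = _sample_file_events()


# --- Detection 1: MFA enrollment shortly after a sign-in from a new country ---
def suspicious_mfa_enrollments(signins, enrollments, known_countries, window=timedelta(minutes=15)):
    """Return alerts for MFA registrations within `window` after a sign-in
    from a country absent from that user's baseline."""
    novel_signins = defaultdict(list)
    for s in signins:
        if s["country"] not in known_countries.get(s["user"], set()):
            novel_signins[s["user"]].append(s)
    alerts = []
    for e in enrollments:
        e_ts = parse_ts(e["ts"])
        for s in novel_signins.get(e["user"], []):
            delta = e_ts - parse_ts(s["ts"])
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "user": e["user"],
                    "signin_ip": s["ip"],
                    "signin_country": s["country"],
                    "enrolled": e["method"],
                    "delta_seconds": int(delta.total_seconds()),
                })
    return alerts


# --- Detection 2: bulk PowerShell downloads from SharePoint/OneDrive ---------
def bulk_powershell_downloads(file_events, threshold=20, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose PowerShell-agent downloads from
    SharePoint/OneDrive reach `threshold` within any sliding `window`."""
    per_user = defaultdict(list)
    for ev in file_events:
        if ev["op"] != "FileDownloaded" or ev["workload"] not in ("SharePoint", "OneDrive"):
            continue
        if "powershell" not in ev["user_agent"].lower():
            continue
        per_user[ev["user"]].append(parse_ts(ev["ts"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


if __name__ == "__main__":
    for a in suspicious_mfa_enrollments(SIGNINS, MFA_ENROLLMENTS, KNOWN_COUNTRIES):
        print("MFA enrollment after novel-location sign-in:", a)
    for user, n in bulk_powershell_downloads(FILE_EVENTS).items():
        print(f"Bulk PowerShell downloads: {user} pulled {n} files within 10 minutes")
```

On the sample data only alice is flagged by both checks: her Authenticator registration lands 225 seconds after a sign-in from the Netherlands, and her 25 SharePoint downloads with a PowerShell user agent exceed the 20-file threshold. Bob's FIDO2 key registration hours after a baseline-country sign-in, and his five browser downloads, stay quiet. In production the baseline should come from weeks of sign-in history and the enrollment event should also be correlated with deletion of the "new security info" notification mail, which the report describes as the attackers' cover-up step.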
Sources
- Google Cloud
- Varonis