Features 24.02.2026
AI Autopsy: ShinyHunters Go on a Vishing-Fuelled SSO Rampage
How CISOs can tackle sophisticated, real-time MFA bypass
The modern enterprise perimeter hasn’t simply been breached; intruders have talked it into submission. In January, ShinyHunters returned with a campaign targeting numerous companies, including Match Group, Panera Bread, and potentially SoundCloud, Crunchbase, and Betterment. Tens of millions of records may have been compromised. In doing so, ShinyHunters has doubled down on its core strength: social engineering.
Deception as an offensive cybersecurity technique is nothing new, but the ShinyHunters group has turned it into an industrial-scale process. Google Threat Intelligence researchers have been tracking this escalation under threat clusters UNC6661, UNC6671, and UNC6240 – all of which operate under the ShinyHunters banner. They’ve refined spear phishing to a fine art, targeting single sign-on (SSO) credentials and multi-factor authentication (MFA) codes through a hybrid approach to social engineering.
The attack chain begins with a high-pressure voice phishing (vishing) call. The attacker impersonates internal IT staff, telling the victim that their employer is updating MFA settings. What makes vishing even more powerful in campaigns like these is live coupling with online social engineering, says Brandon Potter, CTO at cybersecurity consultancy ProCircular.
“What we’re seeing now is not just a phone call. It’s vishing paired with real-time interception,” he tells Assured Intelligence.
If the victim bites, the criminal directs them to a phishing site, often with a deceptive URL like <companyname>sso.com. These sites are built using ‘as-a-service’ phishing kits that help criminals dupe people into handing over their credentials while on voice calls.
“They’re using these phishing kits to act as a live proxy,” says Potter. “They’re timing their script to the MFA prompts they’re triggering in the background.”
The attacker can script which pages the victim sees in real time, as they guide them through what seems like a routine account update. The attacker triggers an MFA challenge (e.g., a number-matching prompt) from a legitimate online service that the victim uses. Then they update the phishing page to show that challenge to the victim. It looks like a completely legitimate request, because it is; the attacker is just sitting in the middle.
When the victim enters the code, the attacker uses it to complete the MFA challenge from their own device and enrol that device as a trusted authenticator. This shadow enrolment ensures that even if the password is later changed, the attacker remains the authoritative owner of the identity. It bypasses even modern push-based authentication.
ShinyHunters has become adept at using this technique to steal SSO session tokens. Once they’re in, threat actors can begin to move laterally through the target company’s application infrastructure. Google Mandiant says that these excursions are typically opportunistic. The attackers will just pick up whatever they can find, using search terms like “confidential” and “internal” to sniff out the juiciest pickings.
For years, the industry mantra has been “users are the weakest link”. This has helped to create a huge industry around cybersecurity awareness training tools. But ShinyHunters has proven that, even after all this time, a real-time script and some decent target research can manipulate employees.
Organisations should mandate ‘out-of-band’ approval from a user’s known manager before any password or MFA reset is processed. High-risk changes, such as MFA resets for privileged accounts, should be temporarily routed through these manual workflows during periods of heightened threat, Mandiant has previously urged.
However, more work will be necessary beyond these policies. Cory Michal, CSO at SaaS security company AppOmni, says that these awareness practices must evolve. “CISOs should redefine awareness from ‘teach employees to spot scams’ to engineering controls that assume some employees will be convincingly deceived,” he tells Assured Intelligence.
What should those controls look like? “Security has to rely less on user judgment and more on phishing-resistant MFA/passkeys, verified IT support workflows, least privilege, step-up authentication for sensitive actions, and strong identity monitoring so a single call or link can’t become a full compromise,” Michal continues.
Rethinking controls around SSO is important in limiting damage from an attack, argues George Gerchow, faculty at cybersecurity advisory company IANS and CSO at BedRock Data.
“SSO controls should align with data boundaries, not just apps,” he tells Assured Intelligence. “Conditional access, per-app session controls, and identity segmentation should ensure that a compromise in one app doesn’t automatically expose multiple data stores.”
An effective technical defence against real-time proxy kits is the transition to phishing-resistant MFA, specifically FIDO2/WebAuthn passkeys, or hardware security keys, says ProCircular’s Potter. Legacy MFA methods, including SMS, email, and even standard push notifications, are easily intercepted by an attacker acting as a manipulator in the middle. By contrast, FIDO2 keys rely on public-key cryptography and are cryptographically bound to the legitimate domain, making them immune to the current generation of ShinyHunters kits.
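To show why origin binding defeats a proxy kit, here is an added toy model of the WebAuthn assertion flow (not code from the article or from any vendor quoted in it): the browser, not the page, writes the page origin into clientDataJSON and only honours an rpId that is a suffix of the page's host, and the relying party rejects any assertion whose origin or rpIdHash does not match. The names company.example and sso.company.example and the HMAC stand-in for the credential key pair are assumptions.

```python
import hashlib, hmac, json, secrets

RP_ID = "company.example"                  # constructed relying-party ID
RP_ORIGIN = "https://sso.company.example"  # constructed legitimate SSO origin

class Authenticator:
    """Toy passkey holder: an HMAC key per rpId stands in for a per-RP key pair."""
    def __init__(self):
        self.creds = {}
    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]             # handed to the RP at enrolment (simplification)
    def sign(self, rp_id, auth_data, client_data_hash):
        key = self.creds.get(rp_id)
        if key is None:                      # no credential scoped to this rpId
            return None
        return hmac.new(key, auth_data + client_data_hash, "sha256").digest()

def browser_get_assertion(auth, page_origin, requested_rp_id, challenge):
    """Models the browser: it writes the origin itself and checks rpId against the host."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        return None                          # browser refuses the request
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest()  # rpIdHash
    sig = auth.sign(requested_rp_id, auth_data, hashlib.sha256(client_data).digest())
    return None if sig is None else (client_data, auth_data, sig)

def rp_verify(rp_key, assertion, challenge):
    """Relying party: check challenge, origin and rpIdHash, then the signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd["challenge"] != challenge or cd["origin"] != RP_ORIGIN:
        return False
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(rp_key, signed, "sha256").digest(), sig)

def login_attempt(page_origin, requested_rp_id):
    """One login: the page the victim is on (real, or a kit relaying the RP's challenge) calls the browser."""
    auth = Authenticator()
    rp_key = auth.register(RP_ID)            # passkey enrolled at the real SSO
    challenge = secrets.token_urlsafe(16)
    assertion = browser_get_assertion(auth, page_origin, requested_rp_id, challenge)
    return rp_verify(rp_key, assertion, challenge)
```

A page on a look-alike host cannot obtain a usable assertion whether it asks for the real rpId (the browser refuses) or its own (no credential exists for it, and the origin would not match anyway).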
Potter also points to continuous access evaluation (CAE) as a way to spot misuse of session tokens. CAE addresses the weakness of one-time authentication: once a session token has been issued, it is otherwise trusted for its whole lifetime, which leaves it open to abuse if stolen. CAE instead keeps checking how that token is being used throughout its life cycle.
“You’re continually assessing that, not only as the authentication happens, but also from a user behaviour standpoint: what that user is trying to do, what that user is trying to access, or what actions have happened in a sequence,” he says. This helps security teams spot erratic behaviour that you wouldn’t normally expect from a session token’s user.
The attackers’ reliance on human weakness may be a weakness in itself. These attacks operate at the speed of a phone conversation and a manual data search. That provides a window for detection, as long as the CISO has invested in the right telemetry.
“Vendor-side anomaly alerts won’t save you at scale,” AppOmni’s Michal warns. “To be accountable for your tenant security, you need complete, high-fidelity audit logs from every SaaS app, delivered quickly enough to detect and stop bulk access/exfil before it’s done, then run your own detections/UEBA and automated response on top of that telemetry.”
So what clues should CISOs look for in telemetry from SaaS applications and other parts of their infrastructure?
“Watch for rapid expansion of data access after authentication, new OAuth grants followed by exports, abnormally high read volumes, and access to high-value datasets shortly after identity recovery events, such as MFA resets,” says IANS’ Gerchow.
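An added example (not from the article, AppOmni or IANS) that runs the signals Gerchow lists over constructed SaaS audit events: exports that follow an MFA reset or OAuth grant within a lookback window, and bulk exports judged by row count. The event names, fields, threshold and window are assumptions; events are assumed to arrive in time order.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real SaaS logs), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-01-14T09:02:11Z","user":"a.lee","event":"mfa_reset","detail":"helpdesk"}
{"ts":"2026-01-14T09:05:40Z","user":"a.lee","event":"login","detail":"new_device"}
{"ts":"2026-01-14T09:09:03Z","user":"a.lee","event":"search","detail":"confidential"}
{"ts":"2026-01-14T09:12:18Z","user":"a.lee","event":"export","detail":"rows=48000"}
{"ts":"2026-01-14T10:30:00Z","user":"b.kim","event":"oauth_grant","detail":"app=report-sync"}
{"ts":"2026-01-14T10:41:12Z","user":"b.kim","event":"export","detail":"rows=120"}
{"ts":"2026-01-14T11:00:00Z","user":"c.ng","event":"export","detail":"rows=90000"}
{"ts":"2026-01-15T08:00:00Z","user":"d.ruiz","event":"mfa_reset","detail":"self_service"}
{"ts":"2026-01-15T16:30:00Z","user":"d.ruiz","event":"export","detail":"rows=300"}
"""

RECOVERY_EVENTS = {"mfa_reset", "password_reset", "oauth_grant"}
BULK_ROWS = 10_000           # assumed threshold for "abnormally high" volume
WINDOW = timedelta(hours=2)  # assumed lookback after a recovery/grant event

def parse(line):
    e = json.loads(line)
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e

def detect(log_text):
    """Return (user, reason) alerts: exports within WINDOW of an identity-recovery
    or OAuth-grant event for the same user, and bulk exports on their own."""
    alerts = []
    recent = defaultdict(list)           # user -> recovery/grant events seen so far
    for e in map(parse, log_text.splitlines()):
        if e["event"] in RECOVERY_EVENTS:
            recent[e["user"]].append(e)
        elif e["event"] == "export":
            rows = int(e["detail"].split("=")[1])
            priors = [p for p in recent[e["user"]] if e["ts"] - p["ts"] <= WINDOW]
            if priors:
                mins = int((e["ts"] - priors[-1]["ts"]).total_seconds() // 60)
                alerts.append((e["user"], f"export of {rows} rows {mins}m after {priors[-1]['event']}"))
            if rows >= BULK_ROWS:
                alerts.append((e["user"], f"bulk export of {rows} rows"))
    return alerts
```

On the sample, a.lee and b.kim trip the recovery-then-export rule, a.lee and c.ng trip the bulk rule, and d.ruiz's small export eight hours after a self-service reset stays quiet.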
He also advises increased scrutiny of SaaS vendors themselves. While the ShinyHunters breaches are not necessarily the fault of SaaS vendors, the vendors can be helpful for detection and response.
“CISOs should demand tenant-level visibility into exports, API pulls, and abnormal access patterns, and ensure those signals are available in real time, not just in after-the-fact reports,” Gerchow suggests.
If organisations do detect a vishing campaign, Gerchow recommends three immediate “break-glass” steps. CISOs should freeze all identity changes that expand data access, revoke and re-authenticate sessions for any users touching sensitive datasets, and throttle bulk API pulls or exports across all SaaS platforms.
The ShinyHunters campaign is a reminder that in a SaaS-first world, identity is the only perimeter that matters. “Whoever controls sessions, controls your data,” concludes ProCircular’s Potter. “If you’re worried about data exfiltration, it’s time to look at the identity plane.”
It’s clear from these attacks that you cannot train a human being to spot a coordinated, real-time deception. It is possible, however, to “out-engineer” the attacker by enforcing phishing-resistant authentication and monitoring SaaS telemetry with the same rigour once reserved for the network core. The goal is to ensure that, even if a user is fooled, the system will spot the incident before data leaves the building.