BlackFile Vishing Extortion: A Complete Q&A Guide to UNC6671's Campaign
This Q&A guide breaks down the BlackFile vishing extortion campaign operated by the threat actor group UNC6671, as tracked by Google Threat Intelligence Group (GTIG). Covering tactics from voice phishing to cloud exfiltration, it provides defenders with clear answers on how the group operates, who they target, and how to defend against these sophisticated attacks. Below are key questions and detailed answers based on GTIG's findings.
1. What is the BlackFile vishing extortion operation?
The BlackFile operation is a persistent extortion campaign conducted by the threat actor group UNC6671. First detected in early 2026, the group uses sophisticated voice phishing (vishing) combined with adversary-in-the-middle (AiTM) techniques to compromise single sign-on (SSO) platforms like Microsoft 365 and Okta. By tricking employees into providing credentials on fake phishing sites, UNC6671 bypasses multi-factor authentication (MFA) and traditional perimeter defenses. Once inside, they deploy Python and PowerShell scripts to systematically steal sensitive corporate data, which they then use as leverage for extortion. The group publicizes stolen data on a dedicated BlackFile data leak site (DLS) and has targeted dozens of organizations across North America, Australia, and the UK.

2. How does UNC6671 relate to the ShinyHunters group?
GTIG previously linked UNC6671 to ShinyHunters (UNC6240) in a report on SaaS data-theft techniques, but now assesses the operations are independent. Although UNC6671 has co-opted the ShinyHunters brand at least once to add false credibility to threats, several differences set them apart. They use separate TOX communication channels, register domains with unique patterns (often via Tucows), and operate a distinct BlackFile data leak site. These differences confirm that while both groups target cloud environments, UNC6671 operates as a separate entity with its own infrastructure and extortion methodology.
3. What tactics does UNC6671 use for initial access?
Initial access relies on high-volume vishing calls made by hired callers. They often target employees' personal mobile phones to bypass corporate security tools. The callers impersonate internal IT or help desk staff, using a pretext of a mandatory passkey migration or required MFA update. This excuse directs the victim to a fake credential harvesting website. The threat actor continuously refines this approach: they have moved from organization-specific credential harvesting domains to a subdomain-based model (e.g., subdomains with “passkey” or “enrollment” in the name), making detection harder. Domains are typically registered through Tucows, and the real-time phishing pages capture both passwords and session tokens, enabling AiTM attacks.
4. How does BlackFile bypass multi-factor authentication?
The group uses adversary-in-the-middle (AiTM) phishing kits that act as reverse proxies between the victim and legitimate services like Microsoft 365 or Okta. When the victim enters their credentials and completes MFA, the session token is captured by the attacker in real time. This token is then reused by the threat actor to access the victim’s cloud environment without triggering any new authentication prompts. Since the token appears to come from a legitimate session, MFA is effectively bypassed. This method does not exploit any vendor vulnerability; it exploits the human element through social engineering. GTIG emphasizes the need for phishing-resistant MFA, such as FIDO2 security keys, to mitigate this threat.
5. Which organizations are most commonly targeted?
UNC6671 primarily targets Microsoft 365 and Okta infrastructure across organizations in North America, Australia, and the UK. Since early 2026, GTIG has observed the group targeting dozens of organizations spanning various sectors, though specific industries are not explicitly listed. The campaign is broad, with high operational cadence implying opportunistic assaults rather than sector-specific focus. The attackers favor companies that use SSO and MFA, relying on vishing to trick employees rather than exploiting technical vulnerabilities. Any organization using cloud-based identity platforms—especially those with remote workers or high staff turnover—could be at risk. Defenders should audit their SSO configurations and train employees to recognize vishing attempts.

6. What defensive measures can organizations take?
Key defenses include deploying phishing-resistant MFA (e.g., hardware security keys), implementing strict conditional access policies, and monitoring for unusual login patterns such as geographically improbable logins or token replay. Organizations should also train employees to verify any IT or help desk call through a known-good channel, especially when contacted on personal devices. Because UNC6671 uses real-time AiTM kits, session token lifetimes should be shortened, and binding tokens to the device can help. Additionally, monitor for unauthorized use of Python or PowerShell scripts in cloud environments, and flag abnormal data exports. GTIG recommends reviewing logs for access from suspicious IPs or user agents after known vishing incidents. For a deeper dive into indicators, see question 3 above on initial access tactics.
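The two sign-in anomalies named above, geographically improbable logins and session-token replay from a new IP or user agent, can be checked with a small amount of log logic. The following is an added example written for this guide, not code from GTIG or from any identity vendor; the pipe-delimited log format, the field names, the session identifiers and the speed and replay-window thresholds are all constructed assumptions, and real Microsoft Entra ID or Okta sign-in events would need their own parser.

```python
"""
Added example: detect impossible-travel logins and session-token replay in
sign-in records. Log format, field names, session IDs and thresholds are
constructed for illustration; real IdP logs use different schemas.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling; faster implies two different actors
REPLAY_WINDOW_SEC = 3600    # assumed: same token from a new IP/UA within an hour

# Constructed sample log: ts|user|ip|user_agent|session_id|lat|lon
SAMPLE_LOG = """\
2026-02-10T09:00:00Z|alice|203.0.113.10|Chrome/122 Windows|sess-1|-33.87|151.21
2026-02-10T09:05:00Z|bob|192.0.2.5|Safari/17 macOS|sess-2|40.71|-74.01
2026-02-10T08:00:00Z|carol|198.51.100.20|Edge/122 Windows|sess-3|51.51|-0.13
2026-02-10T09:20:00Z|alice|198.51.100.7|python-requests/2.31|sess-1|52.52|13.40
2026-02-10T12:05:00Z|bob|192.0.2.5|Safari/17 macOS|sess-2|40.71|-74.01
2026-02-10T16:00:00Z|carol|198.51.100.21|Edge/122 Windows|sess-3|48.86|2.35
"""


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    user_agent: str
    session_id: str   # hypothetical: the IdP's session/token identifier
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_line(line):
    """Parse one constructed log line into a SignIn record."""
    ts, user, ip, ua, sess, lat, lon = line.strip().split("|")
    return SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                  user, ip, ua, sess, float(lat), float(lon))


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(events):
    """Return (rule, user, first_ip, second_ip) tuples for anomalous sign-ins."""
    events = sorted(events, key=lambda e: (e.user, e.ts))
    alerts = []
    last_by_user = {}        # previous sign-in per user, for travel speed
    first_by_session = {}    # first sighting of each session token
    for e in events:
        # Impossible travel: distance from previous login / elapsed time.
        prev = last_by_user.get(e.user)
        if prev is not None:
            hours = max((e.ts - prev.ts).total_seconds() / 3600, 1 / 3600)
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            if dist / hours > MAX_PLAUSIBLE_KMH:
                alerts.append(("impossible_travel", e.user, prev.ip, e.ip))
        last_by_user[e.user] = e

        # Token replay: same session token reused from a new IP or user agent
        # shortly after it was first seen.
        first = first_by_session.setdefault(e.session_id, e)
        if first is not e and (e.ip != first.ip or e.user_agent != first.user_agent) \
                and (e.ts - first.ts).total_seconds() <= REPLAY_WINDOW_SEC:
            alerts.append(("token_replay", e.user, first.ip, e.ip))
    return alerts


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only alice's second sign-in fires: Sydney to Berlin in twenty minutes is far beyond the speed ceiling, and the same session identifier reappears from a different IP and a scripted user agent inside the replay window. Carol's second login from a neighbouring IP eight hours later is not flagged, which is the point of the window: a genuine session that roams onto a new address over a working day should not drown the alert queue. In a real deployment the session identifier and geolocation would come from the identity provider's own sign-in logs, and the thresholds should be tuned against a baseline of normal travel for the workforce.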
7. What is the overall significance of this campaign?
The BlackFile campaign underscores that sophisticated identity-based attacks can circumvent even well-configured MFA through pure social engineering. UNC6671 demonstrates how vishing—voice phishing with detailed pretexts—remains a highly effective initial vector. The group’s use of subdomain-based credential harvesting domains, dedicated data leak sites, and separate communication channels shows a mature operation capable of targeting dozens of high-value organizations globally. Because the attacks don’t rely on vendor product vulnerabilities, every organization using cloud SSO must assume they could be targeted. This campaign reinforces the urgency of moving to phishing-resistant authentication and implementing robust employee awareness training as part of an identity-security strategy.