
Welcome to BlackFile: Inside a Vishing Extortion Operation

UNC6671, operating under the BlackFile brand, conducts sophisticated vishing and Adversary-in-the-Middle (AiTM) attacks to bypass MFA and compromise SSO platforms like Microsoft 365 and Okta. Once inside, the group uses automated Python and PowerShell scripts to rapidly exfiltrate sensitive data via APIs, often masking their activity as routine file access events, before launching aggressive extortion campaigns.

Confidence: high · Analyzed: 2026-05-15 · Google

Authors: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo

Actors: UNC6671, BlackFile, ShinyHunters

Source: Mandiant

IOCs · 2

Detection / Hunter: Google

What Happened

A cybercriminal group known as BlackFile is calling employees on their personal phones, pretending to be IT support, to steal their login credentials. By tricking employees into handing over security codes, the attackers bypass multi-factor authentication and gain access to company systems like Microsoft 365. Once inside, they use automated programs to quickly steal massive amounts of sensitive company data and then demand a ransom, threatening to release the data or harass employees if unpaid. Organizations should train employees on these phone-based scams and upgrade to stronger, phishing-resistant security keys.

Key Takeaways

  • UNC6671 (BlackFile) uses vishing and AiTM techniques to bypass traditional MFA and compromise SSO environments like Microsoft 365 and Okta.
  • Upon gaining access, threat actors immediately register a new, attacker-controlled MFA device to establish persistence.
  • Data exfiltration is highly automated using Python and PowerShell scripts, often masking activity as routine 'FileAccessed' events rather than 'FileDownloaded'.
  • Extortion tactics are aggressive, including spamming employee mailboxes, threatening voicemails to executives, and swatting company personnel.
  • Although the BlackFile Data Leak Site (DLS) recently announced a shutdown, the group's cloud-centric data theft techniques remain a significant ongoing threat.

Affected Systems

  • Microsoft 365
  • Okta
  • SharePoint
  • OneDrive
  • Salesforce
  • Zendesk
  • Entra ID

Attack Chain

UNC6671 initiates attacks via vishing, contacting employees on personal phones under the guise of IT support to direct them to lookalike SSO portals. Using real-time adversary-in-the-middle (AiTM) techniques, the actors capture credentials and MFA codes to authenticate and immediately register a new attacker-controlled MFA device for persistence. The actors then utilize automated Python and PowerShell scripts to rapidly exfiltrate data from SaaS applications like SharePoint and OneDrive via direct API calls. Finally, the group launches aggressive extortion campaigns using Tox, Session, and hijacked internal email accounts, threatening data publication and employing harassment tactics like swatting.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Google Security Operations (SecOps)

Google SecOps provides broad category rules under the Okta and O365 rule packs to detect the behaviors outlined, such as suspicious Okta admin actions and high-volume SharePoint file access.

Detection Engineering Assessment

  • EDR Visibility: Low. The attack primarily targets cloud SaaS environments (M365, Okta) and utilizes legitimate APIs for exfiltration, bypassing traditional endpoint telemetry.
  • Network Visibility: Low. Traffic is encrypted and occurs directly between the threat actor's infrastructure and the cloud provider's APIs, not traversing the corporate network.
  • Detection Difficulty: Moderate. Requires correlating identity provider logs with SaaS audit logs, specifically looking for anomalous MFA registrations and high-volume 'FileAccessed' events from scripting user agents.

Required Log Sources

  • Microsoft 365 Unified Audit Log (UAL)
  • Okta System Logs
  • Identity Provider (IdP) Logs

Hunting Hypotheses

  • Hypothesis: Threat actors are using automated scripts to access or download large volumes of files from SharePoint/OneDrive.
    Telemetry: Microsoft 365 UAL (FileAccessed, FileDownloaded) · ATT&CK Stage: Exfiltration · FP Risk: Medium
  • Hypothesis: An attacker has bypassed MFA and immediately registered a new MFA device to maintain persistence.
    Telemetry: IdP Logs (system.multifactor.factor.setup preceded by user.authentication.auth_via_mfa failures) · ATT&CK Stage: Persistence · FP Risk: Low
  • Hypothesis: Authentication attempts are originating from commercial VPNs or hosting providers that deviate from the user's typical baseline.
    Telemetry: IdP Logs, Entra ID Sign-in Logs · ATT&CK Stage: Initial Access · FP Risk: Medium
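The second hypothesis (a new MFA factor set up shortly after MFA failures for the same user) as a runnable hunt over constructed Okta System Log-shaped records. This is an added example, not code from the Mandiant report or from Google SecOps; the event names follow the hypothesis text, and the record layout (eventType, outcome.result, actor.alternateId, published) is assumed to mirror the Okta System Log JSON.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed Okta System Log-shaped records, not real data: alice fails MFA
# twice, succeeds, then a new factor is set up minutes later; bob enrolls
# a factor with no preceding failures (expected benign).
SAMPLE_EVENTS = [
    {"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"}, "published": "2026-05-10T09:00:05Z"},
    {"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"}, "published": "2026-05-10T09:01:10Z"},
    {"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "published": "2026-05-10T09:02:40Z"},
    {"eventType": "system.multifactor.factor.setup", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "published": "2026-05-10T09:04:00Z"},
    {"eventType": "system.multifactor.factor.setup", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"}, "published": "2026-05-10T11:30:00Z"},
]


def find_suspicious_factor_setups(events, window_minutes=15, min_failures=1):
    """Return (user, setup_time, failure_count) for every factor setup that was
    preceded, within `window_minutes`, by at least `min_failures` MFA failures
    for the same user."""
    failures = defaultdict(list)   # user -> timestamps of MFA failures seen so far
    hits = []
    window = timedelta(minutes=window_minutes)
    for e in sorted(events, key=lambda e: e["published"]):
        user = e["actor"]["alternateId"]
        when = datetime.strptime(e["published"], FMT)
        if (e["eventType"] == "user.authentication.auth_via_mfa"
                and e["outcome"]["result"] == "FAILURE"):
            failures[user].append(when)
        elif e["eventType"] == "system.multifactor.factor.setup":
            # Count only failures that fall inside the look-back window.
            recent = [t for t in failures[user] if when - t <= window]
            if len(recent) >= min_failures:
                hits.append((user, e["published"], len(recent)))
    return hits
```

Tune `window_minutes` against your own baseline: too wide a window pulls in unrelated failures from a user's normal day.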

Control Gaps

  • Lack of phishing-resistant MFA (FIDO2/Passkeys)
  • Over-reliance on 'FileDownloaded' events while ignoring 'FileAccessed' events for data exfiltration monitoring
  • Insufficient monitoring of new MFA device registrations

Key Behavioral Indicators

  • User-Agent strings indicating scripting engines (e.g., python-requests/2.28.1, WindowsPowerShell/5.1) accessing SharePoint/OneDrive.
  • ClientAppId spoofed as 'Microsoft Office' combined with a scripting User-Agent.
  • High volume of FileAccessed events in a short time window exceeding human browsing capabilities.
  • Subdomains registered with Tucows containing 'passkey', 'enrollment', or 'setupsso' themes.
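The first three behavioral indicators above (scripting User-Agent, ClientAppId claiming 'Microsoft Office' alongside that User-Agent, and a FileAccessed burst faster than a human browses) combined into one hunt over constructed Microsoft 365 Unified Audit Log-shaped records. This is an added example, not code from the Mandiant report or Google SecOps; the field names Operation, UserId, CreationTime, UserAgent and ClientAppId are assumed to mirror the UAL record layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# User-Agents named in the indicators above; extend for your environment.
SCRIPTING_UA = re.compile(r"python-requests|WindowsPowerShell", re.IGNORECASE)
FMT = "%Y-%m-%dT%H:%M:%S"


def make_sample_records():
    """Constructed UAL-shaped records, not real data: 25 script-driven accesses
    by alice within 25 s, 3 browser accesses by bob spread over 3 min."""
    base = datetime(2026, 5, 10, 9, 0, 0)
    recs = [{"Operation": "FileAccessed", "UserId": "alice@example.com",
             "CreationTime": (base + timedelta(seconds=i)).strftime(FMT),
             "UserAgent": "python-requests/2.28.1", "ClientAppId": "Microsoft Office"}
            for i in range(25)]
    recs += [{"Operation": "FileAccessed", "UserId": "bob@example.com",
              "CreationTime": (base + timedelta(minutes=i)).strftime(FMT),
              "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
              "ClientAppId": "Microsoft Office"} for i in range(3)]
    return recs


def hunt_bulk_access(records, window_seconds=60, threshold=20):
    """Return one alert per user whose FileAccessed/FileDownloaded events reach
    `threshold` inside any sliding window of `window_seconds`, or whose
    ClientAppId claims 'Microsoft Office' while the User-Agent is a script."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation") in ("FileAccessed", "FileDownloaded"):
            per_user[r["UserId"]].append(r)
    alerts = []
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["CreationTime"])   # ISO timestamps sort lexically
        times = [datetime.strptime(r["CreationTime"], FMT) for r in recs]
        peak = start = 0
        for end in range(len(times)):   # sliding window over the sorted times
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            peak = max(peak, end - start + 1)
        scripted = [r for r in recs if SCRIPTING_UA.search(r.get("UserAgent", ""))]
        spoofed = any(r.get("ClientAppId") == "Microsoft Office" for r in scripted)
        if peak >= threshold or spoofed:
            alerts.append({"user": user, "peak_in_window": peak,
                           "scripting_ua": bool(scripted), "spoofed_client_app": spoofed})
    return alerts
```

Counting FileAccessed alongside FileDownloaded is the point of the control-gap note below it: an API client reading file contents often leaves only FileAccessed behind.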

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider reviewing identity provider logs for recent anomalous MFA device registrations, particularly those following failed authentication attempts.
  • Evaluate whether to implement conditional access policies that block or challenge authentications from known commercial VPN exit nodes and hosting providers.

Infrastructure Hardening

  • Evaluate transitioning to phishing-resistant MFA, such as FIDO2-compliant security keys or passkeys, to mitigate AiTM attacks.
  • Consider configuring environment-specific credential guarding, such as Google Workspace Password Alert or Microsoft Defender SmartScreen, to intercept credential submissions on low-reputation sites.

User Protection

  • If supported by your IdP, consider monitoring for specific IdP SDK User-Agents on devices not previously associated with a user's profile.
  • Evaluate implementing strict session timeout policies for critical SaaS applications to limit the window of opportunity for hijacked session cookies.

Security Awareness

  • Consider updating security awareness training to specifically address vishing tactics, emphasizing that IT support will never ask for MFA codes over the phone.
  • Evaluate establishing and communicating a clear, out-of-band verification process for employees to confirm the identity of IT personnel requesting security changes.

MITRE ATT&CK Mapping

  • T1566.004 - Phishing: Spearphishing Voice
  • T1111 - Two-Factor Authentication Interception
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1556 - Modify Authentication Process
  • T1530 - Data from Cloud Storage Object
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.006 - Command and Scripting Interpreter: Python