Perceptive Security
SOC/SIEM Consultancy

Mandiant details how ShinyHunters abuse SSO to steal cloud data
Published:
31 January 2026 at 15:02:12
Alert date:
31 January 2026 at 17:01:16
Source:
bleepingcomputer.com
Identity & Access, Data Breach & Exfiltration, Cloud & Virtualization
Mandiant reports on ShinyHunters threat group conducting SaaS data-theft attacks by abusing single sign-on (SSO) systems. The attacks involve targeted voice phishing (vishing) and company-branded phishing sites to steal SSO credentials and multi-factor authentication (MFA) codes. This represents an active campaign targeting cloud infrastructure through credential theft techniques. The attacks specifically focus on bypassing modern security controls like MFA to gain unauthorized access to cloud-based services and steal sensitive data.
Technical details
ShinyHunters conducts targeted voice phishing (vishing) attacks where threat actors impersonate corporate IT staff and direct employees to company-branded phishing sites. These sites use advanced phishing kits with interactive dialogs that capture SSO credentials and MFA codes in real time during phone calls. Attackers relay stolen credentials, trigger MFA challenges, and guide victims through authentication steps including push notifications. Once authenticated, attackers enroll their own MFA devices and access SSO dashboards (Okta, Microsoft Entra, Google) to reach multiple SaaS applications. They use PowerShell scripts for data downloads and tools like ToogleBox Recall to delete security notification emails.
Mitigation steps:
Prioritize behavior detection for SSO account compromise followed by rapid data exfiltration
Monitor for PowerShell User-Agent accessing SharePoint or OneDrive
Watch for unexpected Google Workspace OAuth authorization for ToogleBox Recall
Monitor deletion of MFA modification notification emails
Implement hardening of identity workflows and authentication resets
Ensure proper logging and telemetry collection
Deploy detections to find post-vishing behavior before data theft occurs
Use Google SecOps rules to detect ShinyHunters activity
Follow Mandiant's hardening, logging, and detection recommendations
Affected products:
Okta
Microsoft Entra
Google SSO
Salesforce
Microsoft 365
SharePoint
DocuSign
Slack
Atlassian
Dropbox
Google Drive
Google Workspace
OneDrive
ToogleBox Recall
Related links:
https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/
https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/
https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
https://www.tooglebox.com/features/email-recall
https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/
https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas
https://security.googlecloudcommunity.com/community-blog-42/new-to-google-secops-leveraging-okta-curated-detections-to-detect-shinyhunters-related-activity-6693
Related CVEs:
Related threat actors:
IOCs:
Phishing domain patterns: <companyname>sso.com, <companyname>internal.com
Domain patterns: my<companyname>sso.com, my-<companyname>sso.com
Support themes: <companyname>support.com, ticket-<companyname>.support
Identity provider impersonation: <companyname>okta.com, <companyname>azure.com
Access portals: <companyname>access.com, my<companyname>access.com
Example domain: matchinternal.com
Domains registered through NICENIC and Tucows
VPN services: Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, nsocks
PowerShell User-Agent accessing SharePoint/OneDrive
Unexpected Google Workspace OAuth authorization for ToogleBox Recall
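The log-based detections from the mitigation list (PowerShell User-Agent against SharePoint/OneDrive, unexpected OAuth authorization for ToogleBox Recall, deleted MFA-change notification emails) and the lookalike-domain shapes in the IOC list, as an added Python example that is not code from this page, Mandiant or Google SecOps. Event field names, the sample events and the OAuth allow-list are assumptions for the demo.

```python
import re

# Added example, not from the Mandiant report or this page. Field names, the sample
# events and the OAuth allow-list are constructed; map them to your own SIEM schema.
PS_UA = re.compile(r"PowerShell/", re.IGNORECASE)            # also hits "WindowsPowerShell/5.1"
M365_FILE_HOST = re.compile(r"\.sharepoint\.com$|onedrive", re.IGNORECASE)
RECALL_APP = "ToogleBox Recall"
MFA_WORDS = re.compile(r"\b(mfa|multi-?factor|authenticat\w*)\b", re.IGNORECASE)
CHANGE_WORDS = re.compile(r"\b(added|enrolled|changed|registered|new)\b", re.IGNORECASE)
LOOKALIKE_SHAPES = ["{c}sso.com", "{c}internal.com", "my{c}sso.com", "my-{c}sso.com",
                    "{c}support.com", "ticket-{c}.support", "{c}okta.com", "{c}azure.com",
                    "{c}access.com", "my{c}access.com"]   # <companyname> written as {c}

def lookalike_shape(domain, company):
    """Return the IOC domain pattern a domain matches for this company name, else None."""
    for shape in LOOKALIKE_SHAPES:
        if domain.lower().rstrip(".") == shape.format(c=company.lower()):
            return shape.replace("{c}", "<companyname>")
    return None

def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

def detect(events, approved_oauth_apps=frozenset()):
    """Return (rule, user, detail) tuples for events matching the alert's detection ideas."""
    hits = []
    for e in events:
        subj = e.get("subject", "")
        if e["source"] == "m365" and PS_UA.search(e.get("user_agent", "")) \
                and M365_FILE_HOST.search(host_of(e["url"])):
            hits.append(("powershell_ua_sharepoint_onedrive", e["user"], host_of(e["url"])))
        elif e["source"] == "gws" and e.get("event") == "authorize" \
                and e.get("app_name") == RECALL_APP and RECALL_APP not in approved_oauth_apps:
            hits.append(("unexpected_oauth_tooglebox_recall", e["user"], ",".join(e.get("scopes", []))))
        elif e["source"] == "gws" and e.get("event") == "delete_message" \
                and MFA_WORDS.search(subj) and CHANGE_WORDS.search(subj):
            hits.append(("mfa_notification_email_deleted", e["user"], subj))
    return hits

# Constructed sample events: a benign browser download, then the three flagged behaviours.
SAMPLE_EVENTS = [
    {"source": "m365", "user": "alice@example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
     "url": "https://example.sharepoint.com/sites/finance/Shared%20Documents/q4.xlsx"},
    {"source": "m365", "user": "alice@example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1",
     "url": "https://example-my.sharepoint.com/personal/alice/Documents/contracts.zip"},
    {"source": "gws", "user": "bob@example.com", "event": "authorize", "app_name": RECALL_APP,
     "scopes": ["https://mail.google.com/"]},
    {"source": "gws", "user": "bob@example.com", "event": "delete_message",
     "subject": "A new authenticator app was added to your account"},
]
```

Running `detect(SAMPLE_EVENTS)` yields three hits and skips the benign browser download; pass an allow-list of approved OAuth apps to suppress the Recall rule where that add-on is sanctioned.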
This article was created with the assistance of AI technology by Perceptive.
