- Google’s Mandiant reported a surge in advanced voice phishing attacks by the ShinyHunters group, targeting SaaS applications for data theft and extortion on January 31, 2026.
- The hackers impersonate IT staff to steal single sign-on credentials and MFA codes, subsequently accessing and exfiltrating sensitive corporate data from platforms like SharePoint and OneDrive.
- Cryptocurrency-focused companies are among the targets, with actors using compromised email accounts to launch further phishing campaigns and then deleting the evidence.
- Google recommends moving to phishing-resistant MFA like FIDO2 security keys and improving help desk verification processes, as detailed in its hardening guide.
On January 31, 2026, Google‘s threat intelligence arm Mandiant identified a dangerous expansion in financially motivated cyberattacks, according to a new report. The activity, linked to the ShinyHunters extortion group, uses sophisticated voice phishing to steal employee credentials and hijack cloud-based applications.
Attackers, tracked as UNC6661 and UNC6671, pose as IT support staff in phone calls directing victims to fake login pages. Once they obtain multi-factor authentication codes, they register their own devices and move laterally across corporate networks.
Consequently, the hackers siphon sensitive data from software-as-a-service platforms to extort the victims. In some cases, they even weaponize access to compromised email accounts for additional phishing, specifically targeting cryptocurrency firms.
Meanwhile, Google has outlined extensive defensive measures to counter this rising threat to SaaS security. Recommendations include enforcing device access controls and monitoring for suspicious OAuth authorization events with tools like ToogleBox Email Recall.
“This activity is not the result of a security vulnerability in vendors’ products or infrastructure,” Google stated. The company stressed that the attacks highlight the critical need for organizations to adopt phishing-resistant authentication methods.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
