
"Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to successfully compromise SSO credentials from victim organisations, and enrol threat actor controlled devices into victim MFA solutions," he told Computer Weekly via email. "This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organisations with an extortion demand."
"While this is not the result of a security vulnerability in vendors' products or infrastructure, we strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible," said Carmakal. "These protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not. Administrators should also implement strict app authorisation policies and monitor logs for anomalous API activity or unauthorised device enrolments."
Google Cloud's Mandiant is tracking a ShinyHunters-branded campaign using evolved vishing techniques to compromise SSO credentials and enroll attacker-controlled devices into victim MFA solutions. The campaign targets Google, Microsoft and Okta environments and has affected Crunchbase, SoundCloud, and Betterment. After initial access, threat actors pivot into SaaS environments to exfiltrate sensitive data, and some victims have received extortion demands. Sophos CTU has tracked roughly 150 hacker-controlled domains linked to the activity, with many domains created in December 2025. Recommended mitigations include adopting phishing-resistant MFA (FIDO2 or passkeys), enforcing strict app authorization policies, and monitoring logs for anomalous API activity and unauthorized device enrollments.
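As an added example (not code from Computer Weekly, Mandiant or any vendor), one way to act on the last recommendation: a small Python check over constructed, Okta-style sign-in and MFA-enrolment records that flags a factor activation occurring shortly after a sign-in from an IP address the user has never used before. The event names mirror Okta System Log eventTypes, but the record schema, field names and sample values are assumptions.

```python
from datetime import datetime, timedelta

# Enrolment must follow the novel sign-in within this window to be flagged.
WINDOW = timedelta(minutes=30)

# Constructed sample records (not real telemetry). Only the fields the check
# needs are present; real Okta System Log events carry far more.
SAMPLE_LOG = [
    {"ts": "2025-12-10T09:01:00Z", "event": "user.session.start", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-12-10T09:05:00Z", "event": "user.mfa.factor.activate", "user": "alice", "ip": "203.0.113.5"},
    {"ts": "2025-12-12T14:10:00Z", "event": "user.session.start", "user": "bob", "ip": "198.51.100.7"},
    {"ts": "2025-12-12T14:12:00Z", "event": "user.mfa.factor.activate", "user": "bob", "ip": "198.51.100.7"},
    {"ts": "2025-12-15T11:00:00Z", "event": "user.session.start", "user": "alice", "ip": "192.0.2.44"},
    {"ts": "2025-12-15T11:04:00Z", "event": "user.mfa.factor.activate", "user": "alice", "ip": "192.0.2.44"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window=WINDOW):
    """Return (user, ip, enrolment_ts) for every MFA factor activation that
    happens within `window` of a sign-in from an IP the user had never used
    before. Users with no earlier sign-ins at all are treated as onboarding
    and skipped, so first-day enrolments do not flood the alert queue."""
    events = sorted(events, key=lambda e: e["ts"])
    seen_ips = {}       # user -> IPs used for earlier sign-ins
    novel_logins = {}   # user -> (ip, ts) of the latest sign-in from a new IP
    hits = []
    for e in events:
        user, ip, ts = e["user"], e["ip"], _parse_ts(e["ts"])
        if e["event"] == "user.session.start":
            prior = seen_ips.setdefault(user, set())
            if prior and ip not in prior:
                novel_logins[user] = (ip, ts)
            prior.add(ip)
        elif e["event"] == "user.mfa.factor.activate":
            novel = novel_logins.get(user)
            if novel and novel[0] == ip and ts - novel[1] <= window:
                hits.append((user, ip, e["ts"]))
    return hits


if __name__ == "__main__":
    for user, ip, ts in find_suspicious_enrollments(SAMPLE_LOG):
        print(f"ALERT: {user} enrolled a new factor at {ts} from never-seen IP {ip}")
```

Alice's re-enrolment from her usual address and Bob's first-day enrolment stay quiet; only the enrolment that follows Alice's sign-in from an unfamiliar address is reported.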
Read at ComputerWeekly.com