Mandiant, part of Google, is warning organisations of an active and ongoing cybercrime campaign attributed to actors operating under the ShinyHunters name, leveraging advanced voice phishing (vishing) techniques to compromise enterprise identity environments.
Mandiant has observed attackers using evolved social engineering methods to successfully capture single sign-on (SSO) credentials and enrol attacker-controlled devices into victims’ multifactor authentication (MFA) frameworks. Once initial access is achieved, threat actors pivot rapidly into SaaS environments to access and exfiltrate sensitive data.
“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim MFA solutions,” said Charles Carmakal, CTO, Mandiant Consulting.
“This is an active and ongoing campaign. After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand.”
No Vendor Exploit, Identity Abuse at the Core
Mandiant emphasises that this activity does not stem from vulnerabilities in vendors’ products or infrastructure. Instead, the campaign relies on human-centric social engineering, impersonating IT support or security teams over the phone to manipulate users into disclosing credentials or approving authentication requests.
This approach allows attackers to bypass traditional detection mechanisms and establish persistence through legitimate identity controls rather than through malware deployment or network exploitation.
Widespread Targeting Observed
Mandiant has identified broad targeting across sectors and regions, with attackers tailoring phishing infrastructure to specific organisations and commonly used identity providers and SaaS platforms. In multiple cases, compromised organisations were subsequently contacted with extortion demands following unauthorised access to cloud-based data.
Mandiant Recommendations
In response to this activity, Mandiant strongly advises organisations to prioritise identity-centric security controls.
“While this is not the result of a security vulnerability in vendors’ products or infrastructure, we strongly recommend moving toward phishing-resistant MFA, such as FIDO2 security keys or passkeys where possible, as these protections are resistant to social engineering attacks in ways that push-based or SMS authentication are not,” Carmakal said.
“Administrators should also implement strict app authorization policies and monitor logs for anomalous API activity or unauthorized device enrollments.”
Additional defensive measures include strengthening helpdesk verification procedures, increasing employee awareness of vishing threats, and treating anomalous identity behaviour as a high-priority security signal.
Identity Remains a Primary Attack Vector
This campaign reinforces a growing trend observed by Mandiant: identity systems are now a primary attack surface for financially motivated threat actors. As organisations increasingly rely on SSO and cloud platforms, attackers are adapting their techniques to exploit trust, authentication workflows, and user behaviour.
Mandiant continues to monitor this activity and will provide further updates as the campaign evolves.




