Threat level: high

Social Engineering Attacks Targeting Enterprise SaaS Environments

Financially motivated threat actors are using social engineering techniques like vishing and credential harvesting to compromise enterprise SaaS environments, leading to data exfiltration and extortion.

Since mid-2025, financially motivated threat actors, potentially including ShinyHunters, have shifted their focus towards social-engineering-driven attacks targeting enterprise SaaS platforms and identity services. These campaigns bypass traditional vulnerability exploitation, instead relying on techniques like voice phishing (vishing), brand impersonation, credential harvesting, and abuse of help-desk processes to compromise user accounts. Once inside, the attackers prioritize data exfiltration and extortion, often operating without deploying malware. This approach makes detection more challenging because their activity blends in with legitimate user behavior. The attackers target a wide range of SaaS applications, including email, document repositories, CRM systems, HR platforms, and analytics tools. They exploit trusted third-party SaaS integrations and OAuth tokens to access downstream systems.

Attack Chain

  1. Initial Contact: The attacker initiates contact with an employee via phone, impersonating IT staff, an identity provider, or a trusted vendor.
  2. Social Engineering: The attacker claims urgent account or MFA changes are required and directs the victim to an attacker-controlled portal.
  3. Credential Harvesting: The victim enters their SSO credentials and MFA codes into the fake portal, which the attacker captures. Alternatively, the attacker uses an adversary-in-the-middle (AiTM) framework to capture a valid session in real time.
  4. Session Hijacking: The attacker uses the stolen credentials or session tokens to gain access to the victim’s SaaS accounts.
  5. Lateral Movement: Using the compromised SSO identity, the attacker pivots to other SaaS applications, such as email, document repositories, and CRM systems.
  6. Data Exfiltration: The attacker exfiltrates large volumes of sensitive data using legitimate APIs and export functions.
  7. Abuse of Third-Party Integrations: The attacker exploits trusted third-party SaaS integrations and stored authentication tokens to access downstream systems.
  8. Extortion: The attacker threatens public disclosure or sale of the stolen data if ransom demands are not met.

Impact

Successful attacks lead to the exfiltration of sensitive data from multiple SaaS applications. Victims face potential financial losses from extortion demands and reputational damage from data breaches. These attacks can impact organizations across various sectors that heavily rely on SaaS infrastructure. The absence of malware makes these attacks harder to detect with traditional endpoint security solutions. Recent reports suggest that ShinyHunters has been actively involved in corporate extortion sprees, indicating a widespread campaign affecting numerous organizations.

Recommendations

  • Deploy phishing-resistant MFA, such as FIDO2 security keys or passkeys, especially for administrators and users with access to sensitive SaaS data (Identity and Access Controls).
  • Monitor identity provider and SaaS logs for anomalous sign-ins, unusual API activity, and high-volume data exports (SaaS and Cloud Security).
  • Implement a Sigma rule to detect access to look-alike domains or impersonated subdomains resembling corporate or SSO portals based on DNS or proxy logs (see rule: “Detect Access to Impersonated Subdomains”).
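The third recommendation is easier to reason about with the matching logic written out. The following Python is an added example, not part of the original feed and not the platform's own Sigma rule: it scans constructed DNS query log lines for domains that either embed the corporate brand label in a non-corporate registered domain (the pattern of the page's IoC, organizationsso[.]com) or sit within a small edit distance of it (typosquats). The log format, the host names, the protected domain "organization.com", the brand token, the keyword list and the edit-distance threshold are all assumptions for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample DNS query log lines (not real telemetry); the
# key=value line format is an assumption for this example.
SAMPLE_DNS_LOG = """\
2025-09-01T10:02:11Z host=WS-0142 query=sso.organization.com rtype=A
2025-09-01T10:02:40Z host=WS-0142 query=organizationsso.com rtype=A
2025-09-01T10:03:05Z host=WS-0231 query=organization-sso-login.net rtype=A
2025-09-01T10:03:09Z host=WS-0231 query=updates.organization.com rtype=A
2025-09-01T10:04:00Z host=WS-0377 query=organlzation.com rtype=A
2025-09-01T10:04:30Z host=WS-0377 query=cdn.example.net rtype=A
"""

# Assumptions: the legitimate corporate domain(s) and the brand label to protect.
LEGIT_DOMAINS = {"organization.com"}
BRAND_TOKENS = {"organization"}
# Words that commonly appear in fake SSO/MFA portal names; reported for triage only.
AUTH_KEYWORDS = ("sso", "login", "signin", "mfa", "auth", "idp")
MAX_EDIT_DISTANCE = 2

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used to catch typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(fqdn: str) -> str:
    """Last two labels of the name (simplification: ignores multi-label public suffixes)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(fqdn: str) -> Optional[str]:
    """Return a reason string if the name impersonates a protected brand, else None."""
    rd = registered_domain(fqdn)
    if rd in LEGIT_DOMAINS:
        return None  # subdomains of the real corporate domain are fine
    label = rd.split(".")[0]
    for brand in BRAND_TOKENS:
        if brand in label:
            return f"brand '{brand}' embedded in non-corporate domain {rd}"
        d = levenshtein(label, brand)
        if d <= MAX_EDIT_DISTANCE:
            return f"label '{label}' is {d} edit(s) from brand '{brand}' (possible typosquat)"
    return None


def scan(log_text: str) -> List[Dict]:
    """Run classify() over every query in the log and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fqdn = m.group("query")
        reason = classify(fqdn)
        if reason is None:
            continue
        alerts.append({
            "host": m.group("host"),
            "fqdn": fqdn,
            "reason": reason,
            "keywords": [k for k in AUTH_KEYWORDS if k in fqdn.lower()],
        })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_DNS_LOG):
        print(f"{a['host']}: {a['fqdn']} -> {a['reason']} keywords={a['keywords']}")
```

On the sample log this flags organizationsso.com and organization-sso-login.net (brand embedded, with "sso"/"login" in the name) and organlzation.com (one edit from the brand), while the real sso.organization.com and updates.organization.com pass. The edit-distance check is only useful for brand labels of reasonable length; for short tokens a threshold of 2 will match unrelated words, so tune MAX_EDIT_DISTANCE per brand and pair the rule with an allowlist of partner domains that legitimately contain the brand name.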

Detection coverage (2 rules)

Detect Access to Impersonated Subdomains

Severity: medium

Detects access to subdomains that impersonate legitimate corporate or SSO portals, a technique used in SaaS compromise attacks.

Rule type: Sigma. Tactics: initial_access. Techniques: T1566.001. Sources: dns_query, windows

Detect MFA Bypass via Session Creation Without Interactive Challenge

Severity: high

Detects potential MFA bypass by identifying SSO session creation events lacking corresponding interactive MFA challenges.

Rule type: Sigma. Tactics: credential_access. Techniques: T1199. Sources: authentication, o365
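The correlation this rule describes, pairing each SSO session creation with a preceding interactive MFA success for the same user, is shown below as an added Python example. It is not the platform's rule and not code from the original feed: it reads constructed identity-provider audit events (JSON lines) and flags sessions with no successful MFA challenge for that user inside a look-back window. The event names, field names, user names and the five-minute window are assumptions; real identity providers use their own event types and field names.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed identity-provider audit events (JSON lines), not real logs.
# Event names and field names are assumptions for this example.
SAMPLE_AUTH_EVENTS = """\
{"time": "2025-09-01T09:00:00Z", "event": "mfa.challenge.success", "user": "alice"}
{"time": "2025-09-01T09:00:20Z", "event": "session.create", "user": "alice", "session_id": "s-1001"}
{"time": "2025-09-01T09:05:00Z", "event": "session.create", "user": "bob", "session_id": "s-1002"}
{"time": "2025-09-01T09:10:00Z", "event": "mfa.challenge.failure", "user": "carol"}
{"time": "2025-09-01T09:10:30Z", "event": "session.create", "user": "carol", "session_id": "s-1003"}
{"time": "2025-09-01T08:00:00Z", "event": "mfa.challenge.success", "user": "dave"}
{"time": "2025-09-01T09:30:00Z", "event": "session.create", "user": "dave", "session_id": "s-1004"}
"""

SESSION_EVENT = "session.create"
MFA_SUCCESS_EVENT = "mfa.challenge.success"
DEFAULT_WINDOW_SECONDS = 300  # assumption: MFA must have succeeded within 5 minutes


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_events(jsonl: str) -> List[Dict]:
    """Parse JSON lines and sort by timestamp so look-back state is built in order."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = parse_time(e["time"])
    return sorted(events, key=lambda e: e["_ts"])


def find_unchallenged_sessions(jsonl: str, window_seconds: int = DEFAULT_WINDOW_SECONDS) -> List[Dict]:
    """Flag session creations not preceded by a successful MFA challenge
    for the same user within the window. Failed challenges do not count."""
    window = timedelta(seconds=window_seconds)
    last_mfa_success: Dict[str, datetime] = {}
    alerts = []
    for e in load_events(jsonl):
        user = e["user"]
        if e["event"] == MFA_SUCCESS_EVENT:
            last_mfa_success[user] = e["_ts"]
        elif e["event"] == SESSION_EVENT:
            last = last_mfa_success.get(user)
            if last is None:
                reason = "no successful MFA challenge on record for this user"
            elif e["_ts"] - last > window:
                gap = int((e["_ts"] - last).total_seconds())
                reason = f"last successful MFA challenge was {gap}s earlier (window {window_seconds}s)"
            else:
                continue  # session is covered by a recent MFA success
            alerts.append({
                "user": user,
                "session_id": e.get("session_id"),
                "time": e["time"],
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for a in find_unchallenged_sessions(SAMPLE_AUTH_EVENTS):
        print(f"{a['time']} {a['user']} {a['session_id']}: {a['reason']}")
```

On the sample data alice is clean, bob has no MFA event at all, carol only has a failed challenge, and dave's last success is 90 minutes old, so three alerts come out. Two caveats matter in production: sessions created by token refresh or by IdP-initiated SSO into a downstream app legitimately have no fresh challenge and must be separated from interactive logins by event type, or the rule will be noisy; and an AiTM-proxied login (attack chain step 3) does produce a genuine MFA success, so this rule catches sessions minted without a challenge, not sessions stolen after one.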


Indicators of compromise (1)

Type    Value
domain  organizationsso[.]com