Attack Chain

1. Initial Vishing: The attacker initiates a voice phishing (vishing) call to a target employee, often on their personal cellular phone, impersonating IT or help desk personnel.
2. Credential Harvesting: The attacker directs the victim to a fake SSO login page (e.g., <organization>.enrollms[.]com) under the guise of a mandatory passkey migration or MFA update, capturing their username and password.
3. MFA Bypass (AiTM): As the victim enters their credentials, the attacker relays them to the legitimate SSO provider, intercepting the MFA challenge (Push, SMS, or TOTP). The victim unknowingly provides the MFA code to the attacker.
4. Device Registration: With successful authentication, the attacker immediately registers a new, attacker-controlled MFA device to the user’s account for persistent access.
5. Lateral Movement: Using the compromised SSO credentials, the attacker moves laterally across the victim’s SaaS applications, focusing on Microsoft 365 and Okta environments. They access SharePoint, OneDrive, and other connected apps like Zendesk and Salesforce.
6. Data Discovery: The attacker queries internal search functions within these applications, looking for sensitive data using keywords such as “confidential” and “SSN.”
7. Programmatic Exfiltration: The attacker utilizes Python and PowerShell scripts to automate the exfiltration of high-value data from SharePoint and OneDrive repositories. They use Microsoft Graph API or direct HTTP GET requests, often using stolen session cookies (e.g., FedAuth) to stream file content to attacker-controlled infrastructure.
8. Extortion: After successfully exfiltrating sensitive data, UNC6671 threatens to leak the stolen information on their dedicated “BlackFile” data leak site (DLS) unless a ransom is paid.

Impact

UNC6671’s campaign has targeted dozens of organizations across North America, Australia, and the UK, resulting in the theft of sensitive corporate data. Successful attacks can lead to significant financial losses, reputational damage, and legal consequences due to the exposure of confidential information and personal data. The group’s use of social engineering and AiTM techniques allows them to bypass traditional security controls, making them a formidable threat to organizations relying on cloud-based services.

Recommendation

• Deploy the Sigma rule “Detect Mismatched User-Agent and Application Display Name in SharePoint Online” to identify scripted data exfiltration attempts with spoofed ClientAppId, based on the log example in this brief.
• Block the domains enrollms[.]com, passkeyms[.]com, and setupsso[.]com at the DNS resolver to prevent users from accessing credential harvesting sites.
• Implement phishing-resistant MFA methods, as highlighted in the overview, to prevent AiTM attacks.
• Monitor FileAccessed events in Microsoft 365 Unified Audit Logs for unusual activity, particularly those originating from non-standard infrastructure (VPNs, hosting providers) and associated with scripting engines like python-requests, per the forensic artifacts described.