{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/zendesk/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["UNC6671"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft 365","Okta","SharePoint","OneDrive","Zendesk","Salesforce"],"_cs_severities":["high"],"_cs_tags":["vishing","extortion","aitm","credential-theft","data-exfiltration","sso"],"_cs_type":"threat","_cs_vendors":["Google","Microsoft","Okta","Tucows","Zendesk","Salesforce"],"content_html":"\u003cp\u003eUNC6671, known as \u0026ldquo;BlackFile,\u0026rdquo; is engaged in an extensive extortion campaign targeting organizations using sophisticated vishing and SSO compromise techniques. Since early 2026, the group has targeted dozens of organizations across North America, Australia, and the UK. The group leverages adversary-in-the-middle (AiTM) attacks to bypass traditional security measures, including multi-factor authentication (MFA), primarily targeting Microsoft 365 and Okta environments. UNC6671 employs Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data from SharePoint and OneDrive, later used for extortion. 
These attacks do not exploit software vulnerabilities but rely on social engineering, highlighting the need for phishing-resistant MFA.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Vishing:\u003c/strong\u003e The attacker initiates a voice phishing (vishing) call to a target employee, often on their personal cellular phone, impersonating IT or help desk personnel.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The attacker directs the victim to a fake SSO login page (e.g., \u003ccode\u003e\u0026lt;organization\u0026gt;.enrollms[.]com\u003c/code\u003e) under the guise of a mandatory passkey migration or MFA update, capturing their username and password.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass (AiTM):\u003c/strong\u003e As the victim enters credentials into the lookalike page, the attacker\u0026rsquo;s proxy relays them in real time to the legitimate SSO provider, which issues the MFA challenge (push, SMS, or TOTP). The victim approves the push prompt or types the one-time code into the phishing page, completing the login; because the proxy sat between the victim and the provider, the resulting authenticated session and its cookies belong to the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDevice Registration:\u003c/strong\u003e With successful authentication, the attacker immediately registers a new, attacker-controlled MFA device to the user\u0026rsquo;s account for persistent access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using the compromised SSO credentials, the attacker moves laterally across the victim\u0026rsquo;s SaaS applications, focusing on Microsoft 365 and Okta environments. 
They access SharePoint, OneDrive, and other connected apps like Zendesk and Salesforce.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Discovery:\u003c/strong\u003e The attacker queries internal search functions within these applications, looking for sensitive data using keywords such as \u0026ldquo;confidential\u0026rdquo; and \u0026ldquo;SSN.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProgrammatic Exfiltration:\u003c/strong\u003e The attacker utilizes Python and PowerShell scripts to automate the exfiltration of high-value data from SharePoint and OneDrive repositories. They use Microsoft Graph API or direct HTTP GET requests, often using stolen session cookies (e.g., FedAuth) to stream file content to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExtortion:\u003c/strong\u003e After successfully exfiltrating sensitive data, UNC6671 threatens to leak the stolen information on their dedicated \u0026ldquo;BlackFile\u0026rdquo; data leak site (DLS) unless a ransom is paid.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUNC6671\u0026rsquo;s campaign has targeted dozens of organizations across North America, Australia, and the UK, resulting in the theft of sensitive corporate data. Successful attacks can lead to significant financial losses, reputational damage, and legal consequences due to the exposure of confidential information and personal data. 
The group\u0026rsquo;s use of social engineering and AiTM techniques allows them to bypass traditional security controls, making them a formidable threat to organizations relying on cloud-based services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Mismatched User-Agent and Application Display Name in SharePoint Online\u0026rdquo; to identify scripted data exfiltration in which the ClientAppId is spoofed to look like an interactive client while the User-Agent still reveals a scripting library.\u003c/li\u003e\n\u003cli\u003eBlock the domains \u003ccode\u003eenrollms[.]com\u003c/code\u003e, \u003ccode\u003epasskeyms[.]com\u003c/code\u003e, and \u003ccode\u003esetupsso[.]com\u003c/code\u003e, including all subdomains (the lure pages use per-target hostnames such as \u003ccode\u003e\u0026lt;organization\u0026gt;.enrollms[.]com\u003c/code\u003e), at the DNS resolver to prevent users from reaching the credential harvesting sites.\u003c/li\u003e\n\u003cli\u003eImplement phishing-resistant MFA (FIDO2/WebAuthn passkeys or certificate-based authentication), as highlighted in the overview; these credentials are bound to the legitimate origin, so an AiTM proxy on a lookalike domain cannot relay them.\u003c/li\u003e\n\u003cli\u003eMonitor FileAccessed events in Microsoft 365 Unified Audit Logs for unusual activity, particularly high-volume access originating from non-standard infrastructure (VPNs, hosting providers) and carrying scripting-client User-Agents such as python-requests, which matches the scripted exfiltration described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T17:08:04Z","date_published":"2026-05-15T17:08:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-blackfile-vishing/","summary":"UNC6671, operating under the \"BlackFile\" brand, conducts a sophisticated extortion campaign targeting organizations through voice phishing (vishing) and single sign-on (SSO) compromise, using adversary-in-the-middle (AiTM) techniques to bypass MFA and exfiltrate sensitive corporate data.","title":"CraftedSignal Threat Feed — 
Zendesk","version":"https://jsonfeed.org/version/1.1"}
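The recommendations in the brief above name a Sigma rule for User-Agent / Application Display Name mismatches and a FileAccessed monitoring pattern, but the feed item does not reproduce either. The following is an added example, not part of the feed item and not CraftedSignal's or Microsoft's own rule, of the same two checks written in Python over Unified Audit Log records. Field names follow the SharePoint Online audit schema (Operation, Workload, UserId, ClientIP, UserAgent, ApplicationDisplayName, ObjectId); every record, user, IP address and the "Tenant Backup App" name is constructed; the interactive-application list and the burst threshold are assumptions to tune per tenant.

```python
"""Flag scripted SharePoint/OneDrive exfiltration in Microsoft 365 Unified Audit Log exports.

Two checks, mirroring the detections named in the brief:
  1. User-Agent / ApplicationDisplayName mismatch: a scripting client (python-requests,
     PowerShell, curl, ...) presenting an application display name that belongs to an
     interactive client is a sign the ClientAppId was spoofed.
  2. FileAccessed burst: many file reads for one user from one client IP.
All records below are CONSTRUCTED for illustration; field names follow the SharePoint
Online audit schema (Operation, Workload, UserId, ClientIP, UserAgent,
ApplicationDisplayName, ObjectId).
"""
import json
import re
from collections import Counter

# User-Agent fragments that identify HTTP libraries and shells rather than browsers or Office.
SCRIPT_UA = re.compile(
    r"python-requests|python-urllib|aiohttp|httpx|WindowsPowerShell|PowerShell/|curl/|Go-http-client",
    re.IGNORECASE,
)

# Display names that imply an interactive, non-scripted client. ASSUMPTION: tune per tenant.
INTERACTIVE_APPS = {
    "Microsoft Office",
    "OneDrive Sync",
    "Office 365 SharePoint Online",
}

BURST_THRESHOLD = 50  # FileAccessed events per (user, IP) in one export; ASSUMPTION, tune per tenant


def is_ua_app_mismatch(rec):
    """True when a scripting User-Agent claims an interactive application display name."""
    return (
        rec.get("Operation") == "FileAccessed"
        and rec.get("Workload") in ("SharePoint", "OneDrive")
        and SCRIPT_UA.search(rec.get("UserAgent", "")) is not None
        and rec.get("ApplicationDisplayName") in INTERACTIVE_APPS
    )


def detect(records, threshold=BURST_THRESHOLD):
    """Run both checks over parsed audit records and return a list of findings."""
    findings = []
    bursts = Counter()
    for rec in records:
        if is_ua_app_mismatch(rec):
            findings.append({
                "rule": "ua_app_mismatch",
                "user": rec.get("UserId"),
                "ip": rec.get("ClientIP"),
                "ua": rec.get("UserAgent"),
                "app": rec.get("ApplicationDisplayName"),
                "object": rec.get("ObjectId"),
            })
        if rec.get("Operation") == "FileAccessed":
            bursts[(rec.get("UserId"), rec.get("ClientIP"))] += 1
    for (user, ip), count in bursts.items():
        if count >= threshold:
            findings.append({"rule": "file_access_burst", "user": user, "ip": ip, "count": count})
    return findings


def detect_jsonl(text, threshold=BURST_THRESHOLD):
    """Same as detect(), for one JSON audit record per line (e.g. exported AuditData strings)."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return detect(records, threshold)


def _rec(user, ip, ua, app, obj, op="FileAccessed", workload="SharePoint"):
    """Build one constructed audit record."""
    return {"CreationTime": "2026-05-12T03:14:07", "Operation": op, "Workload": workload,
            "UserId": user, "ClientIP": ip, "UserAgent": ua,
            "ApplicationDisplayName": app, "ObjectId": obj}


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"
SITE = "https://example.sharepoint.com/sites"

# Constructed sample: normal browsing, honest automation, and a scripted exfiltration pattern.
SAMPLE_RECORDS = (
    # Interactive use: browser UA with an Office display name, a handful of files.
    [_rec("alice@example.com", "203.0.113.10", BROWSER_UA, "Microsoft Office",
          f"{SITE}/finance/Shared Documents/q{i}.xlsx") for i in range(1, 4)]
    # Honest automation: PowerShell UA, but an app name that does not claim to be interactive.
    + [_rec("svc-backup@example.com", "203.0.113.20",
            "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1",
            "Tenant Backup App", f"{SITE}/hr/Shared Documents/policy.pdf")]
    # Exfiltration pattern: python-requests claiming to be Microsoft Office, 60 files,
    # one hosting-provider IP (198.51.100.0/24 is documentation address space).
    + [_rec("bob@example.com", "198.51.100.23", "python-requests/2.31.0", "Microsoft Office",
            f"{SITE}/legal/Shared Documents/confidential_{i:03d}.docx") for i in range(60)]
)


if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

The two checks are deliberately independent: the service account with a PowerShell User-Agent and an honest, non-interactive application name produces nothing, while the python-requests client that claims to be Microsoft Office is flagged on every file and again as a burst, which is the combination the brief's recommendations describe. Feed the function the AuditData JSON from Search-UnifiedAuditLog or a SIEM export rather than the constructed sample, and raise the burst threshold if legitimate sync clients in your tenant routinely exceed it.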