7 Critical Insights into the BlackFile Vishing Extortion Campaign


Since early 2026, a sophisticated threat actor known as UNC6671, operating under the "BlackFile" brand, has been targeting organizations across North America, Australia, and the UK. By combining voice phishing (vishing) with adversary-in-the-middle (AiTM) techniques, this group has breached dozens of cloud environments, bypassing multi-factor authentication (MFA) and single sign-on (SSO) systems. Google Threat Intelligence Group (GTIG) has tracked this campaign, revealing a relentless focus on Microsoft 365 and Okta platforms. Below are seven essential facts to understand how BlackFile operates and how defenders can counter this threat.

1. The Rise of UNC6671 and the BlackFile Brand

UNC6671 emerged in early 2026, quickly establishing a high operational tempo. GTIG has identified that the group targeted organizations in North America, Australia, and the UK. Unlike many cybercriminal operations that simply rebrand, BlackFile launched its own dedicated data leak site (DLS), distinguishing itself from related groups like ShinyHunters. The group uses separate TOX communication channels and unique domain registration patterns, primarily through Tucows. This brand-building effort signals a long-term commitment to extortion-driven campaigns, making it a persistent threat for any organization relying on cloud-based identity systems.

Source: www.mandiant.com

2. The Vishing-First Approach: Social Engineering at Scale

The initial access vector for UNC6671 relies heavily on vishing—voice phishing executed by hired callers. These callers often contact employees on their personal cell phones, bypassing corporate security tools that monitor internal support lines. Using a pretext of a mandatory migration to passkeys or an urgent MFA update, they direct victims to credential harvesting sites. This social engineering is meticulously timed to coincide with real-time phishing pages, making it harder for users to detect the scam. The group has refined its approach by using subdomains explicitly referencing "passkey" or "enrollment" to add perceived legitimacy.
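The hostname pattern described above lends itself to a simple hunt over web-proxy logs: flag requests to hosts that carry an identity-related word in a label but are not one of the organisation's own sign-in domains. The script below is an added example and is not code from the article or from GTIG; the log format, the trusted-domain allowlist, the keyword list and the log lines themselves are all constructed for the demonstration.

```python
"""Flag lookalike authentication hostnames in web-proxy logs.

Added example, not from the original article or from GTIG. The log format,
the allowlist of legitimate identity domains and the keyword list are
assumptions; the log lines below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Registrable domains the organisation legitimately signs in through (assumed;
# example.com stands for the organisation's own domain).
TRUSTED_IDENTITY_DOMAINS = {"okta.com", "microsoftonline.com", "microsoft.com", "example.com"}

# Words the article reports in the actors' subdomains, plus the obvious vendor names
# (hypothetical list; tune to your environment).
LURE_KEYWORDS = ("passkey", "enrollment", "mfa", "sso", "okta", "microsoft")

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2026-02-03T09:14:02Z jdoe GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200
2026-02-03T09:15:44Z jdoe GET https://passkey-enrollment.example-sso-update.com/login 200
2026-02-03T09:16:10Z asmith GET https://corp.okta.com/app/UserHome 200
2026-02-03T09:18:31Z asmith POST https://okta-mfa-enrollment.net/verify 302
2026-02-03T09:20:05Z bwong GET https://intranet.example.com/wiki/passkey-rollout 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    A production version would use the Public Suffix List so that hosts
    under e.g. co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lure_hostname(host):
    """True when a host outside the allowlist carries an identity keyword in its name.

    Only the hostname is inspected: a path such as /wiki/passkey-rollout on a
    trusted domain must not trigger.
    """
    if registrable_domain(host) in TRUSTED_IDENTITY_DOMAINS:
        return False
    return any(kw in host.lower() for kw in LURE_KEYWORDS)


def find_lure_visits(log_text):
    """Return (timestamp, user, host) for every request to a lure-looking hostname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the hunt
        host = urlsplit(m["url"]).hostname or ""
        if is_lure_hostname(host):
            hits.append((m["ts"], m["user"], host))
    return hits


if __name__ == "__main__":
    for ts, user, host in find_lure_visits(SAMPLE_LOG):
        print(f"{ts} {user} -> {host}")
```

Run against the constructed log, the two lookalike hosts are reported and the legitimate Okta and Microsoft sign-in hosts are not. Each hit is a lead for the user's subsequent sign-in events rather than a verdict: a user who reached such a page minutes before an MFA prompt is the one to call back on a verified number.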

3. How AiTM Attacks Bypass MFA and SSO

Once credentials are harvested, UNC6671 employs adversary-in-the-middle (AiTM) techniques to intercept session tokens and bypass MFA. This attack works even against time-based one-time passwords (TOTP) and push notifications, as the malicious proxy captures the authentication response in real time. The attacker then uses these stolen tokens to access the victim's single sign-on (SSO) infrastructure, often targeting Okta or Microsoft 365. By gaining access through legitimate sessions, the group can move laterally without triggering alarms. This method exploits the trust inherent in SSO, which grants broad access once a single session is compromised.

4. Targeting Microsoft 365 and Okta Environments

UNC6671 specifically targets platforms that serve as identity hubs: Microsoft 365 and Okta. These are chosen because compromising them provides a gateway to emails, file storage, and other cloud applications. After initial access, the group uses Python and PowerShell scripts to enumerate users, gather sensitive data, and maintain persistence. The focus on these platforms indicates that the attackers understand how cloud identity management works—and where its weak points are. They do not exploit software vulnerabilities; instead, they abuse the very features designed to make access seamless, such as session cookies and SSO tokens.

5. The Exfiltration Playbook: Python and PowerShell Scripts

Once inside the target's cloud environment, UNC6671 uses automated scripts to programmatically exfiltrate data. Python scripts are employed for accessing APIs and downloading documents, while PowerShell serves to interact with Microsoft 365 Exchange Online and SharePoint. This scripted approach allows rapid extraction of large volumes of corporate data, including emails, files, and user databases. The attackers often search for keywords related to finance, intellectual property, or sensitive client information, which can later be used for extortion. The use of native tools reduces the footprint of custom malware, making detection through traditional antivirus more difficult.


6. Extortion Tactics and the BlackFile Data Leak Site

After exfiltration, UNC6671 pressures victims by threatening to publish stolen data on the BlackFile DLS. The group has demonstrated willingness to leak information if payment demands are not met. This extortion method is similar to other ransomware groups but relies entirely on data theft rather than encryption. The dedicated leak site serves as a public shaming tool, increasing the pressure on organizations to pay. The group also uses the ShinyHunters brand in some communications to add perceived credibility, but GTIG has confirmed that the two operations are independent, with separate infrastructure and TOX channels.

7. Defensive Measures: Moving to Phishing-Resistant MFA

Because UNC6671 exploits weaknesses in standard MFA, the most effective defense is to deploy phishing-resistant MFA, such as FIDO2 security keys or passkey-based authentication. These methods prevent credential theft and session token capture because they rely on cryptographic attestation rather than shared secrets. Additional measures include monitoring for unusual vishing patterns, blocking personal phone calls from external support lines, and implementing conditional access policies that restrict logins from untrusted devices. Regular user training to recognize vishing attempts and the use of dedicated incident response playbooks for SSO compromise are also critical. Organizations should assume that their identity infrastructure is a prime target and harden it accordingly.
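Sections 3 and 7 together make one point: a proxied login succeeds against TOTP and push because the second factor is a value the user can be induced to hand over, and fails against FIDO2/passkeys because the browser, not the user, writes the origin into the signed data. The model below is an added example, not code from the article, GTIG or any vendor. It uses real RFC 6238 TOTP but replaces the WebAuthn asymmetric signature with an HMAC stand-in so it runs on the standard library alone; the origins, secrets and device key are constructed.

```python
"""Why an AiTM proxy can relay a TOTP code but not an origin-bound assertion.

Added example; not code from the article, GTIG or any vendor. Simplified model:
the TOTP side follows RFC 6238, the assertion side keeps only the WebAuthn
checks that matter here (origin and challenge). DEVICE_KEY is an HMAC stand-in
for the authenticator's private key, which in real WebAuthn is asymmetric.
All origins, secrets and keys are constructed for the demo.
"""
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://login.example.com"                                  # legitimate relying party (constructed)
PROXY_ORIGIN = "https://passkey-enrollment.example-sso-update.com"       # AiTM page the victim is on (constructed)

# ---- Shared-secret factor: TOTP (RFC 6238 over HOTP, RFC 4226) ----
TOTP_SECRET = b"constructed-shared-secret-0123"   # known to both the authenticator app and the RP


def totp(secret, for_time, step=30, digits=6):
    """Standard TOTP: HMAC-SHA1 over the time counter, dynamic truncation, mod 10^digits."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def rp_verify_totp(code, at_time):
    """The RP only sees six digits; nothing in them says which site the user typed them into."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, at_time))


def aitm_relay_totp(at_time):
    """Victim reads the code from their app and types it into the proxy page; the proxy forwards it."""
    user_typed = totp(TOTP_SECRET, at_time)
    return rp_verify_totp(user_typed, at_time)   # accepted: the factor is portable


# ---- Origin-bound factor: WebAuthn-style assertion ----
DEVICE_KEY = b"constructed-device-key"   # stand-in for the authenticator's private key


def authenticator_sign(challenge, browser_origin):
    """Build clientDataJSON the way the browser does: the origin is whatever page is really open.

    The user has no field to type into, so a victim on the proxy page can only
    produce an assertion that names the proxy's origin.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    )
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify_assertion(assertion, expected_challenge):
    """RP-side checks: origin must be ours, challenge must be the one we issued, signature must verify."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != expected_challenge:
        return False   # the user authenticated to a different site; reject before checking the signature
    expected = hmac.new(DEVICE_KEY, assertion["clientDataJSON"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def direct_assertion(challenge):
    """User on the real site: origin matches, assertion accepted."""
    return rp_verify_assertion(authenticator_sign(challenge, RP_ORIGIN), challenge)


def aitm_relay_assertion(challenge):
    """Proxy forwards the RP's genuine challenge, but the victim's browser is on PROXY_ORIGIN."""
    return rp_verify_assertion(authenticator_sign(challenge, PROXY_ORIGIN), challenge)


if __name__ == "__main__":
    t = 1_700_000_000
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(t))            # True
    print("Assertion from real origin accepted:", direct_assertion("c0ffee"))   # True
    print("Assertion relayed through proxy accepted:", aitm_relay_assertion("c0ffee"))  # False
```

The model understates the real protection: a browser will not even offer a credential whose RP ID does not match the page's domain, so the proxy never receives an assertion to relay; the RP's origin check shown here is the second line of defence. The same property is why a passkey migration is a plausible pretext for the callers described in section 2: the moment a workforce is actually on passkeys, a proxied "enrollment" page stops yielding usable sessions.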

Understanding the BlackFile campaign is crucial for any organization that relies on cloud-based identity systems. As vishing and AiTM attacks become more prevalent, the traditional defenses of passwords and even standard MFA are no longer sufficient. By adopting phishing-resistant authentication, monitoring for social engineering indicators, and preparing response workflows, defenders can significantly reduce the risk of falling victim to this evolving threat. Stay vigilant, and remember: the weakest link in security is often not the technology, but the trust we place in a caller's voice.
