ShinyHunters Vishing Attacks Expose MFA Shortcomings

Here we are again: cybercriminals refining age-old cons, and companies acting shocked when their fancy multi-factor authentication deserts them. Mandiant, the cybersecurity arm of Google Cloud, wants you to know that ShinyHunters—yes, the same group infamous for data theft and extortion—have upped their game by combining aggressive vishing with live MFA theft. If you thought your Okta, Microsoft 365, or Google Workspace login was safe behind a push notification, think again. Hackers have moved on from email phishing to direct calls, schmoozing—or strongarming—their way past your last line of defense: humans and their predictable vulnerability to authority.

Vishing: Not Just for Grandma Anymore

Vishing used to be an old retiree's nightmare. Now it's upper management's. ShinyHunters aren’t cold-calling about your car warranty; they’re running calculated, high-stakes social engineering against corporate employees. Imagine getting a call from someone claiming to be your IT guy, complete with urgent warnings about unauthorized logins. You’re panicked, rushing to cooperate—which is exactly what they want.

The attack isn’t rocket science; it’s psychology 101. They walk you through a near-flawless phony login page, wait for you to spill your SSO credentials and real-time MFA code, then register a device of their own. Suddenly, they’re you, and your SaaS world is wide open. No matter how many times we train staff, fear and authority keep winning—especially when a supposed "helpdesk" tells them it’s urgent.

Modern SaaS Platforms—A Buffet for Attackers

Those sleek SaaS platforms you’ve bet your company’s future on—including Okta, Salesforce, and Google Workspace—are exactly what makes you vulnerable. ShinyHunters don’t waste time on the old workstations. They go for the cloud, where your documents, emails, and user data live. Why crack individual endpoints when a single SSO breach spills the whole motherlode?

Here’s the dirty secret: most MFA implementations are only as strong as the least-informed employee or, worse, the most convenient authentication method. Push notifications and SMS codes? Those weren’t built to stop a crook with a telephone and a convincing narrative. Once inside, ShinyHunters aren't just snooping. They're moving laterally, sifting through your files, exporting sensitive data, firing off additional phishing emails from compromised mailboxes—often targeting cash-rich cryptocurrency firms—and scrubbing their tracks before you even wake up for coffee.

MFA Isn’t the Magic Bullet You Were Sold

For years, cybersecurity vendors pushed MFA as the cure-all. And to some extent, it worked—until attackers started social engineering their way around it. Mandiant’s report is the latest reminder: if push-based or SMS authentication was a steel shield, ShinyHunters just found the backdoor, asked politely—and you opened it for them.

The truth is, convenience almost always beats security. Employees groan at hardware tokens, and IT teams crave simplicity, so companies settle for baseline MFA. But this bare-minimum approach puts whole organizations at risk when attackers pick up the phone and steal credentials in real time. It turns out, there’s no app for common sense.

Extortion by Phone—How Far Will Hackers Go?

ShinyHunters aren’t satisfied just looting your data. Once in, they use hijacked email accounts to launch further phishing campaigns, sometimes harassing your employees directly. More audacious attacks include threatening and harassing people who stand in their way, or attempting shady forms of old-school extortion. Not exactly the B2B experience you want for your brand.

And since the first sign of trouble is often a panicked call to IT after the fact, most organizations discover the breach after attackers have already deleted traces of their phishing attempts. By then, your “secure” SaaS environment is Swiss cheese and the damage—potential operational disruption, regulatory blowback, and yes, ransomware or extortion demands—is already done.

Time for Organizations to Grow Up

Every year, security consultants implore you to do better. Here’s what Mandiant (and frankly, anyone worth their salt) suggests—and what most of the industry continues to ignore:

  • Adopt phishing-resistant MFA: Things like FIDO2 security keys or passkeys add real hurdles for attackers. They’re less convenient—and that’s the point.
  • Tighten up your helpdesk protocols: Enough with the anonymous password resets via email or phone. Require video verification or something equally painful—anything to slow down a criminal's momentum.
  • Lock down authentication methods: Scrap SMS, email, and phone-based authentication where possible. They're low bars easily tripped by social engineers.
  • Enforce sane access and password policies: Yes, it’s 2026 and people are still too proud of Password123!. Strong passwords and limiting where users can log in from matter.
  • Logging and monitoring actually work if you use them: Don’t just enable logs—watch them. Spot weird out-of-hours logins, random OAuth grants, and device enrollments before you make the evening news.
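What "watch them" looks like in practice, as an added example that is not part of the original post or of Mandiant's report: a small Python detector run over constructed, vendor-neutral SSO audit events. It flags the sequence this kind of vishing leaves behind in the logs (a login from a country the user has never used, a new MFA factor registered minutes later, a consent grant to an unknown OAuth app), plus the two policy checks from the list above (out-of-hours logins and enrollment of SMS/push/voice factors). The event shape, the business-hours window, the 30-minute enrollment window, the per-user country baseline and the allowlist of OAuth clients are all assumptions; map them onto your own IdP's export fields.

```python
"""Detect the audit-log footprint of vishing-driven MFA theft (added example, not from the post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # event time, assumed UTC
    user: str
    kind: str         # "login", "mfa_enroll" or "oauth_grant"
    ip: str
    country: str
    detail: str = ""  # factor type for mfa_enroll, client name for oauth_grant


# Constructed sample log, not from any real tenant. "alice" is the vishing
# victim: a login from a never-before-seen country, a push factor registered
# on someone else's phone three minutes later, then a mail-sync app consented.
SAMPLE_EVENTS = [
    Event(datetime(2026, 3, 2, 9, 5), "alice", "login", "203.0.113.10", "US"),
    Event(datetime(2026, 3, 2, 9, 6), "alice", "login", "198.51.100.77", "RO"),
    Event(datetime(2026, 3, 2, 9, 9), "alice", "mfa_enroll", "198.51.100.77", "RO", "push"),
    Event(datetime(2026, 3, 2, 9, 12), "alice", "oauth_grant", "198.51.100.77", "RO", "mail-sync-tool"),
    Event(datetime(2026, 3, 2, 22, 40), "bob", "login", "203.0.113.22", "US"),
    Event(datetime(2026, 3, 3, 10, 0), "carol", "mfa_enroll", "203.0.113.30", "US", "fido2"),
]

# Assumed baselines: countries each user normally signs in from, and the
# OAuth clients the organisation has reviewed and approved.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
ALLOWED_OAUTH_CLIENTS = {"calendar-addon"}

ENROLL_WINDOW = timedelta(minutes=30)       # new factor this soon after a new-geo login is suspect
BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 UTC; assumption
WEAK_FACTORS = {"sms", "voice", "push"}     # phishable factors the post says to retire


def detect(events, known_countries, allowed_clients):
    """Return (user, rule, timestamp) alerts for the rules described above."""
    alerts = []
    last_new_geo_login = {}  # user -> time of most recent login from an unknown country
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            if e.ts.hour not in BUSINESS_HOURS:
                alerts.append((e.user, "out_of_hours_login", e.ts))
            if e.country not in known_countries.get(e.user, set()):
                alerts.append((e.user, "login_from_new_country", e.ts))
                last_new_geo_login[e.user] = e.ts
        elif e.kind == "mfa_enroll":
            # Attacker registering their own device right after taking over the session.
            t = last_new_geo_login.get(e.user)
            if t is not None and e.ts - t <= ENROLL_WINDOW:
                alerts.append((e.user, "mfa_enroll_after_new_country_login", e.ts))
            if e.detail in WEAK_FACTORS:
                alerts.append((e.user, "weak_factor_enrolled", e.ts))
        elif e.kind == "oauth_grant" and e.detail not in allowed_clients:
            # Persistence/exfil path that survives a password reset.
            alerts.append((e.user, "unexpected_oauth_grant", e.ts))
    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_EVENTS, KNOWN_COUNTRIES, ALLOWED_OAUTH_CLIENTS):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<6}  {rule}")
```

The point of correlating rather than alerting on each event alone is noise: a lone foreign login is a travelling employee, a lone factor enrollment is a new phone, but a new factor within half an hour of a never-seen country is the pattern worth paging someone about. Carol's FIDO2 enrollment from her usual country produces nothing, which is the behaviour you want after migrating to phishing-resistant keys.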

Cynicism Is Survival—Don’t Trust, Always Verify

It’s exhausting to repeat, but zero trust is more than a buzzword. Trusting your staff to spot every scam is a fantasy when there’s a motivated actor on the line, and the window for error is seconds long. Technology helps, but you’ll never patch human nature. If there’s a shortcut, someone will take it. If there’s an emergency, someone will panic. ShinyHunters and their ilk know how to exploit every crack in your procedures and every weakness in your supposedly air-gapped cloud.

The security community’s latest wake-up call is that attackers have gotten more personal—literally phoning in their hacks and sidestepping the “impenetrable” front doors. The only defense is a bitter cocktail of skepticism, better hardware-based authentication, and a willingness to slow things down—especially when someone’s yelling on the phone about a supposed crisis. You either make security painful for your users, or hackers will make the aftermath a lot more painful for everyone.
