10 Critical Insights into the BlackFile Vishing Extortion Campaign

The BlackFile vishing extortion campaign, run by the threat actor tracked as UNC6671, combines voice phishing (vishing) with single sign-on (SSO) compromise. The group uses adversary-in-the-middle (AiTM) phishing pages to capture credentials and session tokens, which lets it bypass conventional multi-factor authentication (MFA) without deploying any malware. Its targets are Microsoft 365 and Okta environments, and once inside it runs Python and PowerShell scripts to pull sensitive data for extortion. Since early 2026, UNC6671 has kept a high operational tempo, hitting dozens of organizations across North America, Australia, and the UK. This article breaks down ten aspects of the BlackFile campaign that defenders need in order to recognize and counter these identity-centric attacks.

1. The Rise of UNC6671 and the BlackFile Brand

UNC6671, operating under the BlackFile moniker, first appeared in early 2026 and quickly established a pattern of high-volume attacks. Google Threat Intelligence Group (GTIG) has tracked this actor closely, noting its targeting of organizations across multiple continents. The group uses a dedicated data leak site (DLS) called BlackFile to publicize stolen data, adding pressure on victims. Unlike many ransomware groups that rely on malware, UNC6671 focuses on social engineering, vishing, and credential theft to gain initial access. Their methods are continually refined, making them a persistent threat in the identity security space.

Source: www.mandiant.com

2. Vishing as the Primary Entry Vector

The cornerstone of UNC6671's initial access is voice phishing, or vishing. Callers, often contracted for the purpose, reach targeted employees on their personal mobile phones, which keeps the calls outside corporate telephony and email controls. They pose as IT or help desk staff and cite a required migration to passkeys or an MFA update as the reason the employee must visit a credential-harvesting site right away. The calls are scripted and coordinated with the live phishing session, so the victim is talked through each prompt as it appears; even security-aware employees can fall for it.

3. Pretext Themes and Domain Strategies

UNC6671 chooses pretexts that match routine IT procedures, such as passkey enrollment or MFA resets, and its domains reinforce them: subdomains contain terms like “passkey” or “enrollment”. Earlier campaigns used a unique registrable domain tailored to each target organization; more recent activity puts the pretext term in a subdomain of a more generic domain, so a reputation score for the parent domain says little about any one new hostname. Domains are typically registered through Tucows, and the group avoids reusing infrastructure already tied to its earlier operations, which blunts domain reputation blocklists.
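
The two naming patterns above (an organization-tailored registrable domain, and a pretext term in a subdomain of a generic domain) can be turned into a triage filter for newly observed hostnames from certificate transparency or passive DNS. The following is an added example, not code from the GTIG/Mandiant reporting; the organization tokens, owned domains, the tiny stand-in suffix list and every sample hostname are constructed for illustration.

```python
"""
Triage heuristic for hostnames that fit the pretext and domain patterns described
above. Added example, not code from the GTIG/Mandiant reporting; the hostnames,
organization tokens, owned domains and the tiny suffix list are all constructed.
"""

# Pretext terms, matched as whole hyphen-separated tokens inside a DNS label.
PRETEXT_KEYWORDS = {"passkey", "passkeys", "enrollment", "enroll", "mfa", "sso",
                    "okta", "helpdesk", "migration"}
# Stand-in for a public-suffix list; a real deployment should use the PSL.
PUBLIC_SUFFIXES = {"co.uk", "com.au", "com", "net", "org", "io"}

def split_host(host):
    """Return (subdomain_labels, registrable_domain) for a hostname."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):  # longest known suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):])
    return labels[:-2], ".".join(labels[-2:])  # unknown TLD: assume label + TLD

def tokens(labels):
    return {t for label in labels for t in label.split("-") if t}

def classify_host(host, org_tokens, owned_domains):
    sub, registrable = split_host(host)
    if registrable in owned_domains:
        return None  # the organization's own hostname
    org_in_registrable = any(t in registrable for t in org_tokens)
    org_in_sub = any(t in label for label in sub for t in org_tokens)
    keyword_in_sub = bool(tokens(sub) & PRETEXT_KEYWORDS)
    keyword_in_registrable = bool(tokens([registrable.split(".")[0]]) & PRETEXT_KEYWORDS)
    if org_in_registrable:
        pattern = "org-tailored domain"          # earlier style: acme-sso.net
    elif keyword_in_sub:
        pattern = "pretext subdomain"            # newer style: passkey-enrollment.<generic>
    elif keyword_in_registrable and org_in_sub:
        pattern = "org label on pretext domain"  # acme.okta-enroll.com
    else:
        return None
    return {"host": host, "registrable": registrable, "pattern": pattern}

def scan(hosts, org_tokens, owned_domains):
    return [f for f in (classify_host(h, org_tokens, owned_domains) for h in hosts) if f]

# Constructed sample input: a mix of owned, unrelated and pretext-style hostnames.
ORG_TOKENS = ("acme",)
OWNED = {"acme.com", "acme.co.uk"}
SAMPLE_HOSTS = [
    "login.acme.com", "sso.acme.co.uk", "www.example.org",
    "acme-sso.net", "passkey-enrollment.secure-id-portal.net", "acme.okta-enroll.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_HOSTS, ORG_TOKENS, OWNED):
        print(f"{f['pattern']:28} {f['host']}")
```

Keywords are matched as whole tokens so that short terms like “mfa” and “sso” do not fire on unrelated labels, while organization tokens are substring-matched because actors embed the brand inside a label (acme-sso). Expect hits on legitimate vendors and partners; this is a review queue for a registrar or CT feed, not something to block on automatically.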

4. Real-Time Credential Harvesting via AiTM

Once a victim lands on the phishing site, UNC6671 uses an adversary-in-the-middle (AiTM) proxy: the site forwards the victim's input to the real identity provider and relays the responses back, so what the victim sees is the genuine login flow. The proxy captures the password and, after the victim completes the MFA prompt, the session cookie or token the identity provider issues. With that token the attacker is authenticated as the victim from their own infrastructure, and because the login itself was completed against the real provider, it appears in the provider's logs as an ordinary successful sign-in. The access lasts until the session expires or is revoked.

5. Bypassing Multi-Factor Authentication

Multi-factor authentication is a cornerstone defense, and UNC6671's tradecraft is built around defeating it. The AiTM proxy captures both the password and the post-MFA session token, so the attacker ends up holding exactly the proof of authentication that MFA was meant to gate, and it was the victim who approved the MFA prompt, believing the fake portal was the real one. SMS codes, authenticator-app codes and push approvals can all be relayed this way. A FIDO2/WebAuthn credential (a security key or a platform passkey) cannot, because the browser binds the assertion to the origin it is signed on and the identity provider rejects an assertion made on any other origin. The campaign underscores the urgent need to move the identity provider itself beyond SMS, code and push-based MFA.
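
The difference between relayable factors and WebAuthn, as described in sections 4 and 5, is easier to see in a runnable model. The block below is an added example written for this article, not code from the GTIG/Mandiant report or from any product. It assumes a toy identity provider with one user, an HMAC over a shared key standing in for the authenticator's asymmetric signature, an OTP that is a truncated HMAC over the 30-second time step, and made-up origins for the IdP and the phishing proxy.

```python
"""
Toy model of why an AiTM proxy defeats code- and push-based MFA but not WebAuthn.
Added example, not code from the GTIG/Mandiant report. Assumed simplifications: an
HMAC with a shared key stands in for the authenticator's asymmetric signature, the
OTP is a truncated HMAC over the 30-second time step, and all origins are made up.
"""
import hashlib, hmac, json, secrets, time

IDP_ORIGIN = "https://login.example.com"                 # legitimate IdP (assumed)
RP_ID = "login.example.com"                              # WebAuthn relying-party ID
PHISH_ORIGIN = "https://passkey-enrollment.example.net"  # AiTM proxy page (assumed)

def _sign(key, data):
    return hmac.new(key, data, "sha256").digest()

class Idp:
    def __init__(self):
        self.users = {"alice": {"pw": "correct horse", "otp_key": b"otp-seed",
                                "cred_key": b"stand-in-for-authenticator-private-key"}}
        self.sessions = {}    # session cookie -> username
        self.challenges = {}  # username -> outstanding WebAuthn challenge

    def otp_for_step(self, user, step):
        return _sign(self.users[user]["otp_key"], str(step).encode()).hex()[:6]

    def current_otp(self, user):
        return self.otp_for_step(user, int(time.time()) // 30)

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_otp(self, user, pw, otp):
        u = self.users.get(user)
        if u is None or u["pw"] != pw:
            return None
        step = int(time.time()) // 30
        if not any(hmac.compare_digest(otp, self.otp_for_step(user, s)) for s in (step, step - 1)):
            return None  # current or previous step, the usual clock tolerance
        return self._issue_session(user)

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_webauthn(self, user, client_data_json, signature):
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.challenges.pop(user, None):
            return None
        if cd.get("origin") != IDP_ORIGIN:
            return None  # assertion was produced on a page that is not the IdP
        expected = _sign(self.users[user]["cred_key"], hashlib.sha256(client_data_json.encode()).digest())
        if not hmac.compare_digest(signature, expected):
            return None
        return self._issue_session(user)

    def read_mailbox(self, cookie):
        return f"{self.sessions[cookie]}'s mail" if cookie in self.sessions else None

def authenticator_sign(cred_key, page_origin, challenge):
    """clientDataJSON records the page's real origin; the signature covers its hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True)
    return client_data, _sign(cred_key, hashlib.sha256(client_data.encode()).digest())

def browser_get_assertion(page_origin, rp_id, challenge, cred_key):
    """A conforming browser refuses unless rp_id equals the page host or a parent of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    return authenticator_sign(cred_key, page_origin, challenge)

def aitm_against_otp(idp):
    """Victim types password and OTP into the proxy page; the proxy relays them to the
    real IdP and keeps the cookie it gets back. True if the attacker can read mail."""
    otp_typed_by_victim = idp.current_otp("alice")
    stolen_cookie = idp.login_otp("alice", "correct horse", otp_typed_by_victim)
    return idp.read_mailbox(stolen_cookie) is not None

def aitm_against_webauthn(idp):
    """Proxy relays the IdP's real challenge to the victim's browser on PHISH_ORIGIN.
    Returns (browser_refused, idp_accepted)."""
    key = idp.users["alice"]["cred_key"]
    chal = idp.new_challenge("alice")
    browser_refused = browser_get_assertion(PHISH_ORIGIN, RP_ID, chal, key) is None
    # Even a non-conforming client that skips the RP ID check still records the
    # phishing origin, and the proxy cannot rewrite it without the credential key.
    cd, sig = authenticator_sign(key, PHISH_ORIGIN, chal)
    return browser_refused, idp.login_webauthn("alice", cd, sig) is not None

def legitimate_webauthn(idp):
    key = idp.users["alice"]["cred_key"]
    chal = idp.new_challenge("alice")
    cd, sig = browser_get_assertion(IDP_ORIGIN, RP_ID, chal, key)
    return idp.read_mailbox(idp.login_webauthn("alice", cd, sig)) is not None

if __name__ == "__main__":
    idp = Idp()
    print("OTP MFA, proxy reads victim's mail:", aitm_against_otp(idp))
    print("WebAuthn (browser refused, IdP accepted):", aitm_against_webauthn(idp))
    print("WebAuthn legitimate login:", legitimate_webauthn(idp))
```

The OTP path succeeds for the attacker because nothing in the password or the code says where it was typed; the IdP sees a correct pair and issues a cookie, and the proxy is the first to hold it. The WebAuthn path fails twice over: a conforming browser will not use a credential for login.example.com from a page on example.net at all, and a client that skipped that check would still produce a signed clientDataJSON naming the phishing origin, which the IdP rejects. Note that the model only covers the sign-in; a session cookie that already exists can still be stolen by other means, so session lifetime and device-bound sessions matter as well.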

6. Targeting Microsoft 365 and Okta Environments

UNC6671 focuses heavily on Microsoft 365 and Okta, two of the most widely deployed identity and SaaS platforms. A session at the identity provider carries SSO trust into every application federated to it, so after initial access the group can reach email, cloud storage, and other integrated services without a second login. The identity provider is the entry point. The approach works because it rides on legitimate user access rather than a software vulnerability, which makes the activity hard for security tooling to separate from the real user's.


7. Automated Data Exfiltration with Python and PowerShell

Once inside, UNC6671 runs Python and PowerShell scripts to pull data programmatically. The scripts query the platforms' APIs for mailboxes, files, and directory information and transfer the results to attacker-controlled servers; automation lets the group extract large volumes before anyone notices. It has been observed taking intellectual property, financial records, and personal information, which it later uses for extortion.

8. Extortion Tactics and the BlackFile Data Leak Site

After exfiltration, UNC6671 threatens to publish the stolen data on the BlackFile data leak site unless a ransom is paid. It typically contacts victims directly with demands and publishes a portion of the data as proof. In at least one instance the group used the ShinyHunters brand to add false credibility, but GTIG assesses the two are independent. The prospect of public exposure pushes many organizations to consider paying.

9. Distinction from ShinyHunters and Other Groups

While UNC6671 has borrowed the ShinyHunters brand, GTIG analysis indicates it operates separately: the two use distinct Tox communication channels, their domain registration patterns differ, and UNC6671 launched its own BlackFile leak site. This matters for attribution and for defenders, who should not conflate the two groups' indicators of compromise. UNC6671's cadence and methods are consistent across campaigns, which allows detection to be tailored to them.

10. Defensive Measures and Mitigation Strategies

Organizations can defend against UNC6671 by deploying phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) at the identity provider and removing relayable factors for the accounts that matter most. Train employees that IT will not ask them to sign in at a link during an unsolicited call, and have them verify any such request through an official channel before acting. Watch newly registered or newly observed hostnames that combine terms like “passkey” or “enrollment” with the organization's name. Review SSO logs for one session used from more than one client IP or user agent shortly after MFA, which is the signature of a replayed token, and revoke the session rather than only resetting the password when it is found. GTIG recommends a zero-trust architecture, with conditional access policies that tie sessions to managed devices and expected locations, to limit what a stolen session can reach.
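
The log review recommended above, and the scripted collection described in section 7, can be expressed as a small triage pass over identity-provider sign-in events. The block below is an added example, not code from GTIG, Mandiant or Okta. The events are constructed; only the field names follow the shape of Okta System Log entries (actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId, eventType), and the event types used are real Okta types. A cookie captured by an AiTM proxy is replayed under the same session ID from the attacker's infrastructure, so one session seen from two client IPs within minutes, especially with a scripting user agent, is the signal to hunt for.

```python
"""
Session-replay and scripted-access triage over Okta System Log-style sign-in events.
Added example, not code from GTIG, Mandiant or Okta; the events are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Lower-cased substrings that mark non-browser clients (assumed list, extend as needed).
SCRIPTED_UA_MARKERS = ("python-requests", "python-urllib", "powershell", "curl/", "go-http-client")

def ev(ts, user, etype, ip, ua, sid):
    """Build one event in the Okta System Log field layout."""
    return {"published": ts, "eventType": etype, "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": sid}}

CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
PY_UA = "python-requests/2.31.0"

SAMPLE_EVENTS = [  # constructed: alice's session is replayed from a second IP by scripts
    ev("2026-03-02T14:01:05Z", "alice@example.com", "user.session.start", "203.0.113.10", CHROME, "sess-A1"),
    ev("2026-03-02T14:01:20Z", "alice@example.com", "user.authentication.auth_via_mfa", "203.0.113.10", CHROME, "sess-A1"),
    ev("2026-03-02T14:04:02Z", "alice@example.com", "user.authentication.sso", "198.51.100.77", PY_UA, "sess-A1"),
    ev("2026-03-02T14:04:09Z", "alice@example.com", "user.authentication.sso", "198.51.100.77", PS_UA, "sess-A1"),
    ev("2026-03-02T14:00:00Z", "bob@example.com", "user.session.start", "203.0.113.22", CHROME, "sess-B7"),
    ev("2026-03-02T15:10:00Z", "bob@example.com", "user.authentication.sso", "203.0.113.22", CHROME, "sess-B7"),
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def analyze(events):
    """Group events by session ID and emit findings for multi-IP and scripted sessions."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["published"])):
        sid = e.get("authenticationContext", {}).get("externalSessionId")
        if sid:  # events without a session ID cannot be tied to a cookie; skip them
            by_session[sid].append(e)
    findings = []
    for sid, evs in by_session.items():
        user = evs[0]["actor"]["alternateId"]
        first_seen = {}  # client IP -> first time the session was used from it
        for e in evs:
            first_seen.setdefault(e["client"]["ipAddress"], parse_ts(e["published"]))
        if len(first_seen) > 1:
            ips = sorted(first_seen, key=first_seen.get)
            gap = (first_seen[ips[1]] - first_seen[ips[0]]).total_seconds()
            findings.append({"user": user, "session": sid, "rule": "session_used_from_multiple_ips",
                             "ips": ips, "seconds_between_first_use": gap})
        scripted = sorted({e["client"]["userAgent"]["rawUserAgent"] for e in evs
                           if any(m in e["client"]["userAgent"]["rawUserAgent"].lower()
                                  for m in SCRIPTED_UA_MARKERS)})
        if scripted:
            findings.append({"user": user, "session": sid, "rule": "scripted_user_agent_in_session",
                             "user_agents": scripted})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

An IP change alone also happens for legitimate reasons (VPN reconnects, mobile carriers), so in practice pair the multi-IP rule with ASN or geolocation and with the user-agent signal, and use the output to drive session revocation and a check of what the second IP reached, not just a password reset.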

The BlackFile campaign is a sobering reminder that social engineering remains a primary threat. By understanding the attack lifecycle and deploying robust identity protection measures, defenders can significantly reduce their exposure to such extortion operations. Staying informed and proactive is key to keeping ransomware-style extortion at bay.
