UNC6671
UNC6671 is a cybercrime threat cluster that Google Threat Intelligence Group (GTIG) and Mandiant have tracked since early January 2026. GTIG describes it as operating under the BlackFile brand and running an expansive extortion campaign built on sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. Mandiant and GTIG assess that UNC6671 is distinct from ShinyHunters/UNC6240, although it has used similar tradecraft and in at least one instance co-opted ShinyHunters branding; GTIG cites separate TOX channels, distinct domain registration patterns, and a dedicated BlackFile data leak site as the basis for keeping the clusters apart.

UNC6671 has targeted dozens of organizations across North America, Australia, and the UK, primarily going after Microsoft 365 and Okta environments and the SaaS applications connected to them.

Observed initial-access tradecraft: the actor impersonates internal IT or help desk staff in live phone calls, often to employees' personal phones, and directs victims to victim-branded credential-harvesting sites that mimic the corporate SSO portal. During these sessions the actor captures the username, password, and MFA code or push approval in real time, then registers an attacker-controlled MFA device for persistence. Reported phishing infrastructure includes subdomain-based lures such as <organization>.enrollms[.]com, <organization>.passkeyms[.]com, and <organization>.setupsso[.]com; Mandiant notes that UNC6671 commonly used Tucows-registered domains.

Once inside, UNC6671 pivots through the compromised SSO identity into SaaS platforms including SharePoint, OneDrive, Zendesk, Salesforce, and in some cases Okta customer accounts. It has been observed searching for sensitive data with terms such as "confidential" and "SSN" and exfiltrating data from SharePoint and OneDrive using Microsoft Graph, python-requests, and PowerShell; Mandiant specifically noted PowerShell-based downloads of sensitive data from both services. GTIG reported that the actor repurposed valid session cookies such as FedAuth to fetch file content directly, which means the activity may be logged as FileAccessed rather than FileDownloaded, so a detection keyed only on FileDownloaded can miss it.

Extortion behavior linked to UNC6671 includes unbranded extortion emails, operation under the BlackFile brand, and aggressive pressure tactics including harassment of victim personnel. The reported activity is social-engineering-driven; no exploitation of vendor vulnerabilities has been reported.
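Detection logic for the collection pattern described above, as an added example that is not part of the GTIG or Mandiant reporting and not vendor tooling. It runs over constructed records shaped like Microsoft 365 Unified Audit Log SharePoint entries; the field names (CreationTime, Operation, UserId, ClientIP, UserAgent, ObjectId), the user-agent fragments, and the window and threshold values are assumptions to check against your own export. It counts FileAccessed as well as FileDownloaded, because the reporting says cookie-replayed fetches can land in the former, and it includes a strict suffix match for the three lure base domains named above.

```python
"""Flag scripted bulk file access in SharePoint/OneDrive audit records.

Added example, not from the original report. Sample records are constructed;
audit field names and user-agent patterns are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Lure base domains named in the reporting; victim-branded lures are subdomains.
LURE_BASE_DOMAINS = ("enrollms.com", "passkeyms.com", "setupsso.com")

# Non-browser clients named in the reporting. python-requests and Windows
# PowerShell have well-known default user agents; Graph SDK agents vary, so
# treat this as a starting point (assumption), not a complete list.
SCRIPTED_UA = re.compile(r"python-requests|WindowsPowerShell|PowerShell/", re.I)


def is_lure_host(host: str) -> Optional[str]:
    """Return the lure base domain a hostname belongs to, else None.

    Matches the base itself or any subdomain (e.g. 'acme.enrollms.com'),
    but not look-alikes such as 'enrollms.com.example' or 'notenrollms.com'.
    """
    host = host.lower().rstrip(".")
    for base in LURE_BASE_DOMAINS:
        if host == base or host.endswith("." + base):
            return base
    return None


def find_bulk_file_access(records, window=timedelta(minutes=10), threshold=20):
    """Alert on users whose scripted-client FileAccessed/FileDownloaded events
    touch at least `threshold` distinct files inside one sliding `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] not in ("FileAccessed", "FileDownloaded"):
            continue
        if not SCRIPTED_UA.search(r.get("UserAgent", "")):
            continue
        ts = datetime.fromisoformat(r["CreationTime"])
        by_user[r["UserId"]].append((ts, r["ObjectId"], r["ClientIP"]))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        best_files, best_window, start = set(), [], 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            files = {e[1] for e in in_window}
            if len(files) > len(best_files):
                best_files, best_window = files, in_window
        if len(best_files) >= threshold:
            alerts.append({
                "user": user,
                "ips": sorted({e[2] for e in best_window}),
                "distinct_files": len(best_files),
                "window_start": best_window[0][0].isoformat(),
            })
    return alerts


def sample_records():
    """Constructed sample: 25 python-requests fetches by one account within
    five minutes, plus a few ordinary browser reads by another user."""
    base = datetime(2026, 1, 20, 14, 0, 0)
    recs = []
    for i in range(25):
        recs.append({
            "CreationTime": (base + timedelta(seconds=12 * i)).isoformat(),
            "Operation": "FileAccessed",
            "UserId": "j.doe@example.com",
            "ClientIP": "203.0.113.10",
            "UserAgent": "python-requests/2.31.0",
            "ObjectId": f"https://example.sharepoint.com/sites/hr/Shared Documents/payroll_{i}.xlsx",
        })
    for i in range(3):
        recs.append({
            "CreationTime": (base + timedelta(minutes=i)).isoformat(),
            "Operation": "FileAccessed",
            "UserId": "a.smith@example.com",
            "ClientIP": "198.51.100.7",
            "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
            "ObjectId": f"https://example.sharepoint.com/sites/hr/Shared Documents/notes_{i}.docx",
        })
    return recs


if __name__ == "__main__":
    for alert in find_bulk_file_access(sample_records()):
        print(alert)
    print(is_lure_host("acme.enrollms.com"))
```

Tune the window and threshold to the tenant's baseline; a single scripted FileAccessed event is common in legitimate automation, so the rule looks for volume over distinct files rather than the user agent alone.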
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇦🇺 Australia
- 🇬🇧 United Kingdom
Tradecraft
33 distinct techniques observed across reporting, grouped by tactic.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
A Google-tracked activity cluster using similar vishing tactics, plus PowerShell-based collection of sensitive data from SharePoint and OneDrive, followed by unbranded extortion emails and aggressive extortion tactics.
Related cluster conducting similar vishing/SSO compromise operations, differentiated by separate infrastructure and more aggressive coercion/pressure during social engineering.
Mandiant-tracked cluster using vishing and victim-branded credential harvesting to steal SSO/MFA, then accessing cloud/SaaS (including Okta customer accounts) and exfiltrating data (SharePoint/OneDrive) followed by aggressive extortion including harassment.
Used IT staff impersonation to steal credentials and MFA codes, then accessed and exfiltrated data from Microsoft 365 services (OneDrive/SharePoint), including use of PowerShell for data theft.