Multi-factor authentication has long been heralded as the deadbolt on our digital identities, yet threat actors keep finding ways to pick the lock. In a reminder that security is never a static achievement, researchers at Mandiant, now part of Google, have documented a troubling evolution in how cybercriminals circumvent these protections. Their latest findings indicate that the financially motivated group known as ShinyHunters has refined a particularly effective approach, blending old-school social engineering with modern SaaS targeting.

Mandiant Finds ShinyHunters Using Vishing to Steal SaaS MFA

Google-owned Mandiant announced on Friday that it had identified a significant "expansion in threat activity" attributed to actors using tradecraft consistent with ShinyHunters, a hacking collective previously associated with high-profile data breaches and extortion schemes. Unlike conventional phishing campaigns that rely solely on deceptive emails or malicious links, this wave incorporates vishing (voice phishing) designed to capture one-time passcodes and push approvals in real time. The pivot toward these hybrid attacks is a calculated response to the widespread adoption of MFA: the group has recognized that a person on the phone is an easier target than the cryptography behind the factor.

The attacks follow a repeatable sequence: the actors first obtain passwords through conventional means, then call targeted employees while posing as IT support or security staff. During the call they manufacture urgency, citing suspicious login attempts or a mandatory account verification, to get the victim to read out an MFA code or approve a push notification that the attacker's own login attempt has just triggered. Because a one-time code is valid only for a short window (30 seconds per step for a standard TOTP code, with a step or two of clock drift usually tolerated), the interception has to happen live, which is exactly what the phone call provides. Once the factor is accepted, the operators can establish persistent access to the SaaS platform before the security team has any reason to look.

What makes this campaign particularly concerning is ShinyHunters' established history of monetizing access through data theft and extortion. The group has previously claimed responsibility for breaches affecting major retailers, financial institutions, and technology companies, so the move to vishing is an expansion of existing operations rather than a change of objective. By targeting SaaS environments, where sensitive customer databases, proprietary source code, and financial records increasingly reside, the attackers position themselves to exfiltrate high-value data while their activity blends in with legitimate authenticated sessions.

Vishing Tactics Bypass MFA to Breach Business SaaS Platforms

These vishing attacks exploit the authentication workflow itself rather than its underlying cryptography. When an attacker holds valid credentials and can talk the user into supplying the MFA code or approval, the identity provider records the login as legitimate, which blunts anomaly detection that keys on failed factor checks. Mandiant's analysis suggests that the operators time their calls to coincide with their own login attempts, so the victim believes they are resolving a security issue while actually completing the attacker's sign-in. The technique works against SMS codes, authenticator-app codes, and plain push approvals. Push with number matching raises the bar, but only if the user refuses to enter a number the caller reads to them, because the attacker sees that number on their own login screen and can simply relay it over the phone.

Business SaaS platforms (identity providers like Okta, Microsoft 365 tenants, and CRM systems) have become prime targets because of their centralized role in the modern enterprise. Once inside, attackers use native features such as email forwarding rules, data synchronization tools, and API tokens to establish persistence and conduct reconnaissance without deploying malware that might trigger endpoint detection. Because these platforms are cloud-native, a compromised account can reach resources across geographic boundaries instantly, complicating incident response and forensic investigation; with no malware on an endpoint, the provider's audit log is usually the only record of what was done.
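The sequence above (a password login from somewhere new, a push approved from a different device, then a forwarding rule or API token minutes later) is visible in SaaS audit logs even though every individual step looks legitimate. The following detection is an added example, not Mandiant's or any vendor's logic; the log lines, field names, event names and the per-user IP baseline are all constructed for illustration and do not follow a real provider's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (not vendor telemetry; field names are
# hypothetical). Session s1 is the vishing pattern: password login from an IP
# the user has never used, push approved from a different IP (the victim's
# phone), then a forwarding rule and an API token within minutes. Session s2
# is a benign user creating a rule from a known IP half an hour after login.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:10Z","user":"alice","event":"login.password_ok","ip":"203.0.113.7","session":"s1"}
{"ts":"2024-03-01T09:00:40Z","user":"alice","event":"mfa.approved","ip":"198.51.100.9","session":"s1","method":"push"}
{"ts":"2024-03-01T09:03:05Z","user":"alice","event":"mail.forwarding_rule_created","ip":"203.0.113.7","session":"s1","target":"ext@example.net"}
{"ts":"2024-03-01T09:05:00Z","user":"alice","event":"api.token_created","ip":"203.0.113.7","session":"s1"}
{"ts":"2024-03-01T10:00:00Z","user":"bob","event":"login.password_ok","ip":"192.0.2.5","session":"s2"}
{"ts":"2024-03-01T10:00:03Z","user":"bob","event":"mfa.approved","ip":"192.0.2.5","session":"s2","method":"push"}
{"ts":"2024-03-01T10:30:00Z","user":"bob","event":"mail.forwarding_rule_created","ip":"192.0.2.5","session":"s2","target":"bob-home@example.org"}
"""

# Constructed baseline: IPs each user has signed in from before.
KNOWN_IPS = {"alice": {"198.51.100.9"}, "bob": {"192.0.2.5"}}

# Native SaaS features an intruder can use for persistence without malware.
PERSISTENCE_EVENTS = {"mail.forwarding_rule_created", "api.token_created", "sync.connector_added"}
WINDOW = timedelta(minutes=15)


def parse_events(log_text):
    """One JSON object per line; returns events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, known_ips, window=WINDOW):
    """Return one alert per session that shows a persistence action shortly
    after MFA approval together with at least one authentication anomaly."""
    by_session = defaultdict(list)
    for e in parse_events(log_text):
        by_session[e["session"]].append(e)

    alerts = []
    for session, evs in by_session.items():
        login = next((e for e in evs if e["event"] == "login.password_ok"), None)
        approval = next((e for e in evs if e["event"] == "mfa.approved"), None)
        if login is None or approval is None:
            continue
        signals = []
        if login["ip"] not in known_ips.get(login["user"], set()):
            signals.append("login_from_unknown_ip")
        if approval["ip"] != login["ip"]:
            signals.append("approval_ip_differs_from_login")
        persistence = [e for e in evs if e["event"] in PERSISTENCE_EVENTS
                       and approval["ts"] <= e["ts"] <= approval["ts"] + window]
        if persistence and signals:
            alerts.append({
                "user": login["user"], "session": session, "signals": signals,
                "actions": [e["event"] for e in persistence],
                "first_action_after_mfa": persistence[0]["ts"] - approval["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

The approval-IP mismatch is deliberately treated as corroboration rather than a trigger on its own: a phone on a mobile network routinely approves from a different address than the laptop that signed in, so it only becomes interesting next to an unknown login IP and a persistence action in the same session. Tuning `WINDOW` and the baseline is where most of the false-positive work lives.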

Security researchers note that these attacks expose the limits of treating MFA as a silver bullet without accompanying user education and process hardening. Organizations that have deployed FIDO2 hardware keys or number-matching push report greater resistance to these tactics. FIDO2 resists because the authenticator signs a challenge together with the origin the browser is actually talking to, so there is nothing the user can read out over the phone and nothing a lookalike site can replay; number matching helps mainly by forcing a deliberate action instead of a reflexive tap, and it still depends on the user not entering a number a caller dictates. The broader industry remains exposed because adoption of phishing-resistant MFA is inconsistent and employees are still not reliably trained to verify a caller's identity through an independent channel before disclosing authentication data.
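The difference between the factors discussed above (the live relay of a TOTP code, the dictated number-matching value, and the origin-bound FIDO2 assertion) comes down to what the server actually checks. The toy relying party below is an added example, not code from Mandiant or from any identity provider: the TOTP routine follows RFC 6238, but the FIDO2 credential is modelled with an HMAC key standing in for the real public-key signature so the example runs on the standard library alone, and the origins `sso.example.com` and `sso-example.com`, the session names and the shared secret are all constructed. The three scenario functions return whether the relying party accepted the attacker's login.

```python
import hashlib, hmac, json, secrets, struct

STEP = 30                                   # TOTP time step in seconds (RFC 6238 default)
RP_ORIGIN = "https://sso.example.com"       # hypothetical genuine sign-in origin
LOOKALIKE = "https://sso-example.com"       # hypothetical attacker-controlled lookalike


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class RelyingParty:
    """Toy identity provider offering three second factors."""

    def __init__(self):
        self.totp_secrets = {}    # user -> shared TOTP secret
        self.credentials = {}     # user -> per-credential key (HMAC stand-in for a FIDO2 key pair)
        self.pending = {}         # session -> the number or challenge issued to that session

    # Factor 1: TOTP, accepting one step of clock drift either side.
    def verify_totp(self, user, code, now):
        return any(hmac.compare_digest(code, totp(self.totp_secrets[user], now + d))
                   for d in (-STEP, 0, STEP))

    # Factor 2: push with number matching; the number is displayed on the login screen.
    def start_push(self, session):
        self.pending[session] = {"number": secrets.randbelow(100)}
        return self.pending[session]["number"]

    def approve_push(self, session, entered):
        return self.pending[session]["number"] == entered

    # Factor 3: WebAuthn-style assertion bound to this session's challenge and to the origin.
    def start_assertion(self, session):
        self.pending[session] = {"challenge": secrets.token_hex(16)}
        return self.pending[session]["challenge"]

    def verify_assertion(self, session, user, client_data_json, signature):
        data = json.loads(client_data_json)
        if data["origin"] != RP_ORIGIN:                               # signed for another site
            return False
        if data["challenge"] != self.pending[session]["challenge"]:  # not this session's challenge
            return False
        digest = hashlib.sha256(client_data_json.encode()).digest()
        expected = hmac.new(self.credentials[user], digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key, origin, challenge):
    """What the victim's browser and authenticator produce. The browser fills in
    `origin` from the page it is really on; the page itself cannot choose it."""
    client_data_json = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    digest = hashlib.sha256(client_data_json.encode()).digest()
    return client_data_json, hmac.new(key, digest, hashlib.sha256).digest()


def scenario_totp_relay(now=1_700_000_000):
    """Victim reads the code out at `now`; the attacker types it 20 s later."""
    rp = RelyingParty()
    rp.totp_secrets["victim"] = b"constructed-shared-secret"
    code_read_over_phone = totp(rp.totp_secrets["victim"], now)
    return rp.verify_totp("victim", code_read_over_phone, now + 20)        # accepted


def scenario_number_match_relay():
    """Attacker sees the number on their own screen and tells the victim to enter it."""
    rp = RelyingParty()
    number_on_attacker_screen = rp.start_push("attacker-session")
    return rp.approve_push("attacker-session", number_on_attacker_screen)   # accepted


def scenario_webauthn_relay():
    """Two things an attacker might try against an origin-bound factor."""
    rp = RelyingParty()
    key = secrets.token_bytes(32)
    rp.credentials["victim"] = key
    # (a) Relay the attacker-session challenge through a lookalike page the victim was talked into opening.
    challenge = rp.start_assertion("attacker-session")
    cdj, sig = authenticator_sign(key, LOOKALIKE, challenge)
    lookalike_accepted = rp.verify_assertion("attacker-session", "victim", cdj, sig)
    # (b) Replay an assertion the victim produced in their own genuine session.
    victim_challenge = rp.start_assertion("victim-session")
    cdj2, sig2 = authenticator_sign(key, RP_ORIGIN, victim_challenge)
    replay_accepted = rp.verify_assertion("attacker-session", "victim", cdj2, sig2)
    return lookalike_accepted, replay_accepted                               # both rejected
```

The first two scenarios succeed because the server only checks that the right value arrived in time, and a phone call moves that value between two people just fine. The third fails twice: the lookalike relay trips the origin check, and the genuine assertion trips the challenge check, since it was issued to the victim's session rather than the attacker's. Note that number matching is not made safe by the number being random; its value lies entirely in the user declining to type a number that a caller dictates, which is a training problem rather than a cryptographic one.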

As ShinyHunters demonstrates, the arms race between attackers and defenders continues to accelerate, with human trust as the contested ground. MFA remains a critical component of defense in depth, but Mandiant's findings underscore the need to pair technical controls with security awareness training and zero-trust principles. Organizations must move beyond checkbox compliance and recognize that adversaries like ShinyHunters will probe the seams between technology and human behavior. In this landscape, the most resilient defenses treat every authentication attempt not as a routine transaction but as a potential intrusion that warrants continuous verification.