What happened
Mandiant has reported that threat activity linked to ShinyHunters is using voice phishing to compromise single sign-on credentials and access cloud-hosted data. The activity involves impersonation of corporate IT or helpdesk staff during live phone calls, directing targeted employees to phishing sites that mimic legitimate SSO login portals. These sites capture both credentials and MFA codes during the interaction, allowing attackers to authenticate into enterprise SSO dashboards. Once access is obtained, the compromised identity is used to move laterally into connected SaaS platforms and extract data. Mandiant described the activity as part of a broader wave of SaaS-focused data theft incidents.
Who is affected
Organizations using SSO-connected SaaS platforms are affected when employees are successfully targeted by voice phishing campaigns that lead to unauthorized access.
Why CISOs should care
The activity shows how social engineering can bypass identity controls such as SSO and MFA, enabling attackers to misuse legitimate access paths to steal cloud data.
3 practical actions
- Review SSO authentication logs. Look for anomalous access patterns following user phone interactions.
- Strengthen anti-phishing training. Include voice-based social engineering scenarios.
- Evaluate identity security controls. Assess additional safeguards beyond standard MFA.
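
For the first action, one pattern worth checking in SSO logs is a successful login from an IP address the user has not used before, followed within minutes by access to several connected SaaS apps. The sketch below is an added example, not code from Mandiant or any identity provider; the event schema, the 30-minute window and the three-app threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ts, user, ip, action, app); the schema is an
# assumption for illustration, not any identity provider's log format.
EVENTS = [
    ("2025-01-06T09:01:00", "alice", "192.0.2.10", "sso_login", None),
    ("2025-01-06T09:02:00", "alice", "192.0.2.10", "app_access", "mail"),
    ("2025-01-07T09:03:00", "alice", "192.0.2.10", "sso_login", None),
    ("2025-01-07T14:20:00", "alice", "203.0.113.50", "sso_login", None),
    ("2025-01-07T14:21:00", "alice", "203.0.113.50", "app_access", "crm"),
    ("2025-01-07T14:23:00", "alice", "203.0.113.50", "app_access", "file-share"),
    ("2025-01-07T14:26:00", "alice", "203.0.113.50", "app_access", "ticketing"),
    ("2025-01-07T10:00:00", "bob", "192.0.2.20", "sso_login", None),
    ("2025-01-07T10:05:00", "bob", "192.0.2.20", "app_access", "mail"),
    ("2025-01-08T11:00:00", "bob", "198.51.100.9", "sso_login", None),
    ("2025-01-08T11:10:00", "bob", "198.51.100.9", "app_access", "mail"),
]

def find_suspicious_sessions(events, window=timedelta(minutes=30), min_apps=3):
    """Flag logins from a new IP that fan out to min_apps apps within window."""
    known_ips = defaultdict(set)  # user -> IPs seen on earlier logins
    open_windows = {}             # (user, ip) -> (login time, apps reached)
    alerts = []
    for ts, user, ip, action, app in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if action == "sso_login":
            # A user's first-ever IP seeds the baseline instead of alerting.
            if known_ips[user] and ip not in known_ips[user]:
                open_windows[(user, ip)] = (when, set())
            # Simplification: a real baseline should age out and should not
            # absorb IPs that went on to trigger an alert.
            known_ips[user].add(ip)
        elif action == "app_access" and (user, ip) in open_windows:
            start, apps = open_windows[(user, ip)]
            if when - start <= window and app not in apps:
                apps.add(app)
                if len(apps) == min_apps:  # fire once, at the threshold
                    alerts.append((user, ip, start.isoformat(), sorted(apps)))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sessions(EVENTS):
        print(alert)
```

Hits from a rule like this are leads to confirm with the user, for example by asking whether they received a call from someone claiming to be IT around the login time.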
