2026-05-18 09:16:57

Unmasking BlackFile: An In-Depth Q&A on the Vishing Extortion Campaign

Explore the BlackFile vishing extortion campaign by UNC6671, covering initial access via voice phishing, AiTM bypass of MFA, targeting of Microsoft 365 and Okta, data theft tools, extortion process, and actionable defensive recommendations.

The BlackFile vishing extortion campaign, operated by the threat actor tracked as UNC6671, has been targeting organizations since early 2026 using sophisticated voice phishing and single sign-on (SSO) compromises. This adversary leverages adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication (MFA) and gain deep access to cloud environments, primarily Microsoft 365 and Okta. By combining social engineering with automated data exfiltration tools, UNC6671 extorts victims under the BlackFile brand. Below, we answer key questions about this evolving threat.

What is BlackFile and who is behind it?

BlackFile is the branding used by the threat actor tracked as UNC6671, a group that has been active since early 2026. Google Threat Intelligence Group (GTIG) has identified this actor as responsible for a widespread extortion campaign targeting organizations in North America, Australia, and the UK. Unlike traditional ransomware groups, UNC6671 focuses on data theft and extortion without deploying encryption. They have been observed using the ShinyHunters brand in some threats to appear more credible, but GTIG assesses they are an independent operation with their own Tox communication channels, unique domain registration patterns, and a dedicated data leak site called BlackFile. The group employs hired callers to execute voice phishing attacks, demonstrating a sophisticated organizational structure.

Source: www.mandiant.com

How does UNC6671 gain initial access to victim networks?

UNC6671 relies heavily on vishing, or voice phishing, to gain initial access. The group hires callers who pose as internal IT or help desk personnel. They often call employees on their personal mobile phones to bypass corporate security tools. The pretext typically involves a mandatory migration to passkeys or a required multi-factor authentication (MFA) update. This narrative not only directs victims to a credential harvesting website but also provides a logical explanation for any security alerts triggered during the compromise. The threat actor has shifted from using unique, organization-specific phishing domains to a subdomain-based model, often registering domains with Tucows. Recent campaigns use subdomains that reference "passkey" or "enrollment" to enhance legitimacy.

What techniques does UNC6671 use to bypass multi-factor authentication?

To bypass MFA, UNC6671 employs adversary-in-the-middle (AiTM) techniques. During the vishing call, the victim is directed to a phishing site that proxies their authentication request to the legitimate service—such as Microsoft 365 or Okta—in real time. The victim enters their credentials and completes the MFA prompt (e.g., a push notification or OTP); because the proxy sits between the victim and the identity provider, it captures the resulting session cookies or tokens. This allows the threat actor to authenticate as the victim after the phishing interaction is over. By using this method, UNC6671 effectively defeats standard MFA implementations that are not phishing-resistant. AiTM proxies intercept the entire authentication flow, making it appear legitimate to both the user and the identity provider.

Which cloud environments and tools are primarily targeted?

UNC6671 primarily targets Microsoft 365 and Okta infrastructure. After compromising credentials through vishing and AiTM, the group uses Python and PowerShell scripts to programmatically access and exfiltrate sensitive corporate data. They target single sign-on (SSO) platforms because compromising these gives them broad access to connected applications and data. The group focuses on data that can be used for extortion, such as financial records, intellectual property, customer databases, and internal communications. The automated nature of their exfiltration tools allows them to quickly download large volumes of data before detection. GTIG emphasizes that these compromises are not due to vendor vulnerabilities but result from effective social engineering.


How does the extortion process unfold after data theft?

After successfully exfiltrating data, UNC6671 initiates extortion by contacting the victim organization, often through email or their dedicated Tox channels. They threaten to publish the stolen data on the BlackFile data leak site (DLS) unless a ransom is paid. The group has been known to use the ShinyHunters brand in some communications to add perceived credibility, but they maintain separate infrastructure. The DLS serves as a public shaming platform to pressure victims. In some cases, they may also contact customers or partners of the victim to amplify the threat. The extortion demands vary but typically involve payment in cryptocurrency. GTIG notes that UNC6671 maintains a high operational cadence, indicating a well-organized criminal enterprise.

What defensive measures can organizations implement to protect against this threat?

Organizations should prioritize moving to phishing-resistant MFA, such as FIDO2 security keys or passkey-based authentication, which are not vulnerable to AiTM proxies. Additionally, deploy robust security awareness training that specifically covers vishing tactics and the IT help desk pretext used by UNC6671 (passkey migration or mandatory MFA updates). Monitor for unusual login patterns, such as access from new devices or locations shortly after a vishing call. Implement strict policies for IT support calls—employees should verify requests through official channels. Use security tools that detect credential harvesting domains and block access to suspicious subdomains. Finally, maintain offline backups of critical data and have an incident response plan that includes rapid revocation of compromised sessions. Regular security audits and penetration testing can help identify weaknesses in SSO configurations.
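As an added example (not code from the Mandiant/GTIG post), two of the hunts recommended above applied to constructed log samples: flagging non-allowlisted hostnames that carry the "passkey"/"enrollment" lure labels described in the initial-access section, and spotting a session that passed an MFA prompt and was then reused from a different IP shortly afterwards, the footprint a replayed AiTM token leaves in sign-in logs. The field names, the tenant allowlist and the 60-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant allowlist: legitimate identity-provider hostnames for this organization.
ALLOWED_SUFFIXES = ("login.microsoftonline.com", "example.okta.com")
# Lure words seen in the campaign's subdomain naming pattern.
LURE_LABELS = ("passkey", "enrollment")
# Assumed hunting window for a stolen token being reused from elsewhere.
REPLAY_WINDOW = timedelta(minutes=60)


def is_lure_host(hostname):
    """True when a hostname outside the allowlist carries a lure label in any DNS label."""
    host = hostname.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return False  # our own IdP, even with "enrollment" in the name
    return any(lure in label for label in host.split(".") for lure in LURE_LABELS)


def find_token_replays(events):
    """Sessions whose MFA-completed sign-in is reused from a different IP within the window."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)
    hits = []
    for sid, evs in by_session.items():
        first = evs[0]
        if not first["mfa"]:
            continue  # only sessions that actually passed an MFA prompt matter here
        for later in evs[1:]:
            if later["ip"] != first["ip"] and later["ts"] - first["ts"] <= REPLAY_WINDOW:
                hits.append((first["user"], sid, first["ip"], later["ip"]))
                break
    return hits


# Constructed sample data (not real telemetry); field names are assumptions.
T0 = datetime(2026, 5, 18, 9, 0)
SIGNINS = [
    {"ts": T0, "user": "alice", "session": "s1", "ip": "203.0.113.7", "mfa": True},
    {"ts": T0 + timedelta(minutes=12), "user": "alice", "session": "s1", "ip": "198.51.100.9", "mfa": False},
    {"ts": T0, "user": "bob", "session": "s2", "ip": "192.0.2.4", "mfa": True},
    {"ts": T0 + timedelta(minutes=30), "user": "bob", "session": "s2", "ip": "192.0.2.4", "mfa": False},
]
PROXY_HOSTS = ["login.microsoftonline.com", "passkey-enrollment.sso-update.example", "enrollment.example.okta.com"]

if __name__ == "__main__":
    print("lure hosts:", [h for h in PROXY_HOSTS if is_lure_host(h)])
    print("token replays:", find_token_replays(SIGNINS))
```

A replay hit is a cue to revoke that session's refresh tokens and call the user back through an official channel, not proof of compromise on its own.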