BlackFile: Analyzing UNC6671 Vishing & Cloud Data Extortion
- [01] Organizations face deep cloud compromise and data exfiltration via sophisticated vishing and AiTM attacks, leading to extortion.
- [02] Microsoft 365 and Okta environments are primary targets, impacting SharePoint, OneDrive, Zendesk, and Salesforce data.
- [03] Implement phishing-resistant MFA like FIDO2-compliant security keys or passkeys to prevent initial access.
BlackFile: Sophisticated Vishing and Cloud Data Extortion by UNC6671
Google Threat Intelligence Group (GTIG) has been tracking an extensive extortion campaign run by the threat actor UNC6671 under the "BlackFile" brand. The campaign targets organizations through voice phishing (vishing) and single sign-on (SSO) compromise. Using Adversary-in-the-Middle (AiTM) techniques, UNC6671 bypasses perimeter defenses and conventional multi-factor authentication (MFA) to gain deep access to cloud environments, with a heavy focus on Microsoft 365 and Okta. The actors then use Python and PowerShell scripts to exfiltrate sensitive corporate data programmatically and extort the victim. This analysis walks through UNC6671's attack lifecycle and gives security teams guidance for detecting its vishing and AiTM activity and mitigating these identity-centric threats.
Since its emergence in early 2026, UNC6671 has maintained a high operational cadence, targeting dozens of organizations across North America, Australia, and the UK, according to Google Threat Intelligence Group. It is important to note that these compromises do not stem from security vulnerabilities in vendor products but rather highlight the efficacy of social engineering and the urgent need for organizations to adopt phishing-resistant MFA solutions.
Initial Access: Vishing and Real-Time MFA Interception
UNC6671’s initial access relies on high-volume vishing, characterized by meticulous social engineering and synchronized real-time credential harvesting. Callers, often hired by the threat actor, target employees’ personal cellular phones to bypass corporate security controls. They masquerade as internal IT or help desk personnel, citing mandatory migrations to passkeys or required MFA updates. This pretext directs victims to credential harvesting sites and provides cover for security alerts generated during the compromise.
UNC6671 has evolved its approach to credential harvesting domains, shifting from unique, organization-tailored domains to a subdomain-based model. Recent campaigns utilize subdomains referencing ‘passkey’ or ‘enrollment’ themes, such as <organization>.enrollms[.]com, <organization>.passkeyms[.]com, or <organization>.setupsso[.]com, to enhance legitimacy. The vishing call functions as a live AiTM attack, following a rapid procedural lifecycle:
- Redirection: Victims are directed to a lookalike subdomain mirroring their organization’s SSO portal.
- Credential Capture: As victims enter credentials, UNC6671 captures them in real-time and immediately submits them to the legitimate SSO provider.
- MFA Bypass: When the legitimate portal issues an MFA challenge (Push, SMS, or TOTP), the victim, believing it’s a setup step, provides the code or approval to the threat actor.
- Device Registration: Upon gaining access, the threat actor swiftly registers a new, attacker-controlled MFA device to establish persistence, often before the victim or a Security Operations Center (SOC) can detect the anomaly.
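The lifecycle above works because everything the victim hands over (password, OTP, push approval) is a bare secret with no tie to the site it was typed into, so the relay can forward it unchanged. A FIDO2/WebAuthn assertion is different: the browser records the page origin in the signed client data and derives the RP ID from it, so an assertion produced on a lookalike domain does not verify at the real SSO portal. The following is an added example, not code from the GTIG report, that simulates both flows. The relying-party checks are the ones WebAuthn verification actually performs; the signature is an HMAC stand-in (an assumption made so the example runs on the standard library alone, where a real authenticator signs with an asymmetric key that never leaves the device), and the hostnames are made up.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed the way an OTP can.

Added example, not code from the GTIG report. The relying-party checks
(challenge, origin, rpIdHash, signed data = authenticatorData ||
SHA-256(clientDataJSON)) are the ones WebAuthn verification performs.
The signature is an HMAC stand-in so the example runs on the standard
library alone (assumption); a real authenticator signs with a private key
that never leaves the device. Hostnames are made up.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_RP_ID = "sso.example.com"
LEGIT_ORIGIN = "https://sso.example.com"
CREDENTIAL_KEY = secrets.token_bytes(32)  # stand-in for the credential's private key


def authenticator_assert(origin: str, challenge: str) -> dict:
    """What the browser and security key produce when the user touches the key
    on a page served from `origin`. The browser, not the page, fills in the
    origin and derives the RP ID from it, so a lookalike page cannot lie."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP+UV) | signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str):
    """The checks the legitimate SSO portal runs on a received assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    """User signs in directly at the real portal."""
    challenge = secrets.token_urlsafe(32)  # issued by the real RP
    return rp_verify(authenticator_assert(LEGIT_ORIGIN, challenge), challenge)


def aitm_relay(phishing_origin: str = "https://victim-org.enrollms.com"):
    """The proxy fetches a real challenge from the RP and shows the victim a
    lookalike page. The victim's browser signs for the lookalike origin, and
    the RP rejects the relayed assertion."""
    challenge = secrets.token_urlsafe(32)
    relayed = authenticator_assert(phishing_origin, challenge)
    return rp_verify(relayed, challenge)


def otp_relay(otp_from_victim: str, otp_expected: str) -> bool:
    """Contrast: a TOTP/SMS code carries no origin, so the same relay succeeds."""
    return hmac.compare_digest(otp_from_victim, otp_expected)


if __name__ == "__main__":
    print("direct login:", legitimate_login())
    print("relayed through lookalike:", aitm_relay())
    print("relayed OTP accepted:", otp_relay("482913", "482913"))
```

In practice the failure is even earlier than the origin check: a security key or passkey holds no credential scoped to the lookalike domain, so the browser never produces an assertion at all. That is why the pretext in these calls is a "passkey migration": with no factor to relay, the operator needs the victim to complete an enrollment the attacker controls, which is the device-registration step above.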
Data Theft and Programmatic Exfiltration
Following successful authentication, UNC6671 uses its SSO access to move laterally across the victim's SaaS applications and steal data. The actors primarily target Microsoft 365 and Okta environments, accessing SharePoint, OneDrive, and connected applications such as Zendesk and Salesforce. They query internal search functions for terms such as "confidential" and "SSN" to prioritize high-value data.
The group then transitions from interactive, browser-based reconnaissance to automated exfiltration with Python and PowerShell scripts. These use formal APIs such as Microsoft Graph, the python-requests library, and PowerShell to issue direct HTTP GET requests against document URLs. By reusing valid session cookies (e.g., FedAuth) obtained during the vishing phase, UNC6671 can "stream" file content directly to attacker-controlled infrastructure. This direct-fetch method typically produces FileAccessed rather than FileDownloaded events in audit logs, so the activity blends into routine traffic and can slip past SOCs that treat only FileDownloaded events as high priority.
Analysis of Microsoft 365 Unified Audit Log (UAL) telemetry shows consistent forensic indicators of scripted exfiltration. User-Agent mismatches are common: while ClientAppId may be spoofed as "Microsoft Office," the UserAgent string often identifies a scripting engine such as python-requests/2.28.1 or WindowsPowerShell/5.1. These requests consistently originate from non-standard infrastructure, including commercial VPN exit nodes and hosting providers, which gives defenders useful IoCs for detecting BlackFile cloud data exfiltration.
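The three indicators above (a scripting User-Agent on file events, a ClientAppId that claims "Microsoft Office" while the UserAgent says otherwise, and access volumes no human browses at) can be checked together over a UAL export. The following is an added example, not code from the GTIG report, that runs those checks over constructed records; it also implements the report's later hunting guidance to weight FileAccessed as heavily as FileDownloaded when the client is a library or command-line tool. The records use a simplified subset of UAL SharePoint/OneDrive fields, and the window and burst thresholds are assumptions to tune per tenant.

```python
"""Hunting scripted file exfiltration in Microsoft 365 Unified Audit Log exports.

Added example, not code from the GTIG report. The records below are
constructed and use a simplified subset of UAL SharePoint/OneDrive fields.
Thresholds (60-second window, 20 events) are assumptions to tune per tenant.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FILE_OPS = {"FileAccessed", "FileDownloaded"}  # FileAccessed is treated as seriously as FileDownloaded
# User-Agent fragments that identify libraries and shells rather than browsers.
SCRIPTED_UA = re.compile(r"python-requests|WindowsPowerShell|PowerShell/|Go-http-client|curl/|Wget/", re.I)
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/123.0 Safari/537.36"


def is_scripted(user_agent: str) -> bool:
    return bool(SCRIPTED_UA.search(user_agent or ""))


def peak_events_in_window(times, window_s: int) -> int:
    """Largest number of events falling inside any window_s-second window."""
    times = sorted(times)
    best = left = 0
    for right in range(len(times)):
        while times[right] - times[left] > timedelta(seconds=window_s):
            left += 1
        best = max(best, right - left + 1)
    return best


def hunt(records, window_s: int = 60, burst_threshold: int = 20) -> dict:
    """Return, per user, the indicator counts for users who trip any indicator."""
    per_user = defaultdict(lambda: {"scripted_access": 0, "client_ua_mismatch": 0,
                                    "peak_burst": 0, "user_agents": set(), "ips": set(), "times": []})
    for rec in records:
        if rec.get("Workload") not in {"SharePoint", "OneDrive"} or rec.get("Operation") not in FILE_OPS:
            continue
        u = per_user[rec["UserId"]]
        ua = rec.get("UserAgent", "")
        u["times"].append(datetime.fromisoformat(rec["CreationTime"]))
        u["user_agents"].add(ua)
        u["ips"].add(rec.get("ClientIP"))
        if is_scripted(ua):
            u["scripted_access"] += 1
            # Spoofed client identity: claims Office, but the HTTP client is a script.
            if "Microsoft Office" in str(rec.get("ClientAppId", "")):
                u["client_ua_mismatch"] += 1
    alerts = {}
    for user, u in per_user.items():
        u["peak_burst"] = peak_events_in_window(u["times"], window_s)
        if u["scripted_access"] or u["client_ua_mismatch"] or u["peak_burst"] >= burst_threshold:
            alerts[user] = {k: v for k, v in u.items() if k != "times"}
    return alerts


def _rec(ts, user, op, ua, ip, app, workload="SharePoint"):
    return {"CreationTime": ts, "UserId": user, "Operation": op, "UserAgent": ua,
            "ClientIP": ip, "ClientAppId": app, "Workload": workload}


BASE = datetime(2026, 3, 4, 10, 0, 0)
SAMPLE_RECORDS = [
    # Constructed: an employee opening three files interactively over twelve minutes.
    _rec("2026-03-04T10:00:00", "alice@example.com", "FileAccessed", BROWSER_UA, "203.0.113.10", "Browser"),
    _rec("2026-03-04T10:05:30", "alice@example.com", "FileAccessed", BROWSER_UA, "203.0.113.10", "Browser"),
    _rec("2026-03-04T10:12:00", "alice@example.com", "FileDownloaded", BROWSER_UA, "203.0.113.10", "Browser"),
]
# Constructed: a stolen session replayed by a script from a VPN exit node,
# thirty FileAccessed events one second apart with ClientAppId spoofed as Office.
SAMPLE_RECORDS += [
    _rec((BASE + timedelta(minutes=30, seconds=i)).isoformat(), "bob@example.com", "FileAccessed",
         "python-requests/2.28.1", "198.51.100.7", "Microsoft Office")
    for i in range(30)
]

if __name__ == "__main__":
    for user, hit in hunt(SAMPLE_RECORDS).items():
        print(user, hit)
```

Alice's three browser events never fire; Bob trips all three indicators, and the peak-burst count stays meaningful even if the script had used a browser User-Agent, which is why the volume check is kept independent of the User-Agent check.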
Extortion and Aggressive Pressure Tactics
UNC6671 conducts highly targeted extortion campaigns, starting with unbranded ransom notes from programmatically generated consumer email accounts. Upon victim engagement via encrypted communication channels (e.g., Tox or Session), the operators identify themselves as “BlackFile.” Initial demands often reach millions of dollars, frequently pivoting to low six-figure amounts upon active engagement. When met with silence or resistance, the group escalates pressure aggressively, including spamming employee mailboxes, sending threatening voicemails to C-suite executives, and in severe cases, utilizing swatting tactics against company personnel.
The BlackFile Data Leak Site (DLS), launched on February 6, 2026, claims to operate as “security researchers.” However, its approach deviates from typical high-publicity DLS models, as it is not publicly advertised or indexed by search engines. To date, UNC6671 has only leaked limited file samples and directory listings rather than full datasets. The DLS briefly came back online in May 2026 to announce its shutdown “under this name,” signaling a possible rebranding or retooling phase rather than a permanent cessation of operations.
Remediation and Hardening Against UNC6671 Cloud Compromise
To protect against UNC6671’s sophisticated TTPs, GTIG recommends the following mitigations and hunting strategies:
- Deploy Credential Guarding: Configure environment-specific protections like Google Workspace’s Password Alert or Microsoft Defender’s Credential Protection and SmartScreen to intercept credential submissions to unauthorized domains.
- Implement Phishing-Resistant MFA: Transition away from SMS and push-notification MFA. Prioritize FIDO2-compliant security keys or passkeys, which are inherently resistant to the AiTM and vishing tactics UNC6671 employs, across both Microsoft 365 and Okta environments.
- Monitor IdP Logs: Review identity provider logs for `system.multifactor.factor.setup` events immediately preceded by `user.authentication.auth_via_mfa` failures or "Abandoned" challenges.
- Correlate Infrastructure: Alert on authentication attempts originating from known commercial VPNs or hosting providers that are anomalous for a user's typical geographic location.
- Audit SaaS API Activity: Monitor Microsoft 365, SharePoint, and Salesforce audit logs for anomalous, high-volume file access (`FileDownloaded` or `FileAccessed` events) originating from generic scripting user agents (e.g., PowerShell, Python).
- Monitor User-Agents: Monitor for specific IdP SDK User-Agents on devices not previously associated with a user's profile.
- Re-Evaluate "Access" Severity: SOCs should treat `FileAccessed` events with the same criticality as `FileDownloaded` when the User-Agent identifies a programming library (Python, Go) or a command-line tool.
- Audit for Direct File Streaming: Monitor for `FileAccessed` logs where the `AppAccessContext` indicates a headless client or where the volume of "Accessed" files in a short window exceeds human browsing capability.
Outlook and Implications
The announced shutdown of the BlackFile DLS suggests a potential rebranding or strategic pivot by UNC6671. Historically, threat clusters often rebrand to evade scrutiny, resolve pending cases, or retool their infrastructure. Regardless of the BlackFile brand’s future, the core TTPs — sophisticated social engineering, MFA bypass, and programmatic data theft from cloud/SaaS environments — represent a highly successful and evolving trend in the cybercrime landscape. Organizations must remain vigilant and continuously harden their identity and cloud security postures to counteract these persistent threats.