Mandiant: “ShinyHunters-style” vishing + SSO/MFA theft

Google-owned Mandiant reports an expansion of tactics associated with “ShinyHunters” operations: vishing and victim-branded login pages to harvest SSO credentials and MFA codes, then raid SaaS apps and extort victims. The campaigns lean on believable phone calls, fake portals and quick token reuse to bypass defences. Recommended actions include restricting app-to-app access, enforcing phishing-resistant MFA, auditing third-party integrations, and monitoring OAuth grants and unusual session creation.

ShinyHunters’ new playbook: phone first, SaaS second

Per Mandiant, attackers associated with “ShinyHunters” are leaning into voice phishing and slick, victim-branded login pages to swipe SSO credentials and MFA codes—then head straight for your SaaS data. Once they land, it’s a short hop to OAuth token abuse, inbox/data exfiltration and the usual extortion routine.

How it works: an attacker rings your helpdesk or a target user, shepherds them to a convincing look-alike portal, captures SSO creds and the MFA prompt, then spins up sessions across email, storage and HR apps. Because it’s your SSO, logs can look deceptively normal.

What to fix now:
• MFA quality: favour phishing-resistant methods (FIDO2/WebAuthn, passkeys); throttle or challenge repeated push approvals.
• SSO scope: reduce broad OAuth scopes; review connected apps; block legacy auth.
• Detection: alert on unusual MFA prompt patterns, atypical OAuth grants and sudden creation of privileged sessions.
• Humans: brief the service desk on social-engineering tells; add call-back procedures and shared codewords.
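The detection bullet above, turned into a small worked example (added here; not Mandiant's tooling or any vendor's query). It runs two rules over constructed IdP audit events whose field names are assumptions: repeated MFA push prompts for one user inside a short window, and a broad-scope OAuth grant landing shortly after a freshly created session for the same user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names are an assumed schema, not a real IdP's).
# "alice" shows the vishing pattern: repeated pushes, a new session, then a broad grant.
EVENTS = [
    {"ts": "2024-01-01T09:00:00", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-01-01T09:00:20", "user": "alice", "type": "mfa_push", "result": "denied"},
    {"ts": "2024-01-01T09:00:45", "user": "alice", "type": "mfa_push", "result": "approved"},
    {"ts": "2024-01-01T09:01:10", "user": "alice", "type": "session_created", "ip": "203.0.113.7"},
    {"ts": "2024-01-01T09:02:00", "user": "alice", "type": "oauth_grant",
     "app": "unknown-mailer", "scopes": ["mail.readwrite", "files.read"]},
    {"ts": "2024-01-01T10:00:00", "user": "bob", "type": "mfa_push", "result": "approved"},
    {"ts": "2024-01-01T10:00:30", "user": "bob", "type": "session_created", "ip": "198.51.100.4"},
]

BROAD_SCOPES = {"mail.readwrite", "files.read", "directory.readwrite"}  # assumed scope names
PUSH_WINDOW = timedelta(minutes=5)       # sliding window for counting MFA pushes
PUSH_THRESHOLD = 3                       # pushes inside the window that trigger an alert
GRANT_AFTER_LOGIN = timedelta(minutes=10)  # "grant right after a new session" horizon


def detect(events):
    """Return a list of alert strings for the two rules described in the lead-in."""
    alerts = []
    pushes = defaultdict(list)  # user -> timestamps of recent MFA pushes
    last_session = {}           # user -> timestamp of most recent session_created
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        u = e["user"]
        if e["type"] == "mfa_push":
            # Drop pushes older than the window, then add this one; alert exactly
            # once when the count reaches the threshold (push fatigue / coached approval).
            pushes[u] = [p for p in pushes[u] if t - p <= PUSH_WINDOW] + [t]
            if len(pushes[u]) == PUSH_THRESHOLD:
                alerts.append(f"{u}: {PUSH_THRESHOLD} MFA pushes within {PUSH_WINDOW}")
        elif e["type"] == "session_created":
            last_session[u] = t
        elif e["type"] == "oauth_grant":
            # A broad-scope grant soon after a new session is the token-abuse step to catch.
            broad = BROAD_SCOPES & set(e["scopes"])
            if broad and u in last_session and t - last_session[u] <= GRANT_AFTER_LOGIN:
                alerts.append(f"{u}: broad OAuth grant to {e['app']} "
                              f"{sorted(broad)} shortly after new session")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both rules are deliberately simple thresholds; in production the window, threshold and scope list would be tuned per tenant and joined with source IP and device signals.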

Governance: periodic SaaS posture reviews (who can read/export what), plus regular token/key rotation. A single “yes” to a vishing call is not just a phone problem—it’s a SaaS breach waiting to happen.