10 Critical Facts About the BlackFile Vishing Extortion Campaign

Cybercriminals are constantly evolving their tactics, and the BlackFile vishing extortion campaign is a stark reminder that social engineering can bypass even well-resourced security programs. Operated by the threat actor tracked as UNC6671, the campaign has targeted dozens of organizations across North America, Australia, and the UK since early 2026. By combining voice phishing with adversary-in-the-middle (AiTM) theft of credentials and session tokens, the group compromises single sign-on platforms such as Microsoft 365 and Okta, exfiltrates sensitive data, and demands a ransom. Below are ten essential insights defenders need in order to understand and counter this threat.

1. The BlackFile Brand and UNC6671

UNC6671 operates under the "BlackFile" brand and runs a dedicated data leak site to pressure victims. Google Threat Intelligence Group (GTIG) tracks this cluster as distinct from other extortion groups, noting its aggressive vishing-first approach. The group maintains a high operational tempo and targets enterprises with valuable cloud-hosted data. Its campaigns rely on meticulous planning, including pre-recorded calls and call scripts that mimic legitimate IT help-desk workflows. Knowing the brand helps defenders recognize the leak site, negotiation channels, and associated domains when they surface during an incident.

Source: www.mandiant.com

2. Vishing: The Primary Initial Access Vector

Voice phishing, or vishing, is UNC6671's primary initial access vector. Callers, often hired contractors, ring employees on their personal mobile phones, which keeps the calls outside corporate telephony logging and recording. They impersonate help-desk staff and claim that a mandatory migration to passkeys or an MFA update is required. The pretext both lowers the victim's guard and gives the caller a plausible reason to direct the victim to a phishing site. Calls are timed to coincide with real organizational changes, which adds credibility.

3. Credential Harvesting Infrastructure

UNC6671 registers subdomain-based credential-harvesting domains through registrars such as Tucows. Rather than organization-specific lookalike domains, the group now uses generic subdomains referencing "passkey" or "enrollment", so the URL the victim sees matches the pretext the caller has just delivered. The phishing pages are built to intercept not only passwords but also the session tokens issued after a successful login, enabling account takeover even when MFA is in place.

4. Adversary-in-the-Middle (AiTM) Bypass of MFA

The group employs AiTM techniques to circumvent multi-factor authentication. After luring the victim to a fake login page, the attacker's proxy forwards the victim's input to the real service, capturing the credentials on the way in and the session cookie the service sets on the way out. The victim completes a single, legitimate-looking MFA prompt on the attacker's behalf, so the threat actor obtains an authenticated session to the cloud environment immediately. Because there is only one prompt rather than a flood of push notifications, detections tuned for MFA fatigue (push bombing) do not fire.

5. Targeting of Identity Providers

UNC6671 focuses on Microsoft 365 and Okta. These identity providers are the gateway to corporate email, data, and applications, and compromising single sign-on yields access to every service federated behind it. Once inside, the attackers enumerate roles and permissions and use privileged accounts to escalate access. Defenders should monitor identity-provider logs for session tokens used from an IP address or device other than the one that completed MFA, and for MFA completions that the named user did not initiate.

6. Automated Data Exfiltration Using Scripts

After gaining access, UNC6671 runs Python and PowerShell scripts to exfiltrate data programmatically. The scripts target SharePoint, OneDrive, and mailboxes, downloading sensitive documents, financial records, and intellectual property. Automation lets the group pull large volumes before the organization detects the breach. Security teams should alert on unusual API call volumes and on bulk downloads from cloud storage, especially when they originate from a newly seen IP address or client.
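The two detections recommended in sections 5 and 6 can be run over normalized audit events. The block below is an added example, not the article's code and not UNC6671 tooling: it flags a session token reused from an IP other than the one that completed MFA (the trace an AiTM-stolen cookie leaves) and a burst of file downloads by one user inside a sliding window. The events, field names, user names, and RFC 5737 IP addresses are all constructed for the example; the field names are an assumed normalized form, not the exact Entra ID or Okta log schema.

```python
"""Added example: AiTM token-reuse and bulk-download detections over constructed events.
Field names are an assumed normalized form, not a vendor's exact log schema."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(minute: int, second: int) -> str:
    return f"2026-03-02T09:{minute:02d}:{second:02d}Z"


# Constructed events. j.doe completes MFA from 203.0.113.10 (the victim's real IP);
# the same session token then appears from 198.51.100.77 (attacker infrastructure)
# with no new MFA, followed by 60 downloads in under five minutes. a.smith is normal.
EVENTS = [
    {"ts": _ts(1, 10), "type": "SignIn", "user": "j.doe", "session": "sess-a1",
     "ip": "203.0.113.10", "mfa": True},
    {"ts": _ts(3, 40), "type": "SignIn", "user": "j.doe", "session": "sess-a1",
     "ip": "198.51.100.77", "mfa": False},
]
EVENTS += [
    {"ts": _ts(4 + (i * 5) // 60, (i * 5) % 60), "type": "FileDownloaded",
     "user": "j.doe", "session": "sess-a1", "ip": "198.51.100.77", "mfa": False}
    for i in range(60)
]
EVENTS += [
    {"ts": _ts(m, 0), "type": "FileDownloaded", "user": "a.smith",
     "session": "sess-b7", "ip": "203.0.113.22", "mfa": False}
    for m in (5, 17, 29, 41, 53)
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def session_ip_drift(events):
    """One alert per session whose MFA sign-in came from one IP but which was later
    used from a different IP without a fresh MFA completion."""
    mfa_ip = {}    # session -> (user, ip that completed MFA)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        sid = e.get("session")
        if not sid:
            continue
        if sid not in mfa_ip:
            if e.get("mfa"):           # only sessions with a recorded MFA origin count
                mfa_ip[sid] = (e["user"], e["ip"])
            continue
        user, ip = mfa_ip[sid]
        if e["ip"] != ip and not e.get("mfa") and sid not in alerts:
            alerts[sid] = {"user": user, "mfa_ip": ip,
                           "reused_from": e["ip"], "first_seen": e["ts"]}
    return list(alerts.values())


def bulk_downloads(events, window=timedelta(minutes=10), threshold=50):
    """Return {user: peak downloads inside any sliding window} for users at or
    above threshold; a two-pointer sweep keeps it linear in the event count."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "FileDownloaded":
            per_user[e["user"]].append(parse_ts(e["ts"]))
    peaks = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                peaks[user] = max(peaks.get(user, 0), count)
    return peaks


if __name__ == "__main__":
    for alert in session_ip_drift(EVENTS):
        print("token reuse:", alert)
    for user, n in bulk_downloads(EVENTS).items():
        print(f"bulk download: {user} pulled {n} files inside one 10-minute window")
```

The token-reuse rule is the higher-signal of the two: a legitimate user rarely keeps one session token while hopping networks without re-authenticating, whereas an attacker replaying a stolen cookie from their own infrastructure does so by construction. Tune the download threshold to the organization's baseline rather than keeping the example's 50.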


7. Extortion Tactics and Pressure

The group escalates quickly, threatening to publish stolen data on the BlackFile leak site unless a ransom is paid. Negotiations typically run over Tox messaging channels, which gives the actor a direct line to the victim. In some cases the group has invoked the ShinyHunters brand to add false legitimacy, although GTIG assesses that the two are independent. Victims may receive threatening calls or emails within hours of the compromise.

8. Distinction from ShinyHunters

While UNC6671 has borrowed the ShinyHunters name in at least one incident, the two groups operate independently. The evidence includes separate Tox channels, distinct domain registration patterns, and the BlackFile leak site, which is used by UNC6671 alone. GTIG cautions against lumping every similar intrusion under a single actor name; defenders should weigh each indicator on its own merits. Overlap in techniques does not imply shared infrastructure or motive.

9. Social Engineering Pretexts Continue to Evolve

UNC6671's social engineering is meticulous. The group researches target organizations to craft believable narratives, such as a new passkey rollout or an urgent MFA update. Callers spoof legitimate internal numbers and use the names of real employees. The attacks exploit human trust rather than vendor vulnerabilities, which is why awareness training aimed specifically at vishing matters, especially for staff with access to sensitive systems.

10. Defensive Measures: Phishing-Resistant MFA and Monitoring

Organizations should implement phishing-resistant MFA such as FIDO2 security keys, passkeys, or certificate-based authentication. These bind the credential to the legitimate origin, so an AiTM proxy hosted on another domain receives an assertion the real service will reject. Note the irony of the pretext: a genuine passkey enrollment is exactly what would defeat this campaign, so a help-desk caller asking a user to "enroll a passkey" through a link supplied over the phone is itself the warning sign. Additionally, monitor for anomalous login patterns, out-of-hours access, and large data transfers. Deploy strong identity protection policies, including conditional access rules (for example, requiring a compliant, managed device) and session risk scoring. User education on verifying IT requests through an official, independently looked-up channel remains critical. Regular tabletop exercises simulating vishing scenarios also improve response readiness.
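The toy model below is an added example, not code from the article or from UNC6671's tooling, and it ties section 4 to section 10: the same AiTM proxy that relays a password and TOTP code walks away with a session cookie, but when it relays a WebAuthn challenge it receives an assertion bound to the lure origin, which the identity provider rejects, and rewriting the origin invalidates the signature. The origins, user, password, and the use of HMAC as a stand-in for the authenticator's ECDSA signature and for RFC 6238 TOTP are all assumptions of the example so that it runs offline.

```python
"""Added example: why AiTM proxying defeats TOTP but not origin-bound WebAuthn.
Origins and credentials are constructed; HMAC stands in for ECDSA and TOTP."""
import base64
import hashlib
import hmac
import json
import secrets
import time

REAL_ORIGIN = "https://login.idp.example"                # assumed legitimate IdP origin
LURE_ORIGIN = "https://passkey-enrollment.example.net"   # constructed phishing origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def totp(secret: bytes, at=None, step: int = 30) -> str:
    """Stand-in for RFC 6238: HMAC over the current 30-second bucket, truncated."""
    bucket = int((time.time() if at is None else at) // step).to_bytes(8, "big")
    return hmac.new(secret, bucket, "sha256").hexdigest()[:6]


class Authenticator:
    """Stand-in for a FIDO2 authenticator (hardware key or platform passkey)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, browser_origin: str, challenge: str) -> dict:
        # The browser, not the page script, writes the origin it is really on
        # into clientDataJSON, and the signature covers that document.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        sig = hmac.new(self.key, hashlib.sha256(client_data).digest(), "sha256").hexdigest()
        return {"clientDataJSON": b64url(client_data), "signature": sig}


class IdP:
    """Minimal relying party that issues a session cookie after either factor."""
    def __init__(self, user, password, totp_secret, authenticator):
        self.user, self.password, self.totp_secret = user, password, totp_secret
        self.auth_key = authenticator.key
        self.challenges, self.sessions = set(), set()

    def _issue(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    def login_totp(self, user, password, code):
        now = time.time()   # accept current and previous bucket, as real validators do
        valid = (totp(self.totp_secret, now), totp(self.totp_secret, now - 30))
        ok = user == self.user and password == self.password and code in valid
        return self._issue() if ok else None

    def webauthn_challenge(self):
        c = b64url(secrets.token_bytes(32))
        self.challenges.add(c)
        return c

    def login_webauthn(self, assertion):
        raw = b64url_decode(assertion["clientDataJSON"])
        expected = hmac.new(self.auth_key, hashlib.sha256(raw).digest(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None                          # clientDataJSON was tampered with
        cd = json.loads(raw)
        if cd.get("challenge") not in self.challenges:
            return None                          # unknown or replayed challenge
        self.challenges.discard(cd["challenge"])
        if cd.get("origin") != REAL_ORIGIN:
            return None                          # assertion was made on another origin
        return self._issue()


def aitm_against_totp(idp, user, password, totp_secret):
    """Victim types password + TOTP into the lure page; the proxy replays them
    to the real IdP and keeps the cookie it gets back."""
    return idp.login_totp(user, password, totp(totp_secret))


def aitm_against_webauthn(idp, authenticator):
    """Proxy relays a real challenge to the victim's browser on the lure origin and
    forwards the assertion; failing that, it tries rewriting the origin field."""
    challenge = idp.webauthn_challenge()
    assertion = authenticator.sign(LURE_ORIGIN, challenge)
    cookie = idp.login_webauthn(assertion)
    if cookie:
        return cookie
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    cd["origin"] = REAL_ORIGIN                   # forge the origin...
    forged = dict(assertion, clientDataJSON=b64url(json.dumps(cd, sort_keys=True).encode()))
    return idp.login_webauthn(forged)            # ...and the signature no longer verifies


def demo():
    auth, secret = Authenticator(), secrets.token_bytes(20)
    idp = IdP("j.doe", "constructed-password", secret, auth)
    legit = idp.login_webauthn(auth.sign(REAL_ORIGIN, idp.webauthn_challenge()))
    return {
        "totp_aitm_succeeds": aitm_against_totp(idp, "j.doe", "constructed-password", secret) is not None,
        "webauthn_aitm_succeeds": aitm_against_webauthn(idp, auth) is not None,
        "legit_webauthn_succeeds": legit is not None,
    }
```

The point of the model is the order of checks in `login_webauthn`: the signature covers the whole clientDataJSON, so the proxy cannot alter the origin the browser recorded, and the relying party's origin comparison is what turns a relayed ceremony into a dead end. A real deployment gets the same property for free from the WebAuthn library; what the defender has to do is make sure the phishing-resistant method is enforced, not merely offered alongside a fallback that AiTM can still relay.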

The BlackFile campaign is a powerful reminder that sophisticated social engineering combined with technical MFA bypasses can defeat traditional defenses. By understanding these tactics, from the initial call to the extortion demand, defenders can build layered protection. Stay vigilant, move to phishing-resistant MFA, and always verify the identity of anyone requesting credentials or access through a channel you looked up yourself.
