"BlackFile is shutting down… under this name."
UNC6671's vishing and adversary‑in‑the‑middle (AiTM) workflow
Google Threat Intelligence Group (GTIG) describes UNC6671 as a threat cluster that emerged in early 2026 and has targeted "dozens of organizations" across North America, Australia, and the UK. Initial access begins with high‑volume voice phishing (vishing) calls placed to employees' personal mobile phones. Callers hired by the actor impersonate internal IT or help desk personnel and direct victims to lookalike SSO portals. GTIG maps the live AiTM lifecycle in four rapid steps: Redirection to a credential‑harvesting subdomain; real‑time credential capture and immediate submission to the legitimate IdP; interception of MFA challenges when victims supply codes or approvals; and immediate attacker device registration inside the victim account to establish persistence.
Subdomain infrastructure, targeting, and brands
UNC6671 shifted from one‑off credential‑harvest domains to a subdomain model, often registering subdomains with Tucows that explicitly reference "passkey" or "enrollment" (for example, <organization>.enrollms[.]com, <organization>.passkeyms[.]com, <organization>.setupsso[.]com). Although GTIG notes UNC6671 has co‑opted the ShinyHunters brand in at least one instance, it assesses the operations are independent, citing different TOX channels, distinct domain registration patterns, and a dedicated "BlackFile" data leak site (DLS).
Automated, large‑scale data theft and forensic signatures
After SSO compromise, the group moves laterally across SaaS apps—GTIG specifically identifies Microsoft 365, Okta, SharePoint, OneDrive, Zendesk, and Salesforce as targets—and prioritizes files containing literals such as "confidential" and "SSN." UNC6671 transitions from browser reconnaissance to scripted exfiltration using Microsoft Graph, python‑requests, and PowerShell. GTIG observed repurposed session cookies (for example, FedAuth) to "stream" file content directly to attacker infrastructure; such requests frequently register as FileAccessed events rather than FileDownloaded, enabling noisy theft to blend into routine traffic.
Audit logs show consistent forensic indicators: user‑agent mismatches where the ClientAppId or ClientAppName is spoofed as "Microsoft Office" while the recorded UserAgent identifies scripting engines (examples cited include python‑requests/2.28.1 and WindowsPowerShell/5.1). Access commonly originates from commercial VPN exit nodes and hosting providers. In one case GTIG observed a single actor account's download activity exceed one million individual files; in other cases it saw rapid iteration through tens of thousands of SharePoint interactions.
Extortion, BlackFile DLS, and communication evolution
UNC6671 opens extortion with unbranded ransom notes from programmatically generated consumer email accounts and a Tox contact; when victims reply, operators present themselves as "BlackFile" and move negotiations to Session. GTIG documents a clear evolution: early short deadlines (24–48 hours) standardized into 72‑hour demands with all‑caps subject lines such as "[COMPANY NAME] DATA BREACH 72 HOURS TO CONTACT US." From March 2026 the group also began leveraging hijacked internal corporate email and Microsoft Teams accounts to deliver extortion messages.
The BlackFile DLS launched on February 6, 2026. GTIG notes the site deviated from a high‑noise model: the actors did not broadly advertise the DLS, indexed it poorly, and typically published only limited file samples and directory listings rather than full datasets. The DLS went offline in late April 2026, briefly returned on May 11 to post the shutdown message cited above, and was inaccessible at GTIG publication.
GTIG mitigations and detection guidance
GTIG provides specific remediation and hunting recommendations: deploy credential‑guarding controls (Password Alert in Google Workspace; Microsoft Defender Credential Protection and SmartScreen in Microsoft environments); transition to phishing‑resistant MFA such as FIDO2 security keys or passkeys; and monitor IdP logs for system.multifactor.factor.setup events that immediately follow user.authentication.auth_via_mfa failures or "Abandoned" challenges. Defenders should alert on authentications from commercial VPNs or hosting providers that are abnormal for a user's geography.
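The IdP correlation described above (a factor enrollment arriving right after a failed or abandoned MFA challenge for the same user) can be expressed as a small hunting script. The block below is an added example written for this summary, not code from GTIG or Okta; the event type names are the ones quoted in the guidance, the sample events are constructed, the field layout follows the Okta System Log schema, and the ten-minute window is an assumed tuning value.

```python
"""Correlate Okta System Log events for the AiTM-then-enroll pattern:
a system.multifactor.factor.setup event (event name as given in the GTIG
guidance) arriving shortly after a failed or abandoned
user.authentication.auth_via_mfa challenge for the same user.

All events below are constructed sample data, not real telemetry. Field
names follow the Okta System Log schema; the window is an assumed value.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: what "immediately follows" means


def _ev(published, user, event_type, result, ip, reason=None, ua="Mozilla/5.0"):
    """Build a minimal Okta System Log-shaped event (constructed)."""
    return {
        "eventType": event_type,
        "published": published,
        "actor": {"alternateId": user, "type": "User"},
        "outcome": {"result": result, "reason": reason},
        "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
    }


SAMPLE_EVENTS = [
    # alice: the victim's relayed challenge fails, a login from another IP
    # succeeds, and a new factor is enrolled 110 s after the failure.
    _ev("2026-03-02T09:00:00.000Z", "alice@example.com",
        "user.authentication.auth_via_mfa", "FAILURE", "198.51.100.7",
        reason="VERIFICATION_ERROR"),
    _ev("2026-03-02T09:00:35.000Z", "alice@example.com",
        "user.authentication.auth_via_mfa", "SUCCESS", "203.0.113.44",
        ua="python-requests/2.28.1"),
    _ev("2026-03-02T09:01:50.000Z", "alice@example.com",
        "system.multifactor.factor.setup", "SUCCESS", "203.0.113.44",
        ua="python-requests/2.28.1"),
    # bob: routine enrollment with no preceding failure -> benign.
    _ev("2026-03-02T11:00:00.000Z", "bob@example.com",
        "user.authentication.auth_via_mfa", "SUCCESS", "198.51.100.20"),
    _ev("2026-03-02T11:20:00.000Z", "bob@example.com",
        "system.multifactor.factor.setup", "SUCCESS", "198.51.100.20"),
    # carol: abandoned challenge, enrollment an hour later -> outside window.
    _ev("2026-03-02T14:00:00.000Z", "carol@example.com",
        "user.authentication.auth_via_mfa", "FAILURE", "198.51.100.31",
        reason="Abandoned"),
    _ev("2026-03-02T15:00:00.000Z", "carol@example.com",
        "system.multifactor.factor.setup", "SUCCESS", "198.51.100.31"),
]


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def is_failed_or_abandoned_mfa(event):
    """True for an MFA challenge that did not complete successfully.
    Matches a non-SUCCESS result or an 'Abandoned' reason, since the exact
    field carrying the abandonment state may differ between deployments."""
    if event["eventType"] != "user.authentication.auth_via_mfa":
        return False
    outcome = event.get("outcome") or {}
    if outcome.get("result") != "SUCCESS":
        return True
    return "abandon" in str(outcome.get("reason") or "").lower()


def find_suspicious_factor_setups(events, window=WINDOW):
    """One finding per factor.setup that follows a failed/abandoned MFA
    challenge for the same user within `window`.

    A successful MFA between the failure and the enrollment does not clear
    the state: in an AiTM relay the victim's failed challenge and the
    attacker-side success are both expected to appear in the log."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["actor"]["alternateId"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        last_failure = None
        for ev in evs:
            if is_failed_or_abandoned_mfa(ev):
                last_failure = ev
            elif ev["eventType"] == "system.multifactor.factor.setup" and last_failure:
                gap = _ts(ev) - _ts(last_failure)
                if gap <= window:
                    findings.append({
                        "user": user,
                        "failure_time": last_failure["published"],
                        "failure_ip": last_failure["client"]["ipAddress"],
                        "setup_time": ev["published"],
                        "setup_ip": ev["client"]["ipAddress"],
                        "setup_user_agent": ev["client"]["userAgent"]["rawUserAgent"],
                        "seconds_after_failure": int(gap.total_seconds()),
                    })
                last_failure = None  # one finding per failure
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_factor_setups(SAMPLE_EVENTS):
        print(finding)
```

The finding carries both the failure-side and enrollment-side IP and the enrollment User-Agent, so an analyst can see at a glance whether the new factor was registered from the same network the user normally authenticates from or from a different exit node with a scripting client.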
Operational detection must evolve: audit SaaS API activity for anomalous, high‑volume FileDownloaded or FileAccessed events with scripting user agents; monitor IdP SDK User‑Agents on devices not previously associated with a user; treat FileAccessed events with scripting User‑Agents as high severity; and hunt for direct‑streaming patterns where AppAccessContext indicates headless clients or volumes of accessed files exceed human browsing speed. GTIG has published IOCs in a free GTI Collection and added identified phishing domains to Google Safe Browsing. Google SecOps customers can detect activity via specific rule names such as "O365 SharePoint High Volume File Access Events" and "Okta Suspicious Actions from Anonymized IP."
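The two SaaS-side signals in this paragraph and in the forensic signatures section above (a scripting UserAgent recorded against a ClientAppName of "Microsoft Office", and per-account FileAccessed/FileDownloaded volumes beyond human browsing speed) can be hunted together over exported Unified Audit Log records. The block below is an added example for this summary, not code from GTIG or Microsoft; the records are constructed, the field names follow the Office 365 Management Activity API SharePoint schema, the ClientAppId is a placeholder, and the 100-events-per-60-seconds threshold is an assumed tuning value.

```python
"""Hunt Office 365 Unified Audit Log records for two signatures from the
GTIG guidance: a scripting User-Agent presented while AppAccessContext
claims a Microsoft Office client, and per-user bursts of
FileAccessed/FileDownloaded events faster than a person browses.

Records below are constructed sample data, not real telemetry. Field names
follow the Office 365 Management Activity API SharePoint schema; the
threshold and window are assumed tuning values."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FILE_OPS = {"FileAccessed", "FileDownloaded"}
# UAs cited by GTIG plus common HTTP-client strings; extend as needed.
SCRIPTING_UA = re.compile(r"python-requests|WindowsPowerShell|curl/|Go-http-client", re.I)
PLACEHOLDER_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app id


def _rec(created, user, operation, user_agent, client_app_name, object_id):
    """Build a minimal audit record (constructed)."""
    return {
        "CreationTime": created,
        "UserId": user,
        "Operation": operation,
        "Workload": "SharePoint",
        "UserAgent": user_agent,
        "ClientIP": "203.0.113.10",  # TEST-NET address, constructed
        "ObjectId": object_id,
        "AppAccessContext": {"ClientAppName": client_app_name,
                             "ClientAppId": PLACEHOLDER_APP_ID},
    }


SITE = "https://example.sharepoint.com/sites/finance/Shared Documents/"
SAMPLE_RECORDS = [
    _rec("2026-03-02T09:15:01", "alice@example.com", "FileAccessed",
         "python-requests/2.28.1", "Microsoft Office", SITE + "SSN_list.xlsx"),
    _rec("2026-03-02T09:15:02", "bob@example.com", "FileDownloaded",
         "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "OneDrive Web",
         SITE + "budget.xlsx"),
    _rec("2026-03-02T09:15:03", "carol@example.com", "FileAccessed",
         "WindowsPowerShell/5.1", "Microsoft Office", SITE + "confidential_plan.docx"),
]
# dave: 150 FileAccessed events inside 50 seconds, a constructed stand-in
# for scripted enumeration that streams content instead of downloading it.
SAMPLE_RECORDS += [
    _rec(f"2026-03-02T10:00:{i // 3:02d}", "dave@example.com", "FileAccessed",
         "python-requests/2.28.1", "Microsoft Office", SITE + f"doc{i}.docx")
    for i in range(150)
]


def ua_mismatch(record):
    """Scripting User-Agent while AppAccessContext claims an Office client."""
    app = (record.get("AppAccessContext") or {}).get("ClientAppName", "")
    return bool(SCRIPTING_UA.search(record.get("UserAgent", ""))) and "office" in app.lower()


def high_volume_users(records, threshold=100, window=timedelta(seconds=60)):
    """Peak number of file events per user in any sliding window of `window`;
    returns the users whose peak reaches `threshold`."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in FILE_OPS:
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def hunt(records):
    """Return per-record UA mismatches (high severity) and per-user bursts."""
    mismatches = [
        {"severity": "high", "user": r["UserId"], "user_agent": r["UserAgent"],
         "client_app": r["AppAccessContext"]["ClientAppName"], "object": r["ObjectId"]}
        for r in records if ua_mismatch(r)
    ]
    return {"ua_mismatch": mismatches, "high_volume": high_volume_users(records)}


if __name__ == "__main__":
    result = hunt(SAMPLE_RECORDS)
    print(len(result["ua_mismatch"]), "UA-mismatch records")
    print(result["high_volume"])
```

The volume check deliberately counts FileAccessed alongside FileDownloaded, because the streaming pattern described above registers as access rather than download; a rule keyed on FileDownloaded alone would miss it.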
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: expect identity logs and UserAgent analysis to be as important as network telemetry—hunt for python‑requests and PowerShell UserAgents tied to Office ClientAppIds, and prioritize detection of newly registered MFA devices immediately after successful logins.
- Affected enterprises and procurement leaders: evaluate adoption of phishing‑resistant MFA (FIDO2/passkeys) and validate that vendor conditional access policies flag unusual device registrations and authentications from commercial VPN ranges.
- End users and executives: social engineering remains the pivot point—vishing to personal devices, paired with a plausible IT pretext, is the primary initial vector; awareness campaigns should emphasize never registering new MFA devices at a caller's instruction.
The group's May 11 statement that it is "shutting down… under this name" may be genuine or strategic: GTIG warns that rebranding, quiet resolution of cases, or a pivot to new infrastructure are common tactics after disruption. For now, the operational facts are clear—UNC6671 combined human vishing with rapid AiTM credential capture and automated, large‑scale API‑based data exfiltration—and defenders have a defined set of log‑level signals they can tune to detect the same pattern.
Original GTIG report: Welcome to BlackFile: Inside a Vishing Extortion Operation