Google Threat Intelligence Exposes UNC6671's Identity-Centric Attacks and Automated Data Exfiltration
Summary
Key Takeaways
UNC6671's attack chain starts with vishing calls to personal cell phones, impersonating IT support to direct victims to fake SSO portals. Attackers capture credentials and intercept MFA codes in real time, then register attacker-controlled devices for persistence.
After gaining access, they use Python/PowerShell scripts to exfiltrate data at scale from SharePoint and OneDrive via the Microsoft Graph API or direct HTTP requests. This activity is often logged as 'FileAccessed' events, which evades detection logic focused only on 'FileDownloaded'.
The primary targets are Microsoft 365 and Okta environments. Stolen data is used for targeted extortion, including threatening voicemails to executives and even 'swatting' tactics.
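The detection gap described above (scripted bulk reads surfacing as 'FileAccessed' rather than 'FileDownloaded') can be closed by rating distinct-object volume per identity in a sliding window. The following is an added example and not code from the Google Threat Intelligence report; field names loosely follow the Microsoft 365 unified audit log schema, and every record value is a constructed sample.

```python
# Added example (not from the report): flag bulk FileAccessed activity that a
# FileDownloaded-only rule would miss. Field names loosely follow the
# Microsoft 365 unified audit log; all values are constructed, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice's 40 scripted reads in 40 seconds, plus bob's
# ordinary interactive day (three reads, one explicit download).
SAMPLE_LOG = [
    {"CreationTime": f"2024-01-10T09:00:{s:02d}", "UserId": "alice@example.com",
     "Operation": "FileAccessed", "UserAgent": "python-requests/2.31",
     "ObjectId": f"https://contoso.sharepoint.com/sites/hr/doc{s}.docx"}
    for s in range(40)
] + [
    {"CreationTime": f"2024-01-10T{h}:15:00", "UserId": "bob@example.com",
     "Operation": op, "UserAgent": "Mozilla/5.0",
     "ObjectId": f"https://contoso.sharepoint.com/sites/hr/plan{h}.xlsx"}
    for h, op in (("08", "FileAccessed"), ("11", "FileAccessed"),
                  ("14", "FileAccessed"), ("16", "FileDownloaded"))
]

def count_downloads(records):
    """The FileDownloaded-only view: it never notices alice."""
    counts = defaultdict(int)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            counts[r["UserId"]] += 1
    return dict(counts)

def find_bulk_access(records, window=timedelta(minutes=10), min_files=25):
    """Flag users whose FileAccessed events touch >= min_files distinct objects
    within any sliding window, and report the user agents involved."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileAccessed":
            per_user[r["UserId"]].append(
                (datetime.fromisoformat(r["CreationTime"]), r["ObjectId"], r["UserAgent"]))
    hits = {}
    for user, events in per_user.items():
        events.sort()  # by time, so each event can open a window
        peak = 0
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            peak = max(peak, len({obj for _, obj, _ in in_window}))
        if peak >= min_files:
            hits[user] = {"distinct_files": peak,
                          "user_agents": sorted({ua for _, _, ua in events})}
    return hits
```

The window and threshold are tuning knobs; pairing the hit with a non-browser user agent or a newly registered device, as the report's attack chain suggests, raises confidence further.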
Why It Matters
This intelligence signals a definitive shift in attack focus from the network perimeter to the identity control plane. Attackers use automation to bypass static MFA defenses, forcing enterprise security architecture to evolve from detecting 'anomalous logins' to monitoring 'anomalous data access under legitimate identities'.
PRO Decision
Threat Escalation Type
Vendors: Must develop detection products that correlate identity context, user behavior, and data access patterns (especially FileAccessed events), not just authentication logs. Inaction will render their security solutions obsolete.
Enterprises: The attack surface now extends to the post-authentication data layer. Immediately audit and enhance monitoring of data access behavior within SaaS applications, particularly API and script activity, and prioritize phishing-resistant MFA deployment.
Investors: Monitor security budget shifts from traditional perimeter defense to Identity and Data Security (IDSA, DSPM) and User Entity Behavior Analytics (UEBA). Track vendors with effective detection capabilities for automated script-based data exfiltration.