Source: Google
Date: 2026-05-15
Category: Architecture Shift | Impact: Important | Strength: High | Confidence: 95%

Google Threat Intelligence Exposes UNC6671's Identity-Centric Attacks and Automated Data Exfiltration

Summary

Google Threat Intelligence Group details UNC6671 (BlackFile) operations targeting enterprise cloud environments. The group uses sophisticated vishing and real-time adversary-in-the-middle attacks to bypass MFA, then leverages automated scripts for large-scale data exfiltration from Microsoft 365 and Okta, highlighting identity as the new primary attack surface.

Key Takeaways

UNC6671's attack chain starts with vishing calls to employees' personal cell phones, impersonating IT support to direct victims to fake SSO portals. The attackers capture credentials and intercept MFA codes in real time, then register attacker-controlled devices for persistence.

Post-access, they use Python/PowerShell scripts to exfiltrate data at scale from SharePoint and OneDrive via the Microsoft Graph API or direct HTTP requests. These reads are often logged as 'FileAccessed' rather than 'FileDownloaded' events, so detection logic keyed only on 'FileDownloaded' misses them.
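As an added detection example (not Google's code or the report's), the check below scores Microsoft 365 audit records by distinct files read per identity within a sliding window, counting FileAccessed the same as FileDownloaded and noting script-like user agents. Field names follow the unified audit log; the window, threshold, user-agent markers and sample records are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Google's code. Field names follow the Microsoft 365 unified
# audit log (Operation, UserId, UserAgent, ObjectId); tuning values are assumed.
WINDOW = timedelta(minutes=10)
THRESHOLD = 25  # distinct files read by one identity inside WINDOW
READ_OPS = {"FileAccessed", "FileDownloaded"}  # count both as reads
SCRIPT_UA_MARKERS = ("python-requests", "powershell", "curl/")

def is_scripted_client(user_agent):
    ua = (user_agent or "").lower()  # True when the UserAgent looks like a script
    return any(marker in ua for marker in SCRIPT_UA_MARKERS)

def find_bulk_reads(events, window=WINDOW, threshold=THRESHOLD):
    """One finding per UserId whose distinct-file reads in a sliding window reach
    the threshold; FileAccessed counts like FileDownloaded (Graph reads log no download)."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["Operation"] in READ_OPS:
            per_user[ev["UserId"]].append(ev)
    findings = []
    for user, evs in per_user.items():
        evs.sort(key=lambda ev: ev["CreationTime"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["CreationTime"] - evs[start]["CreationTime"] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            files = {x["ObjectId"] for x in span}
            if len(files) >= threshold:
                findings.append({
                    "user": user, "files": len(files),
                    "scripted_client": any(is_scripted_client(x["UserAgent"]) for x in span),
                    "only_file_accessed": all(x["Operation"] == "FileAccessed" for x in span)})
                break  # one finding per identity is enough for triage
    return findings

def sample_events():
    """Constructed records: one scripted bulk read, one ordinary browser user."""
    t0 = datetime(2026, 5, 14, 9, 0)
    site = "https://example.sharepoint.com/sites/finance/"
    def ev(sec, user, op, ua, name):
        return {"CreationTime": t0 + timedelta(seconds=sec), "UserId": user,
                "Operation": op, "UserAgent": ua, "ObjectId": site + name}
    bulk = [ev(8 * i, "a.user@example.com", "FileAccessed", "python-requests/2.31",
               f"doc{i}.xlsx") for i in range(30)]
    normal = [ev(180 * i, "b.user@example.com", "FileDownloaded",
                 "Mozilla/5.0 (Windows NT 10.0) Chrome/124", f"memo{i}.docx") for i in range(3)]
    return bulk + normal
```

Running `find_bulk_reads(sample_events())` yields a single finding for the scripted identity, flagged as both script-driven and FileAccessed-only; the browser user never reaches the threshold.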

The primary targets are Microsoft 365 and Okta environments. Stolen data is used for targeted extortion, including threatening voicemails to executives and even 'swatting' tactics.

Why It Matters

This intelligence signals a definitive shift in attack focus from network perimeters to the identity control plane. Attackers use automation to bypass static MFA defenses, forcing enterprise security architecture to evolve from detecting 'anomalous logins' to monitoring 'anomalous data access under legitimate identities'.

PRO Decision

**Threat Escalation Type**
**Vendors**: Must develop detection products that correlate identity context, user behavior, and data access patterns (especially FileAccessed events), not just authentication logs. Inaction will render their security solutions obsolete.
**Enterprises**: The attack surface now extends to the post-authentication data layer. Immediately audit and enhance monitoring of data access behavior within SaaS applications, particularly API and script activity, and prioritize phishing-resistant MFA deployment.
**Investors**: Monitor security budget shifts from traditional perimeter defense to Identity and Data Security (IDSA, DSPM) and User Entity Behavior Analytics (UEBA). Track vendors with effective detection capabilities for automated script-based data exfiltration.
Source: blog