BlackFile Vishing & SSO Hack: 2026 Threat Actor Deep Dive

Forget the fancy AI models; the real threat actors are still mastering the oldest trick in the book: a well-placed phone call. Google's latest report peels back the curtain on BlackFile, a vishing operation that's been systematically robbing companies blind since early 2026.

Schematic diagram illustrating a voice phishing attack leading to SSO compromise.

Key Takeaways

  • BlackFile (UNC6671) has been active since early 2026, using vishing and adversary-in-the-middle (AiTM) pages to steal SSO credentials and bypass MFA.
  • The attackers target Microsoft 365 and Okta, programmatically exfiltrating sensitive data after gaining access.
  • Organizations must prioritize phishing-resistant MFA to defend against these identity-centric threats.

Here’s a number that’ll make you spill your expensive, ethically sourced coffee: Since early 2026, one outfit, calling themselves ‘BlackFile,’ has been hitting dozens of organizations across North America, Australia, and the UK. And how are they doing it? Not with zero-days or sophisticated APT magic. Nope. They’re using good old-fashioned voice phishing, or ‘vishing,’ to get your employees to hand over their credentials. And that’s just the appetizer.

Google Threat Intelligence Group (GTIG) has been tracking this crew, known in the shadowy corners of cybersecurity as UNC6671. They’re not messing around with sloppy phishing emails; they’re going straight for the jugular: your single sign-on (SSO) systems. Think Microsoft 365 and Okta. The scary part? They’re so good at it, they’re bypassing traditional defenses and even multi-factor authentication (MFA) with what GTIG describes as adversary-in-the-middle (AiTM) techniques. This isn’t some script kiddie in a basement; this is organized crime with a serious tech bent, all to steal your sensitive corporate data and then, naturally, extort you for it.

It’s All About the Voice (and the Trickery)

Look, we’ve all gotten those calls. The ones where someone sounds like they’re from IT, asking you to verify something. BlackFile has perfected this. They hire dedicated callers who are good at talking people through the steps. They ring your personal cell phone, which neatly sidesteps corporate email filtering and any monitoring on the company phone system, and tell you there’s a mandatory security update, maybe a move to passkeys or a required MFA change. It’s all a pretext, a smokescreen to get you to open a dodgy link and type in your username and password. And they’re getting clever with their fake domains, using subdomains that sound legit, like <organization>.enrollms[.]com or <organization>.passkeyms[.]com, with the victim’s own company name up front. They want to look as official as possible.

The Real-Time MFA Heist

This is where the vishing call becomes a live hack. The caller walks the victim to a fake login page that looks exactly like the real SSO portal and sits in the middle of the session: as you type your credentials, the attacker’s proxy captures them and submits them to the real identity provider in real time. That triggers a genuine MFA prompt on your phone, the one you think belongs to your own login, and you approve it. Bam. They’re in. And they’re fast. The GTIG report notes that within moments they register their own attacker-controlled MFA device, so the access survives the call and outlives a later password reset unless the defender also revokes sessions and strips the rogue factor. The speed matters: the foothold is in place long before the victim or an overworked SOC spots the anomaly. It’s a race against time, and in this case the criminals are winning.
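The sequence above, a sign-in from a source the user has never used before followed within minutes by a new MFA factor being enrolled, is the part a SOC can actually alert on. Here is an added detection example (not from the GTIG report or any vendor’s code) that runs over a few constructed log lines loosely modelled on Okta System Log event type names; the field layout, the per-user IP baseline and the ten-minute window are assumptions:

```python
"""Flag the BlackFile-style sequence: an SSO sign-in from a source the user
has never used before, followed within minutes by enrolment of a new MFA
factor.  Added detection example; the field layout is a simplification
modelled loosely on Okta System Log eventType names, and every log line and
baseline entry below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # assumed: how fast counts as "too fast"


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    event_type: str
    ip: str


# Constructed sample log: "<iso-timestamp> <user> <eventType> <source-ip>".
SAMPLE_LOG = [
    # alice: unfamiliar IP, then a factor enrolled 89 seconds later -> suspicious
    "2026-03-04T14:02:11Z alice@example.com user.session.start 203.0.113.7",
    "2026-03-04T14:03:40Z alice@example.com user.mfa.factor.activate 203.0.113.7",
    # bob: known IP and hours apart -> looks like normal self-service enrolment
    "2026-03-04T09:15:00Z bob@example.com user.session.start 198.51.100.12",
    "2026-03-04T11:40:00Z bob@example.com user.mfa.factor.activate 198.51.100.12",
    # carol: sign-in only, nothing enrolled
    "2026-03-04T08:00:00Z carol@example.com user.session.start 192.0.2.50",
]

# Constructed baseline: source IPs each user has signed in from historically.
KNOWN_IPS = {
    "alice@example.com": {"192.0.2.44"},
    "bob@example.com": {"198.51.100.12"},
    "carol@example.com": {"192.0.2.50"},
}


def parse_line(line: str) -> Event:
    ts, user, event_type, ip = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event_type, ip)


def find_suspicious_enrollments(lines, known_ips, window=WINDOW):
    """Return one hit per MFA enrolment whose nearest preceding sign-in, within
    `window`, came from an IP absent from that user's baseline."""
    by_user = defaultdict(list)
    for event in map(parse_line, lines):
        by_user[event.user].append(event)

    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for idx, event in enumerate(events):
            if event.event_type != "user.mfa.factor.activate":
                continue
            # Walk back to the most recent sign-in inside the window.
            for prior in reversed(events[:idx]):
                if event.ts - prior.ts > window:
                    break                          # too old, stop looking
                if prior.event_type != "user.session.start":
                    continue
                if prior.ip not in known_ips.get(user, set()):
                    hits.append({
                        "user": user,
                        "login_ip": prior.ip,
                        "login_at": prior.ts.isoformat(),
                        "enrolled_at": event.ts.isoformat(),
                        "seconds_between": int((event.ts - prior.ts).total_seconds()),
                    })
                break                              # only the nearest sign-in matters
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_enrollments(SAMPLE_LOG, KNOWN_IPS):
        print(f"ALERT {hit['user']}: sign-in from {hit['login_ip']} at {hit['login_at']}, "
              f"new MFA factor enrolled {hit['seconds_between']}s later")
```

In production you would key the baseline on ASN or device rather than raw IP, and treat the alert as a trigger to revoke the user’s sessions and remove the freshly enrolled factor, not just to notify.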

Data Dredging and Scripting the Heist

Once inside, they don’t just poke around. They’re programmatic. They use compromised accounts to access cloud storage like SharePoint and OneDrive, and CRM systems like Zendesk and Salesforce. They’re not just grabbing random files; they’re specifically searching for keywords like “confidential” and “SSN”—social security numbers, folks. They know what’s valuable on the dark web. And to make sure they don’t miss a byte, they transition from interactive browsing to automated scripts, often written in Python and PowerShell, to exfiltrate everything they can get their hands on.

Who’s Actually Profiting from This?

Let’s cut through the technobabble. Who’s making money here? It’s UNC6671, aka BlackFile. They’re the ones launching these sophisticated extortion campaigns. They’re also not afraid to piggyback on other threat actor names, at least once impersonating the ShinyHunters group (UNC6240) to add a veneer of credibility to their threats. But GTIG is clear: these are separate operations. BlackFile has its own channels, its own domains, and its own shiny, new data leak site (DLS) to display their stolen wares. This isn’t some hobbyist play; this is a business model, and a disturbingly effective one.

The Age-Old Advice: MFA That Works

The GTIG report hammers home a point that should be obvious by now: these attacks aren’t exploiting some obscure software flaw. They’re exploiting human trust and the continued reliance on authentication methods that can be relayed: passwords, SMS and app codes, and push approvals all work just as well when an attacker’s proxy forwards them. The real solution is phishing-resistant MFA: FIDO2 security keys and passkeys. Those credentials are bound to the legitimate site’s origin, so a key asked to sign in on an enrollms[.]com page produces nothing the real SSO portal will accept, and there is no code for a caller to talk you into reading out. Until organizations get serious about that, and tighten who may enrol a new MFA method and from where, operations like BlackFile will keep thriving, using our own employees and our willingness to answer the phone against us.
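To make the “can’t be relayed” point concrete, here is an added example, not from the GTIG report, of the checks a WebAuthn relying party performs on an assertion. The relying party ID sso.example.com, the phishing origin modelled on the report’s <organization>.enrollms[.]com pattern with a made-up organization name, and the HMAC stand-in for the authenticator’s real public-key signature are all assumptions for the demo; the origin and RP ID binding is exactly what the spec requires:

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed through an AiTM proxy.
Added example, not from the GTIG report.  The browser, not the web page,
writes the origin into clientDataJSON and derives the RP ID (hashed into
authenticatorData) from that origin; the authenticator signs both; the relying
party refuses anything that does not name its own origin.  HMAC stands in for
the real ECDSA/EdDSA signature so this runs on the standard library alone."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "sso.example.com"                   # assumed relying party ID
RP_ORIGIN = "https://sso.example.com"       # the only origin the RP accepts
PHISH_ORIGIN = "https://acme.enrollms.com"  # report's <org>.enrollms[.]com pattern, org name made up


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class DemoAuthenticator:
    """Stand-in for a security key / passkey provider (HMAC instead of ECDSA)."""

    def __init__(self):
        self.secret = os.urandom(32)   # plays the role of the credential private key

    def public_key(self) -> bytes:
        return self.secret             # symmetric stand-in: the RP holds the same key

    def sign(self, rp_id: str, challenge: bytes, origin: str):
        # Browser-controlled fields: the page cannot forge origin or rp_id.
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": b64url(challenge),
            "origin": origin,
        }).encode()
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        flags = bytes([0x05])          # UP (user present) + UV (user verified)
        sign_count = (1).to_bytes(4, "big")
        auth_data = rp_id_hash + flags + sign_count
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.secret, to_sign, hashlib.sha256).digest()
        return client_data, auth_data, sig


def verify_assertion(pubkey, challenge, client_data, auth_data, sig,
                     rp_id=RP_ID, rp_origin=RP_ORIGIN):
    """Relying-party side checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != rp_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(pubkey, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    key = DemoAuthenticator()
    challenge = os.urandom(32)                   # issued by the RP
    cd, ad, sig = key.sign(RP_ID, challenge, RP_ORIGIN)
    return verify_assertion(key.public_key(), challenge, cd, ad, sig)


def aitm_relay():
    """The attacker proxy forwards the RP's real challenge to the victim, whose
    browser is on the phishing origin.  That browser derives the RP ID from
    acme.enrollms.com (a real key would not even find a credential scoped to
    it); even if it signed, the RP rejects the assertion at the origin check."""
    key = DemoAuthenticator()
    challenge = os.urandom(32)                   # real challenge, relayed verbatim
    cd, ad, sig = key.sign("acme.enrollms.com", challenge, PHISH_ORIGIN)
    return verify_assertion(key.public_key(), challenge, cd, ad, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("aitm relay:", aitm_relay())
```

Contrast this with a TOTP code or a push approval: neither carries the origin the user actually saw, so the proxy can forward it unchanged and the identity provider has no way to tell.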

What Happens After the Data is Gone?

BlackFile doesn’t just steal your data; they use it as leverage. The goal is extortion. They’ll threaten to release sensitive corporate information publicly on their data leak site unless their demands are met. This can lead to massive reputational damage, regulatory fines (especially if PII is involved), and significant business disruption. It’s a direct threat to the bottom line and the very existence of some businesses.

Why is this a 2026 Problem?

It’s a 2026 problem because GTIG’s report explicitly states the UNC6671 campaign has been active since early 2026. This isn’t a theoretical future threat; it’s a current, ongoing operation that has already impacted numerous organizations. The sophistication and high operational cadence suggest they’re well-funded and organized, making them a persistent threat for the foreseeable future. They’ve adapted their tactics, from unique domains to subdomain models, and refined their social engineering, indicating they’re constantly evolving.

Frequently Asked Questions

What is BlackFile?

BlackFile is the brand name for a threat actor group, UNC6671, that conducts sophisticated voice phishing (vishing) and single sign-on (SSO) compromise operations to exfiltrate corporate data for extortion.

How does BlackFile bypass MFA?

BlackFile uses a live adversary-in-the-middle (AiTM) technique during vishing calls. Victims are tricked into entering their credentials and MFA codes into fake login pages controlled by the attackers, who then use this information in real-time to bypass MFA challenges and register their own persistent MFA devices.

Is this an AI-driven attack?

While the report mentions AI in the context of how organizations might detect threats, the BlackFile operation itself is described as leveraging social engineering, sophisticated vishing, and programmatic data exfiltration via scripts (Python/PowerShell). The AI aspect appears to be more on the defensive side for detection, rather than the offensive creation of attack vectors by the threat actor in this instance. The core of their success is human manipulation and technical credential theft.

Written by
DevTools Feed Editorial Team

Curated insights, explainers, and analysis from the editorial team.

Originally reported by Google Cloud Blog