Executive Summary
In January 2026, the cybercriminal group ShinyHunters orchestrated a series of sophisticated voice-phishing (vishing) attacks targeting corporate Single Sign-On (SSO) platforms, including Okta, Microsoft Entra, and Google. The attackers posed as IT support staff, manipulated employees into entering their credentials and multi-factor authentication tokens on fake login pages, and subsequently gained unauthorized access to SSO accounts. Leveraging these credentials, ShinyHunters accessed numerous connected SaaS applications such as Salesforce, Microsoft 365, and Slack, harvesting sensitive corporate data that was later used for extortion demands. High-profile organizations like SoundCloud, Betterment, and Crunchbase reported breaches and data losses as a result.
This incident underscores a significant evolution in social engineering tactics, with attackers combining real-time phishing kits and vishing to bypass MFA and access a wide swath of corporate resources. As threat actors increasingly exploit identity-driven weaknesses and leverage SSO misconfigurations, organizations face greater risks of multi-system compromise and regulatory fallout.
Why This Matters Now
The ShinyHunters campaign demonstrates that sophisticated voice-phishing, combined with dynamic phishing infrastructure, can bypass MFA and exploit SSO systems at scale, risking mass compromise and rapid data exfiltration. The urgency is heightened by the spread of similar TTPs across the industry and the interconnected nature of SaaS platforms that aggregate critical business data.
Attack Path Analysis
Attackers initiated their campaign through social engineering—vishing employees to trick them into entering SSO credentials and MFA tokens on phishing sites. With valid SSO access, they inherited the victim's entitlements, potentially escalating privileges by targeting users with broad SaaS or administrator rights. Using this SSO foothold, attackers accessed connected cloud services, pivoting laterally to additional platforms and data stores. Through their phishing kit's command center, the attackers monitored victims in real time and maintained live control over the intrusion. They then exfiltrated sensitive corporate and customer data from SaaS applications. Finally, they leveraged the stolen data for extortion campaigns, threatening to leak or sell information to maximize business impact.
Kill Chain Progression
Initial Compromise
Description
ShinyHunters used targeted vishing and phishing attacks to obtain employee SSO credentials and real-time MFA codes, granting initial access to cloud identity providers.
Related CVEs
CVE-2025-61884
CVSS 9.8
A pre-authentication Server-Side Request Forgery (SSRF) vulnerability in Oracle E-Business Suite allows unauthenticated remote attackers to access sensitive resources.
Affected Products:
Oracle E-Business Suite – 12.2.0.1.0
Exploit Status:
exploited in the wild
CVE-2025-31324
CVSS 10
A critical deserialization vulnerability in SAP NetWeaver Visual Composer allows unauthenticated remote attackers to execute arbitrary code.
Affected Products:
SAP NetWeaver Visual Composer – < 7.50
Exploit Status:
exploited in the wild
CVE-2025-42999
CVSS 10
A critical vulnerability in SAP NetWeaver Visual Composer allows unauthenticated remote attackers to perform deserialization attacks leading to remote code execution.
Affected Products:
SAP NetWeaver Visual Composer – < 7.50
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques are selected for strong alignment with SSO-targeted vishing, social engineering, MFA bypass, and data exfiltration. Full STIX/TAXII coverage may expand mappings further.
Phishing: Spearphishing via Service
Compromise Accounts: Cloud Accounts
Phishing: Voice Phishing (Vishing)
Brute Force: Password Guessing
Modify Authentication Process: Manipulate Multi-Factor Authentication
Valid Accounts: Cloud Accounts
Data from Cloud Storage Object
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for All Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Controls
Control ID: Chapter III, Article 8(3)
CISA ZTMM 2.0 – Multi-Factor Authentication Enforcement and Usability
Control ID: Identity Pillar #2
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
SSO-based vishing attacks targeting Salesforce and enterprise platforms expose financial data and customer records and create regulatory compliance violations across banking operations.
Information Technology/IT
ShinyHunters' social engineering attacks compromise IT infrastructure through SSO platforms, enabling lateral movement and data exfiltration from cloud services.
Computer Software/Engineering
Voice phishing targeting Microsoft, Google, and Okta SSO accounts threatens software development environments and source code, risking theft of intellectual property.
Health Care / Life Sciences
SSO credential theft enables access to patient data systems, creating HIPAA compliance violations and exposing sensitive medical information.
Sources
- ShinyHunters claim to be behind SSO-account data theft attacks: https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/ (Verified)
- Oracle silently fixes zero-day exploit leaked by ShinyHunters: https://www.bleepingcomputer.com/news/security/oracle-silently-fixes-zero-day-exploit-leaked-by-shinyhunters/ (Verified)
- New Exploit for Critical SAP Vulnerability CVE-2025-31324 Released in the Wild: https://onapsis.com/blog/new-exploit-for-cve-2025-31324/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls—such as segmentation, granular access enforcement, east-west traffic monitoring, and egress policy—could have constrained lateral movement between cloud services and prevented or detected large-scale SaaS data exfiltration, even after successful identity compromise.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Orchestrates inline policy and real-time analytics to identify and stop suspicious authentication flows.
Control: Zero Trust Segmentation
Mitigation: Restricts SSO user reach via least privilege segmentation and identity-based access policies.
Control: East-West Traffic Security
Mitigation: Monitors and limits workload-to-workload or service-to-service flows, identifying suspicious SaaS pivots.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility exposes C2 or attacker infrastructure interactions.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or alerts on unauthorized outbound data flows and enforces DLP/egress rules.
Rapid detection triggers response to limit business impact of data theft.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Enterprise Resource Planning
- Human Resources
Estimated downtime: 5 days
Estimated loss: $5,000,000
Unauthorized access to sensitive customer records, financial data, and employee information due to exploitation of vulnerabilities in enterprise applications.
Recommended Actions
Key Takeaways & Next Steps
- Strengthen SSO account monitoring with behavioral analytics to detect anomalous authentication patterns and real-time user risk.
- Deploy Zero Trust segmentation and east-west security controls to restrict SaaS lateral movement and reduce the blast radius of identity compromise.
- Enforce granular egress policies and data loss prevention on outbound cloud/SaaS traffic to detect and block unauthorized data exports.
- Centralize visibility and integrate threat analytics to surface malicious automation, suspicious flows, or attacker infrastructure connections across multicloud environments.
- Regularly review access entitlements for privileged SSO-linked accounts and ensure MFA/identity-hardening controls align with Zero Trust best practices.
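As an added example (not part of the original brief), one detection heuristic behind the first takeaway, run over constructed IdP log events: an MFA-verified sign-in from a source address never seen for that user, followed within minutes by SSO access to several SaaS applications from that same address, is the footprint a relayed vishing session leaves once the attacker replays the one-time code. The event names, fields, users and addresses below are assumptions for illustration, not taken from a real log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of IdP system-log events (Okta-style event names are
# assumed, not copied from a real log). Fields: timestamp, user, event, ip, app.
SAMPLE_EVENTS = [
    # alice: legitimate morning login from her known office address
    ("2026-01-14T08:02:11Z", "alice@example.com", "user.authentication.sso", "203.0.113.10", "Okta Dashboard"),
    # alice: an MFA-verified session from an address never seen for her, then a
    # fan-out across several SaaS apps within minutes (relayed-session pattern)
    ("2026-01-14T08:31:40Z", "alice@example.com", "user.authentication.auth_via_mfa", "198.51.100.77", "Okta"),
    ("2026-01-14T08:32:05Z", "alice@example.com", "user.authentication.sso", "198.51.100.77", "Salesforce"),
    ("2026-01-14T08:33:50Z", "alice@example.com", "user.authentication.sso", "198.51.100.77", "Microsoft 365"),
    ("2026-01-14T08:35:12Z", "alice@example.com", "user.authentication.sso", "198.51.100.77", "Slack"),
    # bob: MFA from a new address (e.g. a new laptop) but only one app touched
    ("2026-01-14T09:10:00Z", "bob@example.com", "user.authentication.auth_via_mfa", "192.0.2.55", "Okta"),
    ("2026-01-14T09:11:30Z", "bob@example.com", "user.authentication.sso", "192.0.2.55", "Slack"),
]

# Constructed per-user baseline: source addresses seen for the user in the prior 30 days.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "bob@example.com": {"203.0.113.20"}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_relayed_sso_sessions(events, known_ips, window_minutes=15, min_apps=3):
    """Flag MFA-verified sign-ins from an unseen IP that are followed, within
    window_minutes, by SSO access to at least min_apps distinct apps from that IP."""
    by_user = defaultdict(list)
    for ts, user, kind, ip, app in events:
        by_user[user].append((_ts(ts), kind, ip, app))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for when, kind, ip, _ in evs:
            if kind != "user.authentication.auth_via_mfa" or ip in known_ips.get(user, set()):
                continue  # not an MFA event, or the address is part of the user's baseline
            deadline = when + timedelta(minutes=window_minutes)
            apps = {a for t, k, i, a in evs
                    if k == "user.authentication.sso" and i == ip and when <= t <= deadline}
            if len(apps) >= min_apps:
                alerts.append({"user": user, "ip": ip, "mfa_at": when.isoformat(), "apps": sorted(apps)})
    return alerts


if __name__ == "__main__":
    for alert in detect_relayed_sso_sessions(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Lowering `min_apps` or widening the window trades false positives (new devices, travel) for earlier alerting; the baseline would normally come from the IdP's own history rather than a hard-coded set.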

