BlackFile Decoded: Unraveling the Vishing Extortion Campaign by UNC6671
This Q&A-style breakdown covers the BlackFile vishing extortion operation run by the threat actor UNC6671, as tracked by Google Threat Intelligence Group: its tactics, techniques, and procedures from the initial voice phishing call through compromise of the victim's cloud identity and data. The answers are written for defenders who need to counter this identity-centric threat.
What is BlackFile and who is behind it?
BlackFile is the brand name used by a threat actor tracked as UNC6671, first identified by Google Threat Intelligence Group in early 2026. The group runs an extortion campaign targeting organizations primarily in North America, Australia, and the United Kingdom. UNC6671 relies heavily on voice phishing (vishing) and single sign-on compromise to gain initial access, uses the compromised identity to reach cloud environments such as Microsoft 365 and Okta, exfiltrates sensitive corporate data, and then demands a ransom. The group maintains a dedicated data leak site called BlackFile, where it publishes stolen data if victims do not comply. UNC6671 is a distinct, well-resourced threat cluster with its own TOX communication channels and domain registration patterns.

How does UNC6671 gain initial access to victim networks?
Initial access is achieved through high-volume voice phishing (vishing) campaigns. Attackers hire callers who social-engineer employees, often contacting them on personal mobile phones so that corporate call filtering and recording never see the call. The caller poses as internal IT or help desk staff, citing a mandatory migration to passkeys or a required multi-factor authentication (MFA) update, and walks the target to a credential harvesting site, typically a subdomain with a "passkey" or "enrollment" theme; these domains are registered via Tucows. As the victim enters credentials and approves MFA prompts, the site relays them to the real identity provider, so UNC6671 ends up with valid credentials and a live authenticated session rather than just a password. This is how the group bypasses perimeter defenses and traditional MFA.
What techniques does UNC6671 employ after gaining a foothold?
The credential harvesting site operates as an adversary-in-the-middle (AiTM) proxy: it relays the victim's credentials and MFA approval to the legitimate identity provider and captures the resulting session cookies and authentication tokens in real time. Because those tokens already represent an authenticated session, UNC6671 can use them to access cloud platforms like Microsoft 365 and Okta without completing MFA again, and can keep that access for as long as the session remains valid. From there the group runs Python and PowerShell scripts to programmatically enumerate users and harvest emails, files, and other sensitive data from cloud storage and SaaS applications, exfiltrating it to attacker-controlled infrastructure. The stolen data feeds the extortion: victims are threatened with publication on the BlackFile leak site if they do not pay. The identity-centric approach is what makes the group dangerous, since a compromised SSO account opens every service federated to it.
How is UNC6671 different from ShinyHunters?
While UNC6671 has occasionally co-opted the ShinyHunters brand to add artificial credibility to their threats, Google Threat Intelligence Group assesses that the two operations are independent. Key distinctions include UNC6671’s use of separate TOX communication channels, unique domain registration patterns (e.g., subdomain-based harvesting sites with “passkey” themes), and the launch of their own dedicated BlackFile data leak site. In contrast, ShinyHunters (tracked as UNC6240) operates with different infrastructure and targets. This separation is crucial for attribution and defenders should not conflate the two when applying mitigation strategies.
What vulnerabilities does UNC6671 exploit?
UNC6671 does not rely on technical vulnerabilities in vendor products or cloud infrastructure. Instead, it exploits human trust through sophisticated social engineering: vishing persuades employees to hand over credentials and approve MFA requests on an attacker-controlled page. The campaign underscores a critical gap: organizations that rely on traditional MFA (SMS codes, TOTP apps, or push notifications) remain exposed because an AiTM proxy does not need to break the second factor. It relays the victim's code or push approval to the real provider in real time, passes the provider's responses back to the victim, and keeps the session cookie the provider issues once MFA succeeds; that cookie, not the one-time code, is what the attacker reuses. The threat is not broken software but weak identity hygiene and authentication methods that are not bound to the site the user is actually on.
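To make the distinction concrete, here is an added example (not code from the report or from Google) that simulates both login paths in Python: a toy identity provider, a victim's browser holding a passkey, and an AiTM harvesting page. The hostnames login.corp.example and passkey-enrollment.corp-sso-update.example are hypothetical, and the passkey signature is an HMAC stand-in rather than real ECDSA; the origin and rpId checks are the actual WebAuthn rules.

```python
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.corp.example"  # hypothetical legitimate IdP origin
RP_ID = "corp.example"                     # rpId the passkey was registered for
PHISH_ORIGIN = "https://passkey-enrollment.corp-sso-update.example"  # hypothetical lure


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the 'traditional' app-based second factor."""
    mac = hmac.new(secret, struct.pack(">Q", int(unix_time // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """The real IdP: it only sees what arrives over HTTPS, never who is at the other end."""

    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        # Stand-in for the passkey's public key (real WebAuthn uses an asymmetric pair).
        self.cred_key = secrets.token_bytes(32)

    def login_totp(self, code, unix_time):
        ok = hmac.compare_digest(code, totp(self.totp_secret, unix_time))
        return secrets.token_hex(16) if ok else None  # session cookie

    def login_webauthn(self, assertion, challenge):
        cd = json.loads(assertion["clientDataJSON"])
        auth_data = bytes.fromhex(assertion["authenticatorData"])
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.cred_key, signed, hashlib.sha256).digest()
        checks = (
            cd.get("type") == "webauthn.get",
            cd.get("challenge") == challenge.hex(),                     # fresh, not replayed
            cd.get("origin") == RP_ORIGIN,                              # origin binding
            auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest(),  # rpIdHash binding
            hmac.compare_digest(expected, bytes.fromhex(assertion["signature"])),
        )
        return secrets.token_hex(16) if all(checks) else None


class VictimBrowser:
    """Browser plus authenticator: the browser, not the page, writes 'origin' and picks the rpId."""

    def __init__(self, cred_key):
        self.cred_key = cred_key

    def get_assertion(self, page_origin, challenge, enforce_rp_id=True):
        host = page_origin.split("://", 1)[1].split("/", 1)[0]
        # Simplified browser rule: rpId must equal the page host or be a suffix of it.
        if enforce_rp_id and not (host == RP_ID or host.endswith("." + RP_ID)):
            return None  # no passkey for this origin: nothing for the user to approve
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": page_origin}, sort_keys=True)
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05\x00\x00\x00\x01"  # rpIdHash|flags|counter
        signed = auth_data + hashlib.sha256(client_data.encode()).digest()
        sig = hmac.new(self.cred_key, signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data.hex(),
                "signature": sig.hex()}


class AiTMProxy:
    """Attacker's lure: relays what the victim submits to the real IdP and keeps the session."""

    def __init__(self, rp):
        self.rp, self.captured = rp, []

    def _keep(self, session):
        if session:
            self.captured.append(session)
        return session is not None

    def relay_totp(self, victim_code, unix_time):
        return self._keep(self.rp.login_totp(victim_code, unix_time))

    def relay_webauthn(self, browser, enforce_rp_id=True):
        challenge = secrets.token_bytes(32)  # genuine challenge obtained from the real IdP
        assertion = browser.get_assertion(PHISH_ORIGIN, challenge, enforce_rp_id)
        return self._keep(self.rp.login_webauthn(assertion, challenge) if assertion else None)


def run_demo(unix_time=1_700_000_000):
    rp = RelyingParty()
    browser, proxy = VictimBrowser(rp.cred_key), AiTMProxy(rp)
    victim_code = totp(rp.totp_secret, unix_time)  # read from the app, typed into the lure
    challenge = secrets.token_bytes(32)
    legit = rp.login_webauthn(browser.get_assertion(RP_ORIGIN, challenge), challenge)
    return {
        "totp_session_captured": proxy.relay_totp(victim_code, unix_time),
        "passkey_session_captured": proxy.relay_webauthn(browser),
        # Hypothetical browser that ignores rpId: the IdP's origin check still rejects.
        "passkey_session_captured_lax_browser": proxy.relay_webauthn(browser, enforce_rp_id=False),
        "legitimate_passkey_login_ok": legit is not None,
        "sessions_in_attacker_hands": len(proxy.captured),
    }
```

Calling run_demo() shows the TOTP relayed through the proxy yielding a session while both passkey attempts fail: the browser refuses to use a credential registered for corp.example on the lure's host, and even a browser that did not enforce rpId would produce an assertion whose origin field names the lure, which the provider rejects. Note that the pretext in the report is a migration to passkeys; this protection only exists once the user actually has one.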

Which industries and regions are most targeted by UNC6671?
Google Threat Intelligence Group assesses that UNC6671 has targeted dozens of organizations across North America, Australia, and the United Kingdom. While specific industry verticals are not enumerated in the original report, the campaign focuses on companies using Microsoft 365 and Okta as their primary cloud identity platforms. Given the group’s reliance on vishing and SSO compromise, organizations with large, distributed workforces using cloud-based productivity suites are at heightened risk. The broad geographic spread indicates that UNC6671 is opportunistic but also willing to invest in custom vishing scripts tailored to each target.
How can organizations detect and mitigate UNC6671-style attacks?
The first line of defense is the help desk process itself: employees should be told that IT will never call to ask for credentials or an MFA approval, and should have an easy way to report such calls; help desk staff should verify callers by calling back on a number of record rather than trusting inbound caller ID. Implementing phishing-resistant MFA (FIDO2/WebAuthn security keys or platform passkeys) is the most effective technical mitigation: the assertion the authenticator signs is bound to the origin the browser is actually on, so a lookalike harvesting site cannot obtain a credential the real provider will accept. On the identity provider, enable sign-in and audit logging and alert on successful sign-ins from new IP addresses, ASNs, or user agents for a given user, especially when followed shortly by enrollment of a new authentication method, a password change, or bulk mailbox or file access. After a suspected vishing call, review the user's registered authenticators and revoke all active sessions and refresh tokens; a password reset alone does not invalidate a stolen session cookie. Block newly registered lookalike domains at DNS or the web proxy, and run regular user training that includes vishing scenarios. Google Threat Intelligence Group provides detailed detection guidance, including indicators such as subdomain-based passkey-themed URLs and specific Python/PowerShell script artifacts.
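As an added example of the log-based detection described above (not from the report; the eventType names follow Okta's System Log as I know them, the field layout is simplified, and the log lines and baseline are constructed), this Python script flags successful sign-ins from a never-seen IP address or user agent and escalates them when a new MFA factor is enrolled or the password is changed within 30 minutes. An AiTM sign-in arrives from the proxy's IP and user agent and MFA succeeds, so the MFA-success event itself is not the signal; the new client plus what follows is.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ESCALATION_WINDOW = timedelta(minutes=30)

# Follow-on actions that turn "odd sign-in" into "probable takeover" when they come
# soon after it. Okta System Log eventType names; map to your own IdP's schema.
ESCALATING_EVENTS = {
    "user.mfa.factor.activate": "new MFA factor enrolled",
    "user.account.update_password": "password changed",
}

# Constructed sample log (JSON lines, Okta-style but simplified fields; not real data).
SAMPLE_LOG = """\
{"published": "2026-02-10T09:02:11Z", "eventType": "user.session.start", "outcome": "SUCCESS", "actor": "alice@corp.example", "ip": "203.0.113.10", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"published": "2026-02-10T14:10:05Z", "eventType": "user.session.start", "outcome": "SUCCESS", "actor": "alice@corp.example", "ip": "198.51.100.77", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120"}
{"published": "2026-02-10T14:10:31Z", "eventType": "user.authentication.auth_via_mfa", "outcome": "SUCCESS", "actor": "alice@corp.example", "ip": "198.51.100.77", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120"}
{"published": "2026-02-10T14:14:02Z", "eventType": "user.mfa.factor.activate", "outcome": "SUCCESS", "actor": "alice@corp.example", "ip": "198.51.100.77", "userAgent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120"}
{"published": "2026-02-10T14:20:00Z", "eventType": "user.session.start", "outcome": "SUCCESS", "actor": "bob@corp.example", "ip": "203.0.113.55", "userAgent": "Mozilla/5.0 (Macintosh) Safari/17"}
{"published": "2026-02-10T14:25:00Z", "eventType": "user.session.start", "outcome": "SUCCESS", "actor": "carol@corp.example", "ip": "203.0.113.30", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"}
{"published": "2026-02-10T16:00:00Z", "eventType": "user.mfa.factor.activate", "outcome": "SUCCESS", "actor": "bob@corp.example", "ip": "203.0.113.20", "userAgent": "Mozilla/5.0 (Macintosh) Safari/17"}
"""

# Per-user "what is normal", built from the preceding weeks of logs; constructed here.
BASELINE = {
    "alice@corp.example": {"ips": {"203.0.113.10"}, "agents": {"Mozilla/5.0 (Windows NT 10.0) Chrome/122"}},
    "bob@corp.example": {"ips": {"203.0.113.20"}, "agents": {"Mozilla/5.0 (Macintosh) Safari/17"}},
    "carol@corp.example": {"ips": {"203.0.113.30"}, "agents": {"Mozilla/5.0 (Windows NT 10.0) Chrome/122"}},
}


def parse_events(log_text):
    """Parse JSON lines into dicts with a timezone-aware 'time' field, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(events, baseline):
    """One alert per anomalous successful sign-in; escalated to 'high' when the same
    user performs a sensitive follow-on action within ESCALATION_WINDOW."""
    open_alerts = defaultdict(list)  # user -> alerts that a later event may escalate
    alerts = []
    for ev in events:
        user = ev["actor"]
        if ev["eventType"] == "user.session.start" and ev["outcome"] == "SUCCESS":
            known = baseline.get(user, {"ips": set(), "agents": set()})
            reasons = []
            if ev["ip"] not in known["ips"]:
                reasons.append(f"sign-in from never-seen IP {ev['ip']}")
            if ev["userAgent"] not in known["agents"]:
                reasons.append("sign-in with never-seen user agent")
            if reasons:
                alert = {"user": user, "time": ev["time"], "ip": ev["ip"],
                         "severity": "medium", "reasons": reasons}
                alerts.append(alert)
                open_alerts[user].append(alert)
        elif ev["eventType"] in ESCALATING_EVENTS:
            for alert in open_alerts[user]:
                age = ev["time"] - alert["time"]
                if timedelta(0) <= age <= ESCALATION_WINDOW:
                    minutes = int(age.total_seconds() // 60)
                    alert["reasons"].append(
                        f"{ESCALATING_EVENTS[ev['eventType']]} {minutes} min after sign-in")
                    alert["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), BASELINE):
        print(alert["severity"].upper(), alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

On the sample data alice's sign-in from a new IP and browser is raised to high because a factor is enrolled four minutes later, bob's new-IP sign-in stays medium because his factor enrollment comes 100 minutes later from his usual address, and carol produces nothing. In production the baseline would be derived from the System Log API over a trailing window, the escalation list extended with bulk mail or file access events from Microsoft 365, and the window tuned to the tenant's normal behaviour.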
What are the broader implications of the BlackFile campaign?
The BlackFile operation highlights a growing trend: identity-centric extortion that bypasses traditional perimeter defenses by exploiting human trust and weak authentication. As organizations continue to migrate to cloud-based identity platforms like Microsoft 365 and Okta, attackers are shifting their focus from network intrusion to credential theft and session hijacking. UNC6671’s use of dedicated data leak sites and separate communication channels also suggests professionalization of extortion-as-a-service. The campaign reinforces the urgent need for phishing-resistant MFA, robust user awareness programs, and continuous monitoring of cloud sign-on activity. Failure to adapt could lead to more frequent and devastating identity-based breaches.