Overview
A financially-motivated criminal group known as ShinyHunters (tracked by Google/Mandiant as UNC6040, with sister clusters Cordial Spider and Snarky Spider — the new generation of “Scattered Spider”) has spent 2025–2026 breaching over 1,000 organizations and exfiltrating an estimated 1.5 billion records from SaaS platforms — primarily Salesforce, Okta, and Salesloft.
Email is not the entry point. They start with a phone call. An attacker — often using an AI voice agent that can adapt to your responses in real time — calls an employee while spoofing the company's own IT helpdesk number, and walks them through approving an MFA prompt, reading out an SSO/device code, or authorizing a malicious “connected app.” That single approval grants API-level access to the company's CRM, and bulk data export and extortion follow within hours.
Because the initial vector is a phone call, no email security platform alone can stop this attack. Defense depends on employee muscle memory and helpdesk policy. This advisory exists to make sure your team has both.
Confirmed Victims (Partial List)
The campaign is targeting organizations with mature security programs, dedicated SOCs, and full MFA deployments. The attack works because users approve it themselves:
How the Call Unfolds
Caller ID matches your IT helpdesk or a known internal extension — spoofed. The caller may know your name, your manager, an open ticket number, or a recent password reset, lifted from LinkedIn, prior breach data, or social engineering of another employee. The voice is often an AI agent that adapts to your responses in real time.
Scripts you may hear:
- “We're seeing a security incident on your account.”
- “Your MFA is de-syncing and you'll be locked out in five minutes.”
- “We're pushing an emergency Salesforce / Okta security update right now.”
You're directed to a domain that follows combosquatting patterns: my<company>internal.com, <company>sso.com, okta-<company>.com. Push Security tracks 12+ distinct device-code phishing kits actively used in these campaigns.
The caller asks you to perform one of:
- Approve an MFA push notification on your phone “to confirm we're talking to the right person.”
- Read back an 8–12 character device code shown on the page.
- Click “Allow” / “Authorize” on a Salesforce connected-app prompt — often a re-branded “Data Loader.”
The connected-app authorization grants persistent API access independent of the user's password or MFA. Hours later, the attacker bulk-exports your CRM via legitimate APIs. The extortion email typically arrives within a few days.
Red Flags — What to Watch For
- Unsolicited inbound call from “IT” or “Security” that you didn't request.
- Urgency. “Right now,” “before you get locked out,” “this expires in five minutes.”
- An MFA push you didn't initiate — the caller asks you to approve it.
- Asked to read out a code shown on a webpage. This is a device-code phishing tell.
- Asked to authorize a “connected app” or install something from a non-standard URL.
- The voice sounds slightly off — over-scripted, oddly paced, or with a brief silence before answering unexpected questions. These are tells of an AI voice agent.
- Caller knows internal details but pressures you not to verify through normal channels.
If You Get a Call Like This
- Hang up. Don't argue, don't explain, don't apologize. Just hang up.
- Call IT back using the number on your intranet or badge — never the number that called you.
- Report the call to your security team even if you didn't fall for it. Other employees are being called too.
- Never approve an MFA prompt you didn't start.
- Never read a login code, device code, or one-time password to anyone on the phone. IT will never ask for this.
- Never authorize a connected app, OAuth grant, or “Data Loader” during a phone call.
- Never log in via a URL someone read to you over the phone.
For Administrators & Helpdesk Staff
- Require live video + physical government ID verification for any password / MFA reset request.
- Disable end-user OAuth grants for connected apps in Salesforce — make admin approval mandatory.
- Restrict Salesforce Data Loader and similar API tools to allow-listed IP ranges.
- Enable Okta's device assurance / managed-device requirement for SSO.
- Move from push-based MFA to phishing-resistant MFA (FIDO2 / WebAuthn / security keys).
- Alert on new connected-app authorizations and on bulk API export volume in your SaaS audit logs.
- Run a tabletop: “What does your helpdesk do if someone calls claiming they're locked out and need an MFA reset?”
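As an added illustration of the allow-listed-IP and audit-log alerting controls above, the following Python (an example written for this advisory, not OpenEFA's or any SaaS vendor's code) runs constructed audit records through three rules: an unapproved connected-app grant, API calls from outside the allowed egress range, and bulk export volume per user within a sliding window. The record field names, approved-app list, CIDR range and thresholds are all assumptions for the demo, not a real vendor schema.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy for the example (assumptions): admin-approved connected apps,
# egress ranges allowed to use API tooling, and a per-user export threshold.
APPROVED_APPS = {"Salesforce for Outlook", "Corporate BI Connector"}
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range stand-in
BULK_ROWS = 50_000          # rows exported per user within WINDOW triggers an alert
WINDOW = timedelta(hours=1)

# Constructed sample audit records; field names are this example's own and only
# loosely modelled on SaaS API-event logs. The second user is the "bad" case.
SAMPLE_LOG = """
{"ts":"2026-05-11T09:00:00","user":"j.doe","event":"APP_AUTHORIZED","app":"Corporate BI Connector","ip":"203.0.113.10"}
{"ts":"2026-05-11T14:02:11","user":"a.smith","event":"APP_AUTHORIZED","app":"Data Loader (Salesforce Security Update)","ip":"198.51.100.7"}
{"ts":"2026-05-11T14:10:40","user":"a.smith","event":"API_QUERY","app":"Data Loader (Salesforce Security Update)","rows":30000,"ip":"198.51.100.7"}
{"ts":"2026-05-11T14:31:05","user":"a.smith","event":"API_QUERY","app":"Data Loader (Salesforce Security Update)","rows":45000,"ip":"198.51.100.7"}
{"ts":"2026-05-11T15:00:00","user":"j.doe","event":"API_QUERY","app":"Corporate BI Connector","rows":2000,"ip":"203.0.113.10"}
"""

def analyze(log_text: str):
    """Return a list of (rule, user, detail) alerts produced by the three checks."""
    alerts, seen_ips = [], set()
    exports = defaultdict(list)          # user -> [(timestamp, rows)]
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        ip = ipaddress.ip_address(rec["ip"])
        if rec["event"] == "APP_AUTHORIZED" and rec["app"] not in APPROVED_APPS:
            alerts.append(("unapproved_connected_app", rec["user"], rec["app"]))
        if rec["event"] == "API_QUERY":
            exports[rec["user"]].append((ts, rec["rows"]))
            if not any(ip in net for net in ALLOWED_CIDRS) and (rec["user"], ip) not in seen_ips:
                seen_ips.add((rec["user"], ip))   # one alert per user/IP pair
                alerts.append(("api_from_unlisted_ip", rec["user"], str(ip)))
    # Sliding window: sum of rows per user over any WINDOW-long span of events.
    for user, items in exports.items():
        items.sort()
        start, total = 0, 0
        for ts, rows in items:
            total += rows
            while ts - items[start][0] > WINDOW:   # drop events that fell out of the window
                total -= items[start][1]
                start += 1
            if total >= BULK_ROWS:
                alerts.append(("bulk_export", user, f"{total} rows in {WINDOW}"))
                break                              # one bulk alert per user is enough
    return alerts
```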
Where OpenEFA Fits
Vishing breaches do not start in email, so no email gateway alone can stop them. OpenEFA's posture is structured to reduce blast radius when one of these campaigns brushes against your environment:
Shipped May 10, 2026. OpenEFA administrator accounts can now enroll FIDO2 / WebAuthn credentials as a third MFA factor — the only MFA class that cannot be phished over the phone, because there is no code to read out and no push to approve out-of-context.
Once a victim is breached, follow-on extortion email and credential-harvest waves get sent to the rest of the org. OpenEFA's intent modeling, first-contact detection, and the EFA Collective threat intelligence feed catch these secondary campaigns even when the sender authenticates cleanly.
When attackers send the lookalike Salesforce / Okta consent-page link via email instead of phone, OpenEFA's URL reputation, brand impersonation, and combosquatting detectors are explicitly tuned for the my<company>internal.com / okta-<company>.com pattern.
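The combosquatting pattern named in "How the Call Unfolds" and again here (my<company>internal.com, <company>sso.com, okta-<company>.com), as a small lookalike-domain classifier. This is an added example, not OpenEFA's detector; the brand token and the list of legitimately operated hostnames are assumed values, and it also catches the related case where the brand appears only as a subdomain of a domain the organisation does not own.

```python
from urllib.parse import urlsplit

# Constructed sample values for this example (assumptions): the organisation's
# brand token and the hostnames it legitimately operates for SSO and CRM.
BRAND = "acme"
LEGIT_DOMAINS = ("acme.com", "acme.okta.com", "acme.my.salesforce.com")


def hostname(url: str) -> str:
    """Lower-cased hostname from a full URL or a bare host, without scheme or port."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.lower().rstrip(".")


def is_legit(host: str) -> bool:
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(url: str):
    """Return a reason string if the host looks like a lookalike of BRAND, else None."""
    host = hostname(url)
    if not host or is_legit(host):
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Registrable label: the one just left of the TLD. Good enough for .com-style
    # TLDs; a public-suffix list would be needed for co.uk and similar.
    sld = labels[-2].replace("-", "").replace("_", "")
    if BRAND in sld and sld != BRAND:
        # my<brand>internal, <brand>sso, okta-<brand>: the brand is glued to extra
        # tokens inside the label the attacker actually registered.
        return "combosquat: brand embedded in registrable label"
    if any(BRAND in label for label in labels[:-2]):
        # <brand>.com.example.net: the brand only appears left of a domain we do not own.
        return "subdomain spoof: brand used as subdomain of unrelated domain"
    return None
```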
Further Reading
Report a Suspicious Call
If you've received a call matching this pattern — or worse, if you think you may have approved a prompt and want help triaging — contact OpenEFA support immediately at support@openefa.com.