
Understanding BlackFile: A Deep Dive into Vishing Extortion Operations

Welcome to this comprehensive Q&A on the BlackFile vishing extortion campaign. The campaign, tracked by Google Threat Intelligence Group (GTIG), is run by the threat actor UNC6671, which combines voice phishing (vishing) with single sign-on (SSO) compromise to target organizations. Using adversary-in-the-middle (AiTM) phishing pages, the group captures authenticated sessions, bypasses any multi-factor authentication (MFA) that is not phishing-resistant, and gains broad access to cloud environments, primarily Microsoft 365 and Okta. Since early 2026, UNC6671 has targeted dozens of organizations across North America, Australia, and the UK. This article answers key questions about the group, their methods, and how defenders can protect against such threats.

1. What is BlackFile and who is behind it?

BlackFile is the brand name used by UNC6671, a threat actor engaged in a large-scale extortion campaign. The group specializes in vishing (voice phishing) and SSO compromise to infiltrate corporate networks. They target cloud environments, particularly Microsoft 365 and Okta, using Python and PowerShell scripts for data exfiltration. UNC6671 emerged in early 2026 and has maintained a high operational pace, targeting organizations in North America, Australia, and the UK. The group employs a dedicated data leak site (DLS) called “BlackFile” to pressure victims. Their attacks are not due to product vulnerabilities but rely heavily on social engineering, highlighting the need for phishing-resistant MFA.

Source: www.mandiant.com

2. How does UNC6671 gain initial access through vishing?

UNC6671’s initial access relies on high-volume vishing calls, often placed by hired callers. The callers use well-rehearsed social engineering to trick employees. A common pretext is that the caller is from internal IT or the help desk and that the employee must complete a mandatory migration to passkeys or an MFA update. Calls often go to victims’ personal cell phones, which keeps the conversation outside corporate telephony, email, and endpoint controls. The victim is walked to a credential-harvesting site whose hostname carries subdomains with keywords such as “passkey” or “enrollment” so that it looks like a legitimate enrollment portal. The pretext does double duty: it explains away the sign-in notifications and MFA prompts the victim sees while the attacker is logging in behind them, and it lets the caller harvest credentials and one-time codes in real time while the victim is still on the line.

3. What is the adversary-in-the-middle (AiTM) technique used by UNC6671?

Adversary-in-the-middle (AiTM) phishing is how UNC6671 defeats multi-factor authentication (MFA). Instead of merely collecting a password, the attacker hosts a reverse proxy that sits between the victim and the legitimate login page and relays every request and response in both directions. The victim types the password and approves or enters the MFA challenge on what looks like the real site; the proxy forwards those to the genuine service and captures the session cookie or token the service issues on success. Replaying that token gives the attacker an authenticated session without having to solve MFA again. The group uses this foothold to compromise the SSO platform itself (Okta), escalate privileges, and move laterally across the connected cloud applications. AiTM is dangerous because it works against the most common MFA methods: SMS and app-generated one-time codes, and push notifications, all of which the victim can be talked into entering or approving. Only factors that are cryptographically bound to the legitimate origin, such as FIDO2/WebAuthn passkeys and security keys, resist it.

4. What are the primary targets and tools used by UNC6671?

UNC6671 primarily targets Microsoft 365 and Okta infrastructure. They use Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data. The group focuses on high-value data such as intellectual property, financial records, and employee PII for extortion. They also maintain a dedicated data leak site, “BlackFile,” where they publish stolen data if ransoms are not paid. The threat actor registers domains with Tucows and uses subdomain-based hosting for phishing pages, often referencing “passkey” or “enrollment” to appear legitimate. By targeting SSO systems, they can achieve widespread access across an organization’s cloud services.


5. How does UNC6671 differ from ShinyHunters?

While UNC6671 has co-opted the ShinyHunters brand at least once to add credibility, GTIG assesses they are independent operations. Key differences include: UNC6671 uses separate TOX communication channels, has unique domain registration patterns, and operates the dedicated “BlackFile” data leak site. ShinyHunters (UNC6240) uses different infrastructure and does not follow the same operational cadence. This distinction is important for attribution and threat intelligence. UNC6671’s campaigns are not linked to software vulnerabilities but are purely social engineering-driven, emphasizing the need for organizational awareness.

6. What are the indicators of compromise and defense strategies against UNC6671?

Warning signs and indicators of compromise include calls from numbers not associated with the company in which the caller asks for MFA codes or directs the user to unfamiliar URLs whose subdomains contain words like “passkey” or “enrollment,” as well as unexpected password changes, MFA resets, or newly enrolled authenticators that the user did not request. In identity logs, look for a successful sign-in from an IP address, ASN, or country the user has never used, especially one that occurs within minutes of a factor change or a reported help-desk call. Defense strategies include: deploying phishing-resistant MFA (for example FIDO2 security keys or device-bound passkeys) and removing weaker fallback factors; educating employees about vishing pretexts and establishing a call-back procedure for any IT request that involves MFA; monitoring for anomalous SSO sign-ins and factor enrollments; and using conditional access or Okta sign-on policies to block high-risk sign-ins. Organizations should also audit Okta and Microsoft 365 for unauthorized OAuth applications, API tokens, and trust settings, and revoke active sessions for any account suspected of compromise, since resetting the password alone does not necessarily invalidate a stolen session token. Regular tabletop exercises simulating vishing attacks can improve response readiness.
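The log correlation described above, as an added example that is not part of the original article or of the GTIG/Mandiant reporting: it flags a factor change (new authenticator enrolled, factors reset, password changed) that lands within a short window of a successful sign-in from an IP the user has never used, and it also scores hostnames for the “passkey”/“enrollment” pretext pattern. The events are constructed in the shape of Okta System Log records (eventType, published, actor.alternateId, client.ipAddress, client.geographicalContext.country, outcome.result); the baseline IP sets, the 60-minute window, the users and the corporate domain allowlist are assumptions for the illustration.

```python
"""Detection sketch for the post-vishing takeover pattern in Okta System Log data.
Added example; sample events, baseline and thresholds are constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

FACTOR_CHANGE_EVENTS = {
    "user.mfa.factor.activate",      # new factor enrolled (attacker persistence)
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.account.update_password",
}
WINDOW = timedelta(minutes=60)  # assumed correlation window


def ev(event_type, published, user, ip, country, result="SUCCESS"):
    """Build a record with the subset of Okta System Log fields used below."""
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "outcome": {"result": result}}


# Constructed sample: alice is vished (new IP, then a factor enrolled minutes later),
# bob enrolls a factor normally from the office, carol signs in from a new IP only.
SAMPLE_EVENTS = [
    ev("user.session.start", "2026-03-02T14:02:11.000Z", "alice@example.com", "203.0.113.10", "United States"),
    ev("user.session.start", "2026-03-02T14:31:40.000Z", "alice@example.com", "198.51.100.77", "Netherlands"),
    ev("user.mfa.factor.activate", "2026-03-02T14:34:05.000Z", "alice@example.com", "198.51.100.77", "Netherlands"),
    ev("user.mfa.factor.activate", "2026-03-02T09:00:00.000Z", "bob@example.com", "203.0.113.10", "United States"),
    ev("user.session.start", "2026-03-02T09:05:00.000Z", "bob@example.com", "203.0.113.10", "United States"),
    ev("user.session.start", "2026-03-02T16:10:00.000Z", "carol@example.com", "192.0.2.50", "Canada"),
]
# Assumed 30-day baseline of source IPs per user, built from earlier logs.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.10"},
    "carol@example.com": {"203.0.113.11"},
}


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_factor_change_near_new_ip_login(events, baseline_ips, window=WINDOW):
    """Return one alert per (user, successful sign-in from a non-baseline IP) that has
    a factor-change event within `window` on either side. The AiTM takeover usually
    shows up as the sign-in first and the attacker-enrolled factor a few minutes later."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["actor"]["alternateId"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        changes = [e for e in evs if e["eventType"] in FACTOR_CHANGE_EVENTS]
        for login in evs:
            if login["eventType"] != "user.session.start" or login["outcome"]["result"] != "SUCCESS":
                continue
            ip = login["client"]["ipAddress"]
            if ip in baseline_ips.get(user, set()):
                continue
            t_login = parse_ts(login["published"])
            nearby = [c for c in changes if abs(parse_ts(c["published"]) - t_login) <= window]
            if nearby:
                alerts.append({"user": user, "ip": ip,
                               "country": login["client"]["geographicalContext"]["country"],
                               "login_at": login["published"],
                               "factor_events": [c["eventType"] for c in nearby]})
    return alerts


PRETEXT_KEYWORDS = ("passkey", "enrollment")
CORPORATE_DOMAINS = {"example.com", "okta.com", "microsoftonline.com"}  # assumed allowlist


def suspicious_enrollment_host(hostname, corporate_domains=CORPORATE_DOMAINS):
    """True when a hostname uses the campaign's pretext words in its subdomain labels
    but is not under a domain the organisation actually uses. Assumes a two-label
    registrable domain; use a public-suffix library for real traffic."""
    h = hostname.lower().rstrip(".")
    if any(h == d or h.endswith("." + d) for d in corporate_domains):
        return False
    subdomain_labels = h.split(".")[:-2]
    return any(k in label for label in subdomain_labels for k in PRETEXT_KEYWORDS)


if __name__ == "__main__":
    for a in detect_factor_change_near_new_ip_login(SAMPLE_EVENTS, BASELINE_IPS):
        print("ALERT", a)
    for host in ("passkey-enrollment.contoso-sso.net", "okta-enrollment.example.com"):
        print(host, suspicious_enrollment_host(host))
```

Run against the sample, only alice trips the rule: bob's enrollment comes from a baseline IP and carol's new-IP sign-in has no factor change nearby (worth a lower-severity notice, but a different rule). In production the baseline would come from the preceding weeks of `user.session.start` events, and the same correlation can be widened to ASN or country rather than exact IP.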

7. Why is phishing-resistant MFA critical against campaigns like BlackFile?

Phishing-resistant MFA, such as FIDO2/WebAuthn security keys and passkeys, is essential because it cannot be relayed through an adversary-in-the-middle proxy. Legacy factors such as SMS codes, app-generated codes, and push approvals carry no information about where the user actually is, so a code read out over the phone or typed into a proxy page works just as well for the attacker as for the victim. UNC6671’s AiTM proxies capture the session token that the legitimate service issues once such a factor is satisfied, which nullifies the protection. A FIDO2 credential is scoped to the relying party’s domain, and the browser writes the real page origin into the data the authenticator signs, so a credential registered for the genuine SSO domain cannot be exercised from a look-alike host, and an assertion produced on a phishing page is rejected by the legitimate service. As social engineering campaigns grow more sophisticated, moving beyond legacy MFA is the most effective way to protect against credential theft and session hijacking, and it reduces the risk of extortion and data breaches in cloud environments.
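The origin binding that makes the difference between a relayable one-time code (question 3) and a non-relayable FIDO2 assertion (this question), as an added example that is not code from the GTIG report or from any WebAuthn library. The relying party ID, the legitimate and proxy origins, and the challenge are assumed; the clientDataJSON and authenticatorData bytes are constructed to mirror what a conforming browser and authenticator emit. Signature verification over authenticatorData || SHA-256(clientDataJSON) is left to a real WebAuthn library and is not re-implemented here; the checks shown are the ones that run before it and that reject a proxied login outright.

```python
"""Why an AiTM proxy cannot relay a passkey / security-key login.
Added example; origins, rpId and challenge are assumed, assertion bytes are constructed."""
import hashlib
import json
from urllib.parse import urlsplit

RP_ID = "sso.example.com"                               # assumed relying party ID
EXPECTED_ORIGIN = "https://sso.example.com"             # assumed legitimate origin
PROXY_ORIGIN = "https://passkey-enrollment.example.net"  # assumed AiTM phishing host


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_data(rp_id: str, counter: int = 1, flags: int = 0x05) -> bytes:
    """First 37 bytes of WebAuthn authenticatorData: rpIdHash(32) | flags(1) | signCount(4).
    flags 0x05 = user present (UP) + user verified (UV)."""
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def browser_assertion(page_origin: str, challenge: str, requested_rp_id: str):
    """Model what a browser and authenticator produce when the page at page_origin
    calls navigator.credentials.get() with requested_rp_id.

    Two client-side bindings matter: the browser writes the page's real origin into
    clientDataJSON, and it only honours an rpId that is a registrable suffix of that
    origin's host (anything else raises SecurityError). A proxy on another host is
    therefore limited to its own host as rpId, for which the authenticator holds no
    credential. The model returns the bytes that would be signed so the server-side
    checks below can be exercised on both the legitimate and the proxied flow."""
    host = urlsplit(page_origin).hostname or ""
    if host == requested_rp_id or host.endswith("." + requested_rp_id):
        effective_rp_id = requested_rp_id
    else:
        effective_rp_id = host  # browser would refuse the foreign rpId
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge,
         "origin": page_origin, "crossOrigin": False},
        separators=(",", ":"),
    )
    return client_data, authenticator_data(effective_rp_id)


def check_assertion_binding(client_data_json: str, auth_data: bytes,
                            expected_challenge: str,
                            expected_origin: str = EXPECTED_ORIGIN,
                            rp_id: str = RP_ID):
    """Relying-party-side checks from the WebAuthn assertion verification procedure
    that precede the signature check. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: client was on {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != rp_id_hash(rp_id):
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "assertion bound to expected origin and rpId"


if __name__ == "__main__":
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real RP uses fresh random bytes
    for origin in (EXPECTED_ORIGIN, PROXY_ORIGIN):
        cd, ad = browser_assertion(origin, challenge, RP_ID)
        print(origin, "->", check_assertion_binding(cd, ad, challenge))
```

Contrast this with a TOTP or SMS code: the six digits the victim reads out contain neither an origin nor an rpId, so the proxy submits them to the real service unchanged and the service has no way to tell that the user was never on its page. With the passkey, the proxied flow fails twice: the browser on the phishing host cannot even request a credential for sso.example.com, and if bytes were somehow produced they carry the phishing origin and a foreign rpIdHash, which the relying party rejects before it looks at the signature.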
