VYPR
breach · Published May 15, 2026 · Updated May 20, 2026 · 1 source

Mandiant Exposes BlackFile: Vishing Extortion Operation Using Branded Phishing Sites to Steal SSO Credentials

Mandiant has tracked a threat actor dubbed UNC6671 operating BlackFile, a vishing extortion campaign that uses phone calls to lure victims into brand-specific credential harvesting portals, compromising SSO accounts and MFA tokens.

Mandiant Threat Intelligence has published a detailed analysis of a sophisticated vishing (voice phishing) extortion campaign operated by a threat cluster tracked as UNC6671. The operation, which researchers have dubbed ‘BlackFile,’ relies on an unusual combination of telephone-based social engineering and highly targeted, victim-branded credential harvesting websites to achieve initial access to corporate networks.

Unlike conventional phishing that primarily uses email or SMS, the BlackFile operators first place phone calls to their targets. Posing as IT support staff, help desk personnel, or other trusted figures, the callers convince victims to visit a credential harvesting page that has been custom-branded to match the victim’s own organization. This personalized approach significantly increases the likelihood of compliance. Once on the site, victims are prompted to enter their single sign-on (SSO) credentials and, critically, their multi-factor authentication (MFA) one-time codes.

The technical mechanism behind the attack is straightforward but effective. By capturing both the password and the current MFA code in real time, the threat actor can immediately authenticate to the victim’s account before the code expires, bypassing the protection that MFA is intended to provide. Mandiant notes that the campaign specifically targets SSO platforms, so a single compromised login can potentially unlock a wide array of connected enterprise applications. The harvested credentials and session cookies enable the actor to establish persistent access.
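To make the mechanism concrete, the following added example (illustrative code written for this summary, not Mandiant's or the report's own code) models two MFA checks side by side: a TOTP code that the victim reads into a branded page and the operator relays to the genuine IdP within the accept window is accepted, while an origin-bound assertion of the kind hardware FIDO2/WebAuthn tokens produce is rejected because the signed origin is the harvesting site rather than the IdP. The domains, secrets, timestamps and challenge string are constructed placeholders, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample values (placeholders, not from the report).
REAL_IDP_ORIGIN = "https://sso.example-corp.test"        # the genuine SSO portal
PHISHING_ORIGIN = "https://sso-example-corp-help.test"  # branded harvesting page
TOTP_SECRET = b"constructed-shared-totp-seed"            # seed shared by IdP and phone app
AUTHENTICATOR_KEY = b"constructed-authenticator-key"     # stands in for the token's private key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def idp_verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """IdP-side check, accepting one step of clock skew either way (a common default).
    Nothing in the code ties it to the site the victim typed it into."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * 30), code)
        for k in range(-window, window + 1)
    )


def relay_totp_attack(now: int = 1_800_000_000) -> bool:
    """Victim types the current code into the branded page at `now`; the operator
    submits it to the real IdP 20 seconds later. Returns True: the relay succeeds."""
    code_typed_into_phishing_page = totp(TOTP_SECRET, now)
    return idp_verify_totp(TOTP_SECRET, code_typed_into_phishing_page, now + 20)


def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """What the browser plus authenticator produce: the signed clientData carries
    the origin the browser is actually on, which the page cannot override."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def idp_verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """IdP-side check: signature must verify AND the signed origin must be the IdP's own."""
    expected_sig = hmac.new(AUTHENTICATOR_KEY, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    data = json.loads(assertion["clientData"])
    return data["challenge"] == expected_challenge and data["origin"] == REAL_IDP_ORIGIN


def relay_webauthn_attack() -> bool:
    """Operator fetches a fresh challenge from the real IdP, feeds it to the victim
    through the branded page, and relays whatever the victim's browser signs.
    Returns False: the signed origin is the phishing site, so the IdP rejects it."""
    challenge = "idp-challenge-7f3a"  # constructed
    victim_assertion = authenticator_sign(challenge, PHISHING_ORIGIN)
    return idp_verify_assertion(victim_assertion, challenge)


def legitimate_webauthn_login() -> bool:
    """Same flow from the genuine portal: origin matches, assertion accepted."""
    challenge = "idp-challenge-7f3a"  # constructed
    return idp_verify_assertion(authenticator_sign(challenge, REAL_IDP_ORIGIN), challenge)


if __name__ == "__main__":
    print("TOTP relayed within window accepted:", relay_totp_attack())
    print("Origin-bound assertion relayed from phishing page accepted:", relay_webauthn_attack())
    print("Origin-bound assertion from real portal accepted:", legitimate_webauthn_login())
```

In a real WebAuthn deployment the defence is stronger than this sketch shows: the browser also refuses to use a credential registered for one RP ID on an unrelated domain, so the harvesting page never gets an assertion to relay in the first place. The point of the model is that a one-time code carries no information about where it was entered, whereas an origin-bound assertion does.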

Mandiant assesses that UNC6671’s primary motivation is extortion. After gaining a foothold, the group threatens to leak sensitive data, disrupt operations, or escalate access unless a ransom is paid. The BlackFile operation is notable for reaching people directly through a voice channel, a vector that many security awareness programs underemphasize compared to email phishing.

“The use of telephone-based vishing combined with realistic, branded credential harvesting pages represents a significant evolution in extortion tactics,” Mandiant researchers observed. “Organizations must train employees not only to spot malicious emails but also to verify unexpected phone calls that request login credentials or sensitive actions.”

As of publication, Mandiant has not disclosed specific victim organizations or attributed BlackFile to a known ransomware or extortion group, but the publication of detailed tradecraft is intended to help defenders detect and block these attacks. Recommendations include implementing strict phone-call verification procedures, deploying hardware-bound MFA tokens that are less susceptible to real-time relay, and monitoring for anomalous authentication events that follow unexpected help-desk or call-center contact.
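The monitoring recommendation can be reduced to a concrete observation: when a relayed login succeeds, the genuine IdP sees the session originate from the operator's infrastructure rather than the victim's usual device, and persistence often shows up shortly afterwards as a newly enrolled MFA method. The following added detection sketch (illustrative code written for this summary, not Mandiant's tooling) runs that logic over constructed SSO audit lines; the field names, IP addresses and user agents are assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (one JSON object per line); not real telemetry.
# jdoe has two days of baseline logins from one device, then a successful TOTP
# login from an unseen IP and user agent, followed five minutes later by a new
# MFA enrollment from that same source. asmith has no baseline and uses FIDO2.
SAMPLE_LOG = """\
{"ts":"2026-05-12T09:02:11Z","user":"jdoe","event":"login_success","ip":"203.0.113.20","ua":"Chrome/124 Windows","factor":"totp"}
{"ts":"2026-05-13T09:05:40Z","user":"jdoe","event":"login_success","ip":"203.0.113.20","ua":"Chrome/124 Windows","factor":"totp"}
{"ts":"2026-05-14T14:31:02Z","user":"jdoe","event":"login_success","ip":"198.51.100.77","ua":"curl/8.4.0","factor":"totp"}
{"ts":"2026-05-14T14:36:45Z","user":"jdoe","event":"mfa_enroll","ip":"198.51.100.77","ua":"curl/8.4.0","factor":"push"}
{"ts":"2026-05-14T15:10:00Z","user":"asmith","event":"login_success","ip":"192.0.2.8","ua":"Safari/17 macOS","factor":"fido2"}
"""

# Factors a victim can read out or approve for a caller; origin-bound factors are excluded.
PHISHABLE_FACTORS = {"totp", "sms", "push"}
ENROLL_WINDOW = timedelta(minutes=15)


def parse(log_text: str) -> list:
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Two rules, evaluated in time order so each user's baseline is built as we go:
    1. successful login with a phishable factor from an IP AND user agent never seen
       for that user (and the user has a baseline, so first-ever logins are skipped);
    2. an MFA enrollment within ENROLL_WINDOW of such a login for the same user."""
    seen_ip = defaultdict(set)
    seen_ua = defaultdict(set)
    suspicious_logins = []
    alerts = []
    for e in events:
        u = e["user"]
        if e["event"] == "login_success":
            new_ip = e["ip"] not in seen_ip[u]
            new_ua = e["ua"] not in seen_ua[u]
            if seen_ip[u] and new_ip and new_ua and e["factor"] in PHISHABLE_FACTORS:
                alerts.append({"rule": "phishable_mfa_from_unseen_device", "user": u,
                               "ts": e["ts"].isoformat(), "ip": e["ip"], "ua": e["ua"]})
                suspicious_logins.append(e)
            # Baseline is updated after the check so the event cannot whitelist itself.
            seen_ip[u].add(e["ip"])
            seen_ua[u].add(e["ua"])
        elif e["event"] == "mfa_enroll":
            for s in suspicious_logins:
                if s["user"] == u and timedelta(0) <= e["ts"] - s["ts"] <= ENROLL_WINDOW:
                    alerts.append({"rule": "mfa_enroll_after_suspicious_login", "user": u,
                                   "ts": e["ts"].isoformat(), "ip": e["ip"],
                                   "minutes_after_login": (e["ts"] - s["ts"]).seconds // 60})
                    break
    return alerts


def run() -> list:
    """Convenience entry point: parse the constructed log and return the alerts."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

In production the baseline would come from a rolling window of historical sign-ins rather than the same log slice, and the first rule would typically be enriched with ASN or geolocation rather than raw IP equality, but the shape is the same: a phishable factor succeeding from an unknown source, then a persistence action close behind it.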

The BlackFile campaign is the latest reminder that vishing remains a potent and underappreciated initial access vector. While many security teams have fortified defenses against email-based spear-phishing and exploit kits, the telephone channel continues to be exploited with alarming success, particularly in campaigns that combine social engineering with custom technical infrastructure.

Synthesized by Vypr AI