ShinyHunters Campaign: Identity-Based Social Engineering and Large-Scale SaaS Data Theft Targeting Enterprise Cloud Environments
May 14th, 2026
High

Our Cyber Threat Intelligence Unit has identified ongoing cyber intrusions linked to the ShinyHunters threat collective, which first surfaced publicly in early 2020 and has continued through 2025 and 2026. The activity represents a large-scale data-theft campaign targeting enterprise cloud and SaaS environments, leveraging social engineering and identity-based access techniques rather than traditional malware. Recent reporting indicates overlap and loose alignment between ShinyHunters-branded activity and actors associated with Scattered Spider and LAPSU$, which Augur Security has tracked as the ScatteredLapsu$ShinyHunters compound cluster since September 2025. The campaign exploits authentication workflows, voice phishing, and cloud authorization mechanisms to access enterprise systems and extract sensitive data at scale. Organizations across the technology, finance, telecommunications, and healthcare sectors have been affected, with reported incidents involving large-scale exposure of sensitive customer, business, and SaaS data, followed by financial extortion. This activity is ongoing and represents a persistent risk to organizations that rely on cloud-based identity and SaaS infrastructure.
Technical Details
Attack Type: Identity-based Social Engineering + Adversary-in-the-Middle (AiTM) + SaaS Data Exfiltration
Severity: High
Delivery Method: Voice phishing (vishing) calls impersonating internal IT/help-desk staff, directing victims to attacker-controlled lookalike SSO domains hosting real-time AiTM credential harvesting panels
Technique: Real-time AiTM credential harvesting, capturing credentials, MFA codes, and session tokens; MFA device re-enrollment using Android emulator; OAuth token abuse for persistence; lateral movement across SaaS platforms; automated cloud data exfiltration
Affected Products: Identity providers and connected SaaS services, including Okta/SSO authentication portals, Google Workspace, Slack, SharePoint, Salesforce, Zendesk, and Salesforce Experience Cloud portals with misconfigured guest user permissions
Attack Chain:
The attack begins with voice phishing (vishing) in which attackers impersonate internal IT/help-desk staff and contact employees, directing them to enroll updated MFA settings or resolve an urgent account issue.
Victims are directed to lookalike SSO phishing domains registered with valid HTTPS certificates to appear legitimate.
Domains commonly follow naming patterns such as <companyname>sso[.]com, <companyname>internal[.]com, and <companyname>okta[.]com, typically registered via NICENIC or Tucows.
The phishing page operates as a real-time AiTM credential harvesting proxy, relaying authentication traffic between the victim and the legitimate identity provider.
When victims enter their credentials and MFA codes, the proxy captures the authenticated session token in real time.
Using the stolen session, attackers register their own MFA device using a Genymotion Android emulator, identifiable in IdP logs by the Geny Mobile user agent string, to maintain persistent access.
Attackers may also harvest OAuth access and refresh tokens exposed in code repositories, allowing persistence even after password resets.
With the compromised identity established, attackers pivot into integrated SaaS services such as Slack, SharePoint, Salesforce, Zendesk, and Google Workspace.
Targeting of specific platforms is largely opportunistic and determined by the permissions and applications accessible through the individual compromised SSO session.
The ToogleBox Recall application is authorized via OAuth using Gmail add-on scopes, including gmail.addons.execute and gmail.addons.current.message.readonly, and is used to locate and delete the "Security method enrolled" notification email from Okta, preventing the victim from detecting the new MFA device registration.
Attack traffic is routed through VPNs and residential proxies, including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks, to conceal the attacker's location and origin.
Automated scripts exfiltrate cloud data rapidly; a documented pattern is 50 or more files downloaded within five minutes from SharePoint and other SaaS platforms.
Data discovery targets documents containing keywords including poc, confidential, internal, proposal, salesforce, and vpn, as well as personally identifiable information stored in Salesforce.
In a related ShinyHunters-attributed campaign, attackers have also exploited misconfigured Salesforce Experience Cloud guest user permissions, allowing unauthenticated access to backend objects through the /s/sfsites/aura API endpoint using a repurposed AuraInspector tool, a Mandiant-developed defensive utility originally designed to identify Salesforce Aura access control misconfigurations.
Additional tooling observed in this technique class includes sret and cirusgo.

Impact
Large technology, SaaS, financial services, telecommunications, healthcare, and travel sector organizations are at high risk due to their reliance on cloud identity platforms and integrated SaaS ecosystems.
Successful exploitation can result in large-scale data theft, including PII, financial records, source code, and internal communications.
Extortion follows via email, with documented demands including a cryptocurrency payment destination and a 72-hour deadline.
Incidents of this nature may trigger regulatory obligations under frameworks such as GDPR, DPDP Act, PCI-DSS, and HIPAA.
Beyond financial loss, organizations may experience operational disruption through DDoS attacks against victim websites and broad internal account compromise.
Legal exposure and severe reputational damage following public data leaks on underground breach forums and dedicated leak sites associated with the ShinyHunters brand represent further downstream consequences.
Detection Method
Monitor IdP/SSO authentication logs for MFA device enrollment within 10 minutes of a first login from a new IP address, particularly where the enrolling device presents a user agent string matching the pattern Geny Mobile, indicating the use of a Genymotion Android emulator consistent with documented attacker tradecraft.
Detect geographically improbable login sequences where two successful authentications occur from locations inconsistent with plausible human travel, as these may indicate AiTM session relay or compromised credential reuse by a remote operator.
Identify AiTM authentication patterns such as a failed login followed by an MFA failure followed by a successful login within five minutes from the same IP address.
Monitor SaaS audit logs for unauthorized OAuth application authorization events, particularly those involving ToogleBox Recall or any application requesting Gmail add-on scopes such as gmail.addons.execute or gmail.addons.current.message.readonly.
Monitor for deletion of security notification emails matching MFA enrollment subject patterns (e.g., "Security method enrolled"), particularly where deletion occurs shortly after a new device login event.
Monitor for abnormal SaaS access bursts from VPN or residential proxy infrastructure, particularly where a single session reaches multiple SSO-integrated applications within a short window.
Known proxy providers used in this campaign include Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks.
Detect high-volume data exfiltration patterns such as 50 or more file downloads within five minutes from SharePoint or Google Drive via API or non-browser user agents.
Inspect Salesforce Event Monitoring logs (available via Salesforce Shield or as a standalone add-on) for guest user enumeration activity. Key signals include:
High-volume requests to the /s/sfsites/aura API endpoint from sessions where USER_TYPE = 'Guest'
Invocation of the GraphQL endpoint (aura://RecordUiController/ACTION$executeGraphQL) by guest user sessions
The AuraInspector default user agent (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0)
Note: the AuraInspector default user agent is not exclusive to ShinyHunters and should be treated as a tool-based access signal requiring investigation, not as standalone attribution.
The campaign-specific ShinyHunters user agent string identified by Reco (Anthropic/RapeForceV2.01.39).
Focus on the USER_AGENT, USER_TYPE, CLIENT_IP, and ACTION_MESSAGE fields in AuraRequest event log files.
Implement SIEM correlation rules linking SSO login, MFA enrollment, and SaaS enumeration within short time windows.
GTIG has published YARA-L detection rules for Google Security Operations covering Okta suspicious actions from anonymized IPs, ToogleBox Recall OAuth authorization, SharePoint bulk file access and download, SharePoint queries for strings of interest, and O365 MFA notification email deletion.
Augur Security recommends alerting when a new MFA factor is enrolled, followed by a login from a different IP or geographic region within a 60-minute window.
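The two IdP correlation rules above (MFA enrollment within 10 minutes of a first login from a new IP, with the Geny Mobile user agent raising priority, and a login from a different IP within 60 minutes of a new MFA factor) implemented over constructed log lines. This is an added example, not code from the advisory or any vendor; the event schema and sample values are assumptions.

```python
# Added example: correlate constructed IdP events against the two enrollment
# rules from the detection section. Schema "timestamp,user,ip,event,ua" is assumed.
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2026-05-01T09:00:00,alice,203.0.113.10,login.success,Mozilla/5.0 (Windows NT 10.0)
2026-05-01T09:04:00,alice,203.0.113.10,mfa.enroll,Mozilla/5.0 (Linux; Android 11) Geny Mobile
2026-05-01T09:30:00,alice,198.51.100.7,login.success,Mozilla/5.0 (Windows NT 10.0)
2026-05-01T10:00:00,bob,203.0.113.55,login.success,Mozilla/5.0 (Macintosh)
2026-05-01T10:45:00,bob,203.0.113.55,mfa.enroll,Mozilla/5.0 (Macintosh)
"""

def parse(log):
    """Parse CSV-style lines into dicts sorted by timestamp."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, event, ua = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": event, "ua": ua})
    return sorted(events, key=lambda e: e["ts"])

def detect(events, known_ips=None):
    """Return (rule, user, timestamp) alerts.
    Rule A: MFA enrollment <= 10 min after the first login from an IP not
            previously seen for that user; a 'Geny Mobile' UA is flagged.
    Rule B: login from a different IP <= 60 min after a new MFA factor."""
    known_ips = {u: set(ips) for u, ips in (known_ips or {}).items()}
    new_ip_login = {}   # user -> (ts, ip) of latest login from an unseen IP
    last_enroll = {}    # user -> (ts, ip) of latest MFA enrollment
    alerts = []
    for e in events:
        u, seen = e["user"], known_ips.setdefault(e["user"], set())
        if e["event"] == "login.success":
            if e["ip"] not in seen:
                seen.add(e["ip"])
                new_ip_login[u] = (e["ts"], e["ip"])
            le = last_enroll.get(u)
            if le and le[1] != e["ip"] and e["ts"] - le[0] <= timedelta(minutes=60):
                alerts.append(("B:login_other_ip_after_enroll", u, e["ts"]))
        elif e["event"] == "mfa.enroll":
            last_enroll[u] = (e["ts"], e["ip"])
            nl = new_ip_login.get(u)
            if nl and e["ts"] - nl[0] <= timedelta(minutes=10):
                rule = "A:enroll_after_new_ip_login"
                if "Geny Mobile" in e["ua"]:
                    rule += "+emulator_ua"
                alerts.append((rule, u, e["ts"]))
    return alerts
```

Passing a `known_ips` baseline (e.g. the user's IPs from the previous 30 days) suppresses Rule A for logins that are not actually new.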
Indicators of Compromise
The following indicators have been sourced across multiple threat clusters.
IP Addresses
URLs and Email Address
Indicator Type | Indicator | Description
URL | http://64.95.11[.]112/hello.php | UNC6040 malicious endpoint (FBI)
URL | http://91.199.42[.]164/login | UNC6040 malicious login endpoint (FBI)
Email Address | shinycorp@tutanota[.]com | UNC6240 extortion contact address (GTIG)
Email Address | shinygroup@onionmail[.]com | UNC6240 extortion contact address (GTIG)

Recommendations
Deploy FIDO2/WebAuthn MFA using hardware security keys or platform passkeys and replace all push-based, SMS, and TOTP MFA mechanisms to prevent AiTM phishing and session relay attacks.
Disable self-service MFA enrollment and require IT administrator approval with out-of-band identity verification before registering any new MFA device.
Apply a quarantine period for newly enrolled MFA devices and restrict high-risk operations such as bulk SaaS data exports or security configuration changes during the verification window.
Audit Salesforce Experience Cloud configurations and remove unnecessary guest user permissions, restrict external object access, disable guest visibility to sensitive records, and enforce private access controls across all public-facing portal components.
Restrict SaaS access to organization-managed and compliant devices from trusted network locations, and block authentication attempts originating from residential proxies and commercial VPN infrastructure.
Deploy SIEM correlation rules to detect abnormal authentication activity, MFA manipulation, improbable login sequences, and suspicious OAuth authorization events.
Establish an approved OAuth application allowlist and alert immediately on any third-party application requesting high-risk scopes or Gmail add-on permissions.
Revoke unauthorized OAuth grants and conduct regular reviews across all cloud identity platforms and SaaS services.
Strengthen help desk identity verification procedures by requiring secure out-of-band verification methods before performing any MFA reset or account recovery action.
Require callbacks to verified corporate phone numbers rather than processing requests on inbound calls.
Monitor and scan code repositories for exposed secrets, API keys, OAuth tokens, or credentials, and immediately rotate any compromised authentication artifacts.
Implement user behavior analytics to detect anomalies such as unusual login locations, excessive file downloads, or abnormal SaaS application access patterns.
Subscribe to dark web monitoring services to detect early exposure of company data, credentials, or mentions on breach forums and underground marketplaces.
Implement a Zero Trust access architecture enforcing continuous verification, least-privilege access, and micro-segmentation across all SaaS integrations and identity platforms.
Develop and regularly test an identity-focused incident response playbook that includes revoking active sessions, invalidating OAuth refresh tokens, auditing service account credentials, and enforcing strict post-incident access controls.
Conclusion
ShinyHunters and the broader ScatteredLapsu$ShinyHunters ecosystem represent a sophisticated, financially motivated threat that operates primarily within the identity layer, using AiTM credential harvesting, OAuth abuse, and exploitation of cloud platform misconfigurations, which reduces the effectiveness of traditional perimeter defenses. Organizations should consider this threat to be active and growing. Immediate actions include deploying FIDO2/WebAuthn MFA, auditing Salesforce Experience Cloud guest user settings, establishing OAuth application governance, and improving coordination among security, identity, and SOC teams to strengthen both monitoring coverage and incident response readiness.