ShinyHunters: SSO vishing targeting Salesforce/Okta — FIDO2 as countermeasure
Mandiant details a “ShinyHunters” vishing campaign stealing SSO accounts to loot Salesforce and other SaaS. Phishing-resistant MFA (FIDO2/WebAuthn) operationalizes GDPR Article 32 and reduces notification risk.
What happened
On January 31, 2026, BleepingComputer relayed Mandiant’s analysis of a wave of attacks under the “ShinyHunters” banner: social‑engineering phone calls (vishing) from fake “IT support” drive employees to company‑branded phishing portals to steal SSO credentials and MFA codes, then register a second factor controlled by the attacker. Once inside the SSO directory (Okta, Microsoft Entra, Google), attackers pivot into key SaaS (Salesforce — a stated priority), M365/SharePoint, DocuSign, Slack, Atlassian, Dropbox, etc., and mass‑exfiltrate data for extortion. Public indicators include domain patterns like <companyname>sso[.]com, my<company>sso[.]com, <company>internal[.]com, <company>okta[.]com; outbound access via residential VPN/proxies (Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, nsocks); audit signals (PowerShell User‑Agent on SharePoint/OneDrive, deletion of “Security method enrolled” emails, and activation of the Google Workspace add‑on “ToogleBox Recall” to hide fraudulent MFA enrollment). Sources: BleepingComputer, 31/01/2026 and Google Cloud — Mandiant.
Google Threat Intelligence (GTIG) tracks these operations under multiple clusters (UNC6661, UNC6671, UNC6240), with published IOCs and TTPs for hunting and detection. Clear recommendation: ingest these IOCs into SIEM/SOAR, DNS/proxy, EDR, and SaaS logs to surface past and active exposure. Source: ITPro, 04/02/2026.
Applicable legal framework
GDPR — Article 32 “Security of processing”: controllers and processors must implement “appropriate technical and organisational measures,” including strong authentication. In SSO/SaaS contexts, phishing‑resistant MFA (FIDO2/WebAuthn, origin‑bound passkeys) is now expected for privileged accounts and large‑scale access to personal data. Official text: EUR‑Lex — GDPR, Art. 32. For practical guidance, see our page on GDPR security obligations.
NIS 2 in Luxembourg: the May 5, 2026 law mandates risk‑management measures (Art. 21) and incident reporting timelines (early warning 24 h, notification 72 h, final report 1 month) to the ILR via SERIMA. Guidance and portal: ILR — NIS 2 incident notification and EUR‑Lex — Directive (EU) 2022/2555. See also NIS 2 — Luxembourg. For the local operating model, refer to NIS 2 in Luxembourg and ILR.
Practical impact: an SSO breach leading to CRM exfiltration (customers, prospects, support) typically qualifies as a personal data breach (GDPR) and, under NIS 2, may be a significant incident requiring ILR notification within 24 h depending on impact.
The technical control to deploy
Phishing‑resistant MFA (FIDO2/WebAuthn):
- Goal: prevent capture/replay of OTP/SMS/push during vishing. FIDO2 binds a keypair to the origin: no code entry; lookalike redirects fail because the authenticator verifies the real domain before signing.
- How: roll out hardware keys (YubiKey, Feitian, etc.) or platform passkeys registered on the IdP (Okta/Entra/Google). Require FIDO2 for super‑admins, integration accounts, and critical apps (Salesforce, M365, DocuSign, Slack); ban OTP/push on these scopes.
- Associated controls: supervised enrollment policy, admin approval for any factor addition, network/Device Posture restrictions, session binding, and FIDO2 re‑auth before bulk export/sensitive admin in SaaS.
- Detection/IOC hunting: SIEM rules on Mandiant patterns — <company>sso[.]com/<company>internal[.]com domains, PowerShell User‑Agent on SharePoint, unexpected MFA factor creation, deletion of “Security method enrolled” emails, ToogleBox Recall add‑on activation, connections via listed residential proxies. Sources: BleepingComputer and Google/Mandiant.
Frameworks: ISO/IEC 27001:2022 Annex A (A.5.17 Authentication, A.8.3 User authentication), NIST SP 800‑63B (AAL2/3), CIS Controls v8 (CIS 6 – Access Control, CIS 5 – Account Management).
How Luxgap implements this
- Our ISO 27001 governance: GDPR Art. 32/NIS 2 Art. 21 alignment, risk‑based role scoping, privileged role definitions, authentication policy (mandatory FIDO2 on IdP and critical SaaS), and evidence of compliance (policies, enrollment logs, test reports).
- Our managed SOC (24/7): ingestion of Mandiant IOCs and SaaS/IdP detections; event correlation (MFA factor addition, large Salesforce exports, PowerShell signals, residential proxies); ILR early‑warning procedures (SERIMA). Explore our managed SOC and incident detection.
- Our e‑learning platform: targeted anti‑vishing modules for helpdesk spoofing, “IT call” role‑play; admin certification before FIDO2 enrollment; quarterly simulated voice‑phishing. See our security awareness program.
In practice, we start with a FIDO2 pilot on the IdP (Okta/Entra/Google) and Salesforce, blocking OTP/push on admin profiles, then expand to data‑heavy roles. In parallel, our SOC enables Mandiant detections and a SOAR playbook: account isolation, session revocation, export verification, risky integration freeze, and ILR pre‑notification within <24 h if NIS 2 criteria apply.
Real‑world case in Luxembourg/EU
A Luxembourg fiduciary (NIS 2 important entity) faced 2026 “IT” calls targeting Entra accounts. No confirmed theft, but MFA enrollment attempts appeared in logs. Within 6 weeks we: (1) enforced FIDO2 for Entra/Okta admins and Salesforce export holders; (2) disabled OTP/push on those profiles; (3) deployed SIEM rules on <company>sso[.]com/PowerShell/ToogleBox and residential proxies; (4) prepared a 24 h SERIMA template with IOC section. Outcome: a later attempt triggered a correlated alert “new factor + residential proxy + abnormal Salesforce queries”, account locked in 11 minutes, no exfiltration, no GDPR notification, and no NIS 2 threshold met.
First concrete steps
- Block this week OTP/push for all privileged accounts (IdP, Salesforce, M365, VPN) and mandate FIDO2/WebAuthn. Pilot and user‑test.
- Load Mandiant IOCs into SIEM/SOAR: domain patterns (<company>sso[.]com, <company>internal[.]com, <company>okta[.]com), ToogleBox Recall add‑on detection, PowerShell UA on SharePoint/OneDrive, deletion of “Security method enrolled” emails, residential proxy IPs. Source: BleepingComputer (Mandiant).
- Enable FIDO2 re‑auth before mass exports in Salesforce/M365 and govern Connected Apps (OAuth): mandatory approval and minimal scopes.
- Prepare the “notification” pack: map your significant incident criteria (NIS 2), GDPR breach workflows, and configure 24 h / 72 h / 1‑month SERIMA templates. Refer to ILR: incident notification. For local readiness, also see the NIS 2 framework in Luxembourg.
- Train against vishing: any “IT call” script must be verified via a separate channel. Forbid dictating/entering MFA codes on a call. Measure via simulations. For programs and simulations, visit our cyber awareness services.
Official sources
- News and IOCs: BleepingComputer — Mandiant details how ShinyHunters abuse SSO (31/01/2026); Google Cloud/Mandiant — Expansion of ShinyHunters‑branded SaaS data theft (02/2026); ITPro — Google warning on vishing campaigns (04/02/2026).
- Regulatory texts: EUR‑Lex — GDPR, Article 32; EUR‑Lex — Directive (EU) 2022/2555 (NIS 2); ILR Luxembourg — NIS 2 incident notification (24 h / 72 h / 1 month); European Commission — NIS 2 in Luxembourg.
Executive takeaway: “Here is what happened: weaponized vishing bypassed legacy MFA and enabled SaaS data theft. Here is how to prevent it: mandate FIDO2/WebAuthn for critical access, hunt the published IOCs, and be ready to notify within 24 h if NIS 2 thresholds are met.”
A question on this topic?
Our team usually replies within one business day. Configure your quote or write to us.
Build my quote →