Intelligence
Severity: Critical. Status: Campaign active.

UNC6671's BlackFile Campaign: Vishing and AiTM as a Vector to Cloud Extortion at Scale

UNC6671 operates BlackFile, an extortion campaign that combines targeted vishing with adversary-in-the-middle (AiTM) phishing infrastructure to defeat MFA, compromise Microsoft 365 and Okta environments, and exfiltrate corporate data for extortion. The attack chain circumvents traditional perimeter defences by targeting the human side of authentication rather than technical infrastructure.

Author: Sebastion

Affected: Microsoft 365, Okta, cloud environments

UNC6671's BlackFile operation represents a maturation of extortion tactics that weaponise social engineering at scale. Rather than exploiting code vulnerabilities, the group targets the weakest component in the security architecture: human decision-making under pressure. The vishing call supplies the pretext that walks the victim to an attacker-controlled sign-in page, while the AiTM proxy behind that page relays the victim's credentials and MFA response to the genuine identity provider in real time and captures the session cookie the provider issues. Because the attacker controls both sides of the authentication flow, the one-time code or push approval is consumed by the legitimate login the attacker is relaying, and MFA is effectively moot.

The technical execution is competent and purposeful. Once credentials and session tokens are obtained, the group deploys Python and PowerShell scripts to enumerate and exfiltrate high-value data from cloud storage and collaboration platforms programmatically. This automation lets the campaign work through many compromised tenants efficiently, scaling the extortion model across dozens or hundreds of targets. The targeting of Microsoft 365 and Okta reflects rational threat-actor economics: these platforms are ubiquitous, hold sensitive corporate data, and often lack the detection maturity of traditional on-premises environments.

Organisations relying on MFA alone have a critical blind spot. A session token captured by the AiTM proxy is replayed from the attacker's own infrastructure without triggering another MFA prompt, so the control assumed to protect the authentication boundary never fires again after the victim's single relayed sign-in. Defenders must recognise that the vishing phase is reconnaissance and social engineering combined, not merely credential theft: during initial contact the attacker extracts organisational structure, role information, security posture, and which employees can be pressured, then times the technical compromise to maximise the likelihood of success.
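As an added example (not content from the advisory, and not tooling attributed to UNC6671), the Python model below plays the relayed login out end to end: an identity provider that accepts password plus TOTP or password plus a WebAuthn-style assertion, a victim browser that types whatever the page asks for, and a proxy on a lookalike domain. The two origins, the single constructed user credential, and the HMAC used in place of an authenticator's private-key signature are all assumptions of the model. It shows the captured TOTP session being usable from the attacker's side and the FIDO2 assertion being refused, because the browser signs the origin it is actually on and the provider checks it.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Assumed origins for the model; neither is a real host.
REAL_ORIGIN = "https://login.idp.example"           # the genuine identity provider
PROXY_ORIGIN = "https://login.idp-verify.example"   # attacker's lookalike domain running the proxy

def totp_code(secret, now):
    """RFC 6238 TOTP: six digits over a 30-second step, HMAC-SHA1 as in RFC 4226."""
    digest = hmac.new(secret, struct.pack(">Q", now // 30), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def sign_client_data(key, client_data):
    # Stand-in for the authenticator's private-key signature over clientDataJSON. A real FIDO2
    # authenticator signs with an asymmetric key; HMAC just keeps this example dependency-free.
    return hmac.new(key, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).digest()

class IdentityProvider:
    """Minimal IdP: password + TOTP or password + WebAuthn-style assertion, then a session token."""

    def __init__(self, origin):
        self.origin = origin
        self.password = "CorrectHorse"                    # constructed user credential
        self.totp_secret = secrets.token_bytes(20)
        self.authenticator_key = secrets.token_bytes(32)  # key registered at FIDO2 enrolment
        self.sessions = set()

    def _issue_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_totp(self, password, code, now):
        if password != self.password or not hmac.compare_digest(code, totp_code(self.totp_secret, now)):
            return None
        return self._issue_session()

    def login_webauthn(self, password, client_data, signature):
        if password != self.password:
            return None
        if not hmac.compare_digest(sign_client_data(self.authenticator_key, client_data), signature):
            return None
        if client_data["origin"] != self.origin:
            return None  # origin binding: the assertion was produced for a page that is not this IdP
        return self._issue_session()

    def api_call(self, token):
        # Later Graph-style API calls check only the session token; MFA is never re-evaluated.
        return token in self.sessions

class VictimBrowser:
    """The user types whatever the page asks for; the browser fills in the origin it is really on."""

    def __init__(self, idp):
        self.password, self.totp_secret = idp.password, idp.totp_secret
        self.authenticator_key = idp.authenticator_key

    def totp(self, now):
        return totp_code(self.totp_secret, now)

    def assertion(self, page_origin, challenge):
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        return client_data, sign_client_data(self.authenticator_key, client_data)

class AitmProxy:
    """Reverse proxy on the lookalike domain: relays each step to the real IdP and keeps the token."""

    def __init__(self, idp):
        self.idp = idp

    def relay_totp(self, victim, now):
        # Password and one-time code typed into the proxy page are forwarded inside the same 30 s window.
        return self.idp.login_totp(victim.password, victim.totp(now), now)

    def relay_webauthn(self, victim):
        client_data, sig = victim.assertion(PROXY_ORIGIN, secrets.token_hex(16))  # browser is on the proxy
        return self.idp.login_webauthn(victim.password, client_data, sig)

def run_scenarios(now):
    idp = IdentityProvider(REAL_ORIGIN)
    victim, proxy = VictimBrowser(idp), AitmProxy(idp)
    totp_token = proxy.relay_totp(victim, now)
    legit_data, legit_sig = victim.assertion(REAL_ORIGIN, secrets.token_hex(16))
    return {
        # Captured cookie works from the attacker's machine: OTP/push MFA is bypassed.
        "totp_session_replayable": bool(totp_token) and idp.api_call(totp_token),
        # Same user and authenticator, but the assertion names the proxy's origin: refused.
        "fido2_session_obtained": proxy.relay_webauthn(victim) is not None,
        # Control: the genuine sign-in page still works.
        "fido2_legitimate_login": idp.login_webauthn(victim.password, legit_data, legit_sig) is not None,
    }
```

In a real deployment the browser additionally refuses to exercise a credential for an rpId that does not match the page's origin, so the proxy never receives an assertion at all; the model keeps only the relying-party-side check so that the failure is visible in one place. Call `run_scenarios(int(time.time()))` to see the three outcomes.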

Immediate defensive actions should include deployment of phishing-resistant MFA (FIDO2/WebAuthn security keys, passkeys, or Windows Hello for Business), whose assertions are bound to the origin of the legitimate sign-in page and therefore cannot be relayed by a proxy on a lookalike domain; Conditional Access policies that require that authentication strength together with a compliant or joined device, which the proxy cannot present, and the equivalent device-trust policies in Okta; and monitoring for bursts of programmatic cloud API and file-download activity (scripted user agents, unfamiliar source addresses, download volumes far above the user's baseline) that correlate with automated exfiltration. Security awareness training must specifically address vishing scenarios that reference legitimate business functions, such as help-desk password resets or MFA re-enrolment, rather than generic phishing awareness.
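To make the monitoring recommendation concrete, the following Python is an added example, not part of the advisory and not a detection taken from any product. It runs a sliding-window bulk-download detector over constructed records in the shape of Microsoft 365 Unified Audit Log entries: the field names follow the schema, while the users, addresses, paths, the 25-downloads-in-10-minutes threshold and the per-user source-IP baseline are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%S"
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}   # SharePoint/OneDrive collection operations
SCRIPTED_UA_MARKERS = ("python-requests", "python-urllib", "powershell", "curl/", "go-http-client")


def _record(ts, user, operation, ip, user_agent, object_id):
    # Field names follow the Unified Audit Log schema; every value is constructed for this example.
    return {"CreationTime": ts.strftime(TIME_FMT), "UserId": user, "Operation": operation,
            "Workload": "SharePoint", "ClientIP": ip, "UserAgent": user_agent, "ObjectId": object_id}


def build_sample_log():
    log = []
    # Compromised account: 40 downloads six seconds apart at 02:15, scripted client, never-seen IP.
    start = datetime(2025, 3, 4, 2, 15, 0)
    for i in range(40):
        log.append(_record(start + timedelta(seconds=6 * i), "finance.lead@contoso.example",
                           "FileDownloaded", "198.51.100.23", "python-requests/2.31.0",
                           f"https://contoso.example/sites/Finance/Shared Documents/q4-{i:02d}.xlsx"))
    # Ordinary user: five downloads spread over the working day from a known office address.
    start = datetime(2025, 3, 4, 9, 0, 0)
    for i in range(5):
        log.append(_record(start + timedelta(hours=i), "pat@contoso.example", "FileDownloaded",
                           "203.0.113.8", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0",
                           f"https://contoso.example/sites/Ops/Shared Documents/runbook-{i}.docx"))
    # Non-download noise for the compromised account; the detector ignores it.
    log.append(_record(datetime(2025, 3, 4, 2, 14, 50), "finance.lead@contoso.example",
                       "MailItemsAccessed", "198.51.100.23", "python-requests/2.31.0", "Inbox"))
    return log


# Assumed 30-day baseline of source addresses per user (in practice derived from earlier sign-in logs).
KNOWN_IPS = {"finance.lead@contoso.example": {"203.0.113.8"}, "pat@contoso.example": {"203.0.113.8"}}


def detect_bulk_download(records, known_ips, window_minutes=10, threshold=25):
    """Flag users whose download count inside a sliding window reaches `threshold`; one alert per user."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for rec in records:
        if rec["Operation"] in DOWNLOAD_OPS:
            by_user[rec["UserId"]].append(rec)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["CreationTime"])          # ISO timestamps sort lexicographically
        times = [datetime.strptime(r["CreationTime"], TIME_FMT) for r in events]
        start = 0
        for end in range(len(events)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold crossed: extend forward while activity stays continuous, then report the whole burst.
            last = end
            while last + 1 < len(events) and times[last + 1] - times[last] <= window:
                last += 1
            burst = events[start:last + 1]
            reasons = [f"{len(burst)} downloads in one burst ({threshold}+ inside {window_minutes} min)"]
            if any(m in e["UserAgent"].lower() for e in burst for m in SCRIPTED_UA_MARKERS):
                reasons.append("scripted user agent")
            new_ips = {e["ClientIP"] for e in burst} - known_ips.get(user, set())
            if new_ips:
                reasons.append("unfamiliar source IP " + ", ".join(sorted(new_ips)))
            alerts.append({"user": user, "first": burst[0]["CreationTime"], "last": burst[-1]["CreationTime"],
                           "files": len({e["ObjectId"] for e in burst}), "reasons": reasons,
                           "severity": "high" if len(reasons) >= 3 else "medium"})
            break
    return alerts
```

Tune the threshold against the tenant's own normal download rates and feed the IP baseline from sign-in logs. An alert carrying all three reasons (volume, scripted client, unfamiliar source) is the pattern the scripts described above produce; the matching containment is to revoke the user's sessions and refresh tokens, since a password reset alone leaves a captured token valid.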

Broadly, this campaign signals that cloud extortion will intensify as adversaries recognise the concentration of valuable corporate data in SaaS platforms and the relative immaturity of detection and response capabilities in those environments. Organisations should assume that adversaries already hold valid credentials and session tokens for their cloud environments and design detection and containment around that assumption rather than around prevention alone. The economics of extortion favour attackers over defenders once scale is achieved.
