A Defensive Guide to Countering BlackFile Vishing and AiTM Extortion Campaigns

2026-05-17 10:25:57

Introduction

Cybercriminals are increasingly using sophisticated social engineering to bypass multi‑factor authentication (MFA) and extort organizations. The BlackFile brand, operated by the threat actor UNC6671, combines voice phishing (vishing), single sign‑on (SSO) compromise, and adversary‑in‑the‑middle (AiTM) techniques to gain deep access to cloud environments. This guide breaks down the steps your organization can take—from immediate hardening to ongoing monitoring—to defend against these identity‑centric attacks.

Source: www.mandiant.com

Step‑by‑Step Defensive Measures

Step 1: Deploy Phishing‑Resistant MFA Everywhere

Traditional MFA is vulnerable to AiTM attacks because users enter credentials and tokens on fake portals that relay them in real time. Replace any SMS, voice, or OTP‑based MFA with phishing‑resistant methods. For Microsoft 365 and Okta, use FIDO2 security keys or Windows Hello for Business. These enforce origin‑bound proof of possession, preventing relay by an attacker’s proxy. Make this mandatory for all privileged accounts—especially IT, finance, and executive roles.
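To make the "origin-bound proof of possession" point concrete, here is an added illustration (not code from the original article or from any vendor) of the two relying-party checks that defeat a relay: the `origin` recorded by the browser inside clientDataJSON must equal the IdP's real origin, and the first 32 bytes of authenticatorData must equal SHA-256 of the relying-party ID. Signature verification is left out; the domains, challenge and the `example-phish.test` proxy host are constructed placeholders, and a production deployment uses a full WebAuthn library rather than this model.

```python
"""Why origin-bound FIDO2/WebAuthn defeats an AiTM relay (added illustration).

Models two WebAuthn verification steps on the relying-party (RP) side:
the origin comparison on clientDataJSON and the rpIdHash comparison on
authenticatorData. Signature verification is omitted; it would bind both
fields to the credential's key, so a proxy cannot rewrite them either.
All domains below are constructed placeholders.
"""
import hashlib
import json
from typing import Tuple

# Assumption: the organisation's real identity-provider origin.
RP_ID = "login.example-corp.test"
EXPECTED_ORIGIN = "https://login.example-corp.test"


def build_client_data(origin: str, challenge: str) -> bytes:
    """Model what the browser signs: it fills in the origin the user is actually on."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()


def build_authenticator_data(rp_id: str) -> bytes:
    """Model the authenticator output: first 32 bytes are SHA-256(rpId),
    followed by a flags byte (user present) and a 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")


def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: str) -> Tuple[bool, str]:
    """RP side: reject unless ceremony type, challenge, origin and rpIdHash all match."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def legitimate_login(challenge: str = "c0ffee") -> Tuple[bool, str]:
    """User is on the real IdP page; the browser records the real origin."""
    return verify_assertion(build_client_data(EXPECTED_ORIGIN, challenge),
                            build_authenticator_data(RP_ID), challenge)


def relayed_login(challenge: str = "c0ffee") -> Tuple[bool, str]:
    """User is on a proxy page (constructed domain) that relays the real challenge.

    The browser writes the *proxy* origin into clientDataJSON, and because the
    proxy's registrable domain is not a suffix match for the real RP ID the
    browser refuses to use that RP ID at all; the proxy can only obtain an
    assertion scoped to its own domain, which the real RP rejects.
    """
    proxy_origin = "https://passkey-enrollment.example-phish.test"
    proxy_rp_id = "example-phish.test"
    return verify_assertion(build_client_data(proxy_origin, challenge),
                            build_authenticator_data(proxy_rp_id), challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed   :", relayed_login())
```

Contrast this with an OTP: the six digits carry no information about where they were typed, so a proxy can forward them unchanged. With WebAuthn the "where" is part of the signed data.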

Step 2: Fortify User Awareness with Simulated Vishing Tests

UNC6671’s callers often target personal cell phones to bypass corporate phone security tools and use an IT deployment pretext—claiming a mandatory passkey migration or MFA update. Educate users to never trust unsolicited calls that request credentials or ask them to visit a URL. Run quarterly vishing simulations that mimic these exact scenarios. Emphasize that legitimate IT will never ask them to enter credentials outside the company’s official login page.

Step 3: Implement Detection for AiTM Proxies

AiTM tools intercept credentials and session cookies. Monitor authentication logs for unusual IP geolocation jumps or repeated successful logins from several different devices within a short time span. Also watch for traffic to domains that contain subdomains like “passkey” or “enrollment”—UNC6671 frequently registers subdomains at Tucows using these themes. Deploy network detection rules that flag direct connections to credential‑harvesting proxies, and raise their priority when they coincide with user reports of unsolicited IT calls.

Step 4: Harden SSO and Identity Providers

Attackers who compromise Okta or Azure AD via vishing can move laterally. Audit all SSO applications for excessive permissions. Enable Conditional Access policies that require device compliance and trusted IP ranges and that enforce a sign‑in frequency limit. Disable legacy authentication protocols (IMAP, POP, SMTP AUTH) unless strictly needed. Regularly review Okta and Microsoft 365 for unexpected API integrations or new service principals—the group uses Python and PowerShell to automate data theft.

Step 5: Monitor and Restrict Scripting Activities

After gaining access, UNC6671 exfiltrates data using Python and PowerShell scripts. Log all script execution via Windows Event IDs 4104 and 4103 (PowerShell) and audit Python execution on servers. Create allow‑lists for approved scripts, and use Application Control or AppLocker to block unapproved ones. Set alerts for large‑scale file enumeration or mailbox traversal using Graph API. In Microsoft 365, enable Unified Audit Logging and review Exchange Online logs for bulk export operations.
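As an added example (not from the original article), the following triages constructed Event ID 4104 records: each ScriptBlockText is hashed after whitespace normalisation and compared against an allow-list of approved scripts, and Graph API calls that walk user mailboxes or drives are counted per user so that bulk traversal stands out. The approved scripts, the 4104 records, the Graph endpoint pattern and the target threshold are all assumptions; a real pipeline would read the events from the Windows Event Log or a SIEM rather than from an inline list.

```python
"""Allow-listing PowerShell script blocks (Event ID 4104) and flagging Graph
mailbox traversal (added example).

Records are constructed dicts already flattened from the event XML. The
allow-list is keyed by SHA-256 of the normalised script text, so an approved
script that is edited drops out of the allow-list. Patterns and thresholds
are assumptions.
"""
import hashlib
import re
from typing import Dict, List


def normalise(script: str) -> str:
    """Collapse whitespace and case so cosmetic edits do not change the hash."""
    return re.sub(r"\s+", " ", script).strip().lower()


def script_hash(script: str) -> str:
    return hashlib.sha256(normalise(script).encode()).hexdigest()


# Approved scripts (constructed): a service inventory and a log-rotation job.
APPROVED_SCRIPTS = [
    "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\ops\\services.csv",
    "Get-ChildItem C:\\logs -Filter *.log | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item",
]
ALLOW_LIST = {script_hash(s) for s in APPROVED_SCRIPTS}

# Graph endpoints that enumerate a user's mail or drive (assumption: extend for your tenant).
GRAPH_TRAVERSAL = re.compile(
    r"graph\.microsoft\.com/v1\.0/(users/[^/\s]+|me)/(messages|mailFolders|drive)", re.I)

MAILBOX_THRESHOLD = 3  # assumption: distinct mailbox/drive targets per user before alerting

# Constructed 4104 records (plus one 4103 record to show it is ignored here).
SAMPLE_4104 = [
    {"EventID": 4104, "User": "CORP\\svc-inventory", "ScriptBlockText": APPROVED_SCRIPTS[0]},
    {"EventID": 4104, "User": "CORP\\svc-logrot", "ScriptBlockText": APPROVED_SCRIPTS[1] + "  "},
    {"EventID": 4104, "User": "CORP\\j.doe",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users/a@corp.test/messages' -Headers $h"},
    {"EventID": 4104, "User": "CORP\\j.doe",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users/b@corp.test/messages' -Headers $h"},
    {"EventID": 4104, "User": "CORP\\j.doe",
     "ScriptBlockText": "Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/users/c@corp.test/mailFolders' -Headers $h"},
    {"EventID": 4103, "User": "CORP\\j.doe", "ScriptBlockText": "Write-Host hello"},
]


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Return {'unapproved': [...], 'traversal': [...]} findings for 4104 records."""
    unapproved = []
    targets_per_user: Dict[str, set] = {}
    for e in events:
        if e["EventID"] != 4104:
            continue
        text = e["ScriptBlockText"]
        if script_hash(text) not in ALLOW_LIST:
            unapproved.append(f"{e['User']}: {text[:60]}")
        for m in GRAPH_TRAVERSAL.finditer(text):
            targets_per_user.setdefault(e["User"], set()).add(m.group(1))
    traversal = [f"{u}: {len(t)} Graph mail/drive targets"
                 for u, t in targets_per_user.items() if len(t) >= MAILBOX_THRESHOLD]
    return {"unapproved": unapproved, "traversal": traversal}


if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_4104).items():
        print(kind, findings)
```

Hash-based allow-listing is a detection aid, not a substitute for AppLocker or Application Control, which block the script before it runs; the value here is that a script block log line from an unapproved script and a spike in distinct mailbox targets arrive as two independent signals for the same user.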

Step 6: Build and Practice an Incident Response Playbook for Vishing

Prepare a dedicated playbook that covers:

Practice this playbook every six months with tabletop exercises that mimic UNC6671’s tactics—including the use of TOX chat channels and the threat actor’s co‑opting of the ShinyHunters brand.

Step 7: Audit Third‑Party Services and Domain Registrations

UNC6671 registers malicious domains through Tucows and uses sub‑domain‑based architectures. Regularly check for domains that resemble your brand but include terms like “passkey” or “enrollment”. Use a domain monitoring service. Also, review all third‑party vendors that have SSO access to your environment—attackers may compromise a partner first. Finally, since the group operates a dedicated data leak site (DLS), subscribe to intelligence feeds that track BlackFile leaks so you can detect if your data is threatened.
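An added example (not from the original article) of screening a hostname feed for the pattern this step and Step 3 describe: the brand name combined with passkey- or enrollment-themed labels, in any position in the hostname. The brand, the term list, the constructed feed, the digit-for-letter substitutions and the two-label registrable-domain heuristic are all assumptions; a production check would use a public-suffix library and a certificate-transparency or newly-registered-domain feed.

```python
"""Lookalike-domain screening for brand + enrollment-themed labels (added example).

The feed below is constructed. BRAND, THEME_TERMS, OWN_DOMAINS and the
two-label registrable() heuristic are assumptions.
"""
import re
from typing import Dict, List

BRAND = "examplecorp"                                                     # assumption
THEME_TERMS = ("passkey", "enrollment", "enrolment", "mfa", "sso", "okta")  # assumption
OWN_DOMAINS = {"examplecorp.test"}                                        # assumption

# Constructed feed: hostnames observed in CT logs / an NRD feed on one day.
SAMPLE_FEED = [
    "login.examplecorp.test",        # our own IdP host, expected
    "passkey.examplecorp-sso.test",  # theme subdomain, brand in the registrable domain
    "enrollment.example-corp.net",   # hyphenated brand, theme subdomain
    "mfa-update.examplec0rp.com",    # digit-for-letter substitution
    "passkey.unrelated-startup.io",  # theme only, no brand
    "news.examplecorp.co",           # brand only, no theme
]


def _labels(host: str) -> List[str]:
    return host.lower().rstrip(".").split(".")


def registrable(host: str) -> str:
    """Two-label heuristic (assumption); use a public-suffix lookup in production."""
    return ".".join(_labels(host)[-2:])


def _squash(label: str) -> str:
    """Drop separators and undo common digit-for-letter swaps so 'example-corp'
    and 'examplec0rp' both compare equal to the brand."""
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
    return re.sub(r"[-_]", "", label).translate(swaps)


def score_host(host: str) -> Dict[str, object]:
    """Report which indicators the host trips; brand and theme together on a
    domain we do not own is the pattern worth a takedown request."""
    labels = _labels(host)
    brand_hit = any(BRAND in _squash(label) for label in labels)
    theme_hit = any(term in label for label in labels for term in THEME_TERMS)
    own = registrable(host) in OWN_DOMAINS
    return {"host": host, "brand": brand_hit, "theme": theme_hit, "own": own,
            "suspicious": brand_hit and theme_hit and not own}


def screen(feed: List[str]) -> List[str]:
    """Return only the hostnames that match the brand + theme pattern."""
    return [r["host"] for r in map(score_host, feed) if r["suspicious"]]


if __name__ == "__main__":
    for host in screen(SAMPLE_FEED):
        print("suspicious:", host)
```

Hosts that trip only one indicator (`brand` without `theme`, or the reverse) are returned by `score_host` but not by `screen`, which keeps the output short enough to review daily; widen it to `brand_hit or theme_hit` if the monitoring service's volume allows.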

Tips & Final Thoughts

By following these steps, you can significantly reduce the risk of falling victim to the BlackFile extortion campaign and similar identity‑driven threats.
