Welcome to BlackFile: Inside a Vishing Extortion Operation

**Google Threat Intelligence Group (GTIG)** reports that UNC6671, operating under the “**BlackFile**” brand, runs an active extortion campaign using voice phishing (vishing) and adversary-in-the-middle (AiTM) SSO compromises to bypass MFA, target Microsoft 365 and Okta environments, programmatically exfiltrate sensitive corporate data, and pressure victims via a dedicated data leak site; the group has targeted dozens of organizations across North America, Australia, and the UK, and GTIG emphasizes moving toward phishing-resistant MFA and other identity-centric defenses.