Guidance from the Frontlines: Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
ID: 53e76d2c-8b72-57e8-bcfb-1257700a4eb3
STIX ID: report--53e76d2c-8b72-57e8-bcfb-1257700a4eb3
Feed Name: Threat Intelligence
Mandiant details an expansion of ShinyHunters-branded extortion activity that uses evolved vishing and credential-harvesting techniques to socially engineer SSO/MFA enrollment and gain persistent access to cloud SaaS environments. The advisory stresses that these are social-engineering compromises, not product vulnerabilities. It provides immediate containment steps (revoke sessions, pause MFA registration, restrict password resets), hardening guidance (strong help-desk verification, phishing-resistant MFA, device and programmatic identity controls), and platform-specific mitigations for Okta, Microsoft Entra ID, Google Workspace, GCP, AWS, Azure, source code management, and more.
