Welcome to BlackFile: Inside a Vishing Extortion Operation
ID: 5eabfeff-6450-5834-ac6d-489c82de3b34
STIX ID: report--5eabfeff-6450-5834-ac6d-489c82de3b34
Feed Name: Threat Intelligence
UNC6671 (aka BlackFile) runs a large-scale extortion campaign that uses voice phishing (vishing) and adversary-in-the-middle (AiTM) techniques to bypass MFA and compromise SSO accounts (Microsoft 365 and Okta). The actors then programmatically exfiltrate sensitive data (SharePoint, OneDrive, Zendesk, Salesforce) using scripts and stolen session cookies. GTIG documents the group's credential-harvesting domains and its tactics for device registration persistence, and recommends phishing-resistant MFA and telemetry-focused detections.
