Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation

ID: 83b748d8-53f0-50eb-9286-d594ca89802a

STIX ID: report--83b748d8-53f0-50eb-9286-d594ca89802a

Feed Name: ReliaQuest Blog

Threat Score: 75/100

Date Published: 2026-02-26

Date Updated: 2026-04-29

This report describes how the financially motivated group ShinyHunters is shifting to branded subdomain impersonation, combined with phone-guided, mobile-first AiTM phishing and outsourced vishing, to steal SSO sessions and rapidly compromise SaaS (email, CRM, HR) without malware. It highlights the reuse of breached CRM/ERP datasets to craft credible pretexts and lists example malicious domains. It recommends phishing-resistant MFA, hardened help-desk and MFA re-enrollment workflows, identity/session telemetry, conditional access, and rapid session containment.