Back to blog

BlackFile Vishing Attack: MFA Bypass, Detection, Simulation

Case Study

Case Study

Written by

Brightside Team

Published on

The call comes to a personal cell phone, not a desk line. The voice on the other end is calm, knows the company, and has a reason to be calling: IT is rolling out passkeys, the migration is mandatory, and it needs two minutes. The employee is walked to a login page that looks exactly like the one they use every day. They type their password. A multi-factor prompt arrives on their phone, right on cue, because they were told to expect it. They approve it.

The control those attackers impersonated is the control that would have stopped them. Passkeys defeat this attack. A fake passkey rollout delivered it.

This is how Google Threat Intelligence Group (GTIG) describes the opening move of UNC6671, the extortion crew operating as "BlackFile". No malware was installed. No vulnerability was exploited. GTIG says so directly: these compromises "are not the result of a security vulnerability in vendor products or infrastructure." Microsoft and Okta did exactly what they were built to do. What followed, in one documented case, was the theft of more than a million individual files, most of it recorded in the audit log as ordinary, unremarkable activity.

Who BlackFile actually is

Four names describe one cluster, which is worth untangling before anything else, because two of them are routinely confused.

Vendor

Designation

Google Threat Intelligence Group

UNC6671

CrowdStrike

CORDIAL SPIDER

Palo Alto Networks Unit 42

CL-CRI-1116

Community

O-UNC-045

"BlackFile" is the brand the operators chose for themselves and for their data leak site. GTIG assesses the group has targeted dozens of organizations across North America, Australia, and the UK. BleepingComputer adds the sector detail that GTIG's geographic framing leaves out, with retail and hospitality among the hardest hit.

Two corrections matter. First, UNC6671 is not ShinyHunters. The group co-opted that name at least once to borrow credibility it had not earned, but GTIG assesses the operations are independent, pointing to separate Tox channels, distinct domain registration patterns, and the dedicated BlackFile leak site. Second, the group is older than the GTIG report alone suggests: CrowdStrike's adversary profile states that Cordial Spider "has performed data theft and extortion since at least October 2025," months before the activity GTIG describes as emerging in early 2026.

Unit 42, which tracks the cluster as CL-CRI-1116, assesses with moderate confidence a connection to The Com, the loose network of primarily English-speaking young cybercriminals associated with extortion, harassment, and violence-for-hire. That is a judgment, not a finding, and should be read as one. The tradecraft is not in dispute.

How the vishing call bypassed MFA in real time

The intrusion happens during the call, live, while the caller keeps the victim talking.

Callers reach employees on personal mobile numbers, which does two things at once: it steps around corporate security tooling, and it pulls the conversation away from the support channels where someone might check. They pose as internal IT or help desk staff. The stated reason is almost always a mandatory passkey migration or a required MFA update.

That pretext is doing more work than it appears. It explains why the employee is being sent to an unfamiliar login page, it explains why they will be asked to approve prompts, and it pre-authorizes any alarm the compromise sets off, because a person told to expect security notices during a migration will not treat one as a warning. GTIG notes the pretext "provides a logical cover for any subsequent security alerts generated during the compromise."

The credential-harvesting sites are subdomains built to match the story, registered through Tucows and named to sound like what they impersonate:

  • <organization>.enrollms[.]com

  • <organization>.passkeyms[.]com

  • <organization>.setupsso[.]com

From there the adversary-in-the-middle sequence runs on a human clock:

  1. The victim lands on a lookalike page mirroring their organization's SSO portal.

  2. As they type their username and password, the attacker captures both and immediately submits them to the real identity provider.

  3. The real provider issues a genuine MFA challenge. The victim, believing they are completing the setup step they were just called about, supplies the code or approves the push.

  4. The attacker, now authenticated, goes straight to the account's security settings and registers their own MFA device.

Step four is the one that matters. The session the attacker stole would eventually expire. The MFA device they enrolled does not. By the time the call ends, the caller has become a legitimate, persistent, fully authenticated user.

Notice which factors failed. Push approvals, SMS codes, and TOTP all fell, for the same reason: each is a secret or an approval a person can be talked into handing over, and none of them cares what website that person is looking at. This is the same pattern by which vishing attacks bypass Okta MFA generally, and it is not specific to one identity provider. FIDO2 security keys and passkeys do not fail this way. The credential is cryptographically bound to the real site's origin, so a lookalike domain cannot satisfy the challenge. The employee's judgment stops being the deciding factor, because the cryptography refuses the fake domain no matter what the employee has been persuaded to believe.

The log line nobody watches

Once inside, UNC6671 stops behaving like a person.

The interactive phase is short: some browsing, some reconnaissance, and pointed searches through the victim's own SaaS search functions for the literal strings "confidential" and "SSN." They used the company's own search index as a targeting system.

Then the scripts start. GTIG observed exfiltration through Microsoft Graph, PowerShell, and the Python requests library, issuing direct HTTP GET requests against document URLs. The attacker replays valid session cookies captured during the vishing call, such as FedAuth, to stream file contents straight to their own infrastructure.

This is where the detection problem begins. A direct fetch of a document URL is not a download in SharePoint's eyes. It looks like a web client requesting a resource, so SharePoint records it as a FileAccessed event rather than FileDownloaded. Many security operations centers alert on FileDownloaded and treat FileAccessed as background noise, because in a normal week that is exactly what it is. GTIG's guidance is blunt: treat FileAccessed with the same criticality as FileDownloaded when the user agent identifies a scripting library or a command-line tool.

The user agent is the tell, and it is almost embarrassingly catchable. The actor spoofs the ClientAppId for Microsoft Office to slip past basic conditional access filters, but the recorded UserAgent string gives them up:





Microsoft Office does not identify itself as python-requests/2.28.1. An application claiming to be Office while its user agent reads WindowsPowerShell/5.1 is not Office. That single mismatch, correlated with an unmanaged device and a commercial VPN exit node, describes the entire intrusion.

The volume is its own signal. In one case GTIG documents, the actor's Python script accessed and downloaded over a million individual files from a single victim's SharePoint and OneDrive. In another, they iterated through tens of thousands of file interactions. No human browses like that. Any threshold tuned to plausible human behavior would have fired.

None of this is a SharePoint vulnerability, and it is not new. Researchers at Varonis published work on sidestepping SharePoint's exfiltration logging roughly two years before this campaign, documenting different techniques with the same outcome: files leaving an environment without generating the event most defenders watch for. Varonis described "Open in App" links and a spoofed sync user agent. UNC6671 used cookie replay and direct fetches. Different method, same blind spot, now exercised at scale by a real actor with a leak site.

The extortion is a business, and a sloppy one

The first ransom note gives nothing away. It arrives from a pseudorandom Gmail address, carries no branding, sets a 72-hour deadline, and directs the victim to an encrypted channel, originally Tox and later Session. Only once the victim engages do the operators name themselves as BlackFile. Opening demands run into the millions of dollars, though GTIG notes they often settle toward the low six figures when a victim actually engages.

The follow-up emails are where the operation shows its seams. The initial notes are clean. The second-round messages are not, carrying misspellings like "proteciton," "evidense," and "negotate" alongside a salutation of "Dearest executive." The front end is templated. The negotiation is a person improvising under pressure, and not a careful one.

Pressure escalates when victims stay silent. GTIG documented mailbox flooding from dozens of throwaway Gmail accounts, threatening voicemails left for C-suite executives, and, in severe cases, swatting directed at company personnel. Unit 42 corroborates the swatting independently. Since at least March 2026, the notes have arrived from hijacked internal corporate email and Microsoft Teams accounts, defeating both spam filtering and the instinctive distrust an employee reserves for messages from outside.

One detail cuts against the usual pattern. BlackFile never advertised its leak site or tried to index it for search engines, and posted only limited file samples and directory listings. GTIG never observed the group publish a victim's data in full. The leak site was leverage in a negotiation, not a megaphone.

That restraint makes the ending easy to misread. The site went dark in late April 2026, briefly returned on May 11 to announce that "BlackFile is shutting down… under this name," and disappeared again. The qualifier is the important part. GTIG assesses a transition rather than an ending, which matches how extortion brands behave after scrutiny: the name is retired, the infrastructure is rebuilt, and the operation resumes under something new.

The endpoint never mattered

Compare this to Silent Ransom Group, tracked by Mandiant as UNC3753, the other vishing-led data-theft crew of the same period. Silent Ransom Group talks an employee into a screen-sharing session, then into installing a remote monitoring tool like AnyDesk or Bomgar, then pivots through virtual desktop infrastructure to reach the file stores. Every one of those steps touches an endpoint. Every one of them is something an EDR agent could, in principle, see.

BlackFile never touches an endpoint. It authenticates, and then it is simply inside, using the same APIs the business itself uses, from infrastructure that looks like a VPN. Nothing was installed, so nothing was detected.

The lesson is structural rather than tactical. Controls anchored to devices, meaning endpoint agents, application allowlisting, and managed-device posture checks, did not participate in this breach. The controls that could have participated were anchored to identity and to what a session does after it authenticates. That is where the boundary of the enterprise now sits.

What actually breaks the chain

GTIG publishes eight recommendations. They are sound, but read as a checklist they obscure which ones do the heavy lifting. Ordered by where each control intercepts the attack:

Before the call lands. The decisive control is a person. Employees need one rule they know cold: internal IT will never cold-call and walk you through a login or an MFA enrollment on the spot, and any such request gets verified through a known internal channel first. A rule nobody has practiced under pressure is not a control, which is why training employees against AI voice scams looks nothing like a standard phishing module.

At credential submission. Credential guarding acts as a fail-safe. Password Alert in Google Workspace watches for corporate password hashes entered on unauthorized domains, and Microsoft Defender's credential protection and SmartScreen intercept submissions to known phishing and low-reputation sites. These fire after the human decision has already gone wrong, which is precisely their value.

At authentication. Phishing-resistant MFA breaks this attack outright. FIDO2 keys and passkeys do more here than shift the odds, because the relay cannot produce a valid assertion for a domain the credential was never bound to.

At persistence. Alert on identity provider logs for system.multifactor.factor.setup events immediately following failed or abandoned MFA challenges. A stumble followed by a new device enrollment is the signature of step four.

At exfiltration. Treat FileAccessed as seriously as FileDownloaded whenever the user agent names a scripting library or CLI tool. Alert on access volume exceeding what a human could plausibly generate, and correlate authentication from commercial VPNs and hosting providers against the user's normal geography.

None of that is complete without two admissions, because leaving them out would make the advice sound better than it is.

Passkeys close the door this campaign walked through. They do not close every door. Help desk account recovery remains the soft path, and social engineering crews have worked it for years by calling support instead of the employee. A passkey rollout is also, as this campaign demonstrates with some irony, an attack window of its own: a period when employees have been told to expect unfamiliar enrollment prompts, and when a caller claiming to run that migration sounds entirely plausible. Announce rollouts through channels employees already trust, and tell them in advance exactly how the real process will and will not contact them.

Indicators of compromise are close to useless here as a blocking mechanism, and GTIG says as much. Most identified IP addresses are commercial VPN exit nodes, and the phishing domains are registered, used, and abandoned within minutes. Treat the published indicators as intelligence about naming conventions, not as a blocklist that will protect anyone.

Key Takeaways

  • Callers impersonated a mandatory passkey migration, and passkeys are the one control that would have defeated the attack they were running.

  • Push notifications, SMS codes, and TOTP all fall to a live adversary-in-the-middle relay. FIDO2 and passkeys do not, because the credential is bound to the real site's origin.

  • The theft was logged as FileAccessed, not FileDownloaded, because the attacker replayed session cookies and fetched documents directly. Over a million files left one victim through that gap.

  • The catchable tell was a spoofed Microsoft Office application ID paired with a python-requests user agent on an unmanaged device.

  • The leak site shutting down "under this name" signals a rebrand, not an ending. The tradecraft outlives the brand.

Recommended Solutions for Vishing Attack Simulation

Every control above is downstream of one moment: an employee on a phone call, deciding whether the voice claiming to be IT is really IT. Nothing in a slide deck prepares someone for that. Initial access here was a live, adaptive conversation, so the only rehearsal that transfers is a live, adaptive conversation.

The platforms below all address voice-based social engineering to some degree, listed alphabetically. Public detail on live-call capability varies between vendors, and where it is unclear, that is noted rather than guessed at.

Arsen

Arsen is a Paris-based simulation platform covering phishing, smishing, and vishing, with messaging oriented toward executive protection and threat monitoring. Its simulation-first positioning and multi-channel coverage make it a credible fit for European buyers evaluating social engineering rehearsal specifically rather than a broad training suite.

Pros

  • Multi-channel coverage across email, SMS, and voice

  • Simulation-first product focus rather than a bolted-on training library

  • Strong positioning in the European market

Cons

  • Smaller content and course library than the enterprise suites

  • Public documentation of the vishing workflow is thinner than for the specialists below

Brightside

Brightside is a Swiss security awareness platform built around simulation realism, and its AI vishing simulator maps closely onto the BlackFile pretext. Calls are conducted by an AI agent that adapts in real time to a configured persona, goal, tactics, and tone, so an employee experiences the dynamics of an IT-impersonation call rather than reading a description of one.

The template builder is organized around the same elements the attacker used: an attack goal such as obtaining a password reset link while posing as IT support handling a security incident, explicit tactics including Pretexting, Authority Impersonation and Fear/Threat, and a caller persona. Voices come from eight presets across seven languages, or from a custom clone built out of a one to two minute recording for executive impersonation drills.

The capability that matters most for this campaign is Hybrid Attack mode, which pairs a live call with a phishing email containing a trackable link. That is the closest available analogue to BlackFile's call-then-credential-page sequence, and it tests whether employees connect the two events. Running phishing, smishing, and vishing simulations from one place is what makes that kind of multi-channel test workable at all. Admins can also run a call in the browser before launching it to anyone, so iterating on a pretext costs nothing.

One scope note, stated plainly. Brightside is a training and simulation platform. It does not detect or respond to a live breach, does not filter inbound email, and does not monitor employee behavior in real time. None of the audit log hunting described earlier is something Brightside does. It hardens the human layer this attack begins with, alongside the identity and detection controls, not in place of them.

Pros

  • Live AI calls that adapt in real time, rather than pre-recorded or template-only calls

  • Hybrid voice-plus-email campaigns run as one coordinated workflow

  • Explicit social engineering tactic builder with a recommended-strategy rationale

  • Preview a call in the browser before launching it

Cons

  • Narrower content and compliance breadth than the large human risk suites

  • Training and simulation only, with no detection or response capability

Hoxhunt

Hoxhunt is an enterprise human risk platform built around adaptive phishing, gamified learning, and remediation workflows that connect into the SOC. Its simulation realism is fed by threat intelligence, and its coverage extends past email into callback phishing and vishing scenarios.

Pros

  • Adaptive difficulty tuned to individual employee behavior

  • Threat-intelligence-informed simulation content

  • Mature integration with security operations workflows

Cons

  • Voice simulation is one capability inside a broad platform rather than a specialized workflow

  • Enterprise-oriented, which can mean a heavier deployment than a mid-market team wants

Keepnet Labs

Keepnet Labs offers a broad human risk management platform spanning awareness training, phishing, smishing, and a dedicated vishing simulator, with incident response and phishing reporting workflows attached. Organizations that want simulation and response tooling from one vendor will find the coverage wide.

Pros

  • Wide attack-surface coverage across email, SMS, and voice

  • Reporting and incident response workflows included alongside simulation

  • Strong compliance-oriented reporting and localization

Cons

  • Breadth comes at the cost of depth in any single simulation channel

  • Public information does not clearly establish how adaptive its live vishing calls are

KnowBe4

KnowBe4 is the largest platform in this category by content volume and market adoption, with an enormous template library, mature campaign automation, and vishing simulation available through outbound calls drawn from a template library.

Pros

  • The deepest content library and language coverage in the market

  • Mature automation and reporting at enterprise scale

  • Broad familiarity, which shortens internal procurement conversations

Cons

  • Public information does not indicate live, adaptive AI conversations, voice cloning, or hybrid call-plus-email workflows

  • Template-driven voice calls rehearse the format of a vishing call more than its improvisational dynamics

Try our vishing simulator

Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.

Frequently Asked Questions

Is BlackFile still active?

Probably, under another name. The leak site went offline in late April 2026 and briefly returned on May 11 to announce that "BlackFile is shutting down… under this name." GTIG reads that qualifier as transition rather than retirement, consistent with how extortion brands behave after scrutiny. The people, the tooling, and the technique do not disappear when a leak site does.

Is UNC6671 the same group as ShinyHunters?

No. UNC6671 borrowed the ShinyHunters name in at least one extortion attempt to make its threats seem more credible, which is exactly why the confusion exists. GTIG assesses the operations are independent, citing separate Tox channels, different domain registration patterns, and BlackFile's own dedicated leak site. ShinyHunters is tracked separately as UNC6240.

Do passkeys actually stop attacks like BlackFile?

Against this specific attack, yes. A passkey is cryptographically bound to the legitimate site's origin, so an employee cannot approve it on a lookalike domain no matter how convincing the caller is. That defeats the adversary-in-the-middle relay entirely. Passkeys do not protect the help desk, however. If an attacker can talk your support staff into resetting an account or enrolling a new factor, the strength of the credential becomes irrelevant. Harden account recovery with equal seriousness.

What is the difference between a FileAccessed and a FileDownloaded event?

FileDownloaded is recorded when a file is formally downloaded from SharePoint or OneDrive. FileAccessed is recorded when a file is viewed or fetched without a formal download command. An attacker replaying a stolen session cookie and issuing a direct HTTP GET against a document URL produces the second event, not the first, even though the file leaves the environment either way. Many detection rules watch only for FileDownloaded, which is how over a million files can move without raising an alert. Treat FileAccessed with equal severity when the user agent names a scripting library like python-requests or a command-line tool.

How can you test whether employees would fall for a vishing call?

Run the call. Vishing simulation platforms place a controlled, realistic phone call using a defined pretext, then measure what happens: whether the employee answers, how long they stay on, and whether they hand over what the caller asks for. The useful versions adapt in real time, because a scripted recording tests nothing a real caller would do. Pair the call with a phishing email in the same campaign to rehearse the specific sequence BlackFile used.