Why Behaviour Change Cybersecurity Beats SSO Vishing


When an employee picks up the phone and hears what sounds like internal IT asking them to re-enrol a multifactor token, the firewall is already irrelevant. That is the quiet truth behind the latest wave of voice phishing attacks that Google’s Mandiant team documented in January 2026, and it is why every Canadian organisation relying on single sign-on needs to rethink behaviour change cybersecurity before the next call lands.

The attackers are not exploiting a product flaw. They are exploiting trust, urgency, and a gap in muscle memory. The response cannot live in a firewall rule, and it cannot wait for next year’s training cycle.

What Mandiant saw in the ShinyHunters wave

Between early and mid-January 2026, Mandiant tracked two related threat clusters, designated UNC6661 and UNC6671, running voice phishing operations against employees at large organisations that use Okta, Microsoft 365, Salesforce, Google Workspace, and similar SaaS platforms. A third cluster, UNC6240, handled the extortion stage once data was stolen.

The method was low-tech and high-conversion. Callers impersonated internal IT staff, told the employee the company was updating MFA settings, and directed them to a convincing credential harvesting page hosted on a domain like companyname-sso.com or companyname-okta.com. While still on the line, the attacker relayed the stolen credentials in real time, triggered a legitimate MFA push, and told the employee which button to tap. Then they registered their own device for MFA and, in at least one incident Mandiant documented, quietly deleted the Okta notification email so the employee never noticed a new device had been added.
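The lookalike domains in that pretext (the company name glued to an identity keyword such as sso or okta) are something a web proxy or DNS log can surface before the extortion stage. The following detection is an added example written for this page, not code from the article, Mandiant or POPP3R. It assumes a constructed proxy log in a simple `timestamp key=value ...` format, an organisation named "examplecorp", and a small allowlist of the identity hosts that organisation legitimately uses; all three are assumptions to replace with your own values.

```python
from dataclasses import dataclass

ORG_NAME = "examplecorp"  # assumed organisation name
# Assumed allowlist: hosts (and their subdomains) the organisation really uses for sign-in.
KNOWN_GOOD = {"examplecorp.com", "examplecorp.okta.com", "login.microsoftonline.com"}
# Keywords that, combined with the org name on an unknown domain, mark an SSO lookalike.
IDENTITY_WORDS = ("sso", "okta", "mfa", "login", "auth", "microsoft", "365")

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2026-01-14T09:12:03Z user=jdoe dst=examplecorp.okta.com path=/app/
2026-01-14T09:14:41Z user=jdoe dst=examplecorp-sso.com path=/login
2026-01-14T09:15:10Z user=asmith dst=login.microsoftonline.com path=/common/oauth2
2026-01-14T09:20:55Z user=asmith dst=examplecorp-okta.com path=/signin
2026-01-14T09:22:07Z user=bchan dst=www.examplecorp.com path=/news
2026-01-14T09:30:00Z user=bchan dst=sso.examplecorp.com.mfa-update.net path=/
"""


@dataclass
class Hit:
    timestamp: str
    user: str
    host: str
    reason: str


def is_known_good(host: str) -> bool:
    """True if the host is an allowlisted domain or a subdomain of one."""
    return host in KNOWN_GOOD or any(host.endswith("." + g) for g in KNOWN_GOOD)


def classify_host(host: str):
    """Return a reason string if the host looks like an SSO lookalike, else None."""
    h = host.lower().rstrip(".")
    if is_known_good(h):
        return None
    if ORG_NAME not in h:
        return None
    # Look for identity keywords in what remains once the org name is removed,
    # so the org name itself never triggers a keyword match.
    remainder = h.replace(ORG_NAME, "")
    words = [w for w in IDENTITY_WORDS if w in remainder]
    if words:
        return f"org name combined with identity keyword(s) {','.join(words)} on unknown domain"
    return "org name on unknown domain"


def parse_line(line: str):
    """Split 'timestamp key=value key=value' into (timestamp, dict)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return ts, fields


def scan_proxy_log(lines):
    """Run classify_host over every log line and collect the hits in order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        host = fields.get("dst")
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append(Hit(ts, fields.get("user", "?"), host.lower(), reason))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp} {hit.user} -> {hit.host}: {hit.reason}")
```

The allowlist check runs before the keyword check on purpose: a real tenant host such as examplecorp.okta.com contains both the org name and an identity keyword, and must never be flagged. A hit on a user's traffic is a cue to contact that user through an official channel, which is the same reporting path the article asks employees to use.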

Mandiant’s assessment is blunt. The team wrote that this activity is not the result of a security vulnerability in vendors’ products or infrastructure, but instead continues to highlight the effectiveness of social engineering and the urgency of moving towards phishing-resistant MFA. Charles Carmakal, CTO at Mandiant Consulting, framed it as an evolution of voice phishing techniques that enrol attacker-controlled devices into victim MFA solutions.

Why SSO makes vishing so lucrative

Once a single employee hands over credentials plus an MFA code, the attacker does not land on a single application. They land on everything that sits behind the identity provider. Mandiant observed attackers pivoting into SharePoint, OneDrive, Salesforce, DocuSign, Slack, and Google Workspace, searching for documents tagged with words like confidential, internal, proposal, and VPN. That is why phishing simulations that test real readiness have to expand beyond the inbox to include voice scenarios that mirror the exact IT-impersonation pretext in the ShinyHunters playbook.

The Canadian Centre for Cyber Security has been warning about this pattern for some time. Its ITSAP.00.102 guidance notes that modern vishers use Voice over IP to spoof caller identification and, increasingly, machine learning to clone the voices of trusted colleagues. The centre’s advice is unambiguous: never provide sensitive information over the phone without verifying the caller through an official channel you look up independently.

Phishing-resistant MFA helps, but it is not enough alone

Mandiant recommends moving to FIDO2 security keys or passkeys, removing SMS and push notifications as MFA factors for privileged accounts, and hardening help desk password reset procedures with live video verification. All of these controls matter. None of them will fully land without employees who can recognise a social engineering attempt in progress and know exactly what to do next.

This is where the human layer of cybersecurity becomes the deciding factor. The ShinyHunters attackers succeeded not because employees were careless, but because their training had not rehearsed a voice-based pretext with a live MFA prompt.

The POPP3R perspective

In our work with Canadian organisations of all sizes, we consistently see that the single biggest predictor of how badly an incident damages an organisation is not whether someone clicked, it is whether anyone reported it. In the ShinyHunters pattern, the employee who immediately hangs up and calls the real help desk to report a suspicious call is the one who prevents the breach. The employee who quietly wonders if something was off, and tells no one, is the one who leaves attackers free to pivot through SaaS for days.

What to put in motion this week

Three practical steps are within reach of most security teams before the next wave of calls arrives. First, add a voice phishing scenario to your next simulated exercise, scripted around IT impersonation and an MFA update request, so employees encounter the pretext in a safe environment. Second, publish a one-paragraph internal playbook that tells any employee exactly which internal number to call and which channel to post to when they receive a suspicious call about credentials or MFA. Third, audit your MFA policy and begin removing push and SMS factors for administrators and privileged users.
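The third step, the MFA factor audit, is the one most easily turned into a repeatable check. The script below is an added example for this page, not code from the article, Mandiant, POPP3R or any identity vendor. It runs offline over a constructed export of users and their enrolled factors; the record shape (`login`, `groups`, `factors` with `factorType`, `status`, `created`) is modelled loosely on the Okta factor object but is an assumption, as are the group names treated as privileged and the seven-day window used to flag recent enrolments. It flags privileged accounts that still carry SMS, voice, push or email factors, privileged accounts with no phishing-resistant factor at all, accounts with no active MFA, and any factor enrolled recently, since the article describes attackers registering their own device during the call.

```python
from datetime import datetime, timedelta, timezone

# Factor type names modelled loosely on the Okta factor object (assumption; adapt to your IdP export).
PHISHING_RESISTANT = {"webauthn", "u2f"}          # FIDO2 security keys and passkeys
WEAK_FOR_PRIVILEGED = {"sms", "call", "push", "email"}
PRIVILEGED_GROUPS = {"Okta Administrators", "Global Admins", "Help Desk"}  # assumed group names
RECENT_ENROLMENT_WINDOW = timedelta(days=7)

NOW = datetime(2026, 1, 16, tzinfo=timezone.utc)  # constructed reference time for the sample

# Constructed sample export (no real accounts).
SAMPLE_USERS = [
    {"login": "admin.alice@examplecorp.com", "groups": ["Okta Administrators"],
     "factors": [
         {"factorType": "webauthn", "status": "ACTIVE", "created": "2025-06-02T10:00:00Z"},
         {"factorType": "push", "status": "ACTIVE", "created": "2026-01-14T16:41:00Z"},
     ]},
    {"login": "helpdesk.hank@examplecorp.com", "groups": ["Help Desk"],
     "factors": [{"factorType": "sms", "status": "ACTIVE", "created": "2024-03-11T09:00:00Z"}]},
    {"login": "user.uma@examplecorp.com", "groups": ["Everyone"],
     "factors": [{"factorType": "token:software:totp", "status": "ACTIVE",
                  "created": "2024-03-11T09:00:00Z"}]},
    {"login": "new.nina@examplecorp.com", "groups": ["Everyone"],
     "factors": [{"factorType": "push", "status": "PENDING_ACTIVATION",
                  "created": "2026-01-15T08:00:00Z"}]},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_user(user: dict, now: datetime = NOW):
    """Return a list of (finding, detail) tuples for one user; empty list means clean."""
    findings = []
    active = [f for f in user.get("factors", []) if f.get("status") == "ACTIVE"]
    active_types = {f["factorType"] for f in active}
    privileged = bool(set(user.get("groups", [])) & PRIVILEGED_GROUPS)

    if not active_types:
        findings.append(("no-active-mfa", ""))
    if privileged:
        weak = sorted(active_types & WEAK_FOR_PRIVILEGED)
        if weak:
            findings.append(("privileged-weak-factor", ",".join(weak)))
        if not active_types & PHISHING_RESISTANT:
            findings.append(("privileged-no-phishing-resistant", ""))
    # Any factor enrolled inside the window deserves a human look, privileged or not.
    for f in active:
        if now - parse_ts(f["created"]) <= RECENT_ENROLMENT_WINDOW:
            findings.append(("recent-enrolment", f["factorType"]))
    return findings


def audit_users(users, now: datetime = NOW):
    """Audit every user and return {login: findings}."""
    return {u["login"]: audit_user(u, now) for u in users}


def needs_remediation(results) -> list:
    """Logins that carry at least one finding, for the work queue."""
    return sorted(login for login, findings in results.items() if findings)


if __name__ == "__main__":
    for login, findings in audit_users(SAMPLE_USERS).items():
        print(login, findings or "ok")
```

Pending factors are deliberately ignored: only an active factor can satisfy a challenge, so only active factors count toward either the weakness or the coverage findings. To run this against a live tenant, replace `SAMPLE_USERS` with an export of users and factors from your identity provider and set `now` to the current time.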

If any of that feels out of reach with the team you have today, it is worth talking through options. POPP3R helps Canadian organisations build the practical pieces, from our services for security awareness and assessment through to executive briefings.
