The S-Unit

The voice of ShinyHunters


The hacker group ShinyHunters has frequently made headlines in recent months. They targeted Salesforce environments, including those of Odido and Hallmark. These attacks resulted in large-scale data breaches.

What characterizes this group is not only the scale of their attacks, but especially their method. How do they use social engineering—particularly vishing—to gain access to organizations? How do they abuse legitimate login processes and sessions, such as MFA and SSO? And perhaps even more importantly: how can you protect your organization against this?

In this blog, you’ll gain insight into the ShinyHunters’ modus operandi—‘The Voice’—along with practical guidance to strengthen your defenses.

The “voice attack”: social engineering at its finest

The core of ShinyHunters’ attack method is surprisingly simple—and therefore highly effective. The attacker calls an employee and impersonates, for example, an IT support agent, security engineer, or external vendor. Using a convincing story (such as an urgent security incident), the victim is persuaded to log in through a “new” or “temporary” environment. But that environment is fake. 

Real-time phishing with MFA-bypass

Where traditional phishing stops at collecting passwords, ShinyHunters goes a step further.

The attack works as follows:

1. The victim is contacted by phone (vishing) and persuaded to log in to a malicious login page.

2. While the victim enters their credentials on the fake site, the information is relayed in real time or entered by the attacker into the legitimate environment (such as Okta or Microsoft Entra ID).

3. The attacker forwards the MFA request to the victim in real time.

4. The victim approves the MFA request, assuming it is part of the login process. The attacker gains access.

This is done through a control panel linked to the phishing environment. The attacker watches the victim’s input live and handles every step in real time, ultimately leading to a full account takeover—despite MFA.

Extortion and lateral movement

Once access is obtained, three steps typically follow:

1. Data exfiltration: sensitive data is downloaded and kept by the attacker.

2. Extortion: organizations are blackmailed with the threat of public disclosure.

3. Expansion to other organizations: stolen accounts and data are reused to target other organizations, chosen on the basis of relationship information found in the stolen data.

As a result, a single incident can quickly escalate into a chain reaction.

Why this attack is so effective

The strength of ShinyHunters lies in the combination of:

  • Human manipulation (building trust over the phone)
  • Technical simplicity (no complex exploits required)
  • Real-time interaction (bypassing MFA without breaking it)

This makes the attack difficult to detect and hard to stop with traditional security measures.

Action & advice: how to defend against ShinyHunters

Attacks like these show that traditional security is no longer sufficient. It’s not just about technology, but about the smart combination of people, processes, and detection. These measures will help you become more resilient against this type of attack.

1. Awareness: train for phone-based attacks

Many organizations train employees to recognize phishing emails, but overlook the power of phone-based attacks (vishing). This is exactly where this attack method gains its initial access. Make sure employees learn:

  • How attackers impersonate IT staff
  • Which signals indicate a suspicious phone call
  • That they should never log in or approve MFA requests under pressure

Make this tangible with realistic scenarios and exercises.

2. Detection of anomalous login behavior

Because attackers use legitimate login processes, traditional detection is often not sufficient. Focus instead on behavioral anomalies, such as:

  • Login attempts from unusual locations
  • Sudden MFA requests without a clear reason
  • “Impossible travel” (e.g., logging in from two countries within a short time)

By actively monitoring these signals, you can respond more quickly.
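Two of the signals above, impossible travel between successful sign-ins and an MFA prompt raised from a location the user has never signed in from, implemented as an added example over constructed sign-in records (this is not The S-Unit’s code; the record fields, coordinates and thresholds are assumptions, not any vendor’s log schema):

```python
# Added example (not The S-Unit's code): two behavioural checks over sign-in events.
# Records are constructed and loosely modelled on IdP sign-in logs (Okta / Entra ID);
# the field names are assumptions, not a vendor schema.
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster between two successes is "impossible travel"
KNOWN_RADIUS_KM = 100.0    # an MFA prompt farther than this from every earlier success is "new location"

SignIn = namedtuple("SignIn", "user ts lat lon event")  # event: "login_success" or "mfa_push"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def analyse(events):
    """Walk events in time order; return impossible-travel and new-location-MFA alerts."""
    alerts = {"impossible_travel": [], "new_location_mfa": []}
    last_success, known = {}, {}  # per user: last successful sign-in; list of (lat, lon) seen
    for e in sorted(events, key=lambda x: x.ts):
        locs = known.setdefault(e.user, [])
        if e.event == "mfa_push":
            # A prompt that no earlier success from nearby explains is what a vishing relay produces.
            if not any(haversine_km(e.lat, e.lon, la, lo) <= KNOWN_RADIUS_KM for la, lo in locs):
                alerts["new_location_mfa"].append((e.user, e.ts))
        elif e.event == "login_success":
            prev = last_success.get(e.user)
            if prev is not None:
                hours = (e.ts - prev.ts).total_seconds() / 3600
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts["impossible_travel"].append((e.user, prev.ts, e.ts, round(km / hours)))
            last_success[e.user] = e
            locs.append((e.lat, e.lon))
    return alerts

# Constructed sample: alice's account is taken over from abroad; bob's day is ordinary.
SAMPLE = [
    SignIn("alice", datetime(2025, 1, 10, 8, 0), 52.37, 4.90, "login_success"),   # Amsterdam
    SignIn("alice", datetime(2025, 1, 10, 9, 30), 40.71, -74.01, "mfa_push"),     # prompt raised from New York
    SignIn("alice", datetime(2025, 1, 10, 9, 31), 40.71, -74.01, "login_success"),
    SignIn("bob", datetime(2025, 1, 9, 9, 0), 51.92, 4.48, "login_success"),      # Rotterdam, the day before
    SignIn("bob", datetime(2025, 1, 10, 8, 14), 51.92, 4.48, "mfa_push"),
    SignIn("bob", datetime(2025, 1, 10, 8, 15), 51.92, 4.48, "login_success"),
    SignIn("bob", datetime(2025, 1, 10, 17, 0), 52.37, 4.90, "login_success"),    # Amsterdam, 9 h later
]
```

Running `analyse(SAMPLE)` flags only alice: one new-location MFA prompt and one impossible-travel pair at roughly 3,900 km/h, while bob’s Rotterdam-to-Amsterdam day produces nothing.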

3. Conditional access and risk-based authentication

Do not blindly trust valid login credentials. Modern attacks show that credentials and MFA are not always enough. Use additional controls through solutions such as Microsoft Entra ID or Okta:

  • Automatically block or challenge suspicious logins
  • Restrict access based on context (location, device, behavior)

4. Ensure a strong incident response plan (IRP)

If something does go wrong, you need to act quickly. Be prepared for scenarios such as account takeovers, data breaches, or extortion. A strong IRP includes clear roles, communication lines, and step-by-step procedures, so you don’t lose valuable time during an incident.

5. Data minimization: limit the impact

Not all data needs to be retained. The less sensitive information available, the smaller the impact of an attack. Consider:

  • Cleaning up old or unnecessary data
  • Restricting access through segmentation and least privilege

This reduces the “loot” available to an attacker.

6. Stay up to date on attack techniques

Attackers and threats are constantly evolving. Regularly inform employees about new attack methods, current threats, and real-world examples. By actively sharing this knowledge, you increase awareness and reduce the likelihood of successful attacks.

With our Threats & Insights service, you stay up to date on the latest attack techniques and receive actionable advice to strengthen your resilience. Learn more about our Threats & Insights service.