{"id":10707,"date":"2026-04-21T13:09:05","date_gmt":"2026-04-21T11:09:05","guid":{"rendered":"https:\/\/the-s-unit.nl\/?p=10707"},"modified":"2026-04-21T17:47:44","modified_gmt":"2026-04-21T15:47:44","slug":"the-voice-of-shinyhunters","status":"publish","type":"post","link":"https:\/\/the-s-unit.nl\/en\/the-voice-of-shinyhunters\/","title":{"rendered":"The voice of ShinyHunters"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Blog<\/a><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The voice of ShinyHunters<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"The\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The hacker group ShinyHunters has frequently made headlines in recent months. They targeted Salesforce environments, including those of Odido and Hallmark. These attacks resulted in large-scale data breaches.<\/p>

What characterizes this group is not only the scale of their attacks, but especially their method. How do they use social engineering\u2014particularly vishing\u2014to gain access to organizations? How do they abuse legitimate login processes and sessions, such as MFA and SSO? And perhaps even more importantly: how can you protect your organization against this?<\/p>

In this blog, you\u2019ll gain insight into the ShinyHunters\u2019 modus operandi\u2014\u2018The Voice\u2019\u2014along with practical guidance to strengthen your defenses.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

The \u201cvoice attack\u201d: social engineering at its finest<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The core of ShinyHunters\u2019 attack method is surprisingly simple\u2014and therefore highly effective. The attacker calls an employee and impersonates, for example, an IT support agent, security engineer, or external vendor. Using a convincing story (such as an urgent security incident), the victim is persuaded to log in through a \u201cnew\u201d or \u201ctemporary\u201d environment. But that environment is fake.\u00a0<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Real-time phishing with MFA-bypass<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t
<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Where traditional phishing stops at collecting passwords, ShinyHunters goes a step further.<\/p>

The attack works as follows:<\/p>

1. The victim is contacted by phone (vishing) and persuaded to log in to a malicious login page.<\/p>

2. While the victim enters their credentials on the fake site, the information is relayed in real time or entered by the attacker into the legitimate environment (such as Okta or Microsoft Entra ID).<\/p>

3. The attacker forwards the MFA request to the victim in real time.<\/p>

4. The victim approves the MFA request, assuming it is part of the login process. The attacker gains access.<\/p>

This is done through a control panel linked to the phishing environment. The attacker is literally watching along and handling everything in real time, ultimately leading to a full account takeover\u2014despite MFA.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Extortion and lateral movement<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Once access is obtained, three steps typically follow:<\/p>

1. Data exfiltration: sensitive data is downloaded and secured.<\/p>

2. Extortion: organizations are blackmailed with the threat of public disclosure.<\/p>

3. Expansion to other organizations: stolen accounts and data are reused to target others based on relationship information.\u00a0<\/p>

As a result, a single incident can quickly escalate into a chain reaction.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t

Why this attack is so effective<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The strength of ShinyHunters lies in the combination of:<\/p>