UNC6783 BPO compromise campaign targeting downstream companies
Campaign
Summary
UNC6783 is an active BPO compromise campaign targeting business process outsourcers and large enterprises to reach downstream environments for extortion. The operation has hit dozens of corporate entities across multiple sectors and uses live chat social engineering, spoofed Okta login pages, and lookalike support domains such as [.]zendesk-support[redacted][.]com to steal sensitive data. The group also uses a phishing kit to steal clipboard contents and bypass MFA, then enroll attacker devices for persistent access. In some cases, it uses fake security software updates to deploy remote access malware and may send ransom notes via Proton Mail after exfiltration.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
09.04.2026 00:46 · 3 articles
UNC6783 BPO compromise campaign disclosed
Initial Disclosure: Google Threat Intelligence Group says UNC6783 is compromising business process outsourcing (BPO) providers to reach high-value companies across multiple sectors, using social engineering and phishing against support staff, live-chat abuse, spoofed Okta login pages on Zendesk-style domains, clipboard theft to bypass multi-factor authentication (MFA), and fake security updates to deliver remote access malware; the group has targeted dozens of corporate entities and extorts victims after exfiltrating sensitive data.
Sources
- Google: New UNC6783 hackers steal corporate Zendesk support tickets — www.bleepingcomputer.com — 09.04.2026 00:46
- Google Warns of New Threat Group Targeting BPOs and Helpdesks — www.infosecurity-magazine.com — 09.04.2026 11:35