ShinyHunters social engineering campaign targeting employee SSO accounts
Campaign
Summary
Hide ▲
Show ▼
The ShinyHunters extortion gang is running an ongoing social engineering campaign against employee Microsoft Entra, Okta, and Google SSO accounts, creating a path into connected business systems. The group uses vishing and SSO compromise to reach SaaS platforms and steal data for extortion. The operation has been active since last year and has increasingly focused on medtech companies. A successful login can expose multiple downstream services, broadening the blast radius of a single account takeover.
Related Happenings
Pink new extortion brand within The Com
Threat Actor Meta
H score31
First: 08.07.2026 19:47
Last: 08.07.2026 19:47
Sources 1
About this happening:
Pink is a The Com-linked extortion brand associated with O-UNC-066 that is now being used in a voice-based phishing campaign against Microsoft 365 users. The a...
Pink new extortion brand within The Com
Threat Actor MetaAbout this happening: Pink is a The Com-linked extortion brand associated with O-UNC-066 that is now being used in a voice-based phishing campaign against Microsoft 365 users. The a...
U.S. Scam Center Strike Force anti-fraud initiative
Public Sector Action
H score50
First: 04.06.2026 09:06
Last: 04.06.2026 09:06
Sources 1
About this happening:
The U.S. government continued Scam Center Strike Force, an ongoing anti-fraud initiative aimed at dismantling cyber-enabled fraud and pig butchering networks targe...
U.S. Scam Center Strike Force anti-fraud initiative
Public Sector ActionAbout this happening: The U.S. government continued Scam Center Strike Force, an ongoing anti-fraud initiative aimed at dismantling cyber-enabled fraud and pig butchering networks targe...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
Campaign
H score33
First: 14.04.2026 15:00
Last: 14.04.2026 15:00
Sources 1
About this happening:
The Triad Nexus campaign is continuing to run large-scale investment scams and brand impersonation, expanding into emerging markets and driving higher fraud losses...
Triad Nexus investment scam and brand impersonation campaign targeting emerging markets
CampaignAbout this happening: The Triad Nexus campaign is continuing to run large-scale investment scams and brand impersonation, expanding into emerging markets and driving higher fraud losses...
ShinyHunters widespread Okta SSO data theft campaign
Campaign
H score43
First: 03.04.2026 20:41
Last: 03.04.2026 20:41
Sources 1
About this happening:
ShinyHunters is tied to a widespread campaign that compromised Okta SSO accounts to steal data from third-party cloud storage and SaaS platforms, widening the...
ShinyHunters widespread Okta SSO data theft campaign
CampaignAbout this happening: ShinyHunters is tied to a widespread campaign that compromised Okta SSO accounts to steal data from third-party cloud storage and SaaS platforms, widening the...
Timeline
-
17.07.2026 23:45 2 articles · 2h ago
ShinyHunters targets employee Microsoft Entra, Okta, and Google SSO accounts
Campaign Scope UpdateShinyHunters is described as running a social engineering and vishing campaign since last year against employee Microsoft Entra, Okta, and Google SSO accounts, using compromised SSO access to reach connected SaaS platforms such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox. The group also claimed a mid-June vishing compromise of several employees, a Microsoft Entra SSO account takeover, and downstream data exfiltration from internal and cloud-connected systems.
Show sources
- Abbott Laboratories probes two cyber incidents amid extortion claims — www.bleepingcomputer.com — 17.07.2026 23:45
- Abbott Laboratories probes two cyber incidents amid extortion claims — www.bleepingcomputer.com — 17.07.2026 23:45