TL;DR: ShinyHunters compromised more than 100 organisations in early 2026 by using voice phishing, fake IT support pretexts, and real-time MFA interception to gain legitimate access, then move laterally across SaaS and cloud environments, according to Google’s Mandiant threat intelligence team. The incident shows that authentication success is not the same as identity safety, and post-authentication visibility has become essential.
NHIMG editorial — based on content published by AuthMind: How ShinyHunters Carry Out Their Attacks
By the numbers:
- Google’s Mandiant threat intelligence team says ShinyHunters compromised over 100 organisations between early and mid-January 2026.
Questions worth separating out
Q: What breaks when attackers get a legitimate login through vishing or MFA abuse?
A: The assumption that a successful login indicates trusted behaviour breaks immediately.
Q: Why do phishing-resistant MFA methods matter if attackers can still get in?
A: They materially reduce real-time credential harvesting and replay attacks, which removes one of the easiest entry paths.
Q: How do security teams spot malicious activity after a legitimate login?
A: They correlate identity events across applications and look for behavioural deviation.
Practitioner guidance
- Treat device enrolment as a privileged identity event: require step-up verification and explicit monitoring whenever a user registers a new MFA device, changes security settings, or rebinds an authenticator.
- Correlate identity signals across SaaS platforms: join authentication, file access, API authorisation, and mailbox activity into one investigation view so suspicious sequences become visible.
- Prioritise phishing-resistant MFA for workforce access: move high-risk users and administrators to FIDO2 security keys or passkeys, then verify that help desk processes cannot casually downgrade those protections.
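To make the first two points concrete, here is an added example (not code from AuthMind or NHIMG) of the kind of cross-source correlation a detection team could run: it joins constructed identity-provider and SaaS events per user and flags the sequence login, then new MFA device enrolment, then bulk data access in a SaaS application within a short window. The event schema, field names and time thresholds are assumptions, not taken from any vendor's telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one routine user session and
# one that follows the post-authentication chain discussed above.
EVENTS = [
    {"ts": "2026-01-12T09:00:00", "user": "alice", "src": "idp",        "type": "login_success", "ip": "203.0.113.10"},
    {"ts": "2026-01-12T09:05:00", "user": "alice", "src": "sharepoint", "type": "file_access", "count": 3},
    {"ts": "2026-01-12T14:02:00", "user": "bob",   "src": "idp",        "type": "login_success", "ip": "198.51.100.7"},
    {"ts": "2026-01-12T14:04:00", "user": "bob",   "src": "idp",        "type": "mfa_device_enrolled"},
    {"ts": "2026-01-12T14:20:00", "user": "bob",   "src": "salesforce", "type": "bulk_export", "count": 4200},
    {"ts": "2026-01-12T14:25:00", "user": "bob",   "src": "onedrive",   "type": "file_access", "count": 350},
]

ENROL_WINDOW = timedelta(minutes=30)   # login -> new authenticator (assumed threshold)
ACCESS_WINDOW = timedelta(hours=2)     # enrolment -> bulk SaaS access (assumed threshold)
BULK_THRESHOLD = 100                   # records/files that count as "bulk" (assumed)

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def correlate(events):
    """Group IdP and SaaS events per user and return every
    login -> MFA enrolment -> bulk access chain inside the windows."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, enrol in enumerate(evs):
            if enrol["type"] != "mfa_device_enrolled":
                continue
            # Enrolment is treated as privileged: look for the login that preceded it.
            logins = [e for e in evs[:i] if e["type"] == "login_success"
                      and _ts(enrol) - _ts(e) <= ENROL_WINDOW]
            if not logins:
                continue
            # Any SaaS source counts; the join is what makes the sequence visible.
            bulk = [e for e in evs[i + 1:] if e.get("count", 0) >= BULK_THRESHOLD
                    and _ts(e) - _ts(enrol) <= ACCESS_WINDOW]
            if bulk:
                findings.append({"user": user, "login_ip": logins[-1]["ip"],
                                 "enrolled_at": enrol["ts"],
                                 "apps": sorted({e["src"] for e in bulk})})
    return findings

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"REVIEW {f['user']}: new MFA device at {f['enrolled_at']} "
              f"after login from {f['login_ip']}, then bulk access in {f['apps']}")
```

In a real deployment the same join would run over IdP audit logs and each SaaS platform's activity export, with the thresholds tuned to the organisation's baseline.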
What's in the full article
AuthMind's full article covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of the ShinyHunters playbook across vishing, MFA device enrolment, and SaaS lateral movement.
- Specific examples of how the group used Salesforce, SharePoint, OneDrive, DocuSign, Slack, and Google Workspace to expand access.
- The vendor's view of identity observability signals that can separate normal user behaviour from post-compromise activity.
- Practical guidance on how post-authentication telemetry supports detection and response when prevention fails.
👉 Read AuthMind's analysis of how ShinyHunters hijack identity sessions →
ShinyHunters and vishing: are your identity controls keeping up?
Explore further
Identity observability is now the control boundary that matters after authentication succeeds. ShinyHunters demonstrated that identity risk no longer ends at login. Conventional authentication evidence can be perfectly valid while the underlying session is malicious, which makes post-authentication behaviour the real decision point for security teams. The implication is straightforward: identity programmes that stop at MFA and conditional access are measuring the wrong layer of risk.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance still lacks complete operational sightlines.
A question worth separating out:
Q: Who should be accountable when authenticated users abuse access after a social engineering attack?
A: Accountability sits with the identity, security, and application owners together, because the failure spans identity proofing, session monitoring, and downstream access governance. The right framework question is not just who clicked the phishing link, but which controls allowed a valid session to become an uncontrolled data path.
👉 Read our full editorial: ShinyHunters exposes the limits of MFA-only identity security