TL;DR: ShinyHunters compromised more than 100 organisations in early 2026 by using voice phishing, fake IT support pretexts, and real-time MFA interception to gain legitimate access, then move laterally across SaaS and cloud environments, according to Google’s Mandiant threat intelligence team. The incident shows that authentication success is not the same as identity safety, and post-authentication visibility has become essential.
NHIMG editorial — based on content published by AuthMind: How ShinyHunters Carry Out Their Attacks
By the numbers:
- Google’s Mandiant threat intelligence team says ShinyHunters compromised over 100 organisations between early and mid-January 2026.
Questions worth separating out
Q: What breaks when attackers get a legitimate login through vishing or MFA abuse?
A: The assumption that a successful login indicates trusted behaviour breaks immediately.
Q: Why do phishing-resistant MFA methods matter if attackers can still get in?
A: They materially reduce real-time credential harvesting and replay attacks, which removes one of the easiest entry paths.
Q: How do security teams spot malicious activity after a legitimate login?
A: They correlate identity events across applications and look for behavioural deviation.
Practitioner guidance
- Treat device enrolment as a privileged identity event. Require step-up verification and explicit monitoring whenever a user registers a new MFA device, changes security settings, or rebinds an authenticator.
- Correlate identity signals across SaaS platforms. Join authentication, file access, API authorisation, and mailbox activity into one investigation view so suspicious sequences become visible.
- Prioritise phishing-resistant MFA for workforce access. Move high-risk users and administrators to FIDO2 security keys or passkeys, then verify that help desk processes cannot casually downgrade those protections.
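As an added illustration of the first two points above (example code written for this post, not AuthMind's or NHIMG's own tooling): a small Python detector that joins IdP and SaaS audit events per user and flags an MFA device enrolment from an IP outside the user's login baseline when follow-on access in a different SaaS source occurs within a short window. The event format, source names, action names and the per-user IP baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # how long after an enrolment we watch for follow-on access
# Assumed action names for cross-SaaS access worth correlating with an enrolment
ACCESS = {"api_token_authorized", "file_download", "mailbox_rule_created"}

# Constructed per-user baseline: IPs seen in prior successful logins (assumption)
KNOWN_IPS = {"j.doe": {"192.0.2.10"}, "a.smith": {"198.51.100.4"}}

# Constructed sample events already joined from the IdP and SaaS audit logs:
# (timestamp, user, source, action, source IP)
EVENTS = [
    ("2026-01-14T09:02:10", "j.doe", "idp", "login", "203.0.113.7"),
    ("2026-01-14T09:03:40", "j.doe", "idp", "mfa_device_enrolled", "203.0.113.7"),
    ("2026-01-14T09:05:02", "j.doe", "salesforce", "api_token_authorized", "203.0.113.7"),
    ("2026-01-14T09:06:15", "j.doe", "sharepoint", "file_download", "203.0.113.7"),
    ("2026-01-14T09:07:30", "j.doe", "exchange", "mailbox_rule_created", "203.0.113.7"),
    ("2026-01-14T10:00:00", "a.smith", "idp", "login", "198.51.100.4"),
    ("2026-01-14T10:01:00", "a.smith", "idp", "mfa_device_enrolled", "198.51.100.4"),
    ("2026-01-14T10:20:00", "a.smith", "sharepoint", "file_download", "198.51.100.4"),
]

def parse(ev):
    ts, user, src, action, ip = ev
    return datetime.fromisoformat(ts), user, src, action, ip

def find_post_auth_sequences(events, known_ips, window=WINDOW):
    """Return one finding per MFA enrolment that came from an IP outside the
    user's baseline AND was followed, within `window`, by access activity in a
    different source. A login that succeeded is deliberately not trusted on its own."""
    by_user = defaultdict(list)
    for ev in sorted(events):          # ISO-8601 strings sort chronologically
        p = parse(ev)
        by_user[p[1]].append(p)
    findings = []
    for user, evs in by_user.items():
        for i, (ts, _, src, action, ip) in enumerate(evs):
            if action != "mfa_device_enrolled":
                continue
            unfamiliar_ip = ip not in known_ips.get(user, set())
            follow_on = [(s, a) for t, _, s, a, _ in evs[i + 1:]
                         if t - ts <= window and s != src and a in ACCESS]
            if unfamiliar_ip and follow_on:
                findings.append({"user": user, "enrolled_at": ts.isoformat(),
                                 "ip": ip, "follow_on": follow_on})
    return findings
```

In the sample data only j.doe is flagged: the enrolment comes from an IP absent from the baseline and is followed within minutes by a Salesforce token authorisation, a SharePoint download and a mailbox rule; a.smith's identical sequence from a baseline IP is not.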
What's in the full article
AuthMind's full article covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of the ShinyHunters playbook across vishing, MFA device enrolment, and SaaS lateral movement.
- Specific examples of how the group used Salesforce, SharePoint, OneDrive, DocuSign, Slack, and Google Workspace to expand access.
- The vendor's view of identity observability signals that can separate normal user behaviour from post-compromise activity.
- Practical guidance on how post-authentication telemetry supports detection and response when prevention fails.