THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-05-15-F1
CYBER · ransomware threat groups · 2026-05-15SCOOP 55

GTIG details 'BlackFile' vishing extortion operation by UNC6671 targeting Microsoft 365 and Okta

Per Google Threat Intelligence Group's May 15 report, threat actor UNC6671 — operating under the "BlackFile" brand — is running an expansive extortion campaign that pairs voice phishing with single sign-on compromise.

·FILED 2026-05-15·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • UNC6671, branded 'BlackFile', runs a vishing-plus-SSO-compromise extortion campaign using AiTM techniques to bypass MFA, per GTIG
  • The group primarily targets Microsoft 365 and Okta and exfiltrates data programmatically via Python and PowerShell scripts

VERDICT — CONFIRMED

pipeline-backfill confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
GTIG details 'BlackFile' vishing extortion operation by UNC6671 targeting Microsoft 365 an
Photo: KK IN HK · via Wikimedia Commons · Public domain

Per Google Threat Intelligence Group's May 15 report, threat actor UNC6671 — operating under the "BlackFile" brand — is running an expansive extortion campaign that pairs voice phishing with single sign-on compromise. GTIG says the group uses adversary-in-the-middle techniques to bypass perimeter defenses and multi-factor authentication, gaining deep access to cloud environments. UNC6671 primarily targets Microsoft 365 and Okta infrastructure and uses Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data.

Key facts on file

  • UNC6671, branded 'BlackFile', runs a vishing-plus-SSO-compromise extortion campaign using AiTM techniques to bypass MFA, per GTIG
  • The group primarily targets Microsoft 365 and Okta and exfiltrates data programmatically via Python and PowerShell scripts

PRIMARY SOURCE

cloud.google.com
— (2026-05-15) · fetched at filing · archived at publication

Sources · two-source rule

PRIMARYcloud.google.com— (2026-05-15)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-05-15-f1 · filed 2026-05-15 · https://thedwire.com/wire/cyb-2026-05-15-f1-gtig-details-blackfile-vishing-extortion-operation-by.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS
Rapid7
CYBER · SCOOP 78

Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS 10.0) Amid China-Nexus Exploitation

Cisco disclosed and patched CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), affecting on-premises and cloud deployments including FedRAMP 'SD-WAN for Government.' The flaw resides in the 'vdaemon' peering-authentication service

✓ verified
READ THE FILE ›
CVE-2026-0246: Prisma Access Agent flaw lets non-admin users escalate to root or
Photo: Namaste jinx · via Wikimedia Commons · CC BY-SA 4.0
CYBER · SCOOP 57

CVE-2026-0246: Prisma Access Agent flaw lets non-admin users escalate to root or SYSTEM (Severity: MEDIUM)

Palo Alto Networks' May 13 advisory for CVE-2026-0246 describes a privilege-management flaw in the Prisma Access Agent that enables a locally authenticated non-administrative user to escalate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, allowing arbitrary code execution and access to sensitive information otherwise reser

✓ verifiednewSOURCE ↗
READ THE FILE ›
Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — Fi
Malwarebytes / Microsoft
CYBER · SCOOP 52

Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — First Since June 2024

Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024. Tallies varied slightly by source: BleepingComputer and several outlets reported approximately 120 CVEs including 17 critical (with 14 remote-code-execution flaw

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.