GTIG details 'BlackFile' vishing extortion operation by UNC6671 targeting Microsoft 365 and Okta
Per Google Threat Intelligence Group's May 15 report, threat actor UNC6671 — operating under the "BlackFile" brand — is running an expansive extortion campaign that pairs voice phishing with single sign-on compromise.
At a glance
- UNC6671, branded 'BlackFile', runs a vishing-plus-SSO-compromise extortion campaign using AiTM techniques to bypass MFA, per GTIG
- The group primarily targets Microsoft 365 and Okta and exfiltrates data programmatically via Python and PowerShell scripts
VERDICT — CONFIRMED

Per Google Threat Intelligence Group's May 15 report, threat actor UNC6671 — operating under the "BlackFile" brand — is running an expansive extortion campaign that pairs voice phishing with single sign-on compromise. GTIG says the group uses adversary-in-the-middle techniques to bypass perimeter defenses and multi-factor authentication, gaining deep access to cloud environments. UNC6671 primarily targets Microsoft 365 and Okta infrastructure and uses Python and PowerShell scripts to programmatically exfiltrate sensitive corporate data.
Key facts on file
- UNC6671, branded 'BlackFile', runs a vishing-plus-SSO-compromise extortion campaign using AiTM techniques to bypass MFA, per GTIG
- The group primarily targets Microsoft 365 and Okta and exfiltrates data programmatically via Python and PowerShell scripts


