How to Defend Your Organization Against the BlackFile Vishing Extortion Campaign

Voice phishing (vishing) attacks are becoming increasingly sophisticated, with threat actors like UNC6671—operating under the BlackFile brand—using adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication (MFA) and compromise cloud environments. This guide explains the attack lifecycle and provides actionable steps to protect your organization, focusing on phishing-resistant MFA, employee training, and detection strategies.

What You Need

Knowledge: Basic understanding of MFA, single sign-on (SSO), and OAuth protocols.
Tools: Access to identity provider (IdP) logs, email security gateways, and incident response playbooks.
Policies: An existing security awareness program and a process for verifying IT support requests.
Team: A dedicated security operations center (SOC) or incident response team familiar with cloud security.

Step-by-Step Guide

Step 1: Understand the Attack Lifecycle

UNC6671 relies on vishing calls to employees’ personal phones, pretending to be IT support requesting a mandatory MFA migration or passkey update. They direct victims to a credential harvesting site (often using subdomains like “passkey” or “enrollment”) and use AiTM proxies to steal session tokens. Once inside, they leverage Python and PowerShell scripts to exfiltrate data from Microsoft 365 and Okta. Knowing this flow helps you anticipate their moves.

How to Defend Your Organization Against the BlackFile Vishing Extortion Campaign — Source: www.mandiant.com

Step 2: Deploy Phishing-Resistant MFA

Standard MFA (e.g., SMS codes, push notifications) can be intercepted via AiTM. Implement phishing-resistant methods like FIDO2 security keys, certificate-based authentication, or Windows Hello for Business. This breaks the attack chain—even if credentials are stolen, the session cannot be hijacked. Prioritize for all users with SSO access.

Step 3: Train Employees to Recognize Vishing

Educate staff that IT will never call personal numbers or ask them to “enroll in MFA” via a link. Simulate vishing calls during security drills. Encourage reporting any unsolicited IT-related calls to your security team immediately. Reinforce that any security alert triggered during a real attack should be verified through official channels.

Step 4: Monitor for Suspicious Authentication Events

Review IdP logs for unusual patterns:

Logins from new subdomains (e.g., “enroll.yourcompany-passkey.com”)
Multiple failed MFA attempts followed by success
Session token reuse from different IPs
High volumes of data download via Graph API or PowerShell

Set up real-time alerts for these anomalies. Use conditional access policies to block sign-ins from unexpected countries or devices.

Step 5: Secure SSO and OAuth Configurations

Limit the number of OAuth apps and require admin consent for high-risk permissions. Audit existing third-party integrations in your IdP. Disable legacy authentication protocols that bypass MFA. Implement strict session controls (e.g., session timeout, risk-based sign-in). UNC6671 exploits SSO trust—so reduce the attack surface.

Step 6: Establish an Incident Response Plan for Vishing

Create a playbook specific to vishing and SSO compromise:

Isolate affected accounts and revoke all tokens.
Disable any OAuth app the attacker may have added.
Conduct a forensic review of cloud logs.
Notify affected users and consider mandatory password reset.
Engage with your IdP vendor for support.

Practice the plan with tabletop exercises. Ensure legal and communications teams are ready for extortion threats.

Tips for Long-Term Defense

Monitor threat intelligence: Subscribe to feeds from Google Threat Intelligence Group (GTIG) and others to stay informed about new tactics.
Use internal anchor links: Create a knowledge base page with this guide and link to each step for easy reference during incidents.
Review domain registrations: Monitor registrations using your brand name (especially under Tucows) and consider domain lock services.
Coordinate with telecom providers: Report vishing numbers to help take down caller infrastructure.
Communicate during a crisis: Have a pre-approved template for alerting employees about ongoing vishing attempts.

By following these steps, your organization can significantly reduce the risk of falling victim to the BlackFile extortion campaign and similar identity-centric attacks.