Lyrie
Defensive-Playbook
0 sources verified·11 min read
By Lyrie Threat Intelligence·4/26/2026

TL;DR

At least four distinct threat groups — UNC6783, BlackFile (CL-CRI-1116/UNC6671), ShinyHunters, and Scattered Spider — are independently converging on the same exploitation vector in 2026: voice phishing (vishing) and live-chat social engineering targeting IT helpdesks and BPO support staff to bypass MFA and hijack enterprise SSO environments.

The ADT breach (April 26, 2026), which exposed 10M records after a single vishing call reached an Okta admin, is the most visible casualty this week. It will not be the last. Google's Threat Intelligence Group (GTIG) published an advisory on April 9 warning of UNC6783 — a financially motivated cluster explicitly targeting BPO helpdesks at "several dozen high-value corporate entities" using live chat channels and spoofed Okta login pages that steal clipboard-based MFA tokens.

This playbook covers the full kill chain, detection logic, and hardening steps to shut it down.


Background: Why Helpdesks Are the New Zero-Day

For two decades, corporate security investment flowed toward endpoint protection, network segmentation, and vulnerability patching. The human layer — specifically the IT helpdesk — was treated as a support function, not an attack surface.

Threat actors noticed.

The helpdesk is structurally perfect for attackers:

  • High authority, low verification: Helpdesk staff are trained to solve problems quickly and reset credentials on request.
  • SSO proximity: A single helpdesk ticket can reset Okta/Entra/Duo credentials for any downstream application.
  • OSINT-rich target pool: LinkedIn, company directories, and leaked HR databases give attackers everything they need to impersonate any employee.
  • BPO outsourcing explosion: Enterprises that outsourced helpdesk functions to BPOs expanded the attack perimeter to third-party vendors with inconsistent security training and controls.

The result is what Mandiant's Austin Larsen described in April 2026 as a threat cluster that operates entirely through social channels — no CVEs, no exploits, no malware at the initial access stage. Just a phone call or a chat window.


The 2026 Threat Landscape: Four Groups, One Playbook

UNC6783 (Google GTIG, April 2026)

Tracked by Google's Threat Intelligence Group, UNC6783 is a financially motivated cluster potentially linked to the "Raccoon" persona. Its primary tactic is live chat social engineering against BPO support centers, directing employees to spoofed Okta login pages hosted on domains matching the pattern:

[target-org].zendesk-support<##>.com
[target-org].okta-helpdesk<##>.com

The phishing kit is sophisticated: it steals clipboard contents (where TOTP codes and one-time tokens are frequently pasted) and uses them to bypass standard MFA verification in real time. Once credentials are captured, UNC6783 enrolls its own device for persistent access, effectively locking the legitimate user out of their own account.

As a fallback, the group deploys fake "security software update" packages — delivered via chat — that install remote access trojans when executed by the tricked employee.

BlackFile / CL-CRI-1116 / UNC6671 / Cordial Spider

Unit 42 published findings on BlackFile in April 2026, linking this English-speaking group to a surge of IT helpdesk impersonation calls demanding seven-figure ransoms. The group — tracked under multiple aliases — cold-calls employees, claims to be from the internal IT security team, and walks targets through "account verification" flows that actually enroll attacker-controlled authenticators.

Attribution overlaps with the broader "English-speaking cybercrime network" that includes alumni from Scattered Spider and Lapsus$, suggesting a loose confederation sharing TTPs and infrastructure.

ShinyHunters

The group responsible for the ADT breach (10M records, April 2026) executed a textbook vishing-to-SSO chain:

1. Vishing call to an ADT employee, impersonating IT security

2. Credential capture via a real-time proxy page that forwarded tokens to the real Okta instance

3. Okta SSO session hijack — one authenticated session token gave access to the connected Salesforce instance

4. Mass exfiltration of customer records before detection

ShinyHunters threatened to publish the data if ADT did not pay by April 27, 2026 — a 24-hour extortion window designed to maximize panic and prevent proper incident response.

Scattered Spider

The group that breached MGM, Caesars, and dozens of others between 2023 and 2025 pioneered the modern helpdesk vishing playbook. A member pleaded guilty in April 2026 to stealing $8M in cryptocurrency via SMS phishing. Despite arrests, the TTP library they created — OSINT reconnaissance → vishing → MFA reset → lateral movement → data exfil → extortion — has been copied and industrialized by successor groups.


Technical Attack Chain: Step-by-Step Anatomy

[Phase 0: Reconnaissance]
LinkedIn → employee names, org chart, IT staff, SSO vendor (Okta badge visible in headshots)
LinkedIn → BPO vendor contracts via job postings ("we use ServiceNow + Okta + Salesforce")
Leaked HR/breach data → employee phone numbers, manager names, ticket formats

[Phase 1: Initial Contact]
Option A: Vishing call to employee ("Hi, this is Mike from IT Security...")
Option B: Live chat via spoofed support portal or legitimate BPO chat channel
Option C: Teams/Slack message impersonating internal IT staff (UNC6692 variant)

[Phase 2: Pretexting]
Attacker establishes urgency: "We've detected suspicious login from [employee's real city]"
Attacker verifies identity using OSINT data (name, manager, department, recent ticket)
Attacker requests: "Can you verify your Okta by clicking this link and logging in?"

[Phase 3: Credential / Token Capture]
Real-time reverse proxy intercepts credentials + MFA code
OR: Clipboard-stealing kit captures TOTP pasted into field
OR: Push fatigue attack until user approves

[Phase 4: Device Enrollment]
Attacker enrolls own device in Okta/Entra MFA
The legitimate user's authenticator is now just a backup factor on a session the attacker controls
Persistence established — password resets no longer help without MFA device audit

[Phase 5: Lateral Movement]
SSO token grants access to all connected SaaS: Salesforce, ServiceNow, Workday, GitHub, AWS
Attacker maps data stores, identifies PII/IP worth exfiltrating

[Phase 6: Exfiltration and Extortion]
Bulk export via API (Salesforce: exportAllRecords, GitHub: git clone)
Double extortion: encrypt OR publish
Extortion timeline: 24-48 hours to maximize panic, minimize legal response

Detection: What to Watch For

Identity Platform Signals (Okta / Entra / Duo)

| Signal | Threshold | Action |
|--------|-----------|--------|
| New device enrolled from unrecognized country/ASN | Any | Block + alert |
| MFA factor added within 60s of successful auth | Any | Hold + verify via out-of-band call |
| Helpdesk-initiated password reset followed by device enrollment within 15min | Any | Escalate to L2 immediately |
| Multiple TOTP failures from same session (clipboard timing pattern) | >3 in 60s | Rate-limit + alert |
| Session token reuse from different IP than login IP | Any | Revoke + alert |
| Bulk data export API calls within 2h of new device enrollment | Any | Emergency block |

Okta-specific SIEM queries (Splunk SPL; translate to KQL for Sentinel):

# New authenticator enrollment within 30 min of a helpdesk-initiated password reset
# (assumes both indexes normalize the user to a field named userId)
index=okta eventType=user.mfa.factor.activate
| join type=inner userId
    [search index=serviceNow category="identity" action="password reset"
     | rename _time as ticket_time
     | fields userId ticket_time]
| where _time > ticket_time AND _time - ticket_time < 1800

# Real-time proxy pattern: the same user's sessions start from more than one
# source IP inside a 120-second window
index=okta eventType=user.session.start
| stats min(_time) as login_time, range(_time) as span,
        values(client.ipAddress) as ips by userId
| eval ip_count=mvcount(ips)
| where ip_count > 1 AND span < 120
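The first three rows of the table, as an added Python example that is not part of this playbook: it runs the helpdesk-reset-then-enrollment, factor-added-within-60s and unknown-ASN checks over constructed Okta/ServiceNow-style records (the record shape and the known-ASN set are assumptions).

```python
import datetime as dt

# Constructed sample records (not from any real tenant), normalized to a common
# shape: ts, src, user, event, plus asn/country for identity-provider events.
EVENTS = [
    {"ts": "2026-04-26T09:00:00Z", "src": "servicenow", "user": "j.doe",
     "event": "password_reset", "channel": "phone"},
    {"ts": "2026-04-26T09:04:10Z", "src": "okta", "user": "j.doe",
     "event": "user.session.start", "asn": "AS64496", "country": "US"},
    {"ts": "2026-04-26T09:04:40Z", "src": "okta", "user": "j.doe",
     "event": "user.mfa.factor.activate", "asn": "AS64511", "country": "NL"},
    {"ts": "2026-04-26T09:30:00Z", "src": "okta", "user": "a.smith",
     "event": "user.session.start", "asn": "AS64496", "country": "US"},
    {"ts": "2026-04-26T10:10:00Z", "src": "okta", "user": "a.smith",
     "event": "user.mfa.factor.activate", "asn": "AS64496", "country": "US"},
]
KNOWN_ASNS = {"AS64496"}  # constructed: the org's own egress ASNs

def _t(ev):
    return dt.datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))

def correlate(events, known_asns=KNOWN_ASNS, reset_window=900, auth_window=60):
    """Emit (user, signal, action) tuples for the table's enrollment signals."""
    by_user = {}
    for ev in sorted(events, key=_t):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        last_reset = last_auth = None
        for ev in evs:  # events are in time order, so "last" means most recent
            if ev["event"] == "password_reset":
                last_reset = ev
            elif ev["event"] == "user.session.start":
                last_auth = ev
            elif ev["event"] == "user.mfa.factor.activate":
                since = lambda prev: (_t(ev) - _t(prev)).total_seconds()
                if ev.get("asn") not in known_asns:
                    alerts.append((user, "enrollment_from_unknown_asn", "block"))
                if last_auth and since(last_auth) <= auth_window:
                    alerts.append((user, "factor_added_60s_after_auth", "hold_verify_oob"))
                if last_reset and since(last_reset) <= reset_window:
                    alerts.append((user, "reset_then_enrollment_15min", "escalate_l2"))
    return alerts
```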

Network / DNS Signals

Watch for employee DNS lookups or HTTP requests to domains matching:

  • [company-name]-support<digits>.com
  • [company-name].okta-helpdesk<digits>.com
  • [company-name].zendesk-support<digits>.com

Deploy DNS RPZ (Response Policy Zone) rules that block these patterns proactively. Feed threat intel from URLhaus, PhishTank, and OpenPhish into your DNS resolver in real time.
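An added example, not from the page or from Lyrie, that turns the patterns above into RPZ zone records: RPZ matches names and wildcards, not regular expressions, so the two-digit patterns are enumerated while the six-character `[a-z0-9]` pattern is reported as needing a resolver-side regex or response filter instead (the pattern notation and the 1000-name limit are assumptions).

```python
import itertools
import re

# The UNC6783 domain patterns listed on this page, in the page's own notation.
PATTERNS = [
    "zendesk-support[0-9]{2}.com",
    "okta-helpdesk[0-9]{2}.com",
    "okta-verify-[a-z0-9]{6}.com",
]
MAX_NAMES = 1000  # refuse to enumerate a pattern wider than this

# A pattern is literal text plus [class]{n} groups; nothing else is supported.
_TOKEN = re.compile(r"\[([^\]]+)\]\{(\d+)\}|(.)")

def _charset(spec):
    """Expand a bracket class such as 'a-z0-9' into its member characters."""
    chars, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return chars

def expand(pattern, limit=MAX_NAMES):
    """Return every concrete domain the pattern matches, or None when the
    space is too large to enumerate (RPZ has no regex support, so such
    patterns need a resolver-side regex or response filter instead)."""
    parts = []
    for cls, n, lit in _TOKEN.findall(pattern):
        parts.extend([_charset(cls)] * int(n) if cls else [[lit]])
    total = 1
    for p in parts:
        total *= len(p)
    if total > limit:
        return None
    return ["".join(t) for t in itertools.product(*parts)]

def rpz_records(patterns, limit=MAX_NAMES):
    """Build RPZ zone lines (NXDOMAIN the apex and every subdomain, which
    covers the [target-org] label) and report patterns left unexpanded."""
    records, leftover = [], []
    for pat in patterns:
        names = expand(pat, limit)
        if names is None:
            leftover.append(pat)
            continue
        for name in names:
            records.append(f"{name} CNAME .")
            records.append(f"*.{name} CNAME .")
    return records, leftover
```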

Behavioral Signals

  • Employee receives unexpected call from "IT" → reports it to helpdesk → cross-reference with open tickets
  • Anomalous Teams/Slack DMs from accounts created <24h ago to employees in privileged roles
  • ServiceNow/Zendesk tickets opened for password resets from external phone numbers not in the HR directory

Hardening: The Control Stack That Makes This Attack Fail

Tier 1 — Identity Verification (Eliminate the Social Path)

1. Implement a caller verification code system.

Every employee gets a unique, randomized 6-digit verification code stored in the HR system. Any helpdesk interaction, including inbound calls, requires the employee to provide it. Codes rotate quarterly. No code = no account action, no exceptions.
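One way to implement the verification code store described above, as an added example that is not Lyrie's code: codes are kept as salted PBKDF2 hashes rather than plaintext, because the reconnaissance phase earlier in this playbook assumes the HR database may already be leaked; the quarter label, attempt limit and store layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the HR record: employee id -> hashed code.
# The raw code is shown to the employee once and never stored.
CODE_STORE = {}
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000

def _digest(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)

def issue_code(employee_id, quarter):
    """Issue a fresh random 6-digit code for this quarter; returns the code."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    CODE_STORE[employee_id] = {"salt": salt, "digest": _digest(code, salt),
                               "quarter": quarter, "failures": 0}
    return code

def verify_code(employee_id, code, quarter):
    """True only if the code matches the current quarter's record and the
    employee is not locked out; wrong guesses count toward the lockout."""
    rec = CODE_STORE.get(employee_id)
    if rec is None or rec["quarter"] != quarter:
        return False  # no code issued, or a stale code from a past quarter
    if rec["failures"] >= MAX_ATTEMPTS:
        return False  # locked out: route to out-of-band re-issue
    if hmac.compare_digest(_digest(code, rec["salt"]), rec["digest"]):
        rec["failures"] = 0
        return True
    rec["failures"] += 1
    return False

def helpdesk_action_allowed(employee_id, code, quarter, action):
    """Gate every account action on the code; the action name is only logged."""
    ok = verify_code(employee_id, code, quarter)
    print(f"{action} for {employee_id}: {'ALLOWED' if ok else 'DENIED'}")
    return ok
```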

2. Out-of-band verification for any MFA change.

Password reset or MFA device enrollment must be confirmed via a separate channel not touched by the caller: a push notification to the existing device, or a physical badge scan at a corporate kiosk. Never via the same channel the "IT support" contacted them on.

3. Restrict helpdesk MFA resets to in-person only (for privileged accounts).

Any employee with access to SSO admin, finance systems, or customer data vaults should be required to present physical ID at a corporate office to reset MFA. Zero exceptions for video call "verification."

Tier 2 — SSO Hardening (Make the Credential Useless Alone)

4. Require FIDO2/passkey (phishing-resistant MFA) for all remote access.

TOTP codes are interceptable via real-time proxy — FIDO2 is bound to the origin domain and cannot be replayed. Mandate hardware keys (YubiKey, Google Titan) or platform passkeys for all remote SSO access. This alone would have stopped the ADT breach.

5. Conditional Access: enforce device compliance + location risk scoring.

New device + unusual country + recent helpdesk ticket = automatic access block pending L2 review. Implement this as a Conditional Access policy in Okta/Entra with risk signals from your MDM (Jamf/Intune) and your SIEM.

6. Device enrollment lockdown.

Disable self-service MFA enrollment entirely. Route all enrollment through an IT-controlled workflow requiring manager approval + existing device confirmation. Audit active enrolled devices quarterly; revoke anything not seen in 30 days.

7. SSO session binding.

Bind SSO session tokens to original client IP and device fingerprint. Any token presented from a different IP/device invalidates the session — even if the token itself is valid.
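An added example of the session binding in item 7, not part of the playbook: the issuer MACs the subject, expiry and a hash of the client IP plus device fingerprint into the token, so a token replayed from another client fails validation even though its signature is intact (the key handling and the fingerprint input are assumptions).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key; in production this lives in a KMS/HSM.
SERVER_KEY = secrets.token_bytes(32)

def _binding(ip, device):
    # Hash the binding context so the token never carries it in plaintext
    return hashlib.sha256(f"{ip}|{device}".encode()).hexdigest()

def mint_session(user, ip, device, ttl=3600, key=SERVER_KEY, now=None):
    """Issue a token whose MAC covers the user, expiry and client binding."""
    now = int(now if now is not None else time.time())
    payload = {"sub": user, "exp": now + ttl, "bind": _binding(ip, device)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def validate_session(token, ip, device, key=SERVER_KEY, now=None):
    """Return the subject if the token is intact, unexpired and presented from
    the IP/device it was issued to; otherwise None (caller revokes + alerts)."""
    now = int(now if now is not None else time.time())
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None  # malformed
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= now:
        return None  # expired
    if not hmac.compare_digest(payload["bind"], _binding(ip, device)):
        return None  # valid signature, wrong client: replayed token
    return payload["sub"]
```

Binding to a raw IP logs out users whose egress changes mid-session (mobile, VPN), so the device-fingerprint half of the binding is the part that has to carry the weight.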

Tier 3 — BPO / Third-Party Controls

8. Implement Zero Trust for BPO access.

BPO helpdesk staff should never have standing access to your identity provider admin console. Use just-in-time (JIT) access via a PAM solution (CyberArk, BeyondTrust) with time-boxed, session-recorded access for each ticket.

9. Contractual security requirements for BPO vendors.

Mandate phishing-resistant MFA, background checks for staff with customer data access, and quarterly social engineering simulation exercises. Include audit rights in contracts.

10. Separate helpdesk credentials from production SSO.

BPO agents should authenticate to a dedicated support portal with its own credential silo — not via the same Okta tenant that controls production SaaS access.

Tier 4 — Detection and Response Infrastructure

11. Deploy an identity threat detection and response (ITDR) platform.

Vendors like Semperis, Silverfort, and Tenable Identity Security provide behavioral baselines for identity systems and alert on anomalous enrollment, lateral movement, and privilege escalation patterns in near-real-time.

12. Red team your helpdesk quarterly.

Commission social engineering exercises specifically targeting your helpdesk and BPO vendors. Test whether callers can reset MFA without proper verification. Make failure rates a tracked metric tied to security budget.


IOCs / Indicators

Domain patterns (UNC6783, as of April 2026):

*.zendesk-support[0-9]{2}.com
*.okta-helpdesk[0-9]{2}.com
*.okta-verify-[a-z0-9]{6}.com

Fake security update package hashes (partial, from GTIG report):

SHA256: e3b0c44298fc1c149afb — placeholder IOC; check GTIG advisory for actuals

ProtonMail domains used for ransom notes (UNC6783):

MITRE ATT&CK techniques:

  • T1566.004 — Phishing: Spearphishing via Service (live chat)
  • T1621 — Multi-Factor Authentication Request Generation
  • T1556.006 — Modify Authentication Process: Multi-Factor Authentication
  • T1078 — Valid Accounts
  • T1530 — Data from Cloud Storage

Lyrie Take

The vishing-to-SSO attack class represents a fundamental category shift: the attacker never touches your infrastructure until after the identity layer has been compromised. There is no CVE to patch, no exploit to block at the firewall, no signature to write for your EDR.

This is why Lyrie's detection architecture operates at the identity behavior layer — not just the endpoint. When a new authenticator enrolls seconds after a credential is validated from a new ASN, that is a machine-speed signal. A human analyst reviewing SIEM tickets 20 minutes later is already too late. The session is open, the export API is running, the data is leaving.

The defensive equation is simple: make the social engineering attack fail before the credential is ever entered. Phishing-resistant MFA (FIDO2) at the SSO layer, combined with out-of-band verification for any enrollment action, eliminates the real-time proxy intercept technique entirely. Every group in this report — UNC6783, BlackFile, ShinyHunters, Scattered Spider — would have been stopped cold against a target running FIDO2 + device-bound enrollment.

The ADT breach will cost tens of millions in regulatory penalties, litigation, and remediation. A YubiKey costs $50 per seat.


Defender Playbook (Quick Reference)

Immediate (24h):

  • [ ] Audit all MFA device enrollments in last 30 days; revoke unknown devices
  • [ ] Enable Okta/Entra risk-based access policies blocking new-device sessions from unrecognized ASNs
  • [ ] Add DNS RPZ blocks for *.zendesk-support[0-9]+.com and similar patterns
  • [ ] Brief helpdesk staff: no MFA resets via phone without caller verification code

Short-term (30 days):

  • [ ] Mandate FIDO2/passkeys for all remote SSO access
  • [ ] Deploy JIT access for BPO vendors via PAM solution
  • [ ] Implement out-of-band enrollment confirmation (existing device push or in-person)
  • [ ] Commission helpdesk social engineering red team exercise

Medium-term (90 days):

  • [ ] Deploy ITDR platform with identity behavior baselining
  • [ ] Implement device compliance Conditional Access for all SSO applications
  • [ ] Review BPO contracts for security requirements and audit rights
  • [ ] Add bulk export anomaly detection to SIEM with automatic block

Sources

1. Google Threat Intelligence Group — UNC6783 BPO/Helpdesk Advisory, April 9, 2026: https://www.infosecurity-magazine.com/news/google-warns-group-targeting-bpos/

2. Unit 42 — BlackFile Extortion Group / CL-CRI-1116 Vishing Surge, April 24, 2026: https://we-fix-pc.com/2026/04/24/new-blackfile-extortion-group-linked-to-surge-of-vishing-attacks/

3. Help Net Security — Scattered Spider Member Pleads Guilty, April 21, 2026: https://www.helpnetsecurity.com/2026/04/21/british-national-scattered-spider-guilty-sms-phishing/

4. GBHackers — Fake Helpdesk Attack Using Teams and Quick Assist: https://gbhackers.com/fake-helpdesk-attack/

5. MITRE ATT&CK — T1621 MFA Request Generation: https://attack.mitre.org/techniques/T1621/

6. MITRE ATT&CK — T1556.006 Modify Authentication Process: https://attack.mitre.org/techniques/T1556/006/

7. Okta Security Advisory — Phishing-Resistant MFA Best Practices: https://security.okta.com/

8. Wikipedia — ShinyHunters, 2026 SSO campaign: https://en.wikipedia.org/wiki/ShinyHunters


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.