Security teams have implemented many things correctly over the last few years. MFA adoption is up. SSO is standard. Identity providers are richer in telemetry than ever.
Yet, vishing-based compromise keeps working, because it doesn’t need malware or an exploit. It needs a person to do a reasonable thing at the wrong moment.
In late January 2026, Mandiant research described ShinyHunters-branded activity using voice phishing (vishing) and victim-branded credential harvesting to capture SSO credentials and MFA codes, then pivot into SaaS platforms to steal data for extortion. The Hacker News summary is equally direct. This is how the combination of identity, human process and token/session abuse can lead to data theft.
What happened in the ShinyHunters vishing campaigns?
At a high level, the attack path is simple: A phone call creates the authenticated access.
Mandiant reports that threat actors:
- Call employees while impersonating IT, often claiming an MFA update is required.
- Direct victims to realistic, victim-branded credential harvesting sites to capture SSO credentials and MFA codes.
- In some cases, enroll attacker-controlled devices into the victim’s MFA solution.
- Then pivot into SaaS applications and use native capabilities to gather sensitive data for extortion, as detailed in Mandiant’s research.
For defenders, in the early moments, a lot of the activity can look “valid,” such as correct credentials, correct MFA flow, and a real session.
Why MFA and SSO don’t stop vishing/phishing attacks
MFA is a workflow that includes a user.
If an attacker can persuade someone to share a code, approve a prompt, or follow a link during a high-pressure call, the attacker can obtain a session and operate through authenticated SaaS authorisation paths. That’s why this isn’t best described as “MFA failed.” It’s closer to: MFA was successfully used—by the attacker—because the user was convinced to participate.
This is also why Mandiant's guidance recommends moving toward phishing-resistant MFA (for example, passkeys or FIDO2 security keys), because push-based and SMS-based methods are more susceptible to social engineering in real environments.
The pattern to watch: From vishing to SaaS-native data theft
The initial access method matters, but the breach outcome is decided by what happens next.
In these incidents, the common progression looks like:
- Vishing creates urgency (“IT needs you to update MFA”)
- Credential harvesting captures SSO + MFA
- Device enrollment / factor changes create durability
- Sessions and tokens enable “normal-looking” access
- SaaS-native actions drive data loss (exports, bulk downloads, OAuth authorisations, admin changes)
Mandiant's guidance (hardening, logging, detections)
Mandiant's guidance is clear about two things: these incidents aren’t driven by vendor exploits, and effective defense requires tightening people-driven processes and improving visibility into SaaS-native actions.
The most practical playbook you can scale is containment when you suspect compromise, then hardening, logging, and detections to reduce repeat incidents.
Containment (when you suspect compromise)
Mandiant's guidance recommends prioritising actions that sever access quickly:
- Revoke active sessions and clean up OAuth authorisations across the IdP and SaaS platforms.
- Pause or restrict MFA registration/device enrollment to prevent attackers from enrolling their own device.
- Restrict password resets, especially for administrative accounts, and shift resets to higher-assurance workflows during elevated threat periods.
- Enforce device compliance and restrict IdP/SaaS access to managed, compliant devices and trusted egress where feasible.
Hardening (reduce success rate)
Mandiant's guidance focuses heavily on the human-workflow layer attackers exploit:
- Strengthen help desk verification for password resets and MFA changes, including higher-assurance verification options during heightened risk.
- Move toward phishing-resistant MFA (passkeys/FIDO2), especially for privileged users.
- Reduce exposure from non-human identities (tokens/keys/service accounts) by tightening scope, centralising secrets, restricting where credentials can be used, and baselining expected usage.
Logging and detections (catch SaaS-native exfiltration)
Because attackers often abuse native SaaS features, Mandiant's guidance emphasises visibility into:
- IdP events that show MFA lifecycle changes, unusual sign-ins, and admin/security posture changes.
- SaaS audit sources for OAuth authorisations, bulk exports/downloads, admin changes, and API activity—the behaviors that turn “access” into “data loss.”
In a vishing wave, prioritise session/token revocation, restrict MFA enrollment, implement phishing-resistant MFA for high-risk users, and log OAuth authorisations + bulk export/download activity.
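The progression above (factor change, then authorisation, then bulk data movement) is what the logging guidance lets you catch, so here is an added example of that correlation written as detection logic over audit events. This is illustrative code written for this post, not Mandiant's or Vorlon's, and it assumes a hypothetical normalized event schema (`ts`, `source`, `user`, `event`, `ip`, plus optional `factor`, `app`, `records`) into which IdP and SaaS audit records have already been mapped; the sample events, event names and the 1,000-record bulk threshold are constructed for the example.

```python
"""Correlate IdP and SaaS audit events into the vishing-to-exfil chain.

Added example: a hypothetical normalized schema and constructed events,
not tied to any vendor's API or log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (IdP + SaaS) already mapped to one schema.
# alice: new factor enrolled, then an OAuth app authorised and a bulk export.
# bob:   legitimate FIDO2 enrollment with nothing risky afterwards.
# carol: small export with no preceding factor change.
SAMPLE_EVENTS = [
    {"ts": "2026-01-28T09:02:11Z", "source": "idp", "user": "alice",
     "event": "signin.success", "ip": "203.0.113.7"},
    {"ts": "2026-01-28T09:04:40Z", "source": "idp", "user": "alice",
     "event": "mfa.factor.enrolled", "ip": "203.0.113.7", "factor": "push"},
    {"ts": "2026-01-28T09:31:05Z", "source": "saas", "user": "alice",
     "event": "oauth.app.authorized", "ip": "203.0.113.7", "app": "data-sync-helper"},
    {"ts": "2026-01-28T10:12:52Z", "source": "saas", "user": "alice",
     "event": "export.bulk", "ip": "203.0.113.7", "records": 48000},
    {"ts": "2026-01-28T11:00:00Z", "source": "idp", "user": "bob",
     "event": "signin.success", "ip": "198.51.100.20"},
    {"ts": "2026-01-28T11:03:00Z", "source": "idp", "user": "bob",
     "event": "mfa.factor.enrolled", "ip": "198.51.100.20", "factor": "fido2"},
    {"ts": "2026-01-28T14:00:00Z", "source": "saas", "user": "carol",
     "event": "export.bulk", "ip": "192.0.2.9", "records": 120},
]

# The "durability" stage: changes that give an attacker a lasting foothold.
DURABILITY_EVENTS = {"mfa.factor.enrolled", "mfa.device.enrolled", "password.reset"}
# The "data loss" stage: SaaS-native actions that turn access into theft.
DATA_LOSS_EVENTS = {"oauth.app.authorized", "export.bulk",
                    "download.bulk", "api.token.created"}
WINDOW = timedelta(hours=24)          # assumed correlation window
BULK_RECORD_THRESHOLD = 1000          # assumed baseline; tune per environment


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_data_loss_stage(ev):
    """Exports/downloads count only when they exceed the bulk threshold."""
    if ev["event"] in {"export.bulk", "download.bulk"}:
        return ev.get("records", 0) >= BULK_RECORD_THRESHOLD
    return ev["event"] in DATA_LOSS_EVENTS


def correlate(events, window=WINDOW):
    """Return one alert per user whose factor/device change is followed
    within `window` by an authorisation, token creation or bulk data move."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, anchor in enumerate(evs):
            if anchor["event"] not in DURABILITY_EVENTS:
                continue
            t0 = parse_ts(anchor["ts"])
            followups = [e for e in evs[i + 1:]
                         if is_data_loss_stage(e) and parse_ts(e["ts"]) - t0 <= window]
            if followups:
                alerts.append({
                    "user": user,
                    "anchor": anchor["event"],
                    "anchor_ts": anchor["ts"],
                    "chain": [e["event"] for e in followups],
                    "ips": sorted({anchor["ip"], *[e["ip"] for e in followups]}),
                })
                break   # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: {a['anchor']} at {a['anchor_ts']} "
              f"followed by {a['chain']} from {a['ips']}")
```

The anchor is deliberately the factor or device change rather than the sign-in, because the sign-in in these incidents is a correct password plus a correct MFA code and looks valid on its own; a fresh enrollment followed by an OAuth grant or a large export inside a day is the combination worth paging on, and the contained playbook action (revoke sessions, clean up the authorisation, freeze enrollment) maps directly onto the alert's `chain` and `ips` fields.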
Reality check: Why this is hard in most enterprises
Mandiant's guidance is solid. It’s also a high bar for most organisations to implement quickly, especially where device management is uneven, help desk processes are stretched, and MFA methods are chosen for adoption, not for resilience against social engineering.
My practical takeaway is simple: Education is key. A preventative measure would be “100% effective” if the user was aware of vishing. That sounds obvious, but it’s also the fastest lever most teams can actually pull. Short, repeated training beats an annual slide deck—especially if it teaches one rule people remember under pressure: don’t share MFA codes, don’t approve unexpected prompts, and don’t follow “IT” instructions from an inbound call.
The second reality is “perfect MFA” is not easy to establish across a workforce. A lot of enterprises still rely on SMS/email-based MFA because it’s simple to implement and accessible for less tech-savvy users. Even some large platforms still don’t make stronger MFA options as straightforward as they should.
And yes, monitoring is often post-breach, but in this scenario it applies at the initial step. The practical focus is that once access is granted, you can see and stop suspicious actions happening across your SaaS and AI ecosystem before they turn into data loss.
Mandiant's guidance is the destination. Most teams need an on-ramp to tighten help desk flows, raise vishing awareness, and improve visibility into SaaS actions so “one fooled user” doesn’t become a full-ecosystem incident.
A realistic 60-day starting point (what most teams can actually do)
If you’re not in a position to roll out phishing-resistant MFA everywhere tomorrow, you can still reduce risk quickly with a small set of operational changes.
- Run vishing-specific micro-training: Keep it short. Repeat it. Teach one rule and one reporting path.
- Harden the help desk path for resets and MFA changes: Treat password resets and MFA enrollment as high-risk actions. Add verification steps during “shields up” periods, consistent with Mandiant's guidance.
- Tighten controls around OAuth authorisations and app access: In these campaigns, authorisation and token paths matter. Make new authorisations visible and reviewable.
- Improve logging for SaaS-native exfil paths: Bulk exports, bulk downloads, and abnormal API usage are the “data loss” moments. If you can’t see them, you can’t contain them.
- Write the containment playbook now: Decide in advance how you will revoke sessions and OAuth authorisations, and who owns which actions across the IdP and core SaaS applications.
When MFA fails, Vorlon steps in
Once an attacker has a valid session, the risk shifts from “can they get in?” to “what can they do across the ecosystem, and how fast can we stop it?”
Vorlon provides an ecosystem visibility layer that helps security teams map, monitor, and control sensitive activity across interconnected SaaS and AI environments. On the platform side, this shows up as fast ecosystem visibility and risk detection across applications and an approach built around mapping and monitoring the ecosystem connections where sensitive data moves.
Concretely, Vorlon helps teams:
- Identify: Understand which third-party apps, AI tools, and integrations touch core SaaS data.
- Detect: Spot high-signal events like new authorisations/tokens, abnormal API behavior, and sensitive actions that indicate data theft.
- Respond: Contain faster with actionable context and drive token/app revocation workflows through existing processes.
Your best bet to combat MFA vishing attacks
Vishing will continue because it works. And “perfect MFA” is hard to establish across a real workforce.
So the goal isn’t to bet everything on one control. It’s to combine education that reduces vishing success, stronger authentication where feasible, and ecosystem-wide visibility so suspicious activity inside SaaS applications doesn’t quietly become data loss.