

Ethical Hacking News

A Threat Actor's Sophisticated Evasion Tactics: A Deep Dive into UNC6671



A newly tracked threat actor, UNC6671, pairs credential phishing of Microsoft 365 and Okta single sign-on (SSO) with scripted, API-driven data theft and extortion. The actor does not rely on software vulnerabilities: it captures SSO credentials through lookalike login pages, then uses scripting engines and the SaaS platforms' own APIs to pull large volumes of data at high speed, which makes it a significant concern for organizations that rely on cloud-based services.

  • UNC6671 gains access to Microsoft 365 and Okta environments by phishing SSO credentials rather than exploiting software vulnerabilities, and uses scripted, API-based access that blends in with normal client traffic.
  • Victims are redirected to a lookalike subdomain mirroring the organization's SSO portal; credentials entered there are captured and relayed to the legitimate SSO provider in real time, which is how the actor gets past MFA.
  • With a valid SSO session, UNC6671 moves laterally across the user's SaaS applications (SharePoint, OneDrive, Zendesk, Salesforce) to steal data.
  • Collection is automated with scripting engines and APIs, including Python scripts that harvest high-value data from SharePoint and OneDrive; in one case more than a million files were downloaded from a single remote IP address.
  • The actor runs targeted extortion campaigns that open with demands in the millions of dollars and escalates pressure (spam campaigns, swatting) when met with silence or resistance.



  • Real-Time MFA Interception: A New Paradigm for Threat Actors to Evade Detection
    In a recent Google Cloud threat intelligence report (linked under Related Information below), analysts documented the tactics, techniques, and procedures (TTPs) of a threat actor tracked as UNC6671. The actor's access does not depend on software vulnerabilities; it phishes cloud SSO credentials and then abuses legitimate APIs, which has significant implications for organizations that rely on Microsoft 365 and Okta.

    The intrusion follows a rapid, procedural lifecycle. The victim is first lured to a lookalike subdomain that mirrors the organization's single sign-on (SSO) portal. Credentials entered there are captured and relayed to the legitimate SSO provider in real time, while the victim is still interacting with the page, so the MFA step the victim completes for the real provider serves the attacker's session rather than protecting the account.
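    The lookalike-subdomain step can be screened for with a plain allowlist check over hostnames seen in web-proxy or DNS logs: anything whose registrable domain the organization does not own, but whose labels mimic the organization's brand or its identity provider, is suspect. The following is an added example written for this article, not code from the article or from the report it summarizes; the organization (example.com), its Okta tenant, the brand tokens, the observed hostnames and the deliberately tiny public-suffix set are all constructed assumptions.

```python
"""Flag lookalike SSO hostnames: a hostname that mirrors an organisation's SSO
portal name but sits under a registrable domain the organisation does not control.

Added example, not code from the article or from the underlying report.  The
legitimate portals, brand tokens and candidate hostnames are constructed for
illustration; PUBLIC_SUFFIXES is an assumption standing in for the real
Public Suffix List.
"""

# Assumption: a handful of suffixes.  Use the real Public Suffix List in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain: the public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer (two-label) suffix first, e.g. co.uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def classify_host(host: str, own_apexes, idp_hosts, brand_tokens) -> str:
    """'legit' if the host is under an apex we own, or is (or is beneath) one of
    our identity-provider hostnames; 'lookalike' if it is not, yet one of its
    labels contains our brand or IdP name; 'unrelated' otherwise."""
    h = host.lower().rstrip(".")
    if registrable_domain(h) in {a.lower() for a in own_apexes}:
        return "legit"
    idps = [i.lower() for i in idp_hosts]
    if any(h == i or h.endswith("." + i) for i in idps):
        return "legit"
    labels = h.split(".")
    for tok in (t.lower() for t in brand_tokens):
        # substring match on each label catches "example.okta-login.com",
        # "sso-example.co.uk" and "sso.example.com.attacker.net" alike
        if any(tok in label for label in labels):
            return "lookalike"
    return "unrelated"


def find_lookalikes(hosts, own_apexes, idp_hosts, brand_tokens):
    """All observed hosts classified as lookalikes, in a stable order."""
    return sorted(h for h in hosts
                  if classify_host(h, own_apexes, idp_hosts, brand_tokens) == "lookalike")


# Constructed configuration and observations for example.com, an Okta customer.
OWN_APEXES = ["example.com"]
IDP_HOSTS = ["example.okta.com", "login.microsoftonline.com"]
BRAND_TOKENS = ["example", "okta"]
OBSERVED_HOSTS = [
    "sso.example.com",                # our real portal
    "example.okta.com",               # our Okta tenant
    "example.okta-login.com",         # brand as subdomain of an unowned apex
    "sso.example.com.verify-id.net",  # full legit hostname prefixed to attacker domain
    "sso-example.co.uk",              # brand fused into the apex label
    "news.bbc.co.uk",                 # unrelated traffic
]

if __name__ == "__main__":
    for h in find_lookalikes(OBSERVED_HOSTS, OWN_APEXES, IDP_HOSTS, BRAND_TOKENS):
        print("lookalike:", h)
```

    Substring matching on labels is intentionally loose, so a token such as "example" will also fire on hosts like counterexample.org; tune the tokens to the organization's actual portal names and review hits rather than blocking on them automatically.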

    Once it holds a valid SSO session, UNC6671 moves laterally across the user's SaaS applications to enable data theft. The operators focus on Microsoft 365 and Okta environments, using the compromised account to reach SharePoint, OneDrive, and other SSO-connected applications such as Zendesk and Salesforce.

    Lateral movement and collection are automated with scripting engines and the platforms' APIs. In several cases the actors used Python scripts to harvest high-value data from SharePoint and OneDrive; because the requests look like ordinary web-client fetches, they are easy for a security operations center (SOC) to miss.

    One concrete example is the use of the python-requests library and PowerShell to issue direct HTTP GET requests against document resource URLs. Fetching the resource directly lets the actor "stream" file content to attacker-controlled infrastructure, and it bypasses detections keyed solely on FileDownloaded events.

    Analysis of Microsoft 365 Unified Audit Log (UAL) telemetry showed several consistent forensic indicators of UNC6671 activity, including clear evidence of scripted exfiltration. The most useful is a User-Agent mismatch: the actor spoofed the ClientAppId for "Microsoft Office" to pass basic conditional access filters, but the recorded UserAgent strings still identified scripting engines such as python-requests/2.28.1 or WindowsPowerShell/5.1. Defenders should therefore compare the claimed application identity with the UserAgent rather than trusting either field on its own.

    The speed and scale of the exfiltration also reflect its automated nature. In one case the actor ran its Python script from a single remote IP address to access and download more than a million individual files from a victim's SharePoint and OneDrive environments.
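    The two telemetry signals above, the User-Agent mismatch and the rate and volume of file access from one source, can be checked together over a UAL export. The following is an added example written for this article, not code from the article or from the underlying report. The records are constructed to resemble UAL SharePoint events; the ClientAppId field name follows the article's description, and the "Microsoft Office" label and the burst threshold of 50 content operations in 60 seconds are assumptions chosen for illustration.

```python
"""Detect scripted SharePoint/OneDrive exfiltration in Microsoft 365 Unified
Audit Log (UAL) records: (1) an application identity that claims an Office
client while the UserAgent names a scripting engine, and (2) bursts of file
content operations from one user/IP pair.

Added example, not code from the article or from the underlying report.  The
sample records are constructed; ClientAppId, the "Microsoft Office" label and
the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings that identify a scripting engine in a UserAgent string.
SCRIPT_UA_MARKERS = ("python-requests", "windowspowershell", "python-urllib", "curl/")

# Operations that move file content to the client.  FileAccessed is included on
# purpose: a direct GET of a document URL need not produce FileDownloaded.
CONTENT_OPS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull"}


def parse_time(value: str) -> datetime:
    """UAL CreationTime is ISO-8601 UTC, sometimes with a trailing 'Z'."""
    return datetime.fromisoformat(value.rstrip("Z"))


def is_scripted_ua(user_agent: str) -> bool:
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in SCRIPT_UA_MARKERS)


def has_ua_mismatch(record: dict) -> bool:
    """Claimed client is an Office application but the UserAgent is a script."""
    claimed_office = record.get("ClientAppId", "").startswith("Microsoft Office")
    return claimed_office and is_scripted_ua(record.get("UserAgent", ""))


def find_bursts(records, window=timedelta(seconds=60), threshold=50):
    """For each (UserId, ClientIP) pair, compute the peak number of content
    operations inside any sliding window and report pairs at or above threshold."""
    stamps_by_key = defaultdict(list)
    for r in records:
        if r.get("Operation") in CONTENT_OPS:
            stamps_by_key[(r["UserId"], r["ClientIP"])].append(parse_time(r["CreationTime"]))
    bursts = []
    for (user, ip), stamps in stamps_by_key.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):        # two-pointer sliding window
            while t - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            bursts.append({"UserId": user, "ClientIP": ip,
                           "peak_in_window": peak, "total_ops": len(stamps)})
    return bursts


def analyse(records):
    return {
        "ua_mismatches": [r for r in records if has_ua_mismatch(r)],
        "bursts": find_bursts(records),
    }


def build_sample_records():
    """Constructed sample: two browser events, a 120-file scripted burst from one
    IP (one GET every 200 ms), and a single PowerShell fetch from another IP."""
    base = datetime(2026, 5, 1, 9, 0, 0)

    def rec(offset, user, ip, app, ua, op="FileAccessed", doc="report.docx"):
        return {
            "CreationTime": (base + offset).isoformat(),
            "Operation": op,
            "UserId": user,
            "ClientIP": ip,
            "ClientAppId": app,
            "UserAgent": ua,
            "ObjectId": f"https://example.sharepoint.com/sites/finance/Shared Documents/{doc}",
        }

    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0"
    records = [
        rec(timedelta(minutes=0), "alice@example.com", "192.0.2.10", "Microsoft Office", browser),
        rec(timedelta(minutes=5), "alice@example.com", "192.0.2.10", "Microsoft Office", browser,
            op="FileDownloaded"),
    ]
    records += [
        rec(timedelta(milliseconds=200 * i), "victim@example.com", "203.0.113.45",
            "Microsoft Office", "python-requests/2.28.1", doc=f"doc{i}.docx")
        for i in range(120)
    ]
    records.append(rec(timedelta(minutes=2), "victim@example.com", "198.51.100.7",
                       "Microsoft Office", "WindowsPowerShell/5.1"))
    return records


if __name__ == "__main__":
    result = analyse(build_sample_records())
    print(f"{len(result['ua_mismatches'])} records with User-Agent mismatch")
    for b in result["bursts"]:
        print(f"burst: {b['UserId']} from {b['ClientIP']}: "
              f"{b['peak_in_window']} content operations within 60s")
```

    The burst check deliberately counts FileAccessed alongside FileDownloaded, because a direct GET of the document URL is exactly the case a FileDownloaded-only rule misses; on real exports, replace the sample with records from Search-UnifiedAuditLog or the Office 365 Management Activity API and tune the threshold to the tenant's baseline.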

    Beyond evasion, UNC6671 runs highly targeted extortion campaigns. Negotiations typically open with demands in the millions of dollars, but the operators often pivot to low six-figure demands once the victim engages. When met with silence or resistance, the group escalates aggressively, using tactics such as spam campaigns and swatting.

    In summary, UNC6671 is a capable actor whose tradecraft rests on phishing SSO credentials in real time and then abusing legitimate SaaS APIs with scripting engines, not on software exploits. That combination lets it exfiltrate massive volumes of data quickly while producing telemetry that looks like ordinary client activity unless the claimed application identity and the User-Agent are compared, which makes it a significant concern for organizations that rely on cloud-based services.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Threat-Actors-Sophisticated-Evasion-Tactics-A-Deep-Dive-into-UNC6671-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/


  • Published: Fri May 15 13:20:26 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News. All rights reserved.
