Welcome to BlackFile: Inside a Vishing Extortion Operation
The BlackFile threat actor, operating under the designation UNC6671, is conducting a sophisticated vishing and SSO compromise campaign targeting Microsoft 365 and Okta infrastructure. The actor uses adversary-in-the-middle (AiTM) techniques to bypass MFA and other defenses, and leverages Python and PowerShell scripts to exfiltrate sensitive data. The campaign highlights the importance of phishing-resistant MFA and social engineering awareness. Organizations should be aware of these tactics and take steps to protect their identity platforms; defenders can use the provided guidance to detect and mitigate these threats.