BlackFile Extortion Gang Targets Organizations via Voice Phishing

A threat group called UNC6671, operating under the 'BlackFile' brand, is conducting a large-scale extortion campaign targeting organizations across North America, Australia, and the UK. The group uses sophisticated voice phishing (vishing) and SSO compromise techniques combined with adversary-in-the-middle attacks to bypass multi-factor authentication and gain access to cloud environments, particularly Microsoft 365 and Okta systems. They use Python and PowerShell scripts to steal corporate data for extortion purposes. Since emerging in early 2026, the group has maintained a high operational tempo. Security experts emphasize that these attacks exploit social engineering rather than vendor vulnerabilities, highlighting the need for phishing-resistant authentication methods. Source: Google Threat Intelligence Group.
Original reporting by RSS: Mandiant Blog. We only summarise, never republish.