ShinyHunters' New SSO Tricks and Why Traditional MFA Isn't Enough Anymore

I’ve been digging through this week’s security news, and there’s one story that really caught my attention – not just because it’s technically interesting, but because it shows how attackers are getting frighteningly good at bypassing what we thought were solid defenses.

Mandiant’s latest research describes a ShinyHunters campaign targeting SSO credentials through voice phishing and company-branded phishing sites. What makes it particularly concerning is that they are not just stealing passwords: they capture the MFA code in real time, relay it to the legitimate identity provider before it expires, and use the resulting session to get into cloud environments.

The SSO Problem We Didn’t See Coming

Here’s what’s happening: attackers stand up convincing replicas of company login pages, complete with proper branding and valid TLS certificates, so the padlock looks right. When an employee enters their credentials and gets the MFA prompt on their phone, they type the code straight into the attacker’s page. The attacker immediately submits the username, password and still-valid code to the real SSO provider, often within seconds, and the provider has no way to tell that the code arrived via a relay: a one-time code is just digits, bound to a time window but not to the site it was typed into.

This isn’t your typical credential stuffing attack. These groups do their homework, researching target companies and building phishing infrastructure specific to each one. The voice phishing component adds a second social-engineering channel: a live caller talking the employee through the login makes the fake page, and the MFA prompt that follows, feel expected rather than suspicious.

What really worries me is how this exposes a fundamental assumption we’ve made about MFA. We’ve been telling people for years that MFA makes them safe, but the assumption behind that advice is that a second factor proves the legitimate user is at the keyboard. A code the user can read and retype, or a push the user can be talked into approving, proves no such thing; to these attackers it is simply another value to capture and relay.
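To make the difference concrete, here is an added example (mine, not code from the article or from Mandiant) that models both halves of the story: a TOTP code captured on a phishing page and relayed a few seconds later is accepted by the real identity provider, while a WebAuthn assertion captured the same way is rejected, because the browser writes the page’s origin into the signed client data and refuses to use another site’s RP ID. The TOTP code is the real RFC 4226/6238 algorithm; the WebAuthn part is a simplified model in which the authenticator signature is replaced by an HMAC with a per-credential key (real authenticators use ECDSA or Ed25519), and all secrets, origins and challenges are constructed.

```python
"""Relayed TOTP is accepted, relayed WebAuthn is not. Added illustrative model,
not from the article; secrets, origins and the HMAC stand-in for the
authenticator signature are constructed for the example."""
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# --- TOTP (RFC 4226 / RFC 6238 algorithm): the factor the phishing page captures ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)

def idp_verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """IdPs accept the adjacent windows too; that slack is the attacker's relay budget."""
    return any(hmac.compare_digest(code, hotp(secret, now // step + d))
               for d in range(-skew, skew + 1))

def relay_totp_attack(secret: bytes, phished_at: int, relay_delay_s: int) -> bool:
    """Victim types the code into the phishing page at phished_at; the attacker
    submits it to the real IdP relay_delay_s later. Nothing ties the code to a site."""
    code_seen_by_attacker = totp(secret, phished_at)
    return idp_verify_totp(secret, code_seen_by_attacker, phished_at + relay_delay_s)

# --- WebAuthn assertion, simplified. The browser, not the page, fills in
# clientData.origin and enforces that the requested RP ID is a suffix of the
# page's host; the authenticator signs rpIdHash || sha256(clientDataJSON).
# Signature modelled as HMAC with a per-credential key (constructed stand-in). ---

def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def browser_build_assertion(cred_key: bytes, page_origin: str, rp_id: str, challenge: str) -> dict:
    if not browser_allows_rp_id(page_origin, rp_id):
        raise ValueError("RP ID is not a suffix of the page origin; browser refuses")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}

def rp_verify_assertion(cred_key: bytes, assertion: dict, expected_origin: str,
                        expected_rp_id: str, expected_challenge: str) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:          # relayed from a look-alike domain
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False                                  # signed for a different RP
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(),
                               assertion["sig"])

def demo() -> dict:
    """Constructed secrets and origins. Reports which relays the IdP accepted."""
    totp_secret = b"constructed-totp-seed-not-real"
    phished_at = 1_700_000_000
    cred_key = b"constructed-per-credential-key"
    challenge = "constructed-random-challenge"
    rp_id, real_origin = "corp.example", "https://sso.corp.example"
    phish_origin = "https://sso-corp-example.com"
    legit = browser_build_assertion(cred_key, real_origin, rp_id, challenge)
    # On the phishing page the browser writes the phishing origin into clientData
    # and only permits the phishing site's own RP ID, so the relay fails twice over.
    phished = browser_build_assertion(cred_key, phish_origin, "sso-corp-example.com", challenge)
    try:
        browser_build_assertion(cred_key, phish_origin, rp_id, challenge)
        spoofed_rp_id_blocked = False
    except ValueError:
        spoofed_rp_id_blocked = True
    return {
        "totp_relay_accepted": relay_totp_attack(totp_secret, phished_at, 5),
        "legit_webauthn_accepted": rp_verify_assertion(cred_key, legit, real_origin, rp_id, challenge),
        "relayed_webauthn_accepted": rp_verify_assertion(cred_key, phished, real_origin, rp_id, challenge),
        "spoofed_rp_id_blocked": spoofed_rp_id_blocked,
    }
```

Running `demo()` reports the TOTP relay accepted and the relayed WebAuthn assertion rejected. The point to take away is structural: the OTP verifier only ever sees digits and a clock, whereas the WebAuthn verifier sees the origin the user was actually on, signed by the authenticator, and a look-alike domain cannot produce that signature for the real origin.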

The Ransomware Numbers Tell an Interesting Story

Speaking of evolving threats, ReliaQuest’s Q4 2025 data shows something counterintuitive: ransomware victims increased by 50% even though there are fewer active extortion groups operating.

This suggests the remaining groups are getting more efficient or targeting organizations that are easier to compromise. It could also mean that as law enforcement shuts down some operations, the survivors are absorbing market share and becoming more sophisticated.

From a defense perspective, this tells us that threat intelligence about specific ransomware families is not enough on its own. Brands come and go; the initial-access vectors the surviving groups rely on do not, so that is where the defensive effort belongs, regardless of which payload eventually lands.

Microsoft and SolarWinds: The Patch Tuesday Blues Continue

The emergency patching cycle continues with Microsoft rushing out a fix for an Office zero-day and SolarWinds addressing four critical Web Help Desk vulnerabilities, including unauthenticated RCE and authentication bypass flaws.

The Office vulnerability is particularly nasty because it requires either system access or convincing a user to open a malicious file, and let’s be honest, that second condition isn’t exactly a high bar for most attackers. Email remains the primary attack vector for a reason.

The SolarWinds fixes remind us that help desk software sits in a privileged position in our networks: it typically authenticates against the directory, can act on user accounts, and holds system and asset information. CVE-2025-40536, with its 8.1 CVSS score, is the kind of authentication bypass that can turn a small foothold into domain-wide compromise. If your Web Help Desk instance is reachable from the internet, treat it as exposed until it is patched, and review its access logs from before the patch rather than assuming nobody got there first.

Google Takes Down a Major Proxy Network

In more positive news, Google disrupted the IPIDEA proxy network, one of the largest residential proxy services that was enrolling devices through mobile and desktop SDKs.

This kind of takedown matters because residential proxy networks let attackers exit through ordinary home ISP addresses. IP reputation and ASN-based checks are tuned to flag datacenter and VPN ranges; a login arriving from a residential address in the victim’s own country looks like any other user, so the proxy defeats exactly the signals many detections rely on.

The SDK distribution method is particularly concerning because it means the proxy software was likely bundled with legitimate-looking applications that users willingly installed. This creates a massive network of unwitting participants whose internet connections are being used for potentially malicious purposes.
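The proxy story and the ShinyHunters story meet in the SOC: a relayed login arrives from the attacker’s machine, and a residential proxy is what makes that machine look like a home user. The added example below (mine, not from the article, ReliaQuest or Google) runs two rules over constructed IdP sign-in records: an ASN-only rule that flags hosting ranges, and a device-aware rule that flags a successful MFA sign-in from a device the user has never used. The log format, ASN labels and baseline are all constructed; the point is which rule survives a residential proxy.

```python
"""Added detection example, not from the article: ASN-only vs device-aware
scoring of successful IdP sign-ins over constructed log lines."""
import json
from dataclasses import dataclass

# Constructed sign-in events in the shape of a generic IdP audit log.
# asn_type is the label an IP-intelligence feed would put on the source ASN.
SAMPLE_LOG = """
{"ts":"2026-02-10T08:01:12Z","user":"alice","ip":"203.0.113.10","asn":"AS64500","asn_type":"residential","device_id":"dev-a1","mfa":"totp","result":"success"}
{"ts":"2026-02-10T08:03:40Z","user":"bob","ip":"198.51.100.77","asn":"AS64501","asn_type":"hosting","device_id":"dev-unknown-1","mfa":"totp","result":"success"}
{"ts":"2026-02-10T08:05:02Z","user":"carol","ip":"192.0.2.88","asn":"AS64502","asn_type":"residential","device_id":"dev-unknown-2","mfa":"totp","result":"success"}
{"ts":"2026-02-10T08:06:30Z","user":"dave","ip":"192.0.2.15","asn":"AS64503","asn_type":"residential","device_id":"dev-d9","mfa":"totp","result":"failure"}
"""

# Constructed per-user baseline: devices and ASNs seen over the prior 30 days.
BASELINE = {
    "alice": {"devices": {"dev-a1"}, "asns": {"AS64500"}},
    "bob":   {"devices": {"dev-b2"}, "asns": {"AS64510"}},
    "carol": {"devices": {"dev-c3"}, "asns": {"AS64520"}},
    "dave":  {"devices": {"dev-d9"}, "asns": {"AS64503"}},
}

@dataclass
class SignIn:
    ts: str
    user: str
    ip: str
    asn: str
    asn_type: str
    device_id: str
    mfa: str
    result: str

def parse_log(text: str) -> list:
    return [SignIn(**json.loads(line)) for line in text.strip().splitlines() if line.strip()]

def asn_only_alert(ev: SignIn) -> bool:
    """Rule 1: successful MFA sign-in from a hosting/datacenter ASN. Cheap, and
    the first thing a residential proxy is rented to defeat."""
    return ev.result == "success" and ev.asn_type == "hosting"

def device_aware_alert(ev: SignIn, baseline: dict) -> bool:
    """Rule 2: successful MFA sign-in from a device this user has never used.
    A relayed code lands from the attacker's box whatever IP it exits through,
    so this signal survives the proxy, provided the device identity is something
    the attacker cannot relay (a managed-device certificate, not a cookie)."""
    known = baseline.get(ev.user, {"devices": set()})["devices"]
    return ev.result == "success" and ev.device_id not in known

def triage(log_text: str, baseline: dict) -> dict:
    """Per-user verdict of each rule plus the reasons that fired."""
    out = {}
    for ev in parse_log(log_text):
        reasons = []
        if asn_only_alert(ev):
            reasons.append("hosting ASN")
        if device_aware_alert(ev, baseline):
            reasons.append("unknown device")
        if ev.result == "success" and ev.asn not in baseline.get(ev.user, {"asns": set()})["asns"]:
            reasons.append("new ASN")
        out[ev.user] = {"asn_only": asn_only_alert(ev),
                        "device_aware": device_aware_alert(ev, baseline),
                        "reasons": reasons}
    return out
```

In the constructed data, bob logs in from a hosting ASN and both rules fire; carol logs in from a residential ASN, which is what a proxied attacker looks like, and only the device-aware rule catches her. The caveat matters as much as the rule: if your "device ID" is a browser cookie, an attacker relaying the whole session captures it along with the MFA code, and the rule is blind again. Tie it to something the attacker’s machine cannot present, such as a managed-device certificate.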

What This Means for Our Defenses

Looking at these stories together, I see a few key themes that should influence how we’re thinking about security right now:

First, we need to stop treating MFA as a silver bullet. The ShinyHunters campaign shows that SMS codes, authenticator-app codes and push approvals can all be defeated when the attacker sits in the authentication flow, because each of them is something the user can hand over. We should be pushing harder toward phishing-resistant methods: FIDO2/WebAuthn security keys and passkeys, or certificate-based authentication, where the credential is bound to the legitimate origin and a look-alike domain cannot obtain a usable assertion.

Second, the proxy network disruption reminds us that we need better visibility into the applications and SDKs running in our environments. That innocent-looking mobile app might be contributing to a criminal infrastructure.

Finally, the continued stream of critical vulnerabilities in widely-used software like Office and SolarWinds Web Help Desk reinforces that patch management isn’t just an IT hygiene issue – it’s a critical security control that needs executive attention and adequate resources.

The attackers are clearly adapting faster than many of our traditional defenses. We need to be thinking not just about the specific threats we see today, but about the fundamental assumptions our security controls are built on.

Sources