ZeroFox Intelligence Flash Report - Possible ShinyHunter SSO Phishing Campaign Identified

by Alpha Team

Product Serial: F-2026-01-29b

TLP:CLEAR

In this Flash report, ZeroFox researchers report on actors claiming to be the well-known threat collective “ShinyHunters”, who are reportedly orchestrating extortion-focused voice phishing attacks targeting single sign-on (SSO) accounts.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Key Findings

  • In late January 2026, actors claiming to be the well-known threat collective “ShinyHunters” are reportedly orchestrating extortion-focused voice phishing (vishing) attacks targeting single sign-on (SSO) accounts hosted by Okta, Google, and Microsoft at several major organizations.
  • Concurrently, ZeroFox has observed that a leak site associated with the threat collective “Scattered Lapsus$ Hunters” has recently been renamed to ShinyHunters and lists six organizations as victims.
  • Given that some of the companies listed on the leak site have disclosed intrusions but not exfiltration of sensitive data, it is very likely that the threat actors are advertising either recycled data or data that is not sensitive and is available in open sources.
