Cybersecurity News

The Phisher Is Calling: Inside the Vishing Attacks Breaching the World's Biggest SaaS Environments

Voice phishing is now the #2 breach entry point. Inside the ShinyHunters vishing playbook that hit Salesforce customers, and how to defend your help desk.

Illustration of a voice phishing call leading to a cloud data breach.

The most dangerous phishing attack of 2026 does not arrive in an inbox. It arrives as a friendly phone call from "IT support," and by the time it ends, your CRM is already being copied. Here is how vishing-led SaaS breaches work, why existing defenses cannot hear them, and how to train the one control that can: your people.

The numbers: voice is the new inbox

For years, phishing meant email. That era is measurably changing. According to Mandiant's M-Trends 2026 report, built on more than 500,000 hours of incident-response investigations in 2025, voice phishing surged to 11% of initial infection vectors. That made vishing the second-most common way attackers got in, ahead of email phishing at 6%.

In cloud compromises specifically, vishing was not second. It was first, at 23%, ahead of third-party compromise, stolen credentials, email phishing, and insider threats.

Vishing is now the #1 way cloud environments get breached
Initial infection vectors in cloud compromises, attributed to Mandiant M-Trends 2026 investigations.

The growth curve behind those rankings is steep. CrowdStrike's 2025 Global Threat Report documented a 442% increase in vishing between the first and second half of 2024, and its 2025 Threat Hunting Report found it on pace to double again in 2025. Palo Alto Networks Unit 42 reports social engineering now starts 36% of the incidents it investigates, and the Verizon 2026 DBIR puts the human element in 62% of breaches.

The playbook: one phone call to your CRM

The crews driving these numbers, tracked by Google's Threat Intelligence Group as UNC6040 and better known by their extortion brand ShinyHunters, have refined a single, repeatable play documented in detail by Google.

  1. The call. An attacker phones an employee, often in a call center or an English-speaking branch of a multinational, posing as internal IT support. The pretext is plausible: a VPN problem, an open ticket, an MFA update. Caller ID is spoofed, which the FCC notes is trivially easy.
  2. The "fix." The helpful IT voice walks the victim to a page they have no reason to distrust, such as Salesforce's own connected-app setup screen, and asks them to enter an eight-digit code. That code silently authorizes a malicious OAuth app: a renamed copy of Salesforce's Data Loader tool.
  3. The theft. With an authorized app and a valid token, the attackers bulk-export the CRM through ordinary API calls. No malware. No exploit. Google is explicit that these intrusions "relied on manipulating end users, not exploiting any vulnerability," and Salesforce says the same.
  4. The spread. Harvested credentials open doors to Okta, Microsoft 365, and other connected platforms, where attackers hunt documents labeled "confidential," "vpn," and "salesforce."
  5. The shakedown. Weeks or months later, extortion emails arrive, often demanding bitcoin within 72 hours and signed ShinyHunters.

In January 2026, Google reported the playbook evolving: new clusters now direct victims to convincing fake single sign-on pages branded for the victim's own company, capture the SSO password and MFA code live during the call, then enroll the attacker's own device for MFA. The targeting has expanded beyond Salesforce to SharePoint, Okta, DocuSign, Google Workspace, and Slack, and the extortion has escalated to harassing employees and DDoS attacks against victim websites.

Three years of victims, one technique

Three years of the same phone call: vishing-led breaches, 2023-2026
When Victim(s) What happened
Sep 2023 MGM Resorts & Caesars Help-desk vishing; MFA resets; ransomware; approximately $15M ransom paid.
Apr 2025 Marks & Spencer + Co-op Outsourced help-desk vishing; ransomware; estimated £270-440M impact.
Jun 2025 Google corporate Salesforce UNC6040 vishing; malicious connected app.
Jun 2025 Qantas Call-center vishing; approximately 5.7M customers exposed.
Jul 2025 Allianz Life, Cisco, TransUnion Vishing of CRM users; staff profile data and millions of records exposed.
Aug 2025 Workday Vishing plus smishing; malicious OAuth app on third-party CRM.
Oct 2025 39 organizations named on leak site "Scattered Lapsus$ Hunters" extortion site; FBI seizes BreachForums.
Apr 2026 Instructure (Canvas LMS) Began with September 2025 Salesforce vishing; approximately 275M records claimed.
Sources include Google Cloud Threat Intelligence, company disclosures, and security press.

The through-line is striking. The 2023 MGM Resorts and Caesars breaches began with help-desk vishing. The 2025 Marks & Spencer and Co-op attacks began with calls to an outsourced help desk. The 2025 Salesforce wave swept up Google, Qantas, Allianz Life, Cisco, TransUnion, and Workday. By October 2025 an extortion site listed 39 major brands; by April 2026 the same crews claimed roughly 275 million records from Instructure's Canvas, a breach that began with a September 2025 Salesforce vishing compromise. Even Clorox's much-publicized $380 million lawsuit against its IT provider comes down to one question: why did a help desk reset credentials for a caller who was not who he said he was?

Why your security stack cannot hear a phone call

Every layer of a typical security stack is blind to this attack, by design:

  • Email security sees nothing. There is no email. The lure is a voice, and when a link is involved, it points to login.salesforce.com or microsoftonline.com, domains no filter will ever block.
  • MFA does not fire. In OAuth consent and device-code flows, the sign-in happens at the legitimate identity provider. The victim authenticates for the attacker. Microsoft's reporting on device-code phishing shows victims completing every step on the genuine sign-in page.
  • EDR has nothing to detect. Post-consent exfiltration is authenticated API traffic from an approved app, indistinguishable from a sanctioned integration.
  • The FBI says it plainly. Its September 2025 FLASH advisory warns the malicious-connected-app technique "bypasses many traditional defenses such as MFA, password resets and login monitoring."
  • AI is removing the last tells. The FBI has warned about AI-generated voice messages impersonating senior officials, and Consumer Reports found that four of six leading voice-cloning tools required nothing more than a checkbox to clone anyone's voice.

The defense: harden the help desk, train the human

The good news: the same authorities documenting these attacks agree on what works, and the first item is not a product. It is people. The FBI's FLASH advisory lists its mitigations in order, and number one is: "Train call center employees to recognize and report phishing attempts."

Lock down the identity workflows. CISA and the FBI recommend phishing-resistant FIDO/WebAuthn MFA, which cannot be relayed, fatigued, or read over the phone. Okta's guidance adds help-desk rigor: verify identity visually or via callback to a number on file, and require manager approval and dual authorization before resetting MFA on privileged accounts. Microsoft recommends blocking the device-code flow outright wherever you can.

Lock down the SaaS side. Salesforce's own hardening guidance recommends allowlisting connected apps, restricting who can mass-export with Data Loader, enforcing login IP ranges, and monitoring for large downloads.

Then train for the actual attack. Policies only hold if the person on the phone recognizes the moment they are in. That means practicing against the real thing:

  • Phishing simulations with callback scenarios let employees experience the voice-channel con safely and give security teams visibility into who engages.
  • Security awareness training teaches the specific reflexes this playbook exploits: IT will never ask you to approve a connected app or read back a code; unsolicited "support" calls get a callback through the directory, every time.
  • KillPhish reporting turns every employee into a sensor, so the phishing email that often precedes or follows the call gets reported and triaged in one click.
  • Human risk management scores who is most exposed, including call-center staff, help-desk agents, and admins with export rights, so training concentrates where attackers aim.

Attackers rehearse this phone call every day. With over 4 million users globally, PhishingBox makes sure your people have rehearsed it too. See. Score. Secure.

Sources