Most cyberattacks used to begin with software vulnerabilities. Exploiting bugs, misconfigurations, or outdated systems was the dominant entry point for years. That reality has changed.
Across recent threat intelligence reports from Google and Okta, a clear shift is visible: attackers are no longer primarily breaking into systems. Instead, they are targeting identity itself. In practice, this means they either log in directly using stolen credentials or manipulate users into authenticating for them.
This evolution is particularly visible in modern vishing attacks and broader identity-based intrusions, where technical complexity is low but social engineering is highly refined.
UNC6671 (BlackFile) and the Rise of Vishing Attacks
One of the groups often referenced in this context is UNC6671, also known as BlackFile. Rather than relying on malware or traditional exploits, this group uses something far simpler and often more effective: voice calls. Victims are contacted by individuals pretending to be internal IT support, security teams or administrators. The conversation is carefully designed to create urgency and establish trust, gradually guiding the victim into a controlled authentication process.
From the victim’s perspective, nothing feels unusual. The call appears legitimate, the tone is professional, and the requested actions resemble standard IT procedures. They may be told there is a security issue or login problem, then guided toward a login page that appears to belong to the organization.
In some cases, they are asked to approve multi-factor authentication requests or re-authenticate as part of a supposed verification process. Meanwhile, the attacker synchronizes the conversation in real time with what the victim is seeing on screen, effectively steering both sides of the interaction simultaneously.
How Vishing Attacks Enable Real-Time Adversary-in-the-Middle Access
From the attacker’s perspective, this is not traditional hacking but a live adversary-in-the-middle (AitM) attack, where access is obtained through manipulation rather than exploitation.
What makes this shift particularly important is that attackers are no longer focused on breaking systems. Instead, they abuse functionality that already exists in modern cloud applications and Software-as-a-Service (SaaS) platforms.
SaaS simply means software that runs in the cloud and is accessed through a login, such as email systems, collaboration tools, or identity platforms. Instead of installing software locally, users just sign in through a browser.
In these environments, attackers don’t need to hack the system itself. They only need to abuse how access is granted.
Session tokens can be stolen, allowing attackers to access an account without needing a password.
OAuth permissions can be misused when users unknowingly approve a malicious application, granting access to email, contacts, or cloud storage.
APIs provide another pathway, allowing structured data extraction through legitimate system interfaces.
In more advanced cases, attackers even register their own devices as “trusted devices,” creating long-term access inside the victim’s account.
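The following Python example is an addition to this article, not code from Google's or Okta's reports. It shows how a defender might correlate three of the signals just described: a session token reused from a new address, consent to an unsanctioned OAuth app, and a device enrolled from an address other than the login. The event schema, field names, app names and allowlist are hypothetical, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified schema (not a real IdP log format).
EVENTS = [
    {"ts": "2025-01-10T09:00:00", "user": "alice", "event": "login", "ip": "198.51.100.7", "session": "s1"},
    {"ts": "2025-01-10T09:02:00", "user": "alice", "event": "session_used", "ip": "203.0.113.50", "session": "s1"},
    {"ts": "2025-01-10T09:05:00", "user": "alice", "event": "oauth_consent", "ip": "203.0.113.50", "app": "mail-sync-helper"},
    {"ts": "2025-01-10T09:09:00", "user": "alice", "event": "device_registered", "ip": "203.0.113.50"},
    {"ts": "2025-01-10T10:00:00", "user": "bob", "event": "login", "ip": "198.51.100.9", "session": "s2"},
    {"ts": "2025-01-10T10:01:00", "user": "bob", "event": "session_used", "ip": "198.51.100.9", "session": "s2"},
    {"ts": "2025-01-10T10:03:00", "user": "bob", "event": "oauth_consent", "ip": "198.51.100.9", "app": "corp-calendar"},
]
APPROVED_APPS = {"corp-calendar"}  # assumed allowlist of sanctioned OAuth apps


def find_identity_abuse(events, approved_apps, window=timedelta(minutes=30)):
    """Return (user, finding, timestamp) tuples for the abuse patterns above."""
    findings = []
    session_ip = {}   # session id -> IP it was issued to at login
    last_login = {}   # user -> (time, ip) of most recent interactive login
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user, ip = datetime.fromisoformat(e["ts"]), e["user"], e["ip"]
        kind = e["event"]
        if kind == "login":
            session_ip[e["session"]] = ip
            last_login[user] = (ts, ip)
        elif kind == "session_used":
            # Same token presented from a different address than it was issued to.
            # An IP change alone can be benign (VPN, mobile); treat it as a signal to correlate.
            if session_ip.get(e["session"], ip) != ip:
                findings.append((user, "session_reuse_new_ip", e["ts"]))
        elif kind == "oauth_consent" and e["app"] not in approved_apps:
            findings.append((user, "unapproved_oauth_app:" + e["app"], e["ts"]))
        elif kind == "device_registered":
            login = last_login.get(user)
            # Enrollment shortly after a login, but from a different address than the login.
            if login and ts - login[0] <= window and login[1] != ip:
                findings.append((user, "device_enrolled_from_new_ip", e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in find_identity_abuse(EVENTS, APPROVED_APPS):
        print(finding)
```

Each finding on its own is weak evidence; the value is in seeing several of them stack up on one account within minutes of an unexpected call.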

How Identity Systems Become Attack Targets
In modern cloud-based applications and SaaS environments, attackers no longer focus only on breaking systems directly. Instead, they target the identity layer that controls access.
Because many applications are connected through the same login system, compromising a single account can sometimes unlock access to multiple services at once. In practice, this means that by targeting one person or one authentication flow, attackers may gain access to an entire connected environment.
This is why identity systems have become such valuable targets in modern cyberattacks.
Interestingly, the mechanics behind these attacks are not entirely new. In the crypto ecosystem, similar patterns have existed for years through wallet drain scams, malicious approval requests, and seed phrase phishing attempts.
The overlap is not necessarily in the technical execution, but in the abuse of user authorization and trust. In both cases, attackers avoid directly breaking systems or bypassing encryption. Instead, they manipulate users into granting legitimate access themselves.
In crypto, this may involve signing a malicious transaction or exposing a seed phrase. In cloud and identity-based attacks, it may involve approving an MFA request, authenticating through a fake login flow, or granting access to a malicious application.
Because many cloud services are connected through centralized identity systems, compromising a single trusted account can sometimes provide access to a much larger environment.
Phishing-as-a-Service (PhaaS) and AI Voice Phishing Scams
This convergence is also visible in the rise of phishing-as-a-service, or PhaaS. These kits lower the barrier to entry for attackers by providing ready-made infrastructure for phishing campaigns, including fake login pages, session interception flows, and real-time monitoring dashboards. More advanced variants now combine these tools with live voice-based social engineering.
In these cases, attackers use AI-generated voices to impersonate real people such as IT support, security staff, or even executives. A professional AI voice can now sound highly realistic, with natural tone, pacing, and emotion, making it increasingly difficult for victims to distinguish between real and fake calls.
AI-generated voice technology is accelerating this trend. With only a short audio sample, attackers can now clone voices and use them in real-time calls or pre-recorded messages. This makes impersonation significantly more convincing. The imitation is often still imperfect, but the combination of familiarity, urgency, and trust can mask these imperfections.
The vishing process increasingly resembles a live control system rather than a static phishing attack. Attackers can adjust what the victim sees in real time, simulate authentication steps, and synchronize prompts with the ongoing phone call. This flexibility makes inconsistencies much harder for victims to notice.
Taken together, these developments point to a broader shift in cybercrime: from system exploitation to identity manipulation. The attack surface is no longer just code or infrastructure, but human trust and authentication flows.

How to Defend Against Vishing and Identity-Based Attacks
What makes these attacks particularly dangerous is that victims often do not realize they were compromised until long after access has already been established.
Defending against vishing attacks and SaaS compromise requires a shift in mindset. Treat every login, approval, or access request like a transaction. Verify before you sign. The following steps can help protect you from these attacks:
- Don’t trust urgent login requests
- Don’t approve MFA prompts you didn’t initiate
- Don’t act on phone calls without verifying them
- Always double-check before giving access
Treat identity as the new perimeter. Security is not just about firewalls and blocking network access anymore. It’s about controlling how authentication is granted and verifying every request before trust is given.
FAQ
What is vishing?
Vishing, or voice phishing, is a social engineering attack where attackers use phone calls to manipulate victims into revealing credentials, approving MFA requests, or granting access to accounts and systems.
What is phishing-as-a-service (PhaaS)?
Phishing-as-a-service (PhaaS) refers to ready-made phishing toolkits sold or shared between cybercriminals. These kits often include fake login pages, session interception tools, MFA bypass features, and real-time monitoring dashboards.
Why are identity-based attacks becoming more common?
Modern cloud and SaaS environments rely heavily on centralized login and identity systems. Instead of breaking into systems directly, attackers increasingly target users and authentication flows because compromising one trusted account can sometimes provide access to multiple connected services.