{ "Event": { "analysis": "1", "date": "2026-02-26", "extends_uuid": "", "info": "[Threat Intel] Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation", "protected": false, "publish_timestamp": "1775245814", "published": true, "threat_level_id": "3", "timestamp": "1775245814", "uuid": "5d0ac2ca-1c40-4836-8585-37752539c54c", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#fb3bcd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\"", "relationship_type": "" }, { "colour": "#65d24c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"", "relationship_type": "" }, { "colour": "#62e1b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"", "relationship_type": "" }, { "colour": "#454726", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\"", "relationship_type": "" }, { "colour": "#b206a3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Accounts - T1586\"", "relationship_type": "" }, { "colour": "#c9dbdd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"", "relationship_type": "" }, { "colour": "#08221e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"", "relationship_type": "" }, { "colour": "#2da3e8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Network Information - T1590\"", "relationship_type": "" }, { "colour": "#3d1dab", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Internal Spearphishing - T1534\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#a0d02a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"", "relationship_type": "" }, { "colour": "#6440db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Establish Accounts - T1585\"", "relationship_type": "" }, { "colour": "#cf2da1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Develop Capabilities - T1587\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"ShinyHunters\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Cybercrime\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Scattered Spider\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774004417", "to_ids": false, "type": "link", "uuid": "8c6a0069-ab3f-4473-982f-a37951d50ab1", "value": "https://reliaquest.com/blog/threat-spotlight-shinyhunters-fast-tracks-saas-access-subdomain-impersonation/", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1774004417", "to_ids": false, "type": "text", "uuid": "99e3c1c7-a160-4094-b863-09417c837105", "value": "The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1774004417", "to_ids": false, "type": "text", "uuid": "ce8774e7-5734-45f4-9692-4318924c6d3b", "value": "Name: Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation\nAuthor: AlienVault\nAdversary: ShinyHunters\nTags: [\"saas compromise\", \"crm data abuse\", \"session hijacking\", \"subdomain impersonation\", \"aitm phishing\", \"vishing\", \"identity theft\", \"mobile-first lures\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1592\", \"T1589\", \"T1185\", \"T1584\", \"T1586\", \"T1608\", \"T1528\", \"T1590\", \"T1534\", \"T1566\", \"T1078\", \"T1598\", \"T1585\", \"T1587\"]\nIndustries: [\"Healthcare\", \"Pharmaceutical\", \"Finance\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1774004417", "to_ids": false, "type": "threat-actor", "uuid": "d56df192-0136-4184-bbb6-65d2403d05a5", "value": "ShinyHunters" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238507", "to_ids": true, "type": "domain", "uuid": "df0dd4da-01e9-4bb4-bff0-9ce752145f50", "value": "access-terms.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238529", "to_ids": true, "type": "domain", "uuid": "45bbf16e-f7f1-43fc-8398-be3ebfb2c2c4", "value": "acess-terms.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238550", "to_ids": true, "type": "domain", "uuid": "96a9c853-9766-4fcb-bd4e-fa9e3a2d55ec", "value": "desk-okta.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238571", "to_ids": true, "type": "domain", "uuid": "b75810cc-fe69-4787-a0c5-a0e5d13ebc34", "value": "help-okta.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238592", "to_ids": true, "type": "domain", "uuid": "399d730d-7aa0-4d8a-83b3-cef3edbcc536", "value": "lock-okta.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238613", "to_ids": true, "type": "domain", "uuid": "70c332fa-f9c4-456e-a61f-5f192a3e87db", "value": "okta.domains", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238634", "to_ids": true, "type": "domain", "uuid": "a0896bfa-458e-4ac1-9bfc-117493ac5eac", "value": "okta.guide", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238655", "to_ids": true, "type": "domain", "uuid": "bb73efdb-7248-4cbe-97ed-e559088b3d63", "value": "prod-okta.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238676", "to_ids": true, "type": "domain", "uuid": "c5ff4854-cc39-496c-bfe4-82486efa42d2", "value": "safe-okta.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238698", "to_ids": true, "type": "domain", "uuid": "b9b8d6c2-7858-4226-a3e5-52acfd2a0d03", "value": "setup-okta.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238719", "to_ids": true, "type": "domain", "uuid": "e186b341-9b37-4156-aa30-fed30c23566b", "value": "sso-verify.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775238742", "to_ids": true, "type": "domain", "uuid": "495f237d-ab2d-4cfa-a3c7-d43536edd8b6", "value": "sso.guide", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }