ShinyHunters pivots to subdomain phishing & vishing
ReliaQuest warns that the extortion group ShinyHunters appears to be shifting its social engineering playbook toward branded subdomain impersonation, paired with phone-led phishing that targets single sign-on users on mobile devices.
The shift moves away from newly registered lookalike domains. Instead, attackers use generic registered domains and place the victim organisation's branding in the subdomain, a structure that can evade controls designed to flag suspicious or newly created domains.
ShinyHunters is a financially motivated group linked to data theft and extortion. Recent incidents suggest a focus on identity compromise and access to software-as-a-service platforms, rather than deploying malware inside corporate networks.
Subdomain shift
In earlier campaigns, the group typically used lookalike support domains where the target name appeared in the registered domain. In the newer pattern, the registered domains themselves look routine and include SSO or login-themed wording, with the victim's brand carried only in the subdomain. The approach also lets attackers rotate subdomains quickly for different victims while reusing the same hosting and domain infrastructure.
The blog post cited examples of domains and domain families. It also reported clustered targeting patterns, with some domain families tied to specific sectors and regions.
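The detection gap described above is that a brand-in-subdomain lure sits on an old, generic registered domain, so a newly-registered-domain rule never fires. A defender-side check that splits each hostname into its registered domain and subdomain and flags brand tokens appearing in the subdomain of a domain the organisation does not own is shown below. This is an added example, not code from ReliaQuest or the article; the fictional brand "acme", the allowlist of owned domains, the miniature suffix list and every sample URL are constructed for illustration.

```python
"""Flag hostnames that carry an organisation's brand in the subdomain of an
unrelated registered domain (constructed example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real deployment would
# load the full list so that multi-label suffixes such as "co.uk" split right.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "org.uk"}

# Constructed: the fictional organisation's own registered domains and the
# brand token an attacker would reuse in a lure hostname.
OWN_DOMAINS = {"acme-example.com", "acme-example.co.uk"}
BRAND_TOKENS = ("acme",)


@dataclass
class Hit:
    hostname: str
    registered_domain: str
    subdomain: str
    reason: str


def split_hostname(hostname: str) -> tuple:
    """Return (subdomain, registered_domain) for a hostname.

    Longest known suffix wins, so "x.acme-example.co.uk" yields
    ("x", "acme-example.co.uk") rather than splitting on "uk".
    """
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            registered = ".".join(labels[-(n + 1):])
            subdomain = ".".join(labels[:-(n + 1)])
            return subdomain, registered
    # Unknown suffix: treat the last label as the suffix (toy fallback).
    return ".".join(labels[:-1]), labels[-1]


def classify(url: str) -> Optional[Hit]:
    """Return a Hit when the brand appears outside the organisation's own domains."""
    host = urlsplit(url).hostname or ""
    if not host:
        return None
    subdomain, registered = split_hostname(host)
    if registered in OWN_DOMAINS:
        return None  # genuine organisation host, whatever the subdomain
    # Hyphens are stripped so "acme-sso" and "acmesso" match the same token.
    if any(t in subdomain.replace("-", "") for t in BRAND_TOKENS):
        return Hit(host, registered, subdomain,
                   "brand in subdomain of unrelated registered domain")
    if any(t in registered.replace("-", "") for t in BRAND_TOKENS):
        return Hit(host, registered, subdomain,
                   "brand in registered domain (classic lookalike)")
    return None


def scan(urls: list) -> list:
    """Run classify() over proxy or DNS log URLs and keep the hits."""
    return [h for h in (classify(u) for u in urls) if h is not None]


# Constructed proxy-log URLs; only reserved/fictional domains are used.
SAMPLE_URLS = [
    "https://sso.acme-example.com/login",               # genuine
    "https://acme-sso.example.net/verify",              # brand in subdomain
    "https://acme.login.helpdesk-access.example.org/mfa",  # brand in subdomain
    "https://acme-example.net/login",                   # lookalike registered domain
    "https://www.example.org/",                         # unrelated
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(f"{hit.hostname}: {hit.reason} (registered: {hit.registered_domain})")
```

The check is deliberately independent of domain age: the two subdomain hits above would be missed by a rule that only scores newly registered domains, which is exactly the control the article says this pattern evades. In practice the allowlist and brand tokens come from the organisation's own domain inventory.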
Voice and mobile
The campaign relies on vishing, in which an operator calls an employee using a help-desk or support pretext. The caller then directs the user to an organisation-branded subdomain and guides them through authentication and multi-factor authentication on a mobile device.
The behaviour aligns with adversary-in-the-middle phishing kits, which proxy the login process and capture credentials, MFA challenges and authenticated sessions in real time. Stolen sessions can provide direct access to SaaS applications without the need to install malware.
Mobile-first engagement also changes what defenders can observe. Targets often opened lure URLs from mobile user agents and, in several cases, outside typical corporate network egress. That reduces visibility in corporate DNS filtering, proxy telemetry and managed endpoint tooling.
The blog also noted the use of anti-bot checks. It described observing anti-bot gating consistent with Cloudflare Turnstile during sandboxing, which can deter automated analysis and is now common on phishing-kit infrastructure.
Data reuse
ShinyHunters likely reuses previously exposed datasets from CRM, ERP, HR and productivity platforms. These records can make social engineering more convincing because they include employee names, roles, reporting lines and identifiers. They also support repeat targeting by identifying people who can approve access, reset credentials or re-enrol MFA.
Targets from earlier campaigns continue to appear, including organisations linked to widely reported Salesforce-themed activity. That pattern suggests follow-on targeting rather than one-off campaigns, and increases the risk that older breach data remains useful long after remediation of the initial incident.
Outsourced pressure
ShinyHunters appears to be scaling outreach through paid criminal outsourcing. This includes contractors who follow scripts for phone calls and related tasks, plus disruption services such as email bombing, call flooding and SMS spamming. The blog described recruitment activity in a ShinyHunters Telegram channel, including posts seeking additional voice operators and, in some cases, female callers.
ReliaQuest framed the model as a form of specialisation, with high-volume tasks shifted to contractors while core operators retain more sensitive steps in the intrusion chain. This structure can increase the frequency of social engineering waves and shrink the time available for users and IT teams to spot an attack in progress.
Defensive priorities
The guidance emphasises phishing-resistant MFA, hardened help-desk workflows and stronger identity monitoring. Organisations should prioritise identity and session telemetry and be ready to contain incidents quickly, including the ability to revoke sessions when suspicious logins occur.
It also highlighted the visibility gap created by mobile-driven authentication. Logging and monitoring for mobile sign-ins and sessions becomes more important when the lure and authentication happen off managed endpoints and outside corporate networks.
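The mobile visibility gap and the guidance on identity and session telemetry both come down to triaging sign-in events the endpoint and proxy stack never saw. The following added example (not ReliaQuest's code, and not any identity provider's real log schema) triages constructed sign-in and MFA-reset events: it scores sign-ins from unmanaged mobile user agents, sign-ins outside corporate egress, and sign-ins shortly after a help-desk MFA reset, escalates when signals combine, and lists the session identifiers to revoke. The event fields, corporate ranges (TEST-NET addresses) and sample records are all constructed.

```python
"""Triage sign-in and MFA-reset events for off-network mobile authentication
(constructed example; fields and ranges are assumptions, not a vendor schema)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed corporate egress ranges (RFC 5737 TEST-NET blocks).
CORPORATE_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
MOBILE_MARKERS = ("iphone", "android", "mobile")
RESET_WINDOW = timedelta(hours=2)  # how long after an MFA reset a sign-in stays suspicious


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str                 # "mfa_reset" (help-desk action) or "signin"
    ip: str = ""
    user_agent: str = ""
    session_id: str = ""
    managed_device: bool = False


@dataclass
class Finding:
    user: str
    session_id: str
    reasons: list


def outside_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_EGRESS)


def is_mobile(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(m in ua for m in MOBILE_MARKERS)


def triage(events: list) -> list:
    """Score each sign-in; escalate when two or more signals coincide."""
    last_reset = {}
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "mfa_reset":
            last_reset[e.user] = e.ts
            continue
        if e.kind != "signin":
            continue
        reasons = []
        if is_mobile(e.user_agent) and not e.managed_device:
            reasons.append("unmanaged mobile user agent")
        if outside_corporate(e.ip):
            reasons.append("sign-in outside corporate egress")
        reset_ts = last_reset.get(e.user)
        if reset_ts is not None and e.ts - reset_ts <= RESET_WINDOW:
            reasons.append("within reset window of help-desk MFA reset")
        # A lone off-network or mobile sign-in is routine; the combination is not.
        if len(reasons) >= 2:
            findings.append(Finding(e.user, e.session_id, reasons))
    return findings


def sessions_to_revoke(findings: list) -> list:
    """Session identifiers to revoke at the identity provider."""
    return sorted({f.session_id for f in findings})


IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

# Constructed sample events, already in the shape the triage expects.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 1, 9, 0), "alice", "mfa_reset"),
    Event(datetime(2024, 1, 1, 9, 20), "alice", "signin", "192.0.2.10", IPHONE_UA, "S-1", False),
    Event(datetime(2024, 1, 1, 9, 30), "bob", "signin", "203.0.113.5", DESKTOP_UA, "S-2", True),
    Event(datetime(2024, 1, 1, 10, 0), "carol", "signin", "192.0.2.44",
          "Mozilla/5.0 (Linux; Android 14) Mobile", "S-3", True),
    Event(datetime(2024, 1, 1, 11, 0), "dave", "mfa_reset"),
    Event(datetime(2024, 1, 1, 11, 10), "dave", "signin", "203.0.113.9", DESKTOP_UA, "S-4", True),
    Event(datetime(2024, 1, 1, 12, 0), "eve", "signin", "192.0.2.99", IPHONE_UA, "S-5", False),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.user} session {f.session_id}: {', '.join(f.reasons)}")
    print("revoke:", sessions_to_revoke(found))
```

In the sample data only alice (MFA reset, then an unmanaged iPhone sign-in from outside the network) and eve (unmanaged iPhone, off network) are escalated; carol's managed Android device and dave's on-network sign-in after a reset each carry a single signal and are left alone. The point of the reset window is the help-desk-driven MFA reset path the article names, which endpoint tooling cannot see when the follow-on authentication happens on a phone.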
"Subdomain impersonation paired with social engineering speeds up software-as-a-service (SaaS) compromise through session theft and help-desk-driven MFA resets," said ReliaQuest.
ReliaQuest added that the infrastructure and operating model point to further reuse of shared attacker tooling, disposable subdomains and trusted-looking hosted pages, alongside more mature phishing toolkits that improve live session orchestration and page realism.