The largest vishing campaign of 2026 didn’t exploit a technical vulnerability. It exploited brand trust, turned inward.
In early 2026, Google’s Mandiant began tracking a vishing campaign that was unusual in both its consistency and its reach. The technique was the same in every case: attackers called employees at target organizations, identified themselves as IT support, and directed them to a credential harvesting site that looked exactly like the company’s own single sign-on portal. The domains were victim-branded, following patterns like companynamesso.com and companynameinternal.com, and Okta’s threat intelligence team documented custom phishing kits capable of replicating the authentication flows of identity providers in real time. The employee would enter their credentials and complete the MFA challenge while the attacker, watching the session live, captured the session token on the other end. MFA worked exactly as designed. The attacker simply collected the output.
Silent Push identified over 150 attacker-controlled domains tied to the campaign, most registered in December 2025 in apparent preparation for a coordinated January push. The attackers operated under the ShinyHunters banner, a group Mandiant tracks across multiple threat clusters, and they moved quickly once inside: bulk downloads from SharePoint and OneDrive, targeted keyword searches across Salesforce and Slack, followed by extortion demands with a 72-hour deadline.
The scale of what followed is what makes the campaign worth examining closely. Breach disclosures arrived from Match Group, SoundCloud, Panera Bread, Betterment, Harvard, Crunchbase, Canada Goose, and in March, identity protection firm Aura, whose own employee was vished using the same technique. The victim list is notable less for the names than for their diversity: dating apps, a bakery chain, Ivy League universities, and a company that sells identity theft protection, all compromised by the same playbook. Mandiant eventually estimated the campaign reached over 400 organizations.
Most of the coverage has focused, understandably, on how to harden SSO environments against this kind of attack. What hasn’t received the same attention is the nature of the impersonation itself, and what it means when the brand being weaponized belongs to the victim.
Brand impersonation, inverted
The security industry typically frames brand impersonation as an external threat: attackers spoofing a company’s identity to deceive its customers. That framing shapes how monitoring programs are built, with detection concentrated on customer-facing channels like lookalike domains, fake social media profiles, and fraudulent mobile apps. The underlying assumption is that the brand is being used as a lure to reach people outside the organization.
The ShinyHunters campaign operated on a different axis entirely. The 150-plus domains that Silent Push identified were not customer-facing. They were employee-facing, built to replicate internal SSO portals that only the company’s workforce would recognize. The social engineering was effective not because the impersonation was technically exotic, but because the attacker knew which identity provider the target used, could reproduce its authentication flow in real time, and reinforced the deception with a live phone call from someone who sounded like a colleague. This is brand abuse in a form that most protection programs aren’t scoped to detect, because the impersonation is aimed at the company’s own people rather than the public.
What compounds the damage is the pattern that follows each breach. Most organizations refused to pay ShinyHunters’ extortion demands, and the stolen data was published. Each disclosure then triggered a secondary wave of impersonation that did face outward, as security researchers warned affected users to watch for fake breach notification emails, fraudulent “identity protection” offers, and phishing lures designed to look like legitimate company communications. The initial attack impersonates the brand to employees. The data dump makes headlines. And the aftermath generates a second impersonation wave targeting customers who are now primed to expect urgent communications from the breached company. Each stage exploits a different dimension of the same brand trust, and by the time the customer-facing impersonation begins, the organization is already in crisis mode.
What the campaign reveals about training and authentication
The Aura breach deserves particular attention because of what it implies about the limits of conventional defense. Aura is a company whose entire value proposition is protecting consumers from identity theft, and one of its employees was vished through the same Okta SSO technique that ShinyHunters used against every other target. The attacker had access for roughly an hour before the intrusion was detected and contained. If an organization built around security awareness cannot reliably defend against this technique through training alone, the conclusion is not that Aura’s program was unusually deficient. It’s that vishing introduces dimensions that email-based phishing training was never designed to address: live voice interaction, real-time session manipulation, and infrastructure that looks identical to the real thing because it was built specifically for that employee’s company.
Mandiant, Okta, and every major incident responder involved in this campaign have converged on the same recommendation: phishing-resistant authentication, specifically FIDO2 security keys and passkeys, that cryptographically verify the server being accessed. A hardware key checks the domain before completing the authentication handshake, which means a fake SSO portal fails silently regardless of how convincing it appears to the human sitting in front of it.
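To make the origin-binding point concrete, here is an added toy model (not code from the article, Mandiant or Okta) of the WebAuthn assertion exchange: the relay described earlier fetches a genuine challenge from the identity provider and hands it to the victim’s browser on the lookalike domain, and the security key refuses because the page’s origin does not match the relying party ID the credential was enrolled for. The relying party sso.example-corp.com, the lookalike example-corpsso.com, and the HMAC standing in for the credential’s asymmetric signature are all assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

RP_ID = "sso.example-corp.com"  # hypothetical relying party the security key was enrolled for
ALLOWED_ORIGIN = "https://sso.example-corp.com"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()
_CRED_KEY = secrets.token_bytes(32)  # stand-in for the credential's private key (real FIDO2 uses a key pair)

@dataclass
class Assertion:
    client_data: bytes  # clientDataJSON: type, challenge and the real origin of the page that called WebAuthn
    auth_data: bytes    # authenticatorData: first 32 bytes are SHA-256(rpId)
    signature: bytes    # over auth_data || SHA-256(client_data), so neither can be edited in transit

def browser_get_assertion(page_origin: str, challenge: str) -> Assertion:
    """Browser plus security key: the browser stamps the page's actual origin and enforces rpId scope."""
    host = page_origin.split("://", 1)[1]
    if host != RP_ID and not host.endswith("." + RP_ID):
        raise LookupError(f"no credential usable from {page_origin}")  # lookalike domain: nothing to sign
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = RP_ID_HASH + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash, flags (UP set), sign counter
    sig = hmac.new(_CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return Assertion(client_data, auth_data, sig)

def server_verify(a: Assertion, expected_challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature that binds them."""
    cd = json.loads(a.client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != ALLOWED_ORIGIN or a.auth_data[:32] != RP_ID_HASH:
        return False
    expected = hmac.new(_CRED_KEY, a.auth_data + hashlib.sha256(a.client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, a.signature)

def legitimate_login() -> bool:
    challenge = secrets.token_urlsafe(32)
    return server_verify(browser_get_assertion(ALLOWED_ORIGIN, challenge), challenge)

def relayed_login(lookalike_origin: str) -> bool:
    """AitM flow from the article: a genuine IdP challenge forwarded to the victim's browser on the lookalike."""
    challenge = secrets.token_urlsafe(32)
    try:
        a = browser_get_assertion(lookalike_origin, challenge)
    except LookupError:
        return False  # the key never produces an assertion for the lookalike origin
    return server_verify(a, challenge)  # and if it somehow did, the signed origin would not match
```

A relayed one-time code or push approval has no equivalent of the signed origin field, which is why the same relay passes those factors straight through.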
The Bottom Line
The technique that powered the largest vishing campaign of 2026 succeeded precisely because it could defeat every form of MFA that depends on human judgment. The only reliable defense is one that removes human judgment from the verification process entirely.
Key Takeaways
- ShinyHunters breached over 400 organizations in early 2026 by calling employees, impersonating IT support, and directing them to victim-branded SSO credential harvesting sites that replicated real authentication flows in real time.
- The campaign inverts the traditional brand impersonation model: the brand being spoofed belongs to the victim, and the targets are employees rather than customers.
- Each breach generates a secondary wave of customer-facing brand impersonation as attackers exploit disclosure confusion with fake notifications and phishing lures.
- Phishing-resistant authentication (FIDO2, passkeys) is the only defense that fully neutralizes the technique, because it removes human judgment from the verification process.