Overview
- Google’s threat team said UNC6783 is breaking into business process outsourcers, which run support for other companies, to reach dozens of major firms for data theft and extortion.
- The attackers pose as support over live chat and steer employees to spoofed Okta sign‑in pages hosted on look‑alike domains that mimic a Zendesk pattern such as "[org].zendesk-support[##].com".
- A phishing kit grabs one‑time passcodes by reading the clipboard and then adds the attackers’ own devices to the victim’s account for lasting access.
- Investigators also saw fake security update prompts that install remote‑access malware, with ransom demands later sent from Proton Mail accounts.
- Google and Mandiant urge phishing‑resistant MFA with hardware keys, close monitoring of live chat, blocking Zendesk‑style look‑alike domains, and routine audits of new MFA device enrollments.
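As an added illustration of the last two defensive recommendations (this is example code written for this summary, not tooling from Google or Mandiant), the script below matches proxy-log destinations against the reported "[org].zendesk-support[##].com" look-alike shape and cross-references them with new MFA factor enrollments from an identity-provider audit log. The log formats, the `factor_enrolled` event name, the user names and the timestamps are all constructed for the example; real Okta or proxy logs would need their own parsers.

```python
"""Triage helper: pair look-alike-domain visits with new MFA enrollments.

Added example for this summary; log layouts and event names are constructed
placeholders, not any vendor's real formats.
"""
import re
from datetime import datetime, timedelta

# Shape of the look-alike domains described in the report. Real Zendesk
# tenants live under zendesk.com, so this hostname pattern is itself the
# indicator; the two-digit suffix is the "[##]" in the reported pattern.
LOOKALIKE_RE = re.compile(r"^(?P<org>[a-z0-9-]+)\.zendesk-support\d{2}\.com$")

# Constructed sample proxy log: "<iso-time> <user> <destination-host>"
PROXY_LOG = """\
2025-01-15T09:02:11Z alice acme.zendesk.com
2025-01-15T09:14:37Z bob acme.zendesk-support03.com
2025-01-15T09:15:02Z bob acme.zendesk-support03.com
2025-01-15T11:40:55Z carol example.okta.com
"""

# Constructed sample IdP audit log: "<iso-time> <user> <event> <detail>"
# ("factor_enrolled" is a placeholder event name, not a real Okta event type)
IDP_LOG = """\
2025-01-15T09:21:48Z bob factor_enrolled totp-ios-device
2025-01-15T10:05:00Z dave factor_enrolled webauthn-yubikey
2025-01-15T12:00:00Z carol login_success -
"""


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in both sample logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_lookalike_domain(host: str) -> bool:
    """True if the host matches the reported zendesk-support look-alike shape."""
    return LOOKALIKE_RE.match(host.rstrip(".").lower()) is not None


def lookalike_visits(proxy_log: str) -> dict:
    """Return {user: earliest time that user reached a look-alike host}."""
    first_seen = {}
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        if is_lookalike_domain(host):
            seen = parse_ts(ts)
            if user not in first_seen or seen < first_seen[user]:
                first_seen[user] = seen
    return first_seen


def new_enrollments(idp_log: str) -> list:
    """Return [(time, user, device-detail)] for every new MFA factor enrollment."""
    found = []
    for line in idp_log.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        if event == "factor_enrolled":
            found.append((parse_ts(ts), user, detail))
    return found


def triage(proxy_log: str, idp_log: str, window: timedelta = timedelta(hours=24)) -> list:
    """Rank enrollments for review.

    An enrollment is 'high' priority when the same user reached a look-alike
    domain within `window` before the enrollment (the sequence the report
    describes: spoofed sign-in page, then attacker device added). Everything
    else is 'review', matching the routine-audit recommendation.
    """
    visits = lookalike_visits(proxy_log)
    findings = []
    for enrolled_at, user, detail in new_enrollments(idp_log):
        visit = visits.get(user)
        suspicious = visit is not None and timedelta(0) <= enrolled_at - visit <= window
        findings.append({
            "user": user,
            "device": detail,
            "enrolled_at": enrolled_at.isoformat(),
            "priority": "high" if suspicious else "review",
            "lookalike_visit": visit.isoformat() if suspicious else None,
        })
    # High-priority findings first; sort is stable so log order is kept otherwise.
    return sorted(findings, key=lambda f: f["priority"] != "high")


if __name__ == "__main__":
    for finding in triage(PROXY_LOG, IDP_LOG):
        print(finding)
```

On the constructed sample, bob's enrollment seven minutes after visiting `acme.zendesk-support03.com` ranks as high priority, while dave's hardware-key enrollment is listed for routine review only. The domain check is deliberately narrow to the reported pattern; a production deny-list would be fed from threat intelligence rather than a single regex.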