
Redact Ransomware/BlackFile Extortion Campaign Targets Hologic and FCCI Insurance via M365/Okta AiTM Attacks

Threat actor UNC6671 (operating under the "BlackFile" brand) is executing sophisticated extortion-only campaigns targeting high-profile entities, including Hologic and FCCI Insurance Group. The campaign utilizes high-volume vishing (voice phishing) to facilitate Adversary-in-the-Middle (AiTM) credential harvesting, allowing the group to bypass Multi-Factor Authentication (MFA) via real-time interception of Push, SMS, or TOTP tokens. Following initial access, the actor performs programmatic, automated exfiltration from Microsoft 365 and Okta environments using Python-based scripts and the Microsoft Graph API to circumvent standard "FileDownloaded" alerts. The objective is the mass theft of PII, PHI, and sensitive corporate data to maximize leverage for high-pressure extortion negotiations.
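A defender-side sketch of how the programmatic access described above could be surfaced when "FileDownloaded" alerts stay quiet (an added example, not from the original report): it counts distinct files read per user by scripted clients in a sliding time window. The audit-record field names, the use of `FileAccessed` as a signal, the user-agent markers and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the report): records use unified-audit-log style fields
# (CreationTime, Operation, UserId, UserAgent, ObjectId); the operation list,
# user-agent markers and thresholds are illustrative and need tuning per tenant.
READ_OPS = {"FileAccessed", "FileDownloaded"}
SCRIPT_AGENTS = ("python", "aiohttp", "httpx")

def is_scripted(user_agent):
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in SCRIPT_AGENTS)

def flag_bulk_scripted_reads(events, window=timedelta(minutes=5), threshold=20):
    """Map each flagged user to the peak count of distinct files read in one window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["Operation"] in READ_OPS and is_scripted(ev.get("UserAgent")):
            ts = datetime.fromisoformat(ev["CreationTime"])
            per_user[ev["UserId"]].append((ts, ev["ObjectId"]))
    flagged = {}
    for user, reads in per_user.items():
        reads.sort()
        start = peak = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1  # slide the window's left edge forward
            peak = max(peak, len({obj for _, obj in reads[start:end + 1]}))
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def sample_events():
    """Constructed data: one scripted bulk reader and one ordinary browser user."""
    base = datetime(2025, 1, 1, 12, 0, 0)
    def ev(sec, op, user, agent, n):
        return {"CreationTime": (base + timedelta(seconds=sec)).isoformat(),
                "Operation": op, "UserId": user, "UserAgent": agent,
                "ObjectId": f"https://tenant.example/sites/hr/doc{n}.xlsx"}
    bulk = [ev(2 * i, "FileAccessed", "victim@tenant.example",
               "python-requests/2.31.0", i) for i in range(30)]
    normal = [ev(60 * i, "FileDownloaded", "alice@tenant.example",
                 "Mozilla/5.0", i) for i in range(3)]
    return bulk + normal

if __name__ == "__main__":
    print(flag_bulk_scripted_reads(sample_events()))
```

Because the rule keys on read volume and client type rather than on the download operation alone, it still fires when a script never produces a "FileDownloaded" event.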

