SaaS extortion now starts with vishing, not malware

Cyber extortion used to happen in a way that security teams were familiar with and could help mitigate. A phishing email got into the inbox, malware ran on a device, attackers moved through the network, and the damage got worse from there. SaaS extortion is changing that order. In a lot of recent cases, the first real step in an intrusion is not malicious code but a phone call that sounds normal, urgent, and real.

Attackers pretend to be IT support, security teams, or internal staff and then walk employees through logging in, approving an MFA prompt, or granting permission to a connected app, each of which hands the attacker valid access. Once they hold that access they have no need for malware, because the victim has already let them in. From there, cloud apps, admin tools, APIs, and built-in export features take care of the rest. The change is dangerous precisely because it looks so normal: a real login screen, a live conversation, and a familiar workflow are all it takes to start an extortion chain.

Why vishing works better than malware in SaaS environments

For years, the well-known extortion chain began with a phishing email, moved on to running malware and moving laterally, and ended with encryption. A newer pattern that focuses on SaaS often skips the first stage of malware.

A 2024 Frontiers in Artificial Intelligence paper says that phishing emails often look like they come from a trusted source and try to get users to give up private information. This helps explain why attackers now use persuasion and identity theft instead of a malicious file.

Microsoft says that device code phishing lets hackers get access and refresh tokens. Its 2025 Digital Defense Report says that 93% of the device code phishing events it saw in the previous 12 months happened in the second half of the year. It is an example of how quickly token-led intrusion is spreading.

From one phone call to full SaaS access

The SaaS access patterns follow a recognisable sequence. The attack usually starts with gathering information, and as an IEEE Access study puts it, “Information gathering is the most significant phase for social engineers, where they collect and combine every piece of relevant information about the victim. It is the most exhausting and time-consuming part of the attack approach in social engineering.” Then a caller impersonates the company or its help desk and directs the target to a phishing page, pretending to be performing security or support work.

From there, the next stage begins “when an attacker achieves access due to security weaknesses in a system, then they start to exploit and misuse the resources.” The caller changes the page in real time so that the victim enters their credentials, reads out a one-time passcode, or accepts a push request that seems routine rather than suspicious. Microsoft describes the same logic in device code phishing: the victim is tricked into completing a genuine authentication flow, and the access and refresh tokens it issues end up in the attacker's hands.

Microsoft also says that actors can use those tokens to stay logged in, register devices, perform Microsoft Graph reconnaissance, and steal email. The FBI and Salesforce then show how that access turns into extortion: vishing gets the foothold, malicious connected apps or Data Loader extend it through OAuth, API queries pull data in bulk, and stolen records or internal communications become leverage for demands days or months later, across SaaS environments such as Salesforce, Microsoft 365, Zendesk, Google Workspace, and other tools tied to the compromised identity.

The campaigns in the news

UNC6040 and Salesforce

The clearest example of the change is UNC6040. According to Google, the cluster's core activity is running vishing campaigns that break into Salesforce environments to steal data at scale and then extort the victims. Attackers pretended to be IT support, tricked users rather than exploiting a flaw in Salesforce, and often got victims to authorise a malicious connected app that was a modified version of Data Loader.

Once the connected app was approved, the attackers could access, query, and steal sensitive Salesforce data directly. Google also says that extortion sometimes did not happen until months after the first intrusion. Voice-based social engineering first, SaaS access second, data theft third, and extortion last: UNC6040 illustrates the main point of this article for that very reason.

ShinyHunters-branded expansion in early 2026

On January 30, 2026, Google reported, drawing on Mandiant's findings, that the Salesforce pattern had not stayed confined to one platform. Mandiant says the expanded activity used sophisticated vishing and victim-branded credential harvesting sites to obtain SSO credentials and MFA codes, then moved into cloud SaaS applications to steal sensitive data and internal communications for extortion.

Google also says the breadth of targeted cloud platforms continued to expand, and that some incidents involved more aggressive pressure tactics, including harassment of victim personnel and even reported DDoS activity against victim websites. One case involved authorizing a Google Workspace add-on to search and delete email, including a message related to MFA enrollment, which shows how the same identity-first playbook can reach beyond Salesforce into broader SaaS ecosystems.

Malware is not gone, but it is no longer required

Malware is still a problem in cybercrime because, as one Sensors-indexed review says, “Trojan malware can facilitate information theft. If an enterprise system is compromised and the database is accessed to steal personally identifiable information, this information can be sold online.” The same body of literature also helps explain why malware is not always needed at the start of an attack.

A Digital Health review of multi-factor authentication says of phishing that “social engineering against authentication is an easily accessible attack with low skill requirements and can be executed by a novice adversary. It is a technique to manipulate human behaviour and bypass most information system security efforts.” An attacker can reach their objective through deception and account misuse rather than malware execution.

What needs to change

We need to stop thinking about malware first and start thinking about identity first. Companies need to strengthen three areas at once: identity, SaaS apps, and logging and detection. That is because vishing-led compromises work when a caller can get around help desk verification, change MFA or app consent, and then use trusted cloud tools without dropping malware.

Support teams need strict rules for callbacks and identity verification, phishing-resistant MFA, tight control over connected apps and OAuth grants, limited API access, and alerts for unusual exports, admin changes, token use, and cross-platform movement. The FBI's Salesforce alert explained that criminals used vishing to trick victims into authorising a malicious connected app, and then used that access to query and steal sensitive data through APIs.
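The last of those controls, alerting on app consent followed by unusual exports or token use, is the one that catches the chain described in both the token-led section above and the FBI's Salesforce account. The following is an added example written for this article, not code from Paubox, Google, Salesforce or Microsoft: it correlates a small constructed SaaS audit trail (the event schema, user names, app names and thresholds are all hypothetical) so that an unapproved connected-app grant followed by bulk API reads, or a device-code sign-in followed by a mailbox export, raises a finding.

```python
"""Correlate SaaS audit events into the vishing-to-extortion pattern.

Added example for this article. The event schema below is constructed for
illustration and does not match any real Salesforce, Entra ID or Google
Workspace log format; map your own audit fields onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (hypothetical schema: ts, user, action, detail).
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:02:00", "user": "alice", "action": "login",
     "detail": {"method": "password+push"}},
    {"ts": "2026-02-03T09:05:00", "user": "alice", "action": "oauth_consent",
     "detail": {"app": "Data Loader v1.1", "scopes": ["api", "refresh_token"]}},
    {"ts": "2026-02-03T09:40:00", "user": "alice", "action": "api_query",
     "detail": {"object": "Contact", "rows": 48000}},
    {"ts": "2026-02-03T10:10:00", "user": "alice", "action": "api_query",
     "detail": {"object": "Account", "rows": 120000}},
    {"ts": "2026-02-03T11:00:00", "user": "bob", "action": "oauth_consent",
     "detail": {"app": "Salesforce Mobile", "scopes": ["api"]}},
    {"ts": "2026-02-03T11:20:00", "user": "bob", "action": "api_query",
     "detail": {"object": "Contact", "rows": 200}},
    {"ts": "2026-02-03T14:00:00", "user": "carol", "action": "login",
     "detail": {"method": "device_code"}},
    {"ts": "2026-02-03T14:30:00", "user": "carol", "action": "mail_export",
     "detail": {"messages": 3500}},
]

APPROVED_APPS = {"Salesforce Mobile"}   # hypothetical allowlist of vetted connected apps
WINDOW = timedelta(hours=24)            # how long after the grant/sign-in we keep correlating
BULK_ROWS = 10_000                      # total rows read within WINDOW that count as "bulk"


def parse(events):
    """Return events sorted by time with ISO timestamps converted to datetime."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def group_by_user(events):
    """Bucket the sorted events per user so each chain is evaluated in isolation."""
    by_user = defaultdict(list)
    for e in parse(events):
        by_user[e["user"]].append(e)
    return by_user


def later_within_window(evs, start, action):
    """Events of the given action that follow `start` within WINDOW."""
    return [x for x in evs
            if x["action"] == action and start["ts"] < x["ts"] <= start["ts"] + WINDOW]


def detect_consent_then_bulk(events):
    """Unapproved app grant followed by bulk API reads by the same user."""
    findings = []
    for user, evs in group_by_user(events).items():
        for grant in (e for e in evs if e["action"] == "oauth_consent"):
            if grant["detail"]["app"] in APPROVED_APPS:
                continue
            rows = sum(q["detail"]["rows"] for q in later_within_window(evs, grant, "api_query"))
            if rows >= BULK_ROWS:
                findings.append({"user": user, "rule": "unapproved_app_then_bulk_read",
                                 "app": grant["detail"]["app"], "rows": rows})
    return findings


def detect_device_code_then_mail(events):
    """Device-code sign-in followed by a mailbox export by the same user."""
    findings = []
    for user, evs in group_by_user(events).items():
        for login in (e for e in evs
                      if e["action"] == "login" and e["detail"].get("method") == "device_code"):
            exports = later_within_window(evs, login, "mail_export")
            if exports:
                findings.append({"user": user, "rule": "device_code_then_mail_export",
                                 "messages": sum(x["detail"]["messages"] for x in exports)})
    return findings


def run_detections(events):
    """Run both rules; each finding names the user, the rule and the volume involved."""
    return detect_consent_then_bulk(events) + detect_device_code_then_mail(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the same idea the article makes: the grant or sign-in is legitimate on its own, so the signal is the sequence, not any single event. Tune the allowlist, window and row threshold to your tenant's normal Data Loader and API usage before alerting on them.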

Paubox is the email layer in that model. Paubox says that its Inbound Security uses generative AI-powered analysis and rules-based controls to protect inboxes from phishing, spoofing, malware, and display name spoofing. ExecProtect focuses on impersonation, and Paubox Tags help staff quickly find verified, safe senders. That matters because many attacks still start or change direction through email, and clearer inbox signals make things less confusing and easier for users.

Paubox should still be part of a larger control stack because it can help people trust email and stop social engineering that happens in the inbox. However, it cannot stop a live phone-based help desk scam or a weak SaaS identity workflow on its own.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What is the difference between phishing and vishing?

Phishing is a broad social engineering tactic that usually happens through email, messages, fake websites, or other digital channels. Vishing is voice phishing, which means the attacker uses a phone call, voicemail, or live audio conversation to manipulate the target.

Is vishing replacing phishing?

Not completely. Attackers still use email phishing heavily because it is cheap, scalable, and easy to automate.

Why is vishing harder for employees to spot?

People are trained to inspect emails for bad links, odd domains, spelling mistakes, and suspicious attachments. A phone call removes many of those visual warning signs.