216.73.217.139

Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation

· Published 19/03/2026 14:23 · Modified 20/03/2026 08:17

Export JSON

Essential information

Published
19/03/2026 14:23
Modified
20/03/2026 08:17
Tags
2026-03-19 aitm phishing crm data abuse identity theft mobile-first lures saas compromise session hijacking subdomain impersonation vishing
Related entities
1 intrusion sets (apt), 14 techniques (mitre), 14 others

Description

The threat group ShinyHunters has adopted a new tactic of for initial access, moving away from newly registered lookalike domains. They are utilizing and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to- without deploying malware, making traditional domain-based monitoring less effective.

External references