Threat Spotlight: ShinyHunters Fast-Tracks SaaS Access with Subdomain Impersonation
Essential information
- Published
- 19/03/2026 14:23
- Modified
- 20/03/2026 08:17
- Tags
- 2026-03-19 aitm phishing crm data abuse identity theft mobile-first lures saas compromise session hijacking subdomain impersonation vishing
- Related entities
- 1 intrusion sets (apt), 14 techniques (mitre), 14 others
Description
The threat group ShinyHunters has adopted a new tactic of subdomain impersonation for initial access, moving away from newly registered lookalike domains. They are utilizing mobile-first lures and outsourcing spam services to scale their operations. The group is likely reusing previously stolen CRM and ERP data to drive social engineering attacks. Their approach involves phone-guided adversary-in-the-middle phishing to capture credentials and authenticated sessions. ShinyHunters is also scaling vishing operations through paid contractors and specialized harassment services. This evolution in tactics allows for rapid identity-to-SaaS compromise without deploying malware, making traditional domain-based monitoring less effective.