ShinyHunters Recovery Playbook: What to Do in the First 48 Hours

ShinyHunters doesn't break in. They log in. They don't need malware because they borrow your trusted tools: SSO, the help desk, and your SaaS platforms. Yet most IR teams arrive at a ShinyHunters incident already behind. The attack has been running for days, and the immediate pressure is containment and eradication, not forensics. The instinct is to look for encrypted files and ransomware artifacts. There won't be any. That's not what ShinyHunters does, and that gap in expectation is exactly what they count on. While your team is still working out what kind of attack this isn't, ShinyHunters is already walking out the door with your data.

Most IR plans were written for ransomware. ShinyHunters breaks that mold entirely. Google/Mandiant tracks the cluster as UNC6040 (intrusion) and UNC6240 (extortion), with related 2026 activity tracked under UNC6661 and UNC6671, and it requires a fundamentally different recovery motion. Organizations that don't recognize that distinction will spend their first 48 hours taking an approach that works against them.

Who is ShinyHunters?

ShinyHunters (whose tradecraft overlaps significantly with Scattered Spider) is an active data exfiltration and extortion group. A July 2025 joint advisory from CISA and the FBI documents the TTPs that define this cluster: vishing, MFA fatigue, and SSO abuse. It is the same playbook MOXFIVE has responded to across multiple engagements in 2026. Notably, the group currently does not deploy ransomware or encrypt environments. Its playbook is identity driven.

The initial access technique is as simple as it is effective. The threat actors impersonate IT support staff in a vishing phone call to a targeted employee, directing the user to Salesforce's connected app setup page and instructing them to enter an attacker-supplied 8-digit connection code. The malicious app, often a modified version of Salesforce's Data Loader, sometimes rebranded as "My Ticket Portal" or similar, is presented as a legitimate utility, but once authorized it retains persistent, broad OAuth access to the org's data. The inverse is also common: threat actors impersonate employees to the help desk to request credential or MFA resets. Because the app approval occurs inside an already-authenticated session, MFA does not block the authorization. This technique exploits human trust and application permissions rather than a software vulnerability.
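As an added example (not MOXFIVE's tooling and not a Salesforce API), here is the triage a responder would run over exported API event logs to surface exactly this pattern: a connected app authorized minutes before it starts pulling tens of thousands of rows. The records are constructed and only loosely modeled on Salesforce EventLogFile "API" rows; the "AppAuthorized" record stands in for the Setup Audit Trail entry written when a user approves a connected app. The field names, the allowlist and the thresholds are assumptions.

```python
"""Flag a freshly authorized connected app that immediately starts bulk-pulling data.

Added example, not MOXFIVE's or Salesforce's code. Records are constructed and only
loosely modeled on Salesforce EventLogFile 'API' rows; the synthetic 'AppAuthorized'
record stands in for the Setup Audit Trail entry written when a user approves a
connected app. Field names, allowlist and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: jdoe approves an unfamiliar app during a "help desk" call and
# that app drains Contact and Account minutes later; an ETL service account using a
# long-standing Data Loader integration pulls a large Lead export as it does nightly.
EVENTS = [
    {"ts": "2025-08-12T14:02:10Z", "type": "AppAuthorized", "user": "jdoe@example.com",
     "client": "My Ticket Portal"},
    {"ts": "2025-08-12T14:05:41Z", "type": "API", "user": "jdoe@example.com",
     "client": "My Ticket Portal", "entity": "Contact", "rows": 48_000},
    {"ts": "2025-08-12T14:07:03Z", "type": "API", "user": "jdoe@example.com",
     "client": "My Ticket Portal", "entity": "Account", "rows": 12_500},
    {"ts": "2025-08-12T09:15:00Z", "type": "API", "user": "asmith@example.com",
     "client": "Salesforce Mobile", "entity": "Opportunity", "rows": 35},
    {"ts": "2025-08-12T02:30:00Z", "type": "API", "user": "etl-svc@example.com",
     "client": "Data Loader", "entity": "Lead", "rows": 90_000},
]

KNOWN_CLIENTS = {"Salesforce Mobile", "Data Loader"}  # assumed allowlist of sanctioned apps
AUTH_WINDOW = timedelta(hours=24)   # "recently authorized" threshold (assumption)
BULK_ROWS = 10_000                  # rows per call that count as a bulk pull (assumption)


def find_suspicious_exports(events, known_clients=KNOWN_CLIENTS,
                            auth_window=AUTH_WINDOW, bulk_rows=BULK_ROWS):
    """Return one finding per (user, client) whose bulk pulls began within
    `auth_window` of that client being authorized, or whose client is not on the
    allowlist. The client name is attacker-controlled (the malicious app can call
    itself "Data Loader"), so authorization recency is the stronger signal."""
    authorized_at = {}
    pulls = defaultdict(lambda: {"rows": 0, "entities": set(), "first": None})
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        key, t = (e["user"], e["client"]), parse_ts(e["ts"])
        if e["type"] == "AppAuthorized":
            authorized_at[key] = t
        elif e["type"] == "API" and e["rows"] >= bulk_rows:
            p = pulls[key]
            p["rows"] += e["rows"]
            p["entities"].add(e["entity"])
            p["first"] = p["first"] or t
    findings = []
    for (user, client), p in pulls.items():
        auth_t = authorized_at.get((user, client))
        recently_authorized = (auth_t is not None and
                               0 <= (p["first"] - auth_t).total_seconds()
                               <= auth_window.total_seconds())
        if recently_authorized or client not in known_clients:
            findings.append({
                "user": user, "client": client, "rows": p["rows"],
                "entities": sorted(p["entities"]),
                "seconds_since_authorization": (
                    int((p["first"] - auth_t).total_seconds()) if auth_t else None),
                "action": "revoke this connected app's OAuth tokens and terminate the user's sessions",
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_exports(EVENTS):
        print(finding)
```

Only the jdoe / "My Ticket Portal" pair is flagged: the ETL account's 90,000-row pull through a long-standing Data Loader integration is not, because the signal is not the volume or the client name but the fact that the app was authorized 211 seconds before it started exporting. On a real engagement the AppAuthorized record comes from the Setup Audit Trail and the API rows from the EventLogFile export, and the finding's action maps onto step 1 below.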

[Figure: Top industries impacted by ShinyHunters over the past 12 months]

ShinyHunters specifically targets SaaS platforms like Salesforce, Snowflake, and Microsoft 365, as well as single sign-on (SSO) and identity provider (IdP) infrastructure like Okta and Entra. Once inside, they focus their efforts on the bulk theft of customer and account data for re-sale or extortion. ShinyHunters has been known to extort both the victim and the victim’s customers directly.

The First 48 Hours

The early hours of a recovery engagement, what MOXFIVE refers to as 'The First 48', are critical: they set the trajectory for everything that follows. Decisions made in those hours determine how long the threat actor remains in your environment, how much data walks out the door, and how much damage they do on the way out.

While a traditional IR runbook leads with backup validation, recovery time objectives, and restoration, none of this applies in a ShinyHunters intrusion. There is nothing to restore. The environment is intact with the threat actor still loose inside it.

Because there is no encryption, traditional restoration steps will not address the root issue. ShinyHunters victims do not need backup recovery. What they need is rapid containment of an active identity-based intrusion, eviction of a sophisticated and persistent actor, and a security maturity uplift that closes the doors before the actor returns or sells access.

The real problem is an active, identity-savvy threat actor with persistent access across SSO, SaaS, and cloud, who may have already sold that access. The clock is not about downtime. It's about re-entry and data leverage.

How to Recover from a ShinyHunters Attack

Here are seven steps to out-execute this fast, identity-savvy threat:

  1. Containment: The first priority is breaking the threat actor's active access, immediately and completely. To do so, force session terminations across all privileged accounts, revoke OAuth authorization tokens and any federation trusts that cannot be verified as legitimate, apply emergency conditional access policies to block suspicious authentication patterns, and lock down impacted SSO and SaaS tenants. Every action in this step runs in coordination with the digital forensics and incident response (DFIR) team's indicators of compromise (IOC) stream so containment decisions are informed by the forensic picture in real time, not made in isolation.
  2. Credential and MFA rotation: Once active sessions are terminated, the focus shifts from eviction to lockout. Where step one breaks the actor's grip, this step helps ensure the same handholds no longer exist. More than a simple password reset, this step is a structured rebuild of authentication trust. Reset all MFA factors for privileged users, eliminate SMS and voice fallbacks that ShinyHunters exploits through vishing, and stand up phishing-resistant authentication (FIDO2 security keys or passkeys) for anyone with elevated access.
  3. Help desk hardening: In this step, focus shifts to closing the vishing vector that opened the door to ShinyHunters. Require out-of-band verification before any sensitive action like a password reset, MFA reset, or account unlock. Moving forward, when help desk staff receive inbound calls, verification questions should be open-ended ("what is your employee number?") rather than leading ("is your employee number 12345?"), since caller ID, employee numbers, and manager names can all be harvested in advance, and no single such fact should count as proof of identity on its own. Limit what help desk accounts can access and what actions they can take without secondary approval. Agents should have explicit authority to pause a request and verify, with the protocol enforced consistently rather than waived under pressure to resolve calls quickly.
  4. SaaS access tightening: With social engineering addressed, this step closes the SaaS-side doors and improves visibility so repeat activity is caught immediately. Review and lock down connected-app, API, and data-export policies in Salesforce, M365, Snowflake, Box, HubSpot, and every other connected SaaS platform. Deploy egress monitoring and validate logging coverage.
  5. Identity rebuild: The IdP is not just a victim of the intrusion. In many ShinyHunters engagements, it is the intrusion. Because this actor exploits IdP infrastructure to escalate privileges, a surface-level credential reset is not enough. The IdP itself must be restored from a known-good state, federation trusts audited and reestablished from scratch, and every privileged access pathway inventoried and validated. We are not patching a compromised system. We are rebuilding the foundation that everything else authenticates against.
  6. Security uplift roadmap: When we at MOXFIVE run this playbook, we provide clients with a roadmap that advances their security maturity with remediation tied directly to the threat actor TTPs. This provides leadership with a clear before-and-after story for the board, regulators, and their cyber insurance carrier. Because ShinyHunters will return if the doors they used remain open, or sell that access to someone who will, the roadmap is not a nice-to-have. It is the difference between a contained incident and a recurring one.
  7. Data mining and regulatory scoping: For organizations subject to breach notification requirements, whether under HIPAA, state breach notification laws enforced by attorneys general, SEC disclosure rules, or any other regulation governing protected health information (PHI) or personally identifiable information (PII), this step is not optional. It runs in parallel with the technical recovery workstream, not after it. The goal is to identify precisely what the actor had access to, confirm or rule out PHI and PII exposure, and produce a defensible scope document that holds up to scrutiny from breach notification counsel, regulators, and the cyber insurance carrier. In ShinyHunters engagements, where bulk data theft is the entire point, getting this answer fast and getting it right matters as much as the technical containment work.
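The seven steps above are one procedure, and the first of them only works if it is driven by the IOC stream. As an added example (not MOXFIVE's tooling), the script below triages a constructed IdP sign-in log for the two entry patterns the playbook describes, a help-desk MFA reset followed by a login from an unknown IP and an MFA push-fatigue run, and emits per user the step-1 actions: sessions to terminate, app grants to revoke, IPs to block. The event layout is loosely modeled on the Okta System Log (the eventType strings are Okta's, the record structure is simplified); the baseline IP table, thresholds and windows are assumptions.

```python
"""Triage IdP sign-in logs for the help-desk-reset and push-fatigue patterns and turn
the hits into step-1 containment actions.

Added example, not MOXFIVE's or Okta's code. Events are constructed and only loosely
modeled on the Okta System Log (eventType strings are Okta's, layout is simplified).
BASELINE_IPS, thresholds and windows are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ev(t, etype, actor, ip, target=None, result="SUCCESS"):
    """One simplified System Log record (constructed sample data)."""
    return {"published": t, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "target": [{"alternateId": target}] if target else []}


# Assumed: what the organization already knows about each user's normal sign-in IPs.
BASELINE_IPS = {"hr@example.com": {"203.0.113.40"}, "ceo@example.com": {"203.0.113.10"},
                "finance@example.com": {"203.0.113.22"}}

# Constructed log: a benign reset (hr), a help-desk MFA reset followed by a login from
# an unknown IP (ceo), and a push-fatigue run ending in MFA success (finance).
EVENTS = [
    ev("2025-08-12T09:00:00Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "203.0.113.5", target="hr@example.com"),
    ev("2025-08-12T09:20:00Z", "user.session.start", "hr@example.com", "203.0.113.40"),
    ev("2025-08-12T13:00:00Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "203.0.113.5", target="ceo@example.com"),
    ev("2025-08-12T13:12:30Z", "user.session.start", "ceo@example.com", "198.51.100.77"),
    ev("2025-08-12T13:13:05Z", "user.authentication.sso", "ceo@example.com", "198.51.100.77", target="Box"),
    ev("2025-08-12T13:14:00Z", "user.authentication.sso", "ceo@example.com", "198.51.100.77", target="Salesforce"),
    *[ev(f"2025-08-12T15:0{i}:00Z", "system.push.send_verify_push", "finance@example.com", "198.51.100.90") for i in range(6)],
    ev("2025-08-12T15:06:30Z", "user.authentication.auth_via_mfa", "finance@example.com", "198.51.100.90"),
    ev("2025-08-12T15:07:10Z", "user.authentication.sso", "finance@example.com", "198.51.100.90", target="Snowflake"),
    ev("2025-08-12T16:00:00Z", "user.session.start", "ceo@example.com", "203.0.113.10"),
]


def reset_then_foreign_login(events, baseline, window=timedelta(minutes=60)):
    """MFA reset performed by someone else, then a session for that user within
    `window` from an IP outside the user's baseline: the help-desk vishing pattern."""
    findings, resets = [], {}
    for e in sorted(events, key=lambda x: ts(x["published"])):
        t, who, ip = ts(e["published"]), e["actor"]["alternateId"], e["client"]["ipAddress"]
        if e["eventType"] == "user.mfa.factor.reset_all" and e["target"]:
            resets[e["target"][0]["alternateId"]] = (t, who)
        elif e["eventType"] == "user.session.start" and who in resets:
            reset_t, reset_by = resets[who]
            if t - reset_t <= window and ip not in baseline.get(who, set()):
                findings.append({"user": who, "reset_by": reset_by, "ip": ip,
                                 "minutes_after_reset": int((t - reset_t).total_seconds() // 60)})
                del resets[who]
    return findings


def push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` push challenges within `window` before the same user's
    MFA finally succeeds: the fatigue pattern, with the approving IP recorded."""
    findings, pushes = [], defaultdict(list)
    for e in sorted(events, key=lambda x: ts(x["published"])):
        t, who = ts(e["published"]), e["actor"]["alternateId"]
        if e["eventType"] == "system.push.send_verify_push":
            pushes[who].append(t)
        elif e["eventType"] == "user.authentication.auth_via_mfa" and e["outcome"]["result"] == "SUCCESS":
            recent = [p for p in pushes[who] if t - p <= window]
            if len(recent) >= threshold:
                findings.append({"user": who, "pushes": len(recent), "ip": e["client"]["ipAddress"]})
                pushes[who].clear()
    return findings


def containment_plan(events, baseline):
    """Per flagged user: terminate sessions, revoke grants for every app reached via
    SSO from the attacker IP, and block that IP. Executing the plan means calling the
    IdP and each SaaS platform's own API; this only decides what to call."""
    plan = {}

    def entry(user):
        return plan.setdefault(user, {"revoke_sessions": True, "revoke_app_grants": set(),
                                      "block_ips": set(), "reasons": []})

    for f in reset_then_foreign_login(events, baseline):
        p = entry(f["user"]); p["block_ips"].add(f["ip"])
        p["reasons"].append(f"MFA reset by {f['reset_by']}, login from {f['ip']} {f['minutes_after_reset']} min later")
    for f in push_fatigue(events):
        p = entry(f["user"]); p["block_ips"].add(f["ip"])
        p["reasons"].append(f"{f['pushes']} push challenges before MFA success from {f['ip']}")
    for e in events:
        who = e["actor"]["alternateId"]
        if e["eventType"] == "user.authentication.sso" and who in plan and e["client"]["ipAddress"] in plan[who]["block_ips"]:
            plan[who]["revoke_app_grants"].add(e["target"][0]["alternateId"])
    for p in plan.values():
        p["revoke_app_grants"], p["block_ips"] = sorted(p["revoke_app_grants"]), sorted(p["block_ips"])
    return plan


if __name__ == "__main__":
    for user, actions in containment_plan(EVENTS, BASELINE_IPS).items():
        print(user, actions)
```

The hr reset is not flagged because the follow-on login came from a baseline IP, which is the check that keeps a legitimate help desk ticket from triggering an eviction. The plan revokes app grants, not just passwords: the OAuth tokens the actor obtained through SSO to Box, Salesforce and Snowflake are exactly the handholds that step 2 says must no longer exist.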

Two Patterns from the Field

These two anonymized examples illustrate the repeatable ShinyHunters playbook and how MOXFIVE runs the recovery motion at different scales.

  • Real Estate: This was a textbook identity-driven intrusion where ShinyHunters’ vishing campaign successfully targeted a high-level executive with a spoofed Okta page. Once in, they exfiltrated more than 7,500 files from Box. We applied the first six steps in our recovery pattern, effectively containing and hardening the environment while providing a security maturity roadmap that was accepted as the basis for the post-incident security program.
  • Healthcare: This multi-workstream engagement followed the same pattern, with an identity-driven intrusion and no encryption deployed. In addition to rapid containment and hardening, this organization also needed to address the scope of data exfiltrated. Data mining analyzed nearly 1.5 million files and over 3TB of data for PHI exposure.

These two engagements look different on the surface. One is a lean containment and hardening play, the other a multi-workstream recovery with significant regulatory complexity. But the recovery motion is identical and that consistency is not an accident. MOXFIVE has run this playbook more times in the last quarter than most firms have in the last year, and the pattern holds regardless of sector, scale, or how long the actor had been in the environment before we arrived. The outcomes we help build are designed to satisfy all three audiences: your cyber insurance carrier who wants to see rapid containment, documented scope, and no re-entry; counsel who wants a clear timeline, privileged work product, and PHI/PII exposure confirmed or ruled out; and the board who wants to know what changed and why it won't happen again. The seven-step motion addresses all three, but only if it's executed fast and documented well.

If you're working a ShinyHunters or same-playbook engagement now, MOXFIVE can help. Contact us today at 833-568-6695 or email our team at incident@moxfive.com.

Michael Rogers

Michael Rogers is a Managing Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a master’s degree in cyber security and is accredited through SANS for the GCFA, GCIA, GDAT, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.
