UNC6783 Is Turning Enterprise Support Channels into Extortion Entry Points


Google Threat Intelligence Group (GTIG) says a financially motivated threat cluster it tracks as UNC6783 is targeting business process outsourcers, help desks, and other enterprise support teams as an entry point into larger organizations. The campaign relies less on software exploitation than on live chat social engineering, with attackers posing as legitimate contacts, steering workers into fake support interactions, and using those exchanges to gain access. GTIG said the activity was potentially linked to an online persona known as “Raccoon.”

According to GTIG, the goal is to steal sensitive data and use it for extortion. The campaign shows how support and identity workflows can be abused when they are exposed to outside users and designed to move quickly.

How the Attack Chain Works

According to GTIG, UNC6783 impersonates legitimate vendors or support organizations through spoofed domains designed to resemble familiar services used in enterprise environments. Targets are then directed to fake Okta-style login pages designed to appear legitimate.

GTIG says the phishing kits do more than capture usernames and passwords. They can also collect clipboard contents, giving attackers a way to intercept one-time codes and other authentication data entered during the login process. In some cases, the campaign also uses fake security updates to trick users into installing remote-access malware, extending access beyond stolen credentials.

Why Support Teams and BPOs Are Attractive Targets

Support teams and BPOs are attractive targets because they sit close to core identity workflows, including user verification, account resets, login troubleshooting, and MFA enrollment.

“Attackers don’t need to hack through security systems when they can persuade people to open the door,” said Mika Aalto, co-founder and CEO of Hoxhunt. “Targeting BPOs and helpdesk teams is particularly effective because these roles handle sensitive access requests and interact with unfamiliar users every day.”

These roles also tend to operate under pressure to resolve issues quickly. That can create openings for attackers posing as legitimate or urgent contacts. Live chat can make that easier. Compared with email or formal administrative workflows, chat interactions may receive less scrutiny, especially when they are treated as routine support activity.

From Stolen Credentials to Persistent Access and Extortion

GTIG says the theft of credentials and authentication data is only one stage of the campaign. Attackers use harvested login data and session information to enroll their own devices in the victim environment, giving them a more durable and less visible foothold than a stolen password alone.

“Attackers understand that compromising a third-party interaction or a support workflow can be more effective than breaching hardened infrastructure,” said John Watters, CEO and Managing Partner of iCOUNTER. “Once inside, they can move laterally through identity systems, enroll persistent access, and operate as a legitimate user.”

With an enrolled device, attackers may be able to return without repeating the same social engineering process each time. From there, the campaign can shift to data theft and extortion, with ransom demands sent after attackers have obtained material they believe can be used as leverage.

What It Means for Enterprise Identity Security

The campaign relies less on a new technical breakthrough than on the abuse of trusted workflows, particularly in environments where users are expected to respond quickly, verify identities, and solve access problems.

The activity also has broader implications for organizations that rely on vendors, contractors, or outsourced support functions to handle identity-related tasks. Those relationships can expand the number of pathways into enterprise systems. The campaign also points to a visibility problem: if security teams are not closely monitoring identity changes, device enrollments, and vendor-linked access paths, malicious activity may be harder to distinguish from normal support operations.

Defensive Steps Organizations Should Prioritize

GTIG recommends phishing-resistant MFA, particularly for help desk, support, and other user-facing roles that are more likely to encounter these lures. Organizations should also review newly enrolled MFA devices regularly and investigate unexplained additions as possible signs of compromise.

Security teams should monitor live chat and support interactions for suspicious link sharing, external redirects, or attempts to move users to lookalike login pages. Organizations should also block unauthorized domains that match known spoofing patterns and alert on unauthorized binary execution during support sessions, particularly installers or supposed security updates launched from chat-driven interactions. Because the campaign relies heavily on social engineering, training should be tailored to these tactics so support staff and BPO personnel can identify suspicious interactions and fake login flows.
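The enrollment review GTIG recommends can be scripted against identity logs. The following is an added example, not GTIG's or Security Buzz's code: it reads constructed Okta-style system log lines (the event names and field layout are assumed, not taken from a real tenant) and flags MFA factor enrollments that no help-desk ticket covers, noting when the enrolling IP was never seen for that user before.

```python
"""Flag MFA factor enrollments that lack a matching help-desk ticket.

Added example. The log shape and event names are assumptions modelled on
Okta System Log JSON; every record and ticket below is constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """
{"published": "2025-01-14T09:02:11Z", "eventType": "user.session.start", "actor": "alice@corp.example", "client_ip": "203.0.113.7"}
{"published": "2025-01-14T09:05:40Z", "eventType": "user.mfa.factor.activate", "actor": "alice@corp.example", "client_ip": "203.0.113.7", "factor": "OKTA_VERIFY_PUSH"}
{"published": "2025-01-14T11:20:03Z", "eventType": "user.mfa.factor.activate", "actor": "bob@corp.example", "client_ip": "198.51.100.22", "factor": "SMS"}
{"published": "2025-01-14T11:20:05Z", "eventType": "user.mfa.factor.activate", "actor": "bob@corp.example", "client_ip": "198.51.100.22", "factor": "OKTA_VERIFY_PUSH"}
"""

# Constructed help-desk tickets that authorize an enrollment:
# (user, window start, window end). Alice's reset was ticketed; Bob's was not.
APPROVED_TICKETS = [
    ("alice@corp.example", "2025-01-14T08:50:00Z", "2025-01-14T09:30:00Z"),
]

# Constructed history of source IPs previously seen per user.
KNOWN_IPS = {
    "alice@corp.example": {"203.0.113.7"},
    "bob@corp.example": {"192.0.2.10"},
}


def _ts(stamp):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unexplained_enrollments(log_text, tickets, known_ips):
    """Return factor enrollments with no covering ticket, each with its reasons."""
    approved = [(user, _ts(start), _ts(end)) for user, start, end in tickets]
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event["eventType"] != "user.mfa.factor.activate":
            continue
        when = _ts(event["published"])
        if any(u == event["actor"] and a <= when <= b for u, a, b in approved):
            continue  # enrollment is explained by a help-desk ticket
        reasons = ["no help-desk ticket covers this enrollment"]
        if event["client_ip"] not in known_ips.get(event["actor"], set()):
            reasons.append("enrolled from an IP never seen for this user")
        findings.append({"actor": event["actor"], "factor": event["factor"],
                         "published": event["published"], "reasons": reasons})
    return findings
```

Two enrollments for the same user within seconds from an unfamiliar address, as in the sample, is the pattern worth an analyst's attention rather than a single flagged row.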

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.