GTIG UNC6671 "BlackFile" — DLS shutdown / probable rebrand; vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration [SINGLE-SOURCE: GTIG]
From CTI Weekly Summary — 2026-W21 (Mon 18 – Sun 24, 2026) · published 2026-05-18
GTIG's 2026-05-16 documentation of UNC6671's leak-site shutdown signals a probable operator rebrand. The distinctive TTP set — multi-stage vishing to establish rapport, an adversary-in-the-middle (AiTM) phishing page for credential capture, rogue MFA device registration (T1621), and then programmatic SharePoint exfiltration using the stolen session — is technically sophisticated enough to suggest continued operation under a new brand. GTIG documents victims across North America, Australia, and the UK. Watch for a new data-leak site using the same distinctive TTP fingerprint (vishing → AiTM → rogue-MFA → SharePoint exfiltration). Detection: audit conditional-access logs for MFA device registrations from anomalous IP ranges, and alert on SharePoint API calls that use recently registered device tokens at unusual hours.
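The detection guidance above (anomalous-IP MFA registrations correlated with off-hours SharePoint download bursts from the newly registered device) can be expressed as a small correlation rule. The following is an added example written for this brief, not GTIG's or any vendor's code: the event schema, field names, trusted network ranges, thresholds and all sample events are constructed assumptions, and real audit-log fields will differ.

```python
"""Correlate rogue MFA device registration with SharePoint exfiltration activity.

Added example for the brief above. Event schema, networks, thresholds and the
sample events are all constructed assumptions, not any vendor's log format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed corporate egress ranges (constructed); a registration from anywhere
# else is treated as an anomalous-IP MFA enrolment.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local is "normal"
CORRELATION_WINDOW = timedelta(hours=48)  # how long a new device counts as "recent"
DOWNLOAD_THRESHOLD = 20                 # off-hours files per user/device before alerting


@dataclass(frozen=True)
class MfaRegistration:
    """Simplified conditional-access / security-info registration event."""
    user: str
    when: datetime
    source_ip: str
    device_id: str


@dataclass(frozen=True)
class SharePointCall:
    """Simplified SharePoint API audit record, keyed to the calling device token."""
    user: str
    when: datetime
    device_id: str
    operation: str
    file_count: int


def is_anomalous_ip(ip: str) -> bool:
    """True when the address falls outside every trusted corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def flag_rogue_registrations(regs: list[MfaRegistration]) -> list[MfaRegistration]:
    """Step 1 of the brief's guidance: MFA registrations from anomalous IP ranges."""
    return [r for r in regs if is_anomalous_ip(r.source_ip)]


def correlate(regs: list[MfaRegistration], calls: list[SharePointCall]) -> list[dict]:
    """Step 2: off-hours SharePoint downloads using a recently (and anomalously)
    registered device token, summed per registration; alert above threshold."""
    alerts = []
    for reg in flag_rogue_registrations(regs):
        related = [
            c for c in calls
            if c.user == reg.user
            and c.device_id == reg.device_id
            and reg.when <= c.when <= reg.when + CORRELATION_WINDOW
            and c.operation == "FileDownloaded"
        ]
        off_hours = [c for c in related if c.when.hour not in BUSINESS_HOURS]
        total = sum(c.file_count for c in off_hours)
        if total >= DOWNLOAD_THRESHOLD:
            alerts.append({
                "user": reg.user,
                "device_id": reg.device_id,
                "registration_ip": reg.source_ip,
                "files": total,
            })
    return alerts


# Constructed sample telemetry: 192.0.2.x is documentation space, used here
# to stand in for an untrusted source; 203.0.113.10 is inside a trusted range.
SAMPLE_REGISTRATIONS = [
    MfaRegistration("alice", datetime(2026, 5, 14, 2, 13), "192.0.2.77", "dev-new-01"),
    MfaRegistration("bob", datetime(2026, 5, 14, 9, 30), "203.0.113.10", "dev-corp-07"),
]
SAMPLE_CALLS = [
    SharePointCall("alice", datetime(2026, 5, 14, 3, 5), "dev-new-01", "FileDownloaded", 15),
    SharePointCall("alice", datetime(2026, 5, 14, 3, 40), "dev-new-01", "FileDownloaded", 12),
    SharePointCall("alice", datetime(2026, 5, 14, 10, 0), "dev-new-01", "FileDownloaded", 50),  # daytime, ignored
    SharePointCall("bob", datetime(2026, 5, 14, 14, 0), "dev-corp-07", "FileDownloaded", 40),
]


def run_sample() -> list[dict]:
    return correlate(SAMPLE_REGISTRATIONS, SAMPLE_CALLS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule deliberately keys the SharePoint activity to the device registered in the anomalous enrolment rather than to the user alone, so a user's legitimate daytime downloads from an existing device do not raise the alert; tune the trusted ranges, window and threshold to your own environment.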