ctipilot.ch

'Signal Support' impersonation phishing harvesting cloud-backup recovery keys

campaign · item:signal-support-impersonation-backup-recovery-key-phishing

Coverage timeline: 1 (first 2026-05-31 → last 2026-05-31)
Briefs: 1 (1 distinct)
Sources cited: 60 (41 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-05-31 · CTI Daily Brief — 2026-05-31
     active_threats · Social-engineering campaign; recovery-key theft unlocks E2E cloud backup archive; targets officials/journalists/activists

Where this entity is cited

  • active_threats · 1

Source distribution

  • thehackernews.com · 7 (12%)
  • attack.mitre.org · 4 (7%)
  • security-hub.ncsc.admin.ch · 4 (7%)
  • bleepingcomputer.com · 3 (5%)
  • msrc.microsoft.com · 3 (5%)
  • github.com · 2 (3%)
  • helpnetsecurity.com · 2 (3%)
  • microsoft.com · 2 (3%)
  • other · 33 (55%)

Related entities

All cited sources (60)

Items in briefs about 'Signal Support' impersonation phishing harvesting cloud-backup recovery keys (2)

"Signal Support" impersonation phishing harvests cloud-backup recovery keys from high-value users

From CTI Daily Brief — 2026-05-31 · published 2026-05-31

A phishing campaign first reported on 2026-05-28 impersonates Signal's support team, warning targets that their cloud-backed chats are "at risk of permanent loss due to a sync issue" and instructing them to retrieve their Signal cloud-backup recovery key from the app and paste it into the conversation (TechCrunch, 2026-05-28; Malwarebytes, 2026-05-29). Signal cloud backups are end-to-end encrypted with that recovery key: without it, an attacker who separately hijacks the victim's phone number (SIM-swap or SS7 abuse) can intercept only future messages, while the historical archive of conversations, photos and documents stays sealed. Surrendering the key unlocks that archive. The technique is pure social engineering (T1598 spearphishing for information / T1566) with no exploit component; reporting notes targeting consistent with anti-CCP activists, but both outlets stress the lure is reusable by any actor against secure-messaging users — a population heavily represented among government officials, lawyers, journalists and civil-society staff.

Why it matters to us: Signal is widely used inside Swiss and European public-sector bodies and by the journalists and civil-society contacts they work with for sensitive communications. The attack bypasses transport encryption entirely by going after the backup key, so MDM and message-content controls do not help. Defender takeaway: brief high-value users that Signal Support never initiates contact and never asks for a recovery key, PIN or registration code; pair this with carrier-side SIM port-freeze / number-lock for principals, since phone-number hijacking is the prerequisite for full account takeover even without the key.

GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration (Google Threat Intelligence Group, 2026-05-15). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates the internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the <org>.enrollms[.]com and <org>.passkeyms[.]com namespaces); the operator captures credentials and TOTP / push approvals live and immediately registers a new attacker-controlled MFA device for persistent post-vishing access, mapping to T1556 Modify Authentication Process. Post-compromise, BlackFile uses Python requests and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's ClientAppId (d3590ed6-52b3-4102-aeff-aad2292ab01c) in the M365 audit log AppAccessContext field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present python-requests/2.28.1 or WindowsPowerShell/5.1 as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the FileAccessed audit event distinguishes the bulk-API extraction pattern from interactive FileDownloaded events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome.
The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as a probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). Additional MITRE ATT&CK mappings: T1566.004 Spearphishing Voice, T1557 Adversary-in-the-Middle, T1528 Steal Application Access Token. Detection priorities: alert on Okta system.multifactor.factor.setup events not preceded by a user-initiated session; flag M365 audit FileAccessed events with AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c AND a user-agent containing python-requests or PowerShell; require Conditional Access compliant-device for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.
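The M365 detection rule in the paragraph above, worked through as an added example (not GTIG's or ctipilot's code): a Python check over constructed Unified Audit Log records that pairs the Office ClientAppId with a scripting user-agent and then counts hits per user, because the bulk FileAccessed pattern, not one event, is what marks extraction. The record layout is a simplified subset of the real audit schema; the user names and the non-Office app id in the sample are made up.

```python
# Detection sketch for the BlackFile SharePoint pattern: the Office ClientAppId
# alone is useless (legitimate Office carries it too), so it is ANDed with the UA.
import json
from collections import Counter

# ClientAppId reported in the brief for Microsoft Office; the user-agent markers
# are the two scripting clients GTIG observed against Graph / SharePoint.
OFFICE_CLIENT_APP_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"
SCRIPT_UA_MARKERS = ("python-requests", "powershell")   # matched case-insensitively
FILE_OPERATIONS = ("FileAccessed", "FileDownloaded")

def is_suspicious(record: dict) -> bool:
    """True when a SharePoint file event claims to be Office but the HTTP client is a script."""
    ctx = record.get("AppAccessContext") or {}
    if str(ctx.get("ClientAppId", "")).lower() != OFFICE_CLIENT_APP_ID:
        return False
    if record.get("Operation") not in FILE_OPERATIONS:
        return False
    ua = str(record.get("UserAgent", "")).lower()
    return any(marker in ua for marker in SCRIPT_UA_MARKERS)

def hits_per_user(jsonl: str) -> Counter:
    """Parse one JSON audit record per line and count suspicious events per UserId;
    the caller alerts on the per-user count (threshold is a local tuning choice)."""
    counts = Counter()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if is_suspicious(record):
            counts[record.get("UserId", "<unknown>")] += 1
    return counts

def _rec(user, op, ua, app_id=OFFICE_CLIENT_APP_ID):
    return json.dumps({"UserId": user, "Operation": op, "UserAgent": ua,
                       "AppAccessContext": {"ClientAppId": app_id}})

# Constructed sample: two legitimate events, three scripted ones from one account.
SAMPLE_LOG = "\n".join([
    _rec("a.bernard@example.ch", "FileDownloaded", "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0; Pro)"),
    _rec("a.bernard@example.ch", "FileAccessed", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
         app_id="00000000-0000-0000-0000-000000000000"),  # hypothetical non-Office app id
    _rec("c.dupont@example.ch", "FileAccessed", "python-requests/2.28.1"),
    _rec("c.dupont@example.ch", "FileAccessed", "python-requests/2.28.1"),
    _rec("c.dupont@example.ch", "FileAccessed", "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1"),
])

if __name__ == "__main__":
    print(hits_per_user(SAMPLE_LOG))   # Counter({'c.dupont@example.ch': 3})
```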