UNC6671 (BlackFile) has been running an active, financially motivated adversary-in-the-middle (AiTM) vishing extortion campaign since early 2026, bypassing MFA across Microsoft 365, Entra, SharePoint, OneDrive, Okta, Salesforce, Zendesk, and ServiceNow. The group combines real-time session token interception with live phone calls to defeat TOTP and push-based MFA, then exfiltrates files with automated Python and PowerShell scripts before issuing ransom demands. A suspected classification gap in the Microsoft 365 Unified Audit Log may suppress volume-based exfiltration alerts in standard SOC tooling.
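A detection sketch for the scripted exfiltration stage, added here as an example and not taken from the original report: it counts file reads per user and client IP across several Unified Audit Log operations instead of relying on `FileDownloaded` alone, and only for script-like user agents. The page does not describe the exact classification gap, so the operation set, the user-agent substrings, the window and the threshold are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: treat all of these as "file read", however the log classifies them.
READ_OPS = {"FileDownloaded", "FileAccessed", "FileSyncDownloadedFull"}
SCRIPT_UA = ("python-requests", "powershell")  # lower-case substrings (assumed)
WINDOW = timedelta(minutes=10)                 # constructed; tune to a baseline
THRESHOLD = 5                                  # constructed; tune to a baseline

def flag_bulk_reads(records, threshold=THRESHOLD, window=WINDOW):
    """Return sorted (user, ip) pairs with >= threshold scripted reads in a window."""
    times = defaultdict(list)
    for r in records:
        ua = r.get("UserAgent", "").lower()
        if r.get("Operation") in READ_OPS and any(s in ua for s in SCRIPT_UA):
            ts = datetime.strptime(r["CreationTime"], "%Y-%m-%dT%H:%M:%S")
            times[(r["UserId"], r["ClientIP"])].append(ts)
    flagged = []
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)

def _rec(minute, op, user, ip, ua):
    # Builds one constructed audit record using real UAL field names.
    return {"CreationTime": f"2026-01-01T09:{minute:02d}:00", "Operation": op,
            "UserId": user, "ClientIP": ip, "UserAgent": ua}

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
PS_UA = "Mozilla/5.0 (Windows NT 10.0; en-US) WindowsPowerShell/5.1"
SAMPLE = (  # constructed sample data, not from a real tenant
    # Burst of reads logged as FileAccessed from a Python client: flagged.
    [_rec(m, "FileAccessed", "alice@example.com", "203.0.113.7",
          "python-requests/2.31.0") for m in range(6)]
    # Interactive browser downloads: ignored.
    + [_rec(m, "FileDownloaded", "bob@example.com", "192.0.2.10", BROWSER)
       for m in range(8)]
    # Scripted but under the threshold.
    + [_rec(m, "FileDownloaded", "carol@example.com", "198.51.100.4", PS_UA)
       for m in range(3)]
    # Scripted but spread out beyond the window.
    + [_rec(m, "FileAccessed", "dave@example.com", "198.51.100.9",
            "python-requests/2.31.0") for m in range(0, 60, 11)]
)

if __name__ == "__main__":
    print(flag_bulk_reads(SAMPLE))
```
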

Author

Tech Jacks Solutions