ReliaQuest warns that the extortion group ShinyHunters appears to be shifting its social engineering playbook toward branded subdomain impersonation, paired with phone-led phishing that targets single sign-on users on mobile devices.

The shift moves away from newly registered lookalike domains. Instead, attackers use generic registered domains and place the victim organisation's branding in the subdomain-a structure that can evade controls designed to flag suspicious or newly created domains.

ShinyHunters is a financially motivated group linked to data theft and extortion. Recent incidents suggest a focus on identity compromise and access to software-as-a-service platforms, rather than deploying malware inside corporate networks...