PROBABLYPWNED
Threat Intelligence · April 13, 2026 · 4 min read

UNC6783 Targets BPOs to Breach Adobe, Dozens of Enterprises

Google warns of UNC6783 threat actor using Okta and Zendesk phishing to breach BPO providers, stealing 13M Adobe support tickets and bug bounty data. FIDO2 keys recommended.

Alex Kowalski

Google's Mandiant team is warning enterprises about UNC6783, a threat actor systematically targeting business process outsourcing (BPO) providers to gain access to their corporate clients. The campaign has already compromised Adobe through an India-based contractor, exfiltrating 13 million support tickets and sensitive bug bounty submissions.

The attacker, operating under the alias "Mr. Raccoon," represents a shift in targeting strategy. Rather than attacking enterprises directly, UNC6783 exploits the weaker security posture of third-party service providers who handle customer data on behalf of major corporations.

How the Campaign Works

UNC6783 relies on social engineering through live chat interfaces—a vector that bypasses email security controls entirely. Attackers contact BPO support employees directly, directing them to spoofed Okta login pages hosted on domains mimicking legitimate company infrastructure.

The phishing domains follow a consistent pattern, [org].zendesk-support[##].com, a lookalike for the legitimate [org].zendesk.com hostnames that Zendesk tenants use. When employees enter credentials, the attacker's kit captures not just the password but also clipboard contents, so a one-time code the employee pastes is relayed to the real login while it is still valid. Any MFA factor that yields a code the user can type or paste is exposed to this kind of real-time relay.

Once authenticated, attackers enroll their own devices as MFA factors with the compromised organization's identity provider. This grants persistent access that survives password resets: a reset that does not also revoke the attacker's factor and terminate active sessions leaves them able to sign in again with the new password they phish next.

The Adobe Breach

The most significant known victim is Adobe. According to Google's threat intelligence, the attack chain started with a phishing email to a support agent at an Indian BPO partner. The agent executed a remote access trojan, giving Mr. Raccoon full control of their workstation.

From there, the attacker pivoted—using the compromised employee's email to phish their manager, who handed over credentials for Adobe's support platform. The attacker then exported:

  • 13 million support tickets containing customer PII
  • Employee records for 15,000 Adobe staff
  • HackerOne bug bounty submissions detailing unpatched vulnerabilities
  • Internal documentation and corporate communications

Mr. Raccoon claimed the entire database was extracted with a single API request. If true, that is a damning indication that the platform lacked adequate access controls for bulk data exports, such as scoping results to the caller's customers, a hard server-side cap on rows per request, or alerting on export volume.
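As an added illustration (not code from Adobe's platform, from the Google report, or from any product named here), the following Python contrasts an export function with the weakness that claim implies against one that enforces the controls a support platform should have. The in-memory ticket table, the principal-to-org scopes, the page cap and the alert threshold are all assumptions made for the example.

```python
"""Weak versus hardened handling of a support-platform export endpoint.

Added illustration for this article, not code from Adobe's platform or from the
Google report. The in-memory ticket table, the principal-to-org scopes, the page
cap and the alert threshold are all assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: 200 tickets split between two customer orgs.
TICKETS = [
    {"id": i, "org": "acme" if i % 2 else "globex", "body": f"ticket {i}"}
    for i in range(1, 201)
]

# Assumed: each principal may only read the queues of the orgs it is scoped to.
PRINCIPAL_SCOPES = {
    "agent-bpo-1": {"acme"},
    "platform-admin": {"acme", "globex"},
}

PAGE_MAX = 25           # assumed hard cap on rows per request
WINDOW_ALERT_ROWS = 60  # assumed rows per principal per window before an alert fires


def export_weak(limit=None):
    """The pattern the article describes: no caller scoping and no cap.
    Leaving `limit` unset returns every ticket in a single response."""
    return list(TICKETS) if limit is None else TICKETS[:limit]


@dataclass
class ExportGuard:
    """Hardened export: scope rows to the caller's orgs, cap the page size
    server-side, and raise an alert once a principal's cumulative export
    volume in the current window passes the threshold."""
    window_rows: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def export(self, principal, org, limit=PAGE_MAX, offset=0):
        if org not in PRINCIPAL_SCOPES.get(principal, set()):
            raise PermissionError(f"{principal} is not scoped to {org}")
        # The client may ask for fewer rows, never for more than PAGE_MAX.
        limit = min(max(1, limit), PAGE_MAX)
        rows = [t for t in TICKETS if t["org"] == org][offset:offset + limit]
        self.window_rows[principal] += len(rows)
        if self.window_rows[principal] > WINDOW_ALERT_ROWS:
            self.alerts.append(
                f"bulk export: {principal} pulled {self.window_rows[principal]} rows this window"
            )
        return rows


if __name__ == "__main__":
    print(len(export_weak()), "rows returned with no limit")
    guard = ExportGuard()
    for page in range(3):
        guard.export("agent-bpo-1", "acme", limit=10_000, offset=page * PAGE_MAX)
    print(guard.alerts)
```

The hardened version does three things the weak one cannot: it refuses orgs outside the caller's scope, it ignores a client-supplied limit larger than the cap, and it keeps a per-principal row count so that paging through the whole table still trips an alert. In production the row counter would be fed from the platform's audit log rather than kept in the handler, but the threshold logic is the same.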

Extortion Follows Exfiltration

UNC6783 isn't just stealing data for resale. After exfiltration, victims receive extortion demands via ProtonMail threatening public disclosure. The pattern resembles operations by Scattered Spider, though attribution to that group remains unconfirmed.

Google identified "several dozen" high-value corporations targeted through this method. Many haven't disclosed breaches publicly, suggesting the extortion payments may be working.

Why BPOs Are Vulnerable

The FBI's 2025 Internet Crime Report highlighted business email compromise as a $3 billion problem. BPO targeting extends this attack surface considerably.

Outsourcing providers typically operate with:

  • Access to multiple client environments simultaneously
  • Lower security budgets than their enterprise customers
  • High employee turnover reducing security awareness
  • Pressure to resolve tickets quickly, creating phishing susceptibility

When attackers compromise a single BPO employee, they potentially gain access to data from dozens of client organizations. It's supply chain compromise without touching any software.

Detection and Defense

Google's Mandiant recommends several countermeasures:

  1. Deploy FIDO2 security keys for all employees with access to sensitive systems. The authenticator signs a challenge bound to the site's origin, so a login attempted on a lookalike domain yields nothing that can be replayed against the real one, and there is no code for the phishing kit to capture
  2. Monitor live chat for abuse patterns including rapid escalation requests and urgent credential resets
  3. Block the domain pattern *zendesk-support*.com at the network perimeter. Match on the registrable domain rather than a loose wildcard so legitimate [org].zendesk.com traffic is untouched, and treat the pattern as an indicator the attacker will rotate, not as a durable control
  4. Audit MFA device enrollments for unexpected additions, especially factors activated within minutes of a sign-in from an IP address or device the user has never used before
  5. Implement data loss prevention that alerts on bulk exports from support platforms

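Countermeasures 3 and 4 are the two on this list that reduce to detection logic, and they correspond to the spoofed-domain and device-enrollment steps described in the campaign section. The following Python is an added example for this article, not Mandiant's or Google's tooling. The proxy log format is an assumption. The Okta System Log event types it reads (user.session.start, user.mfa.factor.activate) and field names (published, eventType, actor.alternateId, client.ipAddress, outcome.result) are real, but the events, user names and IP baseline are constructed for the example.

```python
"""Two of the countermeasures above as detection logic over constructed log lines.

Added example for this article; it is not Mandiant's or Google's tooling. The proxy
log format is an assumption. The Okta System Log event types used
(user.session.start, user.mfa.factor.activate) and field names (published,
eventType, actor.alternateId, client.ipAddress, outcome.result) are real, but the
events themselves, the user names and the IP baseline are constructed.
"""
import re
from datetime import datetime, timedelta

# Countermeasure 3. The article's pattern is [org].zendesk-support[##].com. Matching
# on the registrable domain rather than a bare "*zendesk-support*" wildcard keeps the
# legitimate [org].zendesk.com hosts out of the result.
PHISH_DOMAIN = re.compile(r"(?:^|\.)zendesk-support\d{1,3}\.com$", re.IGNORECASE)

# Constructed proxy log: timestamp, client IP, method, target.
PROXY_LOG = """\
2026-04-10T09:12:01Z 10.0.4.17 CONNECT acme.zendesk.com:443
2026-04-10T09:14:33Z 10.0.4.17 CONNECT acme.zendesk-support07.com:443
2026-04-10T09:15:02Z 10.0.4.22 GET https://acme.zendesk-support12.com/okta/login
2026-04-10T09:16:40Z 10.0.4.22 CONNECT zendesk.com:443
"""


def phishing_domain_hits(log_text):
    """Return the hosts in `log_text` that match the lookalike pattern."""
    hits = []
    for line in log_text.splitlines():
        target = line.split()[3]
        # Strip scheme, path and port so only the hostname is matched.
        host = re.sub(r"^[a-z]+://", "", target).split("/")[0].split(":")[0]
        if PHISH_DOMAIN.search(host):
            hits.append(host)
    return hits


# Countermeasure 4. A factor activated shortly after a password sign-in from an IP
# the user has never used before is the enrollment step the attack chain describes.
OKTA_EVENTS = [  # constructed, in Okta System Log shape
    {"published": "2026-04-10T08:02:11Z", "eventType": "user.session.start",
     "actor": {"alternateId": "b.lee@bpo.example"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2026-04-10T09:05:40Z", "eventType": "user.session.start",
     "actor": {"alternateId": "a.singh@bpo.example"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2026-04-10T09:21:07Z", "eventType": "user.session.start",
     "actor": {"alternateId": "a.singh@bpo.example"},
     "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2026-04-10T09:24:19Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "a.singh@bpo.example"},
     "client": {"ipAddress": "198.51.100.77"}, "outcome": {"result": "SUCCESS"}},
    {"published": "2026-04-10T09:40:00Z", "eventType": "user.mfa.factor.activate",
     "actor": {"alternateId": "b.lee@bpo.example"},
     "client": {"ipAddress": "203.0.113.10"}, "outcome": {"result": "SUCCESS"}},
]

# Assumed per-user IP baseline, e.g. from the previous 30 days of successful sign-ins.
KNOWN_IPS = {"a.singh@bpo.example": {"203.0.113.10"},
             "b.lee@bpo.example": {"203.0.113.10"}}


def suspicious_enrollments(events, known_ips, window=timedelta(minutes=30)):
    """Return (user, ip, minutes_since_login) for each factor activation that lands
    within `window` of a successful session start from an IP outside the user's baseline."""
    last_login, findings = {}, []
    for ev in sorted(events, key=lambda e: e["published"]):
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if ev["eventType"] == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            last_login[user] = (ts, ip)
        elif ev["eventType"] == "user.mfa.factor.activate":
            login = last_login.get(user)
            if login and ts - login[0] <= window and login[1] not in known_ips.get(user, set()):
                findings.append((user, ip, int((ts - login[0]).total_seconds() // 60)))
    return findings


if __name__ == "__main__":
    print("lookalike hosts:", phishing_domain_hits(PROXY_LOG))
    print("suspicious enrollments:", suspicious_enrollments(OKTA_EVENTS, KNOWN_IPS))
```

In the constructed data, b.lee's enrollment is ignored because it comes from a baseline IP and well outside the window, while a.singh's is flagged three minutes after a sign-in from an address never seen for that account. The window and the baseline source are tuning knobs; the signal that matters is the pairing of a fresh login from an unknown origin with a new factor, which a password reset alone does not undo.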
Organizations should also review their BPO contracts. If a service provider handles customer data, it needs to meet the same security standards as internal teams, and the contract should say how that is verified. The Crunchyroll breach last week demonstrated the same third-party credential theft pattern.

Why This Matters

Enterprise security teams have spent years hardening their own environments. UNC6783's campaign demonstrates that attackers have adapted—they're now targeting the contractors, vendors, and service providers that enterprises trust implicitly.

The Adobe breach is particularly concerning. Bug bounty submissions often contain detailed reproduction steps for unpatched vulnerabilities. In the wrong hands, that information becomes a roadmap for exploitation before fixes ship.

For organizations using BPO services, the question isn't whether your provider will be targeted—it's whether they'll notice when it happens.
