SaaS Data Theft: How UNC3944, UNC6040, and UNC6395 Quietly Redefined Cloud Risk

UNC3944, UNC6040, and UNC6395 are executing targeted campaigns against SaaS, cloud, and virtualization environments, leveraging vishing, OAuth abuse, and supply-chain compromise. Their TTPs require precise, telemetry-driven controls and detection.