Pink Extortion Crew Uses Fake IT Calls to Steal Microsoft 365 Data
A newly tracked extortion group known as Pink is using voice phishing and fake internal help-desk calls to trick employees into entering credentials and MFA codes on attacker-controlled phishing pages. Researchers tracking the activity as CL-CRI-1147 said the actor appears likely Com-affiliated and follows a social-engineering playbook associated with groups such as Lapsus$, Scattered Spider, and ShinyHunters. After account takeover, Pink rapidly accesses Microsoft cloud services including SharePoint and OneDrive, steals sensitive data, and then uses the compromised accounts to send extortion emails and internal Microsoft Teams messages to pressure victims.
Investigators said the group has also stood up a leak site and typically gives organizations 72 hours to respond to extortion demands. The campaign shows repeated infrastructure reuse across victims, with common second-level domains and victim-specific subdomains, and phishing hosting frequently tied to DDoS-Guard. Reported indicators include the domains passkeyadd.com, passkeydeploy.com, and deploypasskey.com, along with the IP addresses 185.178.208.153, 172.93.100.252, and 96.232.20.66, giving defenders concrete artifacts for threat hunting and blocking.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose China-linked OP-512 targeting IIS servers
ReliaQuest disclosed a previously unreported espionage-focused threat cluster, OP-512, targeting Microsoft IIS servers with a custom three-web-shell framework. The activity was assessed with moderate to high confidence as linked to China and included anti-forensic timestomping, centralized management of compromised hosts, and attempted privilege escalation using the Potato Suite.
Pink vishing campaign observed targeting Microsoft cloud users
A high-severity campaign was observed in which a threat actor impersonated internal IT staff over voice calls, directed victims to phishing pages, stole credentials and MFA codes, then exfiltrated data from SharePoint and OneDrive. The actor also used compromised accounts to send extortion emails and internal Microsoft Teams messages, while reusing phishing infrastructure across victims.
Pink extortion activity renewed with leak site and extortion communications
Palo Alto Networks Unit 42 identified Pink's leak site after renewed extortion communications tied to the group. The activity was associated with cluster CL-CRI-1147 and assessed as likely linked to a Com-affiliated actor.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New China-linked threat cluster OP-512 targets Microsoft IIS servers | brief | SC Media
scworld.com
Open sourceNew Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework
thehackernews.com
Open sourcePink Extortion Brand Activity (CL-CRI-1147) | Community Portal | Gurucul
community.gurucul.com
Open sourcePink is the latest goon squad to use fake helpdesk calls to steal creds
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing crews targeted developers and enterprises to steal credentials and extort victims
Security researchers reported two active phishing operations that relied on social engineering rather than mass malware spam to compromise organizations and steal high-value data. Proofpoint said the cluster it tracks as **UNK_DeadDrop**, likely aligned with North Korea, targeted developers at nearly 100 organizations in cryptocurrency, finance, technology, and education. The attackers used fake recruitment, code review, and technical assessment lures to push victims to attacker-controlled GitHub and GitLab repositories, where hidden Visual Studio Code tasks and a malicious VSIX extension triggered malware on **macOS, Linux, and Windows**. The campaign stole browser credentials, cryptocurrency wallets, cookies, and keychain or keyring data, while maintaining persistence through the extension and removing repository artifacts to reduce detection. A separate campaign tracked by Palo Alto Networks Unit 42 as **CL-CRI-1147** and publicly associated with the **Pink** extortion group targeted enterprise users through voice phishing and credential theft. Researchers said Pink impersonated internal IT staff to direct employees to phishing pages that captured credentials, MFA codes, and session cookies, enabling access to Microsoft 365 services including **OneDrive** and **SharePoint**. The group then used legitimate Microsoft automation tools to exfiltrate data and sent extortion demands through compromised Microsoft Teams accounts and email, typically giving victims 72 hours to pay. Unit 42 linked Pink to the broader Com cybercriminal ecosystem and noted overlaps with groups such as **Lapsus$**, **Scattered Spider**, and **ShinyHunters**, while Google Threat Intelligence Group assessed it may be a rebrand of the BlackFile operation.
Jun 9, 2026
BlackFile Extortion Gang Hits Retail and Hospitality With Vishing-Led Data Theft
**BlackFile**, a financially motivated extortion group likely tied to **The Com** and overlapping with activity tracked by CrowdStrike as **Cordial Spider**, has targeted retail and hospitality organizations with voice-phishing campaigns that impersonate corporate IT help desks. Researchers at Palo Alto Networks Unit 42 and RH-ISAC said the group has been active since at least February 2026, using spoofed phone numbers and fake corporate single sign-on pages to trick employees into surrendering credentials and one-time passcodes. After gaining access, the attackers register their own devices to bypass MFA, escalate privileges into administrative and executive accounts, and steal data from platforms including **Salesforce** and **SharePoint** through legitimate API and download functions. The stolen information is moved to attacker-controlled infrastructure, posted on a dark web leak site, and used to support **seven-figure ransom demands** sent from compromised employee accounts or Gmail; in some cases, the group has also used **swatting** against employees and executives to intensify pressure on victims.
Apr 28, 2026
Former Black Basta Affiliates Target Executives With Teams Phishing and Email Bombing
Suspected former **Black Basta** affiliates have launched a fast-scaling social-engineering campaign against dozens of organizations, targeting more than 100 employees to gain network access for **data theft, ransomware deployment, and extortion**. According to ReliaQuest, the operators use mass email bombing to overwhelm victims and then follow up through **Microsoft Teams** messages or phone calls while impersonating IT help desk staff. The activity has been linked to former Black Basta members or closely aligned actors because the tooling, targeting, and execution closely mirror the group’s historical playbook, even after Black Basta fragmented following the leak of its internal chats. The campaign has increasingly focused on senior leaders and other highly privileged personnel, with executive targeting rising from **59%** in January and February to **77%** in March. Attackers have persuaded victims to install remote monitoring and management tools such as **Supremo Remote Desktop** or to launch **Windows Quick Assist**, sometimes obtaining remote access within minutes before running malicious scripts. Manufacturing and professional services have been hit hardest, with finance, insurance, construction, and technology also affected, underscoring how the operators are moving faster and using more automation to scale intrusions and make early detection more difficult.
May 4, 2026