A newly identified extortion group called Pink has emerged as a serious threat to enterprise organizations, using social engineering tactics to steal cloud storage credentials and sensitive data.
The group, tracked under the cluster code CL-CRI-1147, launched its dedicated data leak site on May 31, 2026, and has already listed several initial victims.
Security teams across industries are now on high alert as the group’s tactics prove highly effective against even well-defended organizations.
Pink operates with a clear and calculated strategy. Rather than deploying traditional malware, the group relies on voice phishing, also known as vishing, to gain initial access to corporate networks.
Attackers impersonate internal IT staff over the phone, tricking employees into visiting attacker-controlled phishing pages where they unknowingly hand over their login credentials and multi-factor authentication codes. This approach makes Pink particularly dangerous because it exploits human trust rather than technical vulnerabilities.
Analysts at Unit 42 identified and disclosed the group in a report shared with Cyber Security News (CSN).
Researchers noted that Pink appears to be affiliated with the broader Com network, a loose community of cybercriminals known for aggressive social engineering campaigns.
The group also shares tactical similarities with other well-known threat actors such as Lapsus$, Scattered Spider, and ShinyHunters, suggesting a shared playbook among these communities.
Once Pink gains access to an employee’s account, the attackers move fast. They use Microsoft’s own built-in automation tools to sweep through cloud storage environments, draining files from OneDrive and SharePoint folders within minutes.
With the stolen data in hand, the group turns to compromised accounts to send internal Microsoft Teams messages and emails demanding payment, giving executives a tight 72-hour window to respond.
This internal messaging tactic makes the extortion feel more urgent and legitimate to victims.
The group also shows signs of being a possible rebrand of an older operation. Google Threat Intelligence Group analysts have assessed that after the BlackFile brand retired in May 2026, the group may have briefly operated as Redact before surfacing again as Pink.
This pattern of rebranding is common among sophisticated extortion crews seeking to evade tracking.
New Pink Hacking Group Attacking Enterprise Users
Pink’s effectiveness lies in how it avoids triggering standard security tools. Since the group uses legitimate employee accounts and Microsoft’s own internal tools to move data, most firewalls and endpoint detection systems simply do not flag the activity as suspicious.
The attackers direct victims to phishing domains such as passkeydeploy.com and deploypasskey.com, where session cookies are captured, allowing the group to bypass MFA entirely without needing the victim’s password again.

In addition to credential theft, Pink also uses fileless techniques to stay hidden within compromised environments. Rather than dropping a large file onto disk, the group runs short commands that assemble the payload directly in memory.
This means antivirus products that only scan folders and drives find nothing on disk to flag. The code also performs environment checks, and if it detects a security research sandbox, it quietly suppresses its own behavior to avoid analysis.
Protecting Your Organization From Vishing Attacks
Security experts urge organizations to take a practical, people-first approach to defending against groups like Pink.
Employees should be trained to independently verify any unexpected IT phone call before following instructions, especially when asked to visit a link or enter credentials.
Help desk teams should have strict identity verification procedures in place that cannot be bypassed through social pressure alone.
On the technical side, organizations are advised to migrate from standard one-time password MFA to phishing-resistant authentication methods such as FIDO2 hardware keys.
Security teams should monitor cloud environments for unusual spikes in file downloads, review OAuth token grants and API permissions, and block known phishing domains linked to Pink’s infrastructure.
Deploying behavioral monitoring tools that flag large, sudden data transfers before they leave the network can also make a critical difference.
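A detection sketch for the download-spike monitoring recommended above, added here as an example and not code from the article or from Unit 42. It reads newline-delimited JSON audit records whose field names (CreationTime, Operation, UserId, Workload, ObjectId) are modelled on the Microsoft 365 unified audit log, and flags any user whose OneDrive or SharePoint download count within a sliding ten-minute window crosses a threshold. The records, user names, domain and threshold are constructed for the demonstration, and the function and variable names are this example's own.

```python
"""Flag bulk OneDrive/SharePoint download bursts in audit-log records.

Added example, not from the article. Field names are modelled on the
Microsoft 365 unified audit log; every record below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Operations that represent a file leaving cloud storage.
EXFIL_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull"}
CLOUD_STORAGE_WORKLOADS = {"OneDrive", "SharePoint"}
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_records(lines):
    """Parse newline-delimited JSON audit records, skipping malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["_ts"] = datetime.strptime(rec["CreationTime"], TIME_FORMAT)
        except (ValueError, KeyError, TypeError):
            continue  # malformed line or missing field: skip, do not crash
        records.append(rec)
    records.sort(key=lambda r: r["_ts"])  # logs are rarely delivered in order
    return records


def find_download_spikes(records, threshold=50, window=timedelta(minutes=10)):
    """Return {user: (count, first_ts, last_ts)} for each user whose download
    count inside any sliding `window` reaches `threshold`."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    alerts = {}
    for rec in records:
        if rec.get("Operation") not in EXFIL_OPERATIONS:
            continue
        if rec.get("Workload") not in CLOUD_STORAGE_WORKLOADS:
            continue
        user = rec.get("UserId", "<unknown>")
        q = recent[user]
        q.append(rec["_ts"])
        while q and rec["_ts"] - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(user)
            if prev is None or len(q) > prev[0]:  # keep the largest burst seen
                alerts[user] = (len(q), q[0], q[-1])
    return alerts


def build_sample_log():
    """Constructed NDJSON sample: one normal user, one bulk-download burst,
    uploads that must not count, and one malformed line."""
    base = datetime(2026, 6, 1, 9, 0, 0)

    def rec(ts, op, user, workload, obj):
        return json.dumps({"CreationTime": ts.strftime(TIME_FORMAT), "Operation": op,
                           "UserId": user, "Workload": workload, "ObjectId": obj})

    lines = []
    for i in range(5):  # normal behaviour: five downloads spread over an hour
        lines.append(rec(base + timedelta(minutes=12 * i), "FileDownloaded",
                         "alice@example.test", "OneDrive", f"https://example.test/doc{i}.docx"))
    for i in range(120):  # burst: 120 downloads in four minutes
        lines.append(rec(base + timedelta(seconds=2 * i), "FileDownloaded",
                         "bob@example.test", "SharePoint", f"https://example.test/site/file{i}.xlsx"))
    for i in range(60):  # uploads by the same user are not exfiltration
        lines.append(rec(base + timedelta(seconds=i), "FileUploaded",
                         "bob@example.test", "SharePoint", f"https://example.test/site/up{i}.bin"))
    lines.append("{not valid json")
    return lines


def run_demo():
    """Run the detector over the constructed log and print any alerts."""
    alerts = find_download_spikes(parse_records(build_sample_log()))
    for user, (count, first, last) in alerts.items():
        print(f"ALERT {user}: {count} downloads between {first:%H:%M:%S} and {last:%H:%M:%S}")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The threshold and window are the tuning knobs: a baseline of normal per-user download volume for the tenant should set them, and the sliding window is what separates a scripted sweep of a document library from the same number of downloads spread across a working day.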
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
