A newly identified cyber extortion group known as Pink is posing a significant threat to enterprises by employing social engineering tactics to acquire cloud storage credentials and sensitive information. This group, under the cluster code CL-CRI-1147, unveiled its data leak platform on May 31, 2026, already affecting multiple organizations.
Pink Group’s Tactics and Operations
Pink distinguishes itself by opting for non-traditional methods such as voice phishing, commonly referred to as vishing, to infiltrate corporate networks. By impersonating internal IT personnel, they trick employees into visiting phishing sites controlled by attackers, leading to unintentional disclosure of login credentials and multi-factor authentication codes. This human-centric approach makes Pink particularly dangerous as it leverages trust rather than exploiting technical flaws.
Analysts from Unit 42 have documented the group's activities, revealing affiliations with the wider "Com" network, an online community known for aggressive social engineering. Pink shares operational similarities with other notorious cybercriminal groups such as Lapsus$, Scattered Spider, and ShinyHunters, suggesting a common tactical playbook.
Execution and Impact of Pink’s Attacks
Once access is gained, Pink swiftly exploits Microsoft’s internal automation tools to commandeer cloud storage environments, exfiltrating data from OneDrive and SharePoint in mere minutes. Following data acquisition, the group uses compromised accounts to send urgent payment demands via Microsoft Teams and emails, imposing a 72-hour deadline to heighten the sense of urgency and legitimacy.
The group may also represent a rebranding of a previous operation, with Google’s Threat Intelligence Group suggesting links to the now-defunct BlackFile, which briefly operated as Redact. Such rebranding strategies are common among advanced extortion operations seeking to evade detection.
Defensive Measures Against Pink
The effectiveness of Pink's strategies lies in their ability to bypass standard security controls. Because the group operates through legitimate employee accounts and Microsoft's own tools, its activity often goes unnoticed by firewalls and endpoint detection systems. Victims are directed to phishing domains such as passkeydeploy.com, where the attackers capture the authenticated session cookie; replaying that cookie lets them bypass MFA without ever needing the password again.
To combat such threats, security experts recommend a people-first approach. Organizations should train employees to independently verify unexpected IT calls and exercise caution when asked to enter credentials. Implementing phishing-resistant authentication methods like FIDO2 hardware keys, monitoring unusual file downloads, and blocking known phishing domains linked to Pink’s infrastructure are critical steps in enhancing security.
Additionally, deploying behavioral monitoring tools to detect large data transfers can help prevent potential breaches before data leaves the network.
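The two detections recommended above, bulk download monitoring and a phishing-domain blocklist, as an added example that is not part of the report or of Unit 42's tooling. The audit lines are constructed to loosely mirror Microsoft 365 file-activity events, and the threshold and window are arbitrary starting values to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample audit lines (not real telemetry).
# Shape: <ISO timestamp> <user> <operation> <object path>
SAMPLE_LOG = [
    f"2026-06-01T09:{i // 60:02d}:{i % 60:02d}Z alice@corp.example FileDownloaded /sites/Finance/doc{i}.xlsx"
    for i in range(0, 150, 6)  # 25 downloads in 2.5 minutes: the "minutes, not hours" pull pattern
] + [
    "2026-06-01T09:10:00Z bob@corp.example FileDownloaded /personal/bob/notes.docx",
    "2026-06-01T14:30:00Z bob@corp.example FileDownloaded /personal/bob/todo.txt",
    "2026-06-01T09:05:00Z alice@corp.example FileAccessed /sites/Finance/readme.txt",
]

# The one domain the report names; in practice this set is fed from your threat-intel feed.
BLOCKED_DOMAINS = {"passkeydeploy.com"}


def parse_event(line):
    """Split one constructed audit line into its fields."""
    ts, user, op, obj = line.split(" ", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user, "op": op, "obj": obj}


def detect_bulk_downloads(lines, threshold=20, window_minutes=5):
    """Return {user: max_downloads_in_window} for users whose download count in any
    sliding window of `window_minutes` reaches `threshold`. Only download operations count;
    plain file views are ignored so ordinary browsing does not trip the rule."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["op"] in ("FileDownloaded", "FileSyncDownloadedFull"):
            by_user[ev["user"]].append(ev["ts"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(user, 0):
                alerts[user] = count
    return alerts


def is_blocked_url(url):
    """True if the URL's host is a blocked domain or any subdomain of one (exact-label match,
    so a look-alike such as notpasskeydeploy.com is not matched by accident)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)
```

Run `detect_bulk_downloads` over exported audit records on a schedule and feed hits to the same queue as your other exfiltration alerts; the URL check belongs in the proxy or mail-link rewriting layer, not only on endpoints.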
Conclusion
As Pink continues to evade traditional detection mechanisms, organizations must adopt comprehensive security strategies combining human vigilance with advanced technical defenses. By staying informed and proactive, enterprises can better protect themselves against this evolving threat.
