A newly identified extortion group called Pink has emerged as a serious threat to enterprise organizations, deploying sophisticated voice phishing (vishing) tactics to steal cloud storage credentials and sensitive files. Tracked as cluster code CL-CRI-1147, Pink launched its dedicated data leak site on May 31, 2026, and has already listed multiple initial victims — primarily from legal, professional, and financial services sectors.
Who Is Pink?
Analysts at Unit 42 identified and disclosed the group in a report shared with Cyber Security News. Researchers note that Pink appears affiliated with the broader Com network — a loose community of cybercriminals known for aggressive social engineering. The group shares tactical DNA with well-known threat actors Lapsus$, Scattered Spider, and ShinyHunters, suggesting a shared playbook circulating within these communities.
There are also indications that Pink may be a rebrand of an earlier operation. Google Threat Intelligence Group analysts assess that after the BlackFile brand retired in May 2026, the group may have briefly operated as “Redact” before resurfacing as Pink — a pattern common among sophisticated extortion crews seeking to evade tracking and law enforcement attention.
The Attack Chain: Vishing, Session Hijacking, and Fileless Exfiltration
Pink’s effectiveness lies in bypassing technical security controls entirely by targeting people. The attack chain proceeds in four stages:
- Initial Contact — Vishing: Attackers impersonate internal IT staff and call employees directly. Victims are directed to attacker-controlled phishing pages where they unknowingly submit login credentials and MFA codes. Pink uses domains including passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com for this purpose.
- Session Cookie Theft: Rather than relying on captured passwords, these phishing pages capture session cookies — allowing the attackers to authenticate as the victim and bypass MFA entirely on subsequent access attempts.
- Cloud Storage Draining: Once inside a Microsoft 365 environment, Pink uses Microsoft’s own built-in automation tools to sweep OneDrive and SharePoint folders at speed, draining files within minutes of gaining access.
- Extortion: With stolen data in hand, the group sends threatening messages via compromised Microsoft Teams accounts and email, giving executives a tight 72-hour window to pay. This internal-channel approach makes extortion demands appear more urgent and legitimate to victims.
Why Standard Security Tools Miss It
Pink’s operations are particularly dangerous because they blend into legitimate activity. Since attackers operate inside real employee accounts using Microsoft’s own internal tooling, most firewalls and endpoint detection systems do not flag the activity as suspicious. There is no external malware delivery, no novel exploit to detect — just a compromised identity behaving like a user.
In addition to credential-based access, Pink employs fileless techniques to maintain persistence. Short commands assemble payloads directly in system memory rather than writing files to disk, evading antivirus products that scan file-system artifacts. The group also performs environment checks: if a security research sandbox is detected, the malware suppresses its behavior to avoid analysis.
Indicators of Compromise
The following indicators are associated with Pink’s infrastructure:
- Domains: passkeyadd[.]com, passkeydeploy[.]com, deploypasskey[.]com
- IPs: 185.178.208[.]153 (linked to DDoS-Guard hosting), 172.93.100[.]252, 96.232.20[.]66
Defensive Recommendations
Security experts urge organizations to take a people-first defensive posture against groups like Pink:
- Call verification: Train employees to independently verify any unexpected IT call before following instructions, especially if asked to visit a link or enter credentials. Help desk teams must have strict, unbypassable identity verification procedures.
- Phishing-resistant MFA: Migrate from TOTP/SMS-based MFA to FIDO2 hardware keys. Because their authentication is bound to the legitimate origin, a login relayed through an AiTM phishing page never completes, so no session cookie is issued for the attacker to capture.
- Cloud monitoring: Deploy behavioral monitoring that flags large or sudden file download spikes from OneDrive or SharePoint. Review OAuth token grants and API permissions regularly.
- Block known domains: Add the known Pink phishing domains to DNS blocklists and email security filters.
- Conditional Access Policies: Enforce device compliance and restrict access from unmanaged or unexpected endpoints.
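The "large or sudden file download spike" heuristic from the cloud monitoring recommendation, as an added example that is not part of the original report: it reads Microsoft 365 unified audit log records as newline-delimited JSON (the `CreationTime`, `UserId`, `Operation` and `ClientIP` fields), counts SharePoint/OneDrive download events per user in a sliding window, and flags any user who crosses a threshold. The sample records, the five-minute window and the threshold of 20 are constructed assumptions for the demonstration.

```python
"""Flag bursts of OneDrive/SharePoint download events per user in Microsoft 365
unified audit log records (the "large or sudden download spike" heuristic)."""
import json
from collections import deque
from datetime import datetime, timedelta

# SharePoint/OneDrive operations that mean file content left the tenant.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}

def parse_records(lines):
    """Parse newline-delimited JSON audit records; malformed lines are skipped."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
            out.append((datetime.fromisoformat(rec["CreationTime"]),
                        rec["UserId"].lower(), rec["Operation"], rec.get("ClientIP", "")))
        except (ValueError, KeyError, TypeError, AttributeError):
            continue
    return sorted(out)

def find_download_bursts(records, window=timedelta(minutes=5), threshold=20):
    """Return {user: (event_count, [client IPs])} for every user who reached
    `threshold` download events inside a sliding `window`."""
    recent, alerts = {}, {}
    for when, user, op, ip in records:
        if op not in DOWNLOAD_OPS:
            continue
        q = recent.setdefault(user, deque())
        q.append((when, ip))
        while when - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (len(q), sorted({p for _, p in q}))
    return alerts

def sample_lines():
    """Constructed audit records (not real data): alice drains 25 files in ~2
    minutes from one IP, bob downloads 3 files over 20 minutes, plus one junk line."""
    base = datetime(2026, 6, 1, 9, 0, 0)
    rec = lambda t, u, ip, wl: json.dumps({"CreationTime": t.isoformat(), "UserId": u,
        "Operation": "FileDownloaded", "Workload": wl, "ClientIP": ip})
    lines = [rec(base + timedelta(seconds=5 * i), "alice@example.com", "203.0.113.10", "OneDrive")
             for i in range(25)]
    lines += [rec(base + timedelta(minutes=10 * i), "bob@example.com", "198.51.100.7", "SharePoint")
              for i in range(3)]
    return lines + ["not json"]

if __name__ == "__main__":
    print(find_download_bursts(parse_records(sample_lines())))  # alice flagged, bob not
```

In production the same function would be fed the output of the Office 365 Management Activity API or Search-UnifiedAuditLog exports, and the threshold tuned to the tenant's normal sync volumes so that ordinary OneDrive client activity does not alert.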
Pink’s rapid emergence and high operational tempo — combined with its reliance on social engineering over malware — make it a significant near-term threat to any organization relying on Microsoft 365 for sensitive data storage.
Source: Cyber Security News, June 8, 2026