New Cyber Extortion Group Pink Exploits Social Engineering to Target Enterprise Cloud Data

A newly identified cyber extortion group, known as Pink, has emerged as a significant threat to enterprise organizations by employing sophisticated social engineering tactics to steal cloud storage credentials and sensitive data. Operating under the cluster code CL-CRI-1147, Pink launched its dedicated data leak site on May 31, 2026, and has already listed several initial victims. Security teams across various industries are now on high alert as the group’s methods prove highly effective against even well-defended organizations.

Tactics and Techniques

Unlike traditional cybercriminals who rely on malware, Pink leverages voice phishing, or vishing, to gain initial access to corporate networks. Attackers impersonate internal IT staff over the phone, deceiving employees into visiting attacker-controlled phishing pages where they unknowingly provide their login credentials and multi-factor authentication (MFA) codes. This approach exploits human trust rather than technical vulnerabilities, making it particularly dangerous.

Once Pink gains access to an employee’s account, the attackers act swiftly. They utilize Microsoft’s built-in automation tools to rapidly extract files from cloud storage environments, such as OneDrive and SharePoint, within minutes. With the stolen data in hand, the group uses compromised accounts to send internal Microsoft Teams messages and emails demanding payment, giving executives a tight 72-hour window to respond. This internal messaging tactic adds urgency and legitimacy to their extortion attempts.

Affiliations and Rebranding

Analysts at Unit 42 have identified Pink and noted its affiliation with the broader Com network, a loose community of cybercriminals known for aggressive social engineering campaigns. The group shares tactical similarities with other well-known threat actors such as Lapsus$, Scattered Spider, and ShinyHunters, suggesting a shared playbook among these communities.

Furthermore, Google’s Threat Intelligence Group analysts have assessed that after the BlackFile brand retired in May 2026, the group may have briefly operated as Redact before resurfacing as Pink. This pattern of rebranding is common among sophisticated extortion crews seeking to evade tracking and maintain operational continuity.

Evasion of Security Measures

Pink’s effectiveness lies in its ability to avoid triggering standard security tools. Because the group moves data with legitimate employee accounts and Microsoft’s own tools, most firewalls and endpoint detection systems do not flag the activity as suspicious. The attackers direct victims to phishing domains such as passkeydeploy.com and deploypasskey.com, where session cookies are captured, allowing the group to bypass MFA entirely without needing the victim’s password again.

In addition to credential theft, Pink employs fileless techniques to remain hidden within compromised environments. Rather than deploying traditional malware that antivirus software can detect, the group uses scripts and legitimate system tools to carry out its attacks, leaving minimal traces and making detection and remediation more challenging.

Implications for Enterprises

The emergence of Pink underscores the evolving landscape of cyber threats, where attackers increasingly exploit human factors and legitimate tools to achieve their objectives. Enterprises must recognize that traditional security measures focusing solely on technical defenses are insufficient against such sophisticated social engineering attacks.

To mitigate the risk posed by groups like Pink, organizations should implement comprehensive security awareness training programs that educate employees about the dangers of vishing and phishing attacks. Regular simulations and drills can help reinforce this training and ensure that employees are prepared to recognize and respond appropriately to such threats.

Additionally, enterprises should consider adopting advanced threat detection solutions that can identify anomalous behavior indicative of a compromise, such as unusual access patterns or rapid data exfiltration. Implementing strict access controls and monitoring for the use of automation tools within the network can also help detect and prevent unauthorized activities.
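As an added illustration of the detection approach described above (example code written for this page, not from the original article or from Unit 42), the following Python script runs a bulk-download burst check over constructed audit events whose operation names are modeled on the Microsoft 365 unified audit log, then escalates when the same account sends internal messages shortly afterwards, mirroring the extract-then-extort sequence the article describes. The thresholds, window sizes, and sample events are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names modeled on the Microsoft 365 unified audit log; the events
# below are constructed for this example and are not real telemetry.
DOWNLOAD_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}   # SharePoint/OneDrive
MESSAGE_OPS = {"MessageSent", "Send"}                          # Teams chat / Exchange mail


def constructed_events():
    """Constructed sample: one bulk-download burst plus benign background activity."""
    t0 = datetime(2026, 6, 1, 9, 0)
    events = []
    # 60 downloads in five minutes, then a Teams message 20 minutes later: suspicious
    for i in range(60):
        events.append(("alice@example.com", "FileDownloaded", t0 + timedelta(seconds=5 * i)))
    events.append(("alice@example.com", "MessageSent", t0 + timedelta(minutes=20)))
    # Five downloads spread over an hour: normal user behaviour
    for i in range(5):
        events.append(("bob@example.com", "FileDownloaded", t0 + timedelta(minutes=12 * i)))
    return events


def find_download_bursts(events, threshold=50, window=timedelta(minutes=10)):
    """Per user, return (first, last) timestamps of the earliest window holding >= threshold downloads."""
    by_user = defaultdict(list)
    for user, op, ts in events:
        if op in DOWNLOAD_OPS:
            by_user[user].append(ts)
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):          # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = (times[start], ts)
                break
    return bursts


def escalate_with_messaging(events, bursts, grace=timedelta(hours=1)):
    """Return burst users who also sent internal messages within `grace` after the burst."""
    flagged = set()
    for user, op, ts in events:
        if user in bursts and op in MESSAGE_OPS:
            burst_end = bursts[user][1]
            if burst_end <= ts <= burst_end + grace:
                flagged.add(user)
    return flagged


if __name__ == "__main__":
    sample = constructed_events()
    bursts = find_download_bursts(sample)
    print("bulk download bursts:", bursts)
    print("burst followed by internal messaging:", escalate_with_messaging(sample, bursts))
```

In production the same two checks would read from the tenant's audit export or SIEM rather than the constructed list, with the threshold tuned to the organization's normal download volume.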

Conclusion

The Pink hacking group’s emergence highlights the critical need for enterprises to adopt a holistic approach to cybersecurity that addresses both technical vulnerabilities and human factors. By staying informed about evolving threat tactics and implementing robust security measures, organizations can better protect themselves against sophisticated extortion attempts and safeguard their sensitive data.