
New Pink Extortion Group Targets Microsoft 365 via Voice Phishing

Severity: High (Score: 71.8)

Sources: Theregister, Thecyberexpress, github.com

Published: 2026-06-04 · Updated: 2026-06-05

Keywords: pink, extortion, data, fake, calls, steal, group

Summary

The newly identified Pink extortion group uses voice phishing (vishing) to gain access to Microsoft 365 accounts. Unit 42 tracks the group under the cluster designation CL-CRI-1147; its data-leak site went live on May 31, 2026. Operators place fake helpdesk calls that manipulate employees into handing over credentials, including multi-factor authentication (MFA) tokens. Once in, Pink rapidly exfiltrates sensitive data from cloud services such as SharePoint and OneDrive. The group is believed to be affiliated with the broader Com cybercriminal ecosystem, which has a history of similar extortion tactics. Victims are given a 72-hour deadline to pay before their data is leaked. Pink's emergence fits a wider trend toward identity-driven attacks that abuse trusted cloud environments rather than exploiting software vulnerabilities.

Key Points:

  • Pink uses voice phishing to steal Microsoft 365 credentials and MFA tokens.
  • The group's data-leak site became active on May 31, 2026, listing multiple victims.
  • Pink is likely affiliated with the Com cybercriminal ecosystem, known for extortion tactics.

Detailed Analysis

**Impact**

Organizations using Microsoft 365 cloud services across multiple sectors are targeted; multiple victims have been listed on the group's leak site since May 31, 2026. The campaign involves theft of sensitive corporate and customer data from SharePoint and OneDrive, affecting data confidentiality and, through the extortion pressure that follows, operational continuity. No specific geographic regions or victim counts beyond "multiple organizations" have been disclosed.

**Technical Details**

Initial access is gained through vishing and IT-impersonation calls that walk employees through submitting credentials and MFA tokens on attacker-controlled phishing domains: passkeyadd[.]com, passkeydeploy[.]com and deploypasskey[.]com, hosted on 185[.]178[.]208[.]153, 172[.]93[.]100[.]252 and 96[.]232[.]20[.]66. The domain names are themed around passkey enrolment, which fits the helpdesk pretext used on the calls.

Post-compromise, the attackers use Microsoft Graph API tooling to pull cloud data rapidly; observed user-agent strings are Microsoft.Graph.Client/5.62.0 and python-requests (versions 2.28.1 and 2.33.1). Compromised Microsoft 365 accounts are then used internally to send extortion messages via email and Microsoft Teams. No malware and no exploited CVEs were reported for this cluster; the CVE-2025-48595 entries in the timeline on this page are not tied to Pink's activity by this analysis.

Caveat for detection engineering: both user-agent strings are default values of legitimate SDKs and libraries and will appear in benign automation. Treat a match as a pivot to correlate with sign-in source, first-seen time for that user, and SharePoint/OneDrive download volume, not as a standalone block rule.

**Recommended Response**

  • Prioritize user awareness training on vishing and suspicious helpdesk calls, emphasizing verification of IT communications (for example, hanging up and calling back on a known internal number).
  • Block and monitor the identified phishing domains and IP addresses, and alert on the listed user-agent strings in Microsoft 365 audit and Entra sign-in logs, especially when paired with bulk SharePoint or OneDrive downloads.
  • Harden MFA and helpdesk processes against social engineering: prefer phishing-resistant factors (FIDO2 security keys or passkeys, which cannot be read out over a phone call) and ensure the helpdesk cannot reset MFA or issue credentials on an inbound call alone.
  • Monitor internal email and Teams for extortion messages sent from compromised accounts; on detection, revoke sessions and reset credentials for the affected users.
  • No specific patches apply; focus on credential protection and anomaly detection.
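The following is an added example of how the indicators and post-compromise behaviour described above can be turned into detection logic; it is not code from the page or from Unit 42 or any other cited source. The sample records are constructed to resemble Microsoft 365 Unified Audit Log events (Office 365 Management Activity field names such as CreationTime, Operation, UserId, ClientIP, UserAgent, ObjectId) plus one web-proxy style record with a Url field; the download threshold is an assumption to tune against a tenant's own baseline.

```python
"""Detection sketch for Pink-style M365 compromise and exfiltration.

Added example; indicators come from the analysis above, log records are
constructed, and BULK_THRESHOLD is an assumption.
"""
import json
import re
from collections import Counter

# Indicators from the analysis above, in refanged form.
PHISHING_DOMAINS = {"passkeyadd.com", "passkeydeploy.com", "deploypasskey.com"}
PHISHING_IPS = {"185.178.208.153", "172.93.100.252", "96.232.20.66"}
# Exact user-agent strings reported. Both are legitimate library defaults,
# so a match is a correlation pivot, not proof of compromise on its own.
SUSPECT_UA = re.compile(
    r"^(?:Microsoft\.Graph\.Client/5\.62\.0|python-requests/2\.(?:28|33)\.1)$"
)
BULK_OPS = {"FileDownloaded", "FileSyncDownloadedFull"}
BULK_THRESHOLD = 5  # assumption: downloads per user within the log slice


def refang(value):
    """Turn defanged IOCs (hxxps://x[.]y) back into matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def phishing_domain_in(record):
    """Return the first known lure domain found in any string field, else None."""
    for value in record.values():
        if isinstance(value, str):
            lowered = refang(value).lower()
            for domain in PHISHING_DOMAINS:
                if domain in lowered:
                    return domain
    return None


def detect(records):
    """Apply four rules and return one finding dict per hit."""
    findings = []
    downloads = Counter()
    for rec in records:
        user = rec.get("UserId")
        ua = rec.get("UserAgent", "")
        if SUSPECT_UA.match(ua):
            findings.append({"rule": "suspect_user_agent", "user": user, "detail": ua})
        if rec.get("ClientIP") in PHISHING_IPS:
            findings.append({"rule": "known_pink_ip", "user": user, "detail": rec["ClientIP"]})
        domain = phishing_domain_in(rec)
        if domain:
            findings.append({"rule": "phishing_domain", "user": user, "detail": domain})
        if rec.get("Operation") in BULK_OPS:
            downloads[user] += 1
    # Volume rule: scripted Graph pulls show up as many downloads in a short slice.
    for user, count in downloads.items():
        if count >= BULK_THRESHOLD:
            findings.append({"rule": "bulk_download", "user": user, "detail": f"{count} file downloads"})
    return findings


def summarize(findings):
    """Count findings per rule for a quick triage view."""
    return Counter(f["rule"] for f in findings)


# Constructed sample: alice is compromised (vishing, then scripted Graph pulls
# from Pink infrastructure), bob is benign, carol browsed to a lure domain.
SAMPLE_LOG = r"""
{"CreationTime":"2026-06-01T14:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/125.0"}
{"CreationTime":"2026-06-01T14:05:40","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"185.178.208.153","UserAgent":"python-requests/2.28.1"}
{"CreationTime":"2026-06-01T14:06:02","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"185.178.208.153","UserAgent":"Microsoft.Graph.Client/5.62.0","ObjectId":"https://contoso.sharepoint.com/sites/finance/Q2-forecast.xlsx"}
{"CreationTime":"2026-06-01T14:06:03","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"185.178.208.153","UserAgent":"Microsoft.Graph.Client/5.62.0","ObjectId":"https://contoso.sharepoint.com/sites/finance/payroll.csv"}
{"CreationTime":"2026-06-01T14:06:03","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"185.178.208.153","UserAgent":"Microsoft.Graph.Client/5.62.0","ObjectId":"https://contoso.sharepoint.com/sites/legal/nda-list.docx"}
{"CreationTime":"2026-06-01T14:06:04","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"185.178.208.153","UserAgent":"Microsoft.Graph.Client/5.62.0","ObjectId":"https://contoso-my.sharepoint.com/personal/alice/Documents/customers.xlsx"}
{"CreationTime":"2026-06-01T14:06:05","Operation":"FileDownloaded","UserId":"alice@example.com","ClientIP":"185.178.208.153","UserAgent":"Microsoft.Graph.Client/5.62.0","ObjectId":"https://contoso-my.sharepoint.com/personal/alice/Documents/board-minutes.pdf"}
{"CreationTime":"2026-06-01T14:30:00","Operation":"FileDownloaded","UserId":"bob@example.com","ClientIP":"203.0.113.22","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) OneDrive/24.0","ObjectId":"https://contoso.sharepoint.com/sites/hr/handbook.pdf"}
{"CreationTime":"2026-06-01T14:40:12","Operation":"WebRequest","UserId":"carol@example.com","ClientIP":"10.0.0.5","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/125.0","Url":"hxxps://passkeydeploy[.]com/enroll"}
{"CreationTime":"2026-06-01T15:01:30","Operation":"MessageSent","UserId":"alice@example.com","ClientIP":"172.93.100.252","UserAgent":"python-requests/2.33.1","Workload":"MicrosoftTeams"}
"""

if __name__ == "__main__":
    hits = detect(parse_records(SAMPLE_LOG))
    for hit in hits:
        print(f"{hit['rule']:<20} {hit['user']:<20} {hit['detail']}")
    print(dict(summarize(hits)))
```

Run against the sample, the user-agent and IP rules fire on every one of alice's scripted requests and the volume rule fires once for her, while bob's single browser download produces nothing; the point of keeping the rules separate is that a single python-requests or Graph SDK hit is routine in most tenants, and it is the overlap (known infrastructure plus bulk downloads plus an unfamiliar client for that user) that justifies revoking sessions.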

Source articles (4)

  • Pink Extortion Group Emerges Targeting Microsoft 365 Data — Thecyberexpress · 2026-06-04
    A newly identified cyber extortion operation is gaining attention among incident responders after security researchers uncovered a threat group using voice phishing, cloud data theft and aggressive ex…
  • Pink is the latest goon squad to use fake helpdesk calls to steal creds — Theregister · 2026-06-04
    A new extortion brand called Pink uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the…
  • The Cyber Express Weekly Roundup: Cloud Extortion, Long-Term Espionage, Android Zero-Days, and Public Sector Security Reviews — Thecyberexpress · 2026-06-05
    The cybersecurity landscape in this weekly roundup continues to show a clear shift toward identity-driven attacks, long-term persistence operations, and exploitation of trusted cloud environments. Thr…
  • 2026 06 03 Pink Extortion Brand Activity.txt — github.com · 2026-06-04

Timeline

  • 2026-05-31 — Pink's data-leak site goes live: The Pink extortion group's leak site became active, listing multiple victims and signaling their operational capabilities.
  • 2026-06-01 — New communication from Pink observed: Unit 42 noted new communications from Pink referencing previous extortion negotiations, indicating ongoing activity.
  • 2026-06-02 — CVE-2025-48595 added to CISA KEV: CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog due to active exploitation.
  • 2026-06-03 — First public PoC for CVE-2025-48595: A proof of concept for CVE-2025-48595 was made publicly available, highlighting its exploitation risk.
  • 2026-06-05 — Cyber Express Weekly Roundup published: The roundup highlighted ongoing identity-driven attacks and the rise of the Pink extortion group targeting Microsoft 365.

CVEs

  • CVE-2025-48595

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • AT&T (Company)
  • MGM (Company)
  • Microsoft (Company)
  • Nvidia (Company)
  • Okta (Company)
  • Salesforce (Company)
  • Ticketmaster (Company)
  • Education (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • deploypasskey.com (Domain)
  • passkeyadd.com (Domain)
  • passkeydeploy.com (Domain)
  • 172.93.100.252 (Ipv4)
  • 185.178.208.153 (Ipv4)
  • 96.232.20.66 (Ipv4)
  • T1078 - Valid Accounts (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Android (Platform)
  • DDoS-Guard Hosting (Platform)
  • Microsoft 365 (Platform)
  • SharePoint (Platform)
  • Microsoft Teams (Tool)
  • OneDrive (Tool)
  • QTox (Tool)
  • Teams (Tool)
  • Microsoft Graph APIs (Tool)
  • Microsoft Graph Client (Tool)
  • Python-requests (Tool)