New Pink Extortion Group Targets Microsoft 365 Users with Vishing Tactics
Severity: High (Score: 69.5)
Sources: Theregister, Thecyberexpress, github.com
Keywords: pink, extortion, data, fake, calls, steal, group
Summary
The newly identified Pink extortion group has emerged, targeting organizations by using voice phishing (vishing) to steal credentials and access Microsoft 365 accounts. Researchers from Palo Alto Networks' Unit 42 have classified this group under cluster designation CL-CRI-1147, with its data-leak site becoming active on May 31, 2026. Pink's operations involve impersonating IT staff to manipulate employees into providing sensitive information. Once access is gained, the group quickly exfiltrates data from cloud services like SharePoint and OneDrive, threatening to leak the stolen data unless a ransom is paid. The group is believed to be affiliated with the broader Com cybercriminal ecosystem, known for similar extortion tactics. This operation reflects a trend in cybercrime where established actors rebrand to evade law enforcement scrutiny. The urgency of the situation is underscored by the 72-hour deadline set for victims to respond to ransom demands.

Key Points:
- Pink extortion group uses voice phishing to steal Microsoft 365 credentials.
- The group's data-leak site went live on May 31, 2026, listing multiple victims.
- Pink is likely affiliated with the Com cybercriminal ecosystem, known for extortion.
Detailed Analysis
**Impact**

Organizations using Microsoft 365 are targeted, with multiple victims already listed on the group's leak site since May 31, 2026. The attackers exfiltrate sensitive corporate and customer data from cloud platforms such as SharePoint and OneDrive, threatening to leak stolen files unless ransom demands are met. The campaign affects sectors relying on cloud collaboration tools and spans multiple geographies, though specific regions are not detailed.

**Technical Details**

Initial access is gained through vishing attacks in which threat actors impersonate IT staff to phish credentials and bypass multi-factor authentication. Compromised Microsoft 365 accounts are used to exfiltrate data via the Microsoft Graph API and to automate collection using tools identified by their user-agent strings: Microsoft.Graph.Client/5.62.0 and python-requests versions 2.28.1 and 2.33.1. Infrastructure includes phishing domains such as passkeyadd[.]com, passkeydeploy[.]com and deploypasskey[.]com, and the IPs 185[.]178.208.153, 172[.]93.100.252 and 96[.]232.20.66. Post-exfiltration, attackers send extortion messages internally via email and Microsoft Teams to increase pressure.

**Recommended Response**

Prioritize user awareness training to recognize vishing and social engineering attempts, especially fake help desk calls. Monitor for suspicious login activity and unusual use of the Microsoft Graph API with the identified user-agent strings. Block and investigate connections to the listed phishing domains and IP addresses. Harden MFA processes and verify any out-of-band authentication requests through separate channels. No specific CVEs or patches are mentioned; focus on detection and response to credential phishing and lateral movement.
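As an added detection example (not code from the report or from Unit 42), the following Python scans constructed key=value activity records for the user-agent strings, IPs and phishing domains listed above and groups the matches per user for triage; the log layout, field names and sample users are assumptions, not any real Microsoft log format.

```python
import re
# Indicators quoted in the report above (defanging brackets removed).
SUSPICIOUS_USER_AGENTS = ("Microsoft.Graph.Client/5.62.0",
                          "python-requests/2.28.1", "python-requests/2.33.1")
PHISHING_DOMAINS = {"passkeyadd.com", "passkeydeploy.com", "deploypasskey.com"}
SUSPICIOUS_IPS = {"185.178.208.153", "172.93.100.252", "96.232.20.66"}

# Constructed sample records in an assumed key=value layout; quoted values may contain spaces.
SAMPLE_LOG = """\
ts=2026-06-02T09:14:05Z user=alice@example.com ip=203.0.113.7 ua="Mozilla/5.0" op="SignIn"
ts=2026-06-02T09:20:41Z user=alice@example.com ip=185.178.208.153 ua="python-requests/2.28.1" op="GET /me/drive/root/children"
ts=2026-06-02T09:21:03Z user=alice@example.com ip=185.178.208.153 ua="Microsoft.Graph.Client/5.62.0" op="GET /sites/root/drive/items"
ts=2026-06-02T10:15:49Z user=carol@example.com ip=10.0.0.5 host=passkeyadd.com op="GET /"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(record):
    """Return the indicator types a record matches, in fixed order (empty = clean)."""
    hits = []
    if record.get("ua", "").startswith(SUSPICIOUS_USER_AGENTS):
        hits.append("user-agent")
    if record.get("ip") in SUSPICIOUS_IPS:
        hits.append("ip")
    if record.get("host", "").lower() in PHISHING_DOMAINS:
        hits.append("domain")
    return hits

def scan(lines):
    """Return one finding per record that matches at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hits = classify(rec) if rec else []
        if hits:
            findings.append({"ts": rec.get("ts"), "user": rec.get("user"),
                             "ip": rec.get("ip"), "hits": hits})
    return findings

def by_user(findings):
    """Collapse findings to {user: sorted indicator types} for triage."""
    out = {}
    for f in findings:
        out.setdefault(f["user"], set()).update(f["hits"])
    return {u: sorted(h) for u, h in out.items()}
```

Exact user-agent matching is deliberate because the report names specific versions; a looser rule that flags any python-requests traffic against Graph would catch more but needs tuning against legitimate automation.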
Source articles (3)
- Pink Extortion Group Emerges Targeting Microsoft 365 Data — Thecyberexpress · 2026-06-04
  A newly identified cyber extortion operation is gaining attention among incident responders after security researchers uncovered a threat group using voice phishing, cloud data theft and aggressive ex…
- Pink is the latest goon squad to use fake helpdesk calls to steal creds — Theregister · 2026-06-04
  A new extortion brand called Pink uses voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments, steal their sensitive data, and threaten to leak it unless the…
- 2026 06 03 Pink Extortion Brand Activity.txt — github.com · 2026-06-04
Timeline
- 2026-05-31 — Pink's data-leak site becomes active: The site lists multiple victims, marking the group's entry into the cybercrime landscape.
- 2026-06-01 — New communication from Pink observed: Unit 42 noted a new message from a threat actor linked to Pink, referencing previous extortion attempts.
- 2026-06-04 — Pink extortion group reported: Unit 42 published findings on Pink's tactics, highlighting their use of vishing and cloud data theft.
Related entities
- Data Breach (Attack Type)
- Phishing (Attack Type)
- AT&T (Company)
- MGM (Company)
- Microsoft (Company)
- Nvidia (Company)
- Okta (Company)
- Salesforce (Company)
- Ticketmaster (Company)
- CWE-287 - Improper Authentication (Cwe)
- deploypasskey.com (Domain)
- passkeyadd.com (Domain)
- passkeydeploy.com (Domain)
- 172.93.100.252 (Ipv4)
- 185.178.208.153 (Ipv4)
- 96.232.20.66 (Ipv4)
- T1078 - Valid Accounts (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- DDoS-Guard Hosting (Platform)
- Microsoft 365 (Platform)
- SharePoint (Platform)
- Microsoft Teams (Tool)
- OneDrive (Tool)
- QTox (Tool)
- Teams (Tool)
- Microsoft Graph APIs (Tool)
- Microsoft Graph Client (Tool)
- Python-requests (Tool)