VYPR
breach · Published Jun 4, 2026

Pink Extortion Group Employs Vishing and IT Impersonation for Cloud Data Theft

The Pink extortion group is using voice phishing and fake IT helpdesk calls to steal credentials, bypass MFA, and exfiltrate data from cloud storage, threatening victims with public data leaks.

A new cybercriminal collective, dubbed Pink, has emerged employing a well-worn but effective tactic: voice phishing (vishing) combined with IT helpdesk impersonation. This strategy allows the group to gain initial access to organizations, steal sensitive data, and then extort victims by threatening to leak the compromised information. Palo Alto Networks' Unit 42 first identified the gang and its associated data-leak site, which became active on May 31, 2026.

Pink's modus operandi involves tricking employees into revealing their login credentials and multi-factor authentication (MFA) codes by posing as IT support staff. Once authenticated access is achieved, the attackers proceed to exfiltrate data from cloud storage and productivity platforms such as SharePoint and OneDrive. This method is not new; it was notably popularized by the Lapsus$ group during its high-profile attacks on companies like Nvidia and Microsoft, and later adopted by Scattered Spider, known for its disruptive attacks on major organizations.

The technique works because the control it defeats is the person, not the cryptography: the employee reads out a one-time code or approves a push prompt at the attacker's request, so any MFA factor the user can relay or approve is defeated, while phishing-resistant factors such as FIDO2 passkeys bound to the legitimate origin are not. Attackers exploit the perceived legitimacy of internal IT support and a sense of urgency to manipulate employees into compromising their own accounts, then use that access to steal corporate and customer data, which becomes the leverage for their ransom demands.

Following data exfiltration, Pink attackers communicate with their victims, often using compromised internal systems or direct messages, setting a strict 72-hour deadline for ransom payment before threatening to publish the stolen data. This tactic aims to pressure victims into quick compliance, capitalizing on the potential reputational and financial damage associated with a public data leak.

Unit 42 analysts noted that the Pink group reuses second-level domains across multiple targets, with the third-level domain often tailored to the specific victim. This is not unique, but it lets the group run campaigns efficiently, and it means defenders should hunt on the registered domain and any subdomain of it rather than only on the exact hostnames observed. The group is also believed to be affiliated with "The Com," a loosely organized network of cybercriminals involved in various illicit activities, including extortion and even violent crime for hire.

Indicators of compromise identified by Unit 42 include the phishing domains passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com. Associated IP addresses are 185[.]178[.]208[.]153 (hosting the phishing domains), 172[.]93[.]100[.]252 (used to access compromised accounts), and 96[.]232[.]20[.]66 (a residential proxy used to send extortion emails). User-agent strings observed during data exfiltration, Microsoft.Graph.Client/5.62.0 and python-requests/2.28.1, can support threat hunting, but both are common client libraries, so a user-agent match on its own should be corroborated with the listed IPs or domains or with other evidence of bulk download before it is treated as a hit.
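As an added worked example (not Unit 42's or VYPR's tooling), the following Python hunts a constructed set of JSON-lines sign-in and file-activity records for the indicators above. The record schema, the hypothetical tenant name contoso, and the benign RFC 5737 test addresses are assumptions; the IOC values are the ones published in this article. Domain matching covers subdomains of the listed second-level domains, reflecting the reuse pattern noted earlier, and rejects look-alike hosts that merely contain the string, while a user-agent hit alone is rated low confidence because both strings are ordinary clients.

```python
"""Hunt for the Pink IOCs reported by Unit 42 in constructed sign-in and
file-activity records (JSON lines).  Added example; not Unit 42 or VYPR code.
"""
import json
from urllib.parse import urlsplit


def refang(indicator):
    """Turn a defanged indicator such as 'passkeyadd[.]com' back into a matchable string."""
    return indicator.replace("[.]", ".")


# Indicators from the article, kept defanged as published and re-fanged for matching.
IOC_DOMAINS = {refang(d) for d in ("passkeyadd[.]com", "passkeydeploy[.]com", "deploypasskey[.]com")}
IOC_IPS = {
    refang("185[.]178[.]208[.]153"): "hosts phishing domains",
    refang("172[.]93[.]100[.]252"): "accessed compromised accounts",
    refang("96[.]232[.]20[.]66"): "residential proxy for extortion emails",
}
# Client strings seen during exfiltration; generic libraries, so weak evidence alone.
IOC_USER_AGENTS = {"Microsoft.Graph.Client/5.62.0", "python-requests/2.28.1"}

# Constructed sample log: hypothetical tenant "contoso", RFC 5737 addresses for benign traffic.
SAMPLE_LOG = """\
{"id": 1, "op": "SignIn", "ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "url": null}
{"id": 2, "op": "SignIn", "ip": "172.93.100.252", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "url": null}
{"id": 3, "op": "FileDownloaded", "ip": "198.51.100.23", "user_agent": "python-requests/2.28.1", "url": "https://contoso-my.sharepoint.com/personal/jdoe_contoso_com/Documents/finance.xlsx"}
{"id": 4, "op": "UrlClicked", "ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "url": "https://contoso.passkeydeploy.com/login"}
{"id": 5, "op": "UrlClicked", "ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)", "url": "https://passkeydeploy.com.example.org/"}
{"id": 6, "op": "FileDownloaded", "ip": "185.178.208.153", "user_agent": "Microsoft.Graph.Client/5.62.0", "url": "https://graph.microsoft.com/v1.0/me/drive/root/children"}
"""


def is_ioc_domain(host):
    """Match a listed domain or any subdomain of it (the group reuses the
    second-level domain and varies the victim-specific third-level label),
    without matching look-alike hosts that merely contain the string."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify(rec):
    """Return the IOC reasons that fire for one record plus a confidence level, or None."""
    reasons = []
    ip = rec.get("ip")
    if ip in IOC_IPS:
        reasons.append(f"ip {ip}: {IOC_IPS[ip]}")
    host = urlsplit(rec.get("url") or "").hostname or ""
    if host and is_ioc_domain(host):
        reasons.append(f"domain {host}: Pink phishing domain or victim-specific subdomain")
    ua = rec.get("user_agent", "")
    if ua in IOC_USER_AGENTS:
        reasons.append(f"user-agent {ua}: exfiltration client seen by Unit 42")
    if not reasons:
        return None
    # Infrastructure hits are specific; a bare user-agent match needs corroboration.
    strong = any(r.startswith(("ip ", "domain ")) for r in reasons)
    return {"confidence": "high" if strong else "low", "reasons": reasons}


def hunt(log_text):
    """Scan JSON-lines records and return {record id: finding} for every hit."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        finding = classify(rec)
        if finding:
            hits[rec["id"]] = finding
    return hits


if __name__ == "__main__":
    for rec_id, finding in sorted(hunt(SAMPLE_LOG).items()):
        print(rec_id, finding["confidence"], "; ".join(finding["reasons"]))
```

Run against the constructed log, records 2, 4 and 6 surface as high-confidence hits (IP or domain), record 3 as a low-confidence user-agent-only hit to be corroborated, and record 5, whose hostname only starts with passkeydeploy.com, is correctly ignored. Point `hunt` at exported Entra sign-in or Microsoft 365 unified audit records after mapping their field names onto `ip`, `user_agent` and `url`.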

The resurgence of these vishing and impersonation tactics underscores the persistent threat posed by social engineering in the modern cybersecurity landscape. As organizations increasingly rely on cloud services and remote work, the human element remains a critical vulnerability. Defenders are urged to be vigilant against suspicious helpdesk calls and to reinforce employee training on recognizing and reporting such phishing attempts.

Synthesized by Vypr AI