Social Engineering Tactics
A newly identified cybercriminal group known as Pink is targeting enterprise organizations by exploiting human trust instead of relying on traditional malware. The group uses voice phishing, or vishing, to trick employees into handing over their cloud storage credentials. Attackers impersonate internal IT staff over the phone, directing victims to fake login pages where they unknowingly provide both their passwords and multi-factor authentication codes. This method allows the group to bypass technical defenses by directly manipulating employees.
The group launched its dedicated data leak site in late May 2026 and has already listed several victims. Security researchers at Unit 42 identified the operation and noted that Pink appears to be connected to the broader Com network, a loose community of cybercriminals known for aggressive social engineering campaigns. Pink shares tactical similarities with other well known groups such as Lapsus$ and Scattered Spider, suggesting a common playbook among these threat actors.
Speed and Extortion Methods
Once Pink gains access to an employee account, the attackers move quickly. They use Microsoft’s built in automation tools to sweep through cloud storage environments, draining files from OneDrive and SharePoint folders within minutes. After stealing the data, the group uses compromised accounts to send internal Microsoft Teams messages and emails demanding payment. Executives are given a 72 hour window to respond, making the extortion feel urgent and credible.
Analysts believe Pink may be a rebrand of an older operation. After the BlackFile brand retired in May 2026, the group may have briefly operated as Redact before reappearing as Pink. This pattern of rebranding is common among sophisticated extortion crews trying to avoid detection. Enterprise security teams are now on alert as Pink’s tactics prove highly effective even against well defended organizations.
Source: Cyber Security News
