A newly identified extortion group called Pink is calling employees while pretending to be IT support, then stealing account credentials and company data to demand payment. Palo Alto Networks Unit 42 says the group, tracked as CL-CRI-1147 and likely linked to the criminal network known as The Com, uses voice phishing and fake help-desk interactions to capture passwords and multifactor authentication (MFA) approvals, then raids services such as SharePoint, OneDrive, and Microsoft Teams. Unit 42 said Pink's leak site went live on May 31 and published domains and IP addresses tied to the campaign as indicators of compromise.
Why it matters: Organizations that rely on cloud productivity tools are exposed because attackers do not need malware or software flaws if they can talk staff into handing over access. Companies should warn staff about unsolicited help-desk calls, tighten help-desk identity checks, review Microsoft 365 logs, and block or investigate the listed phishing infrastructure immediately.
2026.06.04
The article establishes a distinct new threat story: a newly branded extortion cluster, Pink, with a named leak site, tradecraft, likely affiliation, and concrete indicators of compromise.