
Ransomware Gang Pink Exploits Helpdesk Calls to Steal Credentials

“Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims,” Palo Alto Networks’ Unit 42 wrote in a LinkedIn post.

Unit 42 flags a new extortion brand and a live leak site

Palo Alto Networks’ Unit 42 is tracking a new extortion cluster it calls CL-CRI-1147 and has tied the activity to a brand named Pink. Unit 42 said the Pink data-leak site went live on May 31 and that its analysts observed new communications on June 1, 2026, linked to an ongoing extortion negotiation. Unit 42 analysts Richard Emerson and Cuong Dinh reported that the actor provided a new qTox ID and a leak site associated with the Pink brand while referring back to data it had already claimed to exfiltrate in an earlier extortion notice.

Tactics: vishing, IT impersonation, and credential/MFA theft

Pink’s playbook, as described by Unit 42, relies on voice phishing and fake help-desk calls to obtain credentials and defeat multi-factor authentication: the victim is talked through completing the MFA step on the attacker’s behalf rather than MFA being broken technically. After gaining access to accounts, the attackers search for valuable corporate and customer data in cloud platforms such as SharePoint and OneDrive. The criminals then exfiltrate that data and use the compromised accounts and internal Microsoft Teams messages to pressure victims into paying, setting a 72‑hour deadline before publicly leaking the stolen files.

Connections to prior groups and the broader pattern

Unit 42 and other incident responders draw a through line between Pink and a recurring phone-based extortion pattern popularized by earlier gangs. Unit 42 links Pink’s methods to those of Lapsus$, Scattered Spider, and ShinyHunters, groups that previously used help-desk calls and vishing to steal credentials and compromise cloud services. Unit 42 said this latest cluster is “likely a Com-affiliated actor,” aligning Pink with The Com, a loosely knit collection of English-speaking networks of hackers, SIM swappers, and extortionists that incident responders have previously associated with similar campaigns. The reporting also notes that despite multiple arrests involving members of those earlier gangs, the vishing-and-help-desk approach persists.

Indicators of compromise Unit 42 published

Unit 42 provided concrete artifacts defenders can use for hunting and detection. They listed three phishing domains: passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com. Three IP addresses associated with the activity were published: 185[.]178.208[.]153 (hosting the phishing domains), 172[.]93.100[.]252 (used to access compromised accounts), and 96[.]232.20[.]66 (a residential proxy IP used to create extortion emails). Observed user-agent strings during data exfiltration included Microsoft.Graph.Client/5.62.0, python-requests/2.28.1, and python-requests/2.33.1. Unit 42 noted that Pink reuses these second-level domains against multiple targets while the third-level label typically reflects the target organization, so hunts should match any subdomain of the listed domains rather than only the bare names. Two caveats apply to the other artifacts: the python-requests user agents are generic and common in legitimate automation, so they are meaningful mainly when paired with bulk SharePoint or OneDrive downloads from an unexpected account or source IP, and a residential proxy address can be reassigned, so the IPs are time-bound rather than durable indicators.
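As an added example that is not from Unit 42 or the article, the script below runs the published indicators over a handful of constructed audit and proxy events and applies the subdomain rule described above: any host under one of the three domains counts, and the third-level label is extracted as a hint to which organization was targeted. The event field names (`host`, `src_ip`, `user_agent`, `operation`, `user`), the set of operations treated as bulk download, and the severity rules are assumptions chosen for the example; map them to your own sign-in, proxy, or Microsoft 365 audit-log schema.

```python
"""Hunt for the Pink / CL-CRI-1147 indicators published by Unit 42.

Added example for this article, not Unit 42 code. Event schema, sample events,
download-operation names and severity rules are assumptions made here so the
script runs offline; adapt them to the telemetry you actually collect.
"""
from collections import defaultdict

# Indicators from the article, refanged. Subdomains are matched too, because
# Unit 42 reports the third-level label usually names the target organisation.
PHISHING_DOMAINS = ("passkeyadd.com", "passkeydeploy.com", "deploypasskey.com")

IOC_IPS = {
    "185.178.208.153": "hosts the phishing domains",
    "172.93.100.252": "used to access compromised accounts",
    "96.232.20.66": "residential proxy used to create extortion emails",
}

EXFIL_USER_AGENTS = (
    "Microsoft.Graph.Client/5.62.0",
    "python-requests/2.28.1",
    "python-requests/2.33.1",
)

# Assumed: audit operations that indicate bulk reads of SharePoint/OneDrive.
EXFIL_OPERATIONS = {"FileDownloaded", "FileSyncDownloadedFull"}


def match_phishing_domain(host):
    """Return (ioc_domain, org_label) if host is an IOC domain or a subdomain of one.

    org_label is the third-level label ('contoso' in contoso.passkeydeploy.com);
    it is None for a bare second-level match. Returns None when nothing matches.
    """
    host = host.lower().rstrip(".")
    for ioc in PHISHING_DOMAINS:
        if host == ioc:
            return ioc, None
        if host.endswith("." + ioc):
            prefix = host[: -len(ioc) - 1]
            return ioc, prefix.split(".")[-1]
    return None


def classify_event(event):
    """Return a list of (indicator_kind, detail) tuples for one event dict."""
    hits = []
    host = event.get("host")
    if host:
        m = match_phishing_domain(host)
        if m:
            hits.append(("phishing_domain", f"{host} -> {m[0]} (org label: {m[1]})"))
    ip = event.get("src_ip")
    if ip in IOC_IPS:
        hits.append(("ioc_ip", f"{ip}: {IOC_IPS[ip]}"))
    ua = event.get("user_agent", "")
    # python-requests alone is common legitimate automation, so the user agent
    # only counts when it is performing a bulk download operation.
    if ua in EXFIL_USER_AGENTS and event.get("operation") in EXFIL_OPERATIONS:
        hits.append(("exfil_user_agent", f"{ua} performing {event['operation']}"))
    return hits


def hunt(events):
    """Group hits per user and score them (severity rules assumed, not Unit 42's).

    high   - an IOC IP was seen, or the same user has both a phishing-domain hit
             and an exfiltration user-agent hit (credential theft then egress);
    medium - any single hit.
    """
    per_user = defaultdict(list)
    for ev in events:
        for kind, detail in classify_event(ev):
            per_user[ev.get("user", "?")].append((kind, detail, ev.get("ts")))
    findings = {}
    for user, hits in per_user.items():
        kinds = {k for k, _, _ in hits}
        if "ioc_ip" in kinds or {"phishing_domain", "exfil_user_agent"} <= kinds:
            severity = "high"
        else:
            severity = "medium"
        findings[user] = {"severity": severity, "hits": hits}
    return findings


# Constructed sample telemetry for this example (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T09:12:03Z", "user": "jdoe", "src_ip": "10.4.2.17",
     "host": "contoso.passkeydeploy.com", "user_agent": "Mozilla/5.0",
     "operation": "WebRequest"},
    {"ts": "2026-06-01T09:40:51Z", "user": "jdoe", "src_ip": "172.93.100.252",
     "host": "graph.microsoft.com", "user_agent": "Microsoft.Graph.Client/5.62.0",
     "operation": "FileDownloaded"},
    {"ts": "2026-06-01T10:02:14Z", "user": "asmith", "src_ip": "10.4.2.18",
     "host": "contoso.sharepoint.com", "user_agent": "Mozilla/5.0",
     "operation": "FileAccessed"},
    {"ts": "2026-06-01T10:30:00Z", "user": "svc-backup", "src_ip": "10.9.0.5",
     "host": "graph.microsoft.com", "user_agent": "python-requests/2.28.1",
     "operation": "FileDownloaded"},
]

if __name__ == "__main__":
    for user, finding in hunt(SAMPLE_EVENTS).items():
        print(f"[{finding['severity'].upper()}] {user}")
        for kind, detail, ts in finding["hits"]:
            print(f"    {ts} {kind}: {detail}")
```

Run against the sample events, `jdoe` is scored high (phishing-domain visit, then a Graph client download from the published access IP), `svc-backup` is medium on the generic python-requests agent alone, and `asmith` produces no finding. The org-label extraction is what lets you pivot from a single observed subdomain to the naming pattern Unit 42 describes, for example by adding your own organisation’s name under each listed domain to a DNS watchlist.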

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Unit 42’s domains, IPs, and user-agent strings are concrete hunting artifacts to query DNS, proxy, sign-in, and Microsoft 365 audit logs for suspicious access and data egress tied to SharePoint and OneDrive; match subdomains of the listed domains, not only the bare names.
  • Enterprises and procurement leaders: Organizations that rely on cloud productivity storage should audit account access patterns and be alert to attackers using compromised internal accounts and Teams messages to deliver extortion demands; Pink’s 72‑hour leak deadline compresses response windows.
  • End users and internal help desks: Unit 42’s advisory is explicit. Be wary of help-desk calls, whether from people claiming to be locked-out employees or from callers purporting to roll out emergency MFA updates; the published domain names (passkeyadd, passkeydeploy, deploypasskey) fit exactly that “register your new passkey” pretext.

Pink is a reminder that the same social-engineering techniques — a short phone call, an impersonated IT staffer, a convincing request — remain effective at opening enterprise doors. Unit 42’s timeline (leak site live on May 31, renewed communication on June 1), the published indicators, and the reuse of domain naming conventions give defenders immediate, actionable clues. The longer pattern is equally plain: past waves of arrests have not eliminated the threat, and the criminal playbook keeps reappearing under new brand names. How quickly organizations use the supplied artifacts to detect misuse of SharePoint, OneDrive, and internal messaging will determine whether Pink’s 72‑hour countdown ends in payment, exposure, or successful containment.